Hi everyone! We have discovered a remote vulnerability in Berkeley finger, which is somewhat trivial to exploit. The vendor has been notified and now is the time for the hole to be fully disclosed to the security community. Attached to this submission is our advisory + full working exploit. Remember to use the information responsibly. Happy hacking. The GOBBLES Research Team http://www.bugtraq.org ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++ ALERT! ALERT! BERKELEY FINGER VULNERABILITY! ALERT! ALERT! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ This is NOT Robert Morris gets() bug! #include "/tmp/.admin_files/trash/about_us.h" GOBBLES LABS was pioneered in year 2001 to address security threat to public. We will become renowned for our bleeding edge technology and method of giving software full-fledged battery of attack to find weakness and make this weaknesses known to public sector (not disk sector hehehe) so problem may be fixed in reliable manner. We invent several fuzz testing tool for remote daemon and we thus are able to stress test application for security. GOBBLES LABS uses proprietary artificial intelligence tool to aid in enumeration of remote host banner and then able to identify flaw through new operating system TCP/IP stack fingerprint by measuring delayed acknowledgement behaviour, thus being able to ratify system information by referencing a table of TCP slow start and fast retransmit behaviour. GOBBLES be adding patches to nmap security tool to show this method of identifying system like Solaris, IRIX, SCSI, Linux, *BSD, etc. etc. oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo "To be or not to exist, were the great green grass exhumed by the twilight hour mystique" -- Gobbles Poetry, 2000 PRODUCT ******* program: Berkeley finger.cgi website: http://www.csua.berkeley.edu/cgi-bin/finger?source BACKGROUND ********** Inspired by recent ingenius Bugtraq post entitled "How to use Google to find confidential informations," GOBBLES team begin question prospects in finding exploitable conditions in scripts return by google search machine. First GOBBLES did search like "allinurl:cgi-bin/finger" and find source offered by berkeley.edu in public domain. Source promise security but this promise broken because airhead programmer did not use common sense but instead use shoes too much (everyone remember pine holes?!?! not shoes used that time but too much cereal heheheeee). Programmer claim security with Perl comment: ######################################################### # check for some loozer trying to run a different process ######################################################### This obnoxious attitude not buy security though. Programmer who not fully understand /bin/sh -c nuance should not get programming as hobby at all. Ok, so for this audit we going to use vi editor because it offer flexibility in locate precise vulnerability. So we have our tools and that's important because we have to have tool. "Important to relax and just let source code speak to soul." -- Anonymous TECHNICAL DETAILS ***************** Here is the working spotlight portion of code: ######################################################### # check for some loozer trying to run a different process ######################################################### if ($dest =~ /;|>||\||&/) { print <<EOH; <H1>Forget it, bum!</H1> <P>Either you made a big typo, or you're trying something funny with the system. </BODY></HTML> EOH exit(0); } ############### # do the finger ############### if ($dest) { if ($xpid = open(FINGER,"$finger $dest |")) { print "<PRE>", <FINGER>, "</PRE>"; close(FINGER); } else { print <<EOH; <P>There was an error during the finger process.</P> EOH } } Ok, so we immediately see questionable open() call and notice $dest scalar come from user input. But programmer try best to strip out metacharacter. HE WRONG. HE DID NOT THINK ABOUT NEWLINE!!!! WHAT MATTER WITH DENSE PEOPLE THESE DAYS???? Nobody learn from phf hole???? GOBBLES find this poor education in public very disturbing and hope that "necessary evil" stated by aleph1 will help berkeley.edu fix their security. DEMONSTRATION ************* In order to prevent malicious attacker from using this hole, GOBBLES has taken obscurity measures to protect an innocent host from being cracked. Thus, the vulnerable host has been replaced with domain host.com below. http://www.host.com/cgi-bin/finger?dest=x%0aid EXPLOIT ******* This bug can be exploited with Unicode / CGI Decode exploit from Microsoft called Internet Explorer. VENDOR NOTIFICATION ******************* Domain Name: BERKELEY.EDU Administrative Contact, Technical Contact, Billing Contact: University of California, Berkeley (UCB-NOC) nocat_private Communication and Network Services 283 Evans Hall #3806 Berkeley, CA 94720-3806 USA 1-510-643-3267 rootat_private and nocat_private contacted with vulnerability information and fix suggestion. GREETS ****** dianora -- where would we be without you? You instilled in GOBBLES security importance of clearly documenting "return 0;" behavior in big, robust code like hybrid-6. GOBBLES knows numeric misuse issues in hybrid-6 but will keep them quiet for now until we able to develop patch and stop irc warrior abusing issue with exploit created by GOBBLES hacking team who help security industry to stop other hackers getting in. That important trend today: hackers working with security industry to stop hackers getting in is logical progression from stage magician telling the audience how the trick is done. It is sensible and people should not be criticized for this. tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble, emmanuel goldstein, box.sk, @stake, securityfocus, blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet, bugtraq (thanks aleph1 and david ahmad for devoting your time to a great list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin bontchev, reese witherspoon, kirstin dunst, katie holmes, aleister crowley, manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens, and all our friends and family. GOBBLES SECURITY http://www.bugtraq.org/
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 15:31:00 PST