Vulnerability Development mailing list archives
Re: Playing around with a buggy source code
From: Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>
Date: Tue, 15 Aug 2000 10:53:58 +0200
On Tue, 15 Aug 2000, Bluefish wrote:
> The bug I've verified so far assumes /bin/sh to be a symlink to /bin/bash, because it's bad use of popen. The code replaces |;&>'\r\n with \0, but it allows $[](), so one can send $(command) which eventually will end up in /bin/bash -c "/bin/echo -n $(command)|/usr/bin/md5sum" if you use redhat or distro where sh is the same as bash.
If sh == bash, you can use "<(command)" as well.
> The source includes the line recv(d, p, 1000, 0), however I cannot find any null termination of p. If I'm reading man recv correctly, it does not null terminate? (well, it kind of does, if it hits any of the blacklisted characters) So if I send 1000 'A', p will be all 'A's and no \0 anywhere to be seen?
Exactly. recv() does not add any terminator. The code appears to work because the memory area where the buffer is stored has not been touched since the kernel materialized the page(s) (filling them with zeros) where it is located.
> This p will later end up in a snprintf which looks like this: snprintf(fmt, 1024, "/bin/echo -n %s|/usr/bin/md5sum", plain); which if I count correctly allows an attacker to cut away "5sum" from the end (additionally, wasn't it some OS [solaris?] which doesn't null terminate snprintf on overflows?)
Yes, you can probably turn md5sum into md but it is inconsequential as long as there is no /usr/bin/md (md5, md5s etc.) on the system doing anything useful. Nevertheless, bugs of this kind can do harm: do you remember the sendmail HELO bug that made it possible to relay messages without revealing your own identity in the headers?
> This is a small server program that can be put on an untrusted host, without the danger of the hard-coded password being retrieved.
Terminate your password with a backslash. The program will try to run

/bin/echo -n password\|/usr/bin/md5sum

Of course, the result will be the following string

password|/usr/bin

Substitute a MD5 hash (32 characters long) you extracted from the binary for the password. The program will read the FIRST 32 characters of the output, i.e. the hash you supplied, i.e. the hash it expects. No cleartext password needed. Alternatively, you can use a hash instead of a backslash.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
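An added example, not code from the thread or from the program Bluefish is auditing, showing the check a defender would add for each of the three defects discussed above: recv() leaving the buffer unterminated, the blacklist that still lets shell syntax through, and snprintf() silently truncating the command. The buffer sizes (1000 and 1024) follow the recv() and snprintf() calls quoted in the thread; the allowlist, the function names and the idea of refusing to run a truncated command are assumptions of this example, not the original program's behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1000   /* same size as the recv(d, p, 1000, 0) in the thread */
#define CMD_SIZE 1024   /* same size as the snprintf(fmt, 1024, ...) */

/* 1. recv() never writes a terminator. Simulate storing a received chunk:
 *    keep at most cap-1 bytes and terminate explicitly. Returns bytes kept. */
size_t store_received(char *dst, size_t cap, const char *src, size_t n) {
    if (cap == 0) return 0;
    size_t take = n < cap - 1 ? n : cap - 1;
    memcpy(dst, src, take);
    dst[take] = '\0';
    return take;
}

/* 2. Allowlist instead of the original blacklist (|;&>'\r\n): only bytes
 *    from a fixed set are accepted, so $(...), <(...), a trailing backslash
 *    and '#' are rejected without having to enumerate them. */
bool password_is_safe(const char *s) {
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-.";
    if (*s == '\0') return false;
    for (; *s != '\0'; s++)
        if (strchr(allowed, *s) == NULL) return false;
    return true;
}

/* 3. snprintf() returns the length it WOULD have written; a result >= cap
 *    means the command was cut short ("md5sum" becoming "md"). Return -1
 *    in that case so the caller never runs a truncated command line. */
int build_command(char *out, size_t cap, const char *plain) {
    int n = snprintf(out, cap, "/bin/echo -n %s|/usr/bin/md5sum", plain);
    if (n < 0 || (size_t)n >= cap) return -1;
    return n;
}

/* Scenario from the thread: 1000 'A's arrive with no terminator.
 * Returns the stored length (999: one byte is reserved for the NUL). */
size_t scenario_thousand_as(void) {
    char wire[1000];
    char p[BUF_SIZE];
    memset(wire, 'A', sizeof wire);             /* constructed input */
    store_received(p, sizeof p, wire, sizeof wire);
    return strlen(p);
}

/* Scenario from the thread: a 999-byte password makes the command 1028
 * bytes long, which does not fit in 1024. Returns -1 (refused). */
int scenario_truncation(void) {
    char p[BUF_SIZE];
    char fmt[CMD_SIZE];
    memset(p, 'A', 999);                         /* constructed input */
    p[999] = '\0';
    return build_command(fmt, sizeof fmt, p);
}

int main(void) {
    printf("stored length of 1000 'A's: %zu\n", scenario_thousand_as());
    printf("999-byte password accepted: %d\n", scenario_truncation());
    printf("\"$(id)\" safe: %d, \"hunter2\" safe: %d\n",
           password_is_safe("$(id)"), password_is_safe("hunter2"));
    return 0;
}
```

The allowlist is the substantive change: every bypass in the thread ($(...), <(...), the trailing backslash, the '#') works because the original code enumerates bad characters and misses some, whereas an allowlist fails closed. Better still is not to hand the password to a shell at all, but if popen() stays, the three checks above close the paths discussed.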