Bugtraq mailing list archives
antisniff latest ("two times fixed") version still exploitable, l0phtl0phe-kid.c
From: scut () NB IN-BERLIN DE (Sebastian)
Date: Thu, 18 May 2000 20:21:53 +0200
Hi. This email includes personal opinions that might touch the feelings of some persons, but I cannot post this without some anger in my heart, so read on. The story about this bug started some days ago, when someone notified l0pht of a buffer overflow vulnerability in antisniff. Though this vulnerability is unlikely to be exploited in the wild it shows that no vendor, even the security conscious are safe from accidently creating overflowable code. l0pht issued an update, that should fix the problem. The advisory of l0pht contained one sentence "The fix is as trivial as". Maybe not as trivial as they thought, because not only this fix is broken, but also the second one, which was issued yesterday in response to my exploit post. The latest version of l0pht Antisniff (at least the unix version) is vulnerable to the same buffer overflow even after two fixes. This shows two things, namely a) that nobody, even the "known experts" are safe from creating simple bugs which result in security holes, and b) that you shouldn't go for "just add a *n* into those str* functions and every- thing will be ok" mentality. But it's ok, everyone is allowed to make errors. What got me a bit angry was the comment I read today on their website regarding my exploit. It was "reported not to work", and my supplied information "was invalid". I made one error in my post, that I admit, and thats I messed up with the different version numbering of the unix and the windows version. I haven't checked the windows version of antisniff for vulnerability, but the latest unix version (which was already "fixed") was vulnerable at the time of post, and thats what I meant. I'm sorry if that confused some people. The other point that the exploit doesn't work is maybe because it requires some fiddling with the offset and such. I didn't had the time nor the will to make the exploit more foolproof, so even the dumbest script kiddie can use it without having to try a couple of times. But in regard to the comment on the website I modified the exploit a bit, now it should work against all versions of antisniff for unix (up to and including 1-1-1) on a linux/x86 box. If not you only have to do small mods to the offset and it should be ok. But don't claim it doesn't work unless you've checked in the debugger and see how the return address isn't overwritten. Thanks. For all that still don't believe, here is a little snapshot: (... == victim ip, removed, against x86/linux 2.2.x box with antisniff 1-1-1) foo:~ # ./l0phtl0phe 1.1.1.1 ... exploitation succeeded. try: "telnet ... 17664" now. foo:~ # telnet ... 17664 Trying ... ... Connected to ... . Escape character is '^]'. id; uid=0(root) gid=0(root) groups=0(root) : command not found exit; Connection closed by foreign host. foo:~ # I feel that l0pht is allowed to make errors too, but they shouldn't be such contraproductive against people that point out security holes in their products by downsizing the claims and putting the stuff as "not working", just because it requires some work. ciao and regards, scut / teso -- - scut () nb in-berlin de - http://nb.in-berlin.de/scut/ --- you don't need a -- -- lot of people to be great, you need a few great to be the best ------------ http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07 -- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon - <HR NOSHADE> <UL> <LI>text/plain attachment: l0phtl0phe-kid.c </UL>
Current thread:
- Re: "ClientSideTrojan" bug, (continued)
- Re: "ClientSideTrojan" bug David L. Nicol (May 11)
- Re: "ClientSideTrojan" bug Magosanyi Arpad (May 16)
- BUFFER OVERRUN VULNERABILITIES IN KERBEROS Jeffrey I. Schiller (May 16)
- Re: BUFFER OVERRUN VULNERABILITIES IN KERBEROS Kris Kennaway (May 18)
- antisniff x86/linux remote root exploit, including "fixed" 1.02 version Sebastian (May 16)
- announce : Nessus 1.0 released Renaud Deraison (May 17)
- RFP2K04: Mining BlackICE with RFPickAxe rain forest puppy (May 17)
- FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx [REVISED] FreeBSD Security Officer (May 17)
- klogin remote exploit duke (May 17)
- Re: RFP2K04: Mining BlackICE with RFPickAxe Robert Graham (May 17)
- antisniff latest ("two times fixed") version still exploitable, l0phtl0phe-kid.c Sebastian (May 18)
- Re: antisniff latest ("two times fixed") version still exploitable, l0phtl0phe-kid.c Mudge (May 18)
- Re: RFP2K04: Mining BlackICE with RFPickAxe Matt (May 18)
- AUX Security Advisory on Be/OS 5.0 (DoS) visi0n (May 17)
- Re: RFP2K04: Mining BlackICE with RFPickAxe Andrew Lambeth (May 19)
- Remote Dos attack against Intel express 8100 router Dimuthu Parussalla (May 18)
- RFP2K05: NetProwler vs. RFProwler rain forest puppy (May 19)
- Key Generation Security Flaw in PGP 5.0 gec () ACM ORG (May 23)
- Filesystem vulnerability in AIX salme () US IBM COM (May 23)
- Re: RFP2K05: NetProwler vs. RFProwler Pedro Quintanilha (May 23)
- Security Vulnerability in Qpopper 2.53 (Upgrade to 3.0.2) Qpopper Support (May 23)