Bugtraq mailing list archives

Re: [Global InterSec 2002012101] DeleGate Application Proxy - Multiple Vulnerabilities

From: Tom Parker <tom () rooted net>
Date: Tue, 12 Feb 2002 10:38:08 +0000

Kris

> These vulnerabilities were publicized several years ago; the
> developers appear to have made some effort to clean up the code, but
> given the condition it was in to begin with it's not really any
> surprise there are many problems remaining.

As stated in the advisory - other vulnerabilities in delegate haven't been
uncommon in the past. However no one seems to of yet stepped out
and outlined the sheer severity and number of them which exist.
Neither has anyone outlined that the work arounds the author introduced
do little or no good toward prevention of the bugs being exploited.

In answer to Kojima Hajime's question:

> And, delegate has execve(2) trap (-Tx). Can you break it?

Yes - A couple of methods spring to mind..
When an processes calling execve() is being ptrace()'d will send a SIGTRAP
which is caught by the signal handlers in delegate and handled accordingly,

ie:

forkspawn.c:114: if( sig == SIGTRAP ){
forkspawn.c:115: if( lNOEXEC() )
forkspawn.c:116: ptraceKill(pid);
forkspawn.c:117: else ptraceContinue(pid,0);

If we had control of the parent (which we don't) you could either overwrite
the execve trap by adding another (NULL) signal handler for the event in
your shellcode.

However, If I were to have time to write a proof of concept(c) Id attempt
to execute the execve() after fork()'ing in my shellcode. For example:
if (fork () == 0) { execve-shellcode(); }

You can also use ptrace within your shellcode to deceive the watcher (parent)

process, I haven't had time to investigate this technique with delegateright now,

the original advisory will be updated with additional information on this when
Ive had time to prove it works ;-)

Regards
Tom Parker

--------------------------------------------------------------------------------------------------

Tom Parker - tom () rooted net
Global Intersec LLC California +1 888 797 3262

--------------------------------------------------------------------------------------------------

"Stupidity cannot be cured with money or through
education or by legislation. Stupidity is not a sin,
the victim can't help being stupid. But stupidity
is the only universal capital crime; the sentence
is death there is no appeal and execution is
carried out automatically and without pity."
 -Robert Heinlein

--------------------------------------------------------------------------------------------------

Current thread:

[Global InterSec 2002012101] DeleGate Application Proxy - Multiple Vulnerabilities Global InterSec Research (Feb 07)
- Re: [Global InterSec 2002012101] DeleGate Application Proxy - Multiple Vulnerabilities KOJIMA Hajime (Feb 08)
- Re: [Global InterSec 2002012101] DeleGate Application Proxy - Multiple Vulnerabilities Kris Kennaway (Feb 08)
  - Re: [Global InterSec 2002012101] DeleGate Application Proxy - Multiple Vulnerabilities Tom Parker (Feb 13)