Full Disclosure mailing list archives

Uptime Agent 5.0.1 Stack Overflow Vulnerability


From: Denis Andzakovic <denis.andzakovic () security-assessment com>
Date: Thu, 28 Nov 2013 11:02:57 +1300


(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _=''"''=.

                presents..

Uptime Agent 5.0.1 Stack Overflow Vulnerability
Affected versions: Uptime Agent 5.0.1 (i386)

PDF:
http://www.security-assessment.com/files/documents/advisory/Up.Time%20Agent%205.0.1%20Stack%20Overflow.pdf


+-----------+
|Description|
+-----------+
A remote stack overflow vulnerability has been discovered within the Uptime
Agent software version 5.0.1. This is the current release of the Uptime Agent
for Debian based systems. The stack overflow, which can lead to remote code
execution, exists within the Uptime Agent daemon when processing the "chk4"
command. The overflow occurs in the child process spawned by the Uptime daemon
whenever a new connection to the daemon is created.

+------------+
|Exploitation|
+------------+
The following proof of concept can be used to trigger the stack overflow
and cause the EIP overwrite:

$ perl -e 'print "chk4 " . "A"x500 . "\n";' | nc <serverip> <port>

Crash analysis has indicated that this vulnerability exists due to the
sprintf call within the checkFor function of uptmagnt-d.c.
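The following C sketch is an added illustration and not the agent's own
source (the advisory does not reproduce uptmagnt-d.c). It assumes the bug
class the crash analysis points at: the argument of a "chk4" command is
formatted into a fixed-size stack buffer with sprintf, which has no way of
knowing the buffer's size. Beside that shape it shows the bounded version a
maintainer would ship, which checks the argument length up front, uses
snprintf, and treats truncation as an error. The function names, the buffer
sizes, the "checking %s" format string and the line parser are all
assumptions made for the example; the sample inputs are constructed to mirror
the advisory's 500-byte pattern.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHK_BUF 256   /* assumed size of the stack buffer in the handler  */
#define MAX_ARG 128   /* assumed upper bound a checked argument may have  */

/* Vulnerable shape (assumption, not the real uptmagnt-d.c code): sprintf
 * writes as many bytes as the format produces, so an argument longer than
 * the buffer overwrites the rest of the stack frame, including the saved
 * return address that the advisory's PoC clobbers. Only ever call this with
 * short input; it exists here to contrast with the bounded version below. */
int check_for_vulnerable(const char *arg)
{
    char buf[CHK_BUF];
    sprintf(buf, "checking %s", arg);   /* unbounded copy into buf */
    return (int)strlen(buf);
}

/* Hardened shape: reject oversize input before it reaches the buffer, then
 * format with snprintf and refuse to continue if the output was truncated.
 * Returns the formatted length, or -1 when the argument is rejected. */
int check_for_safe(const char *arg, char *out, size_t outlen)
{
    if (arg == NULL || strlen(arg) > MAX_ARG)
        return -1;                       /* too long: refuse up front */
    int n = snprintf(out, outlen, "checking %s", arg);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                       /* would have truncated: refuse */
    return n;
}

/* Parse one line received on the agent socket ("chk4 <arg>\n") and route it
 * through the hardened checker. Returns the formatted length, -1 for a
 * rejected (oversize) argument, -2 for a line that is not a chk4 command. */
int handle_line(const char *line, char *out, size_t outlen)
{
    static const char prefix[] = "chk4 ";
    size_t plen = sizeof(prefix) - 1;
    if (line == NULL || strncmp(line, prefix, plen) != 0)
        return -2;

    /* Copy at most MAX_ARG bytes of the argument into a bounded local
     * buffer, stopping at the end of the line. */
    char arg[MAX_ARG + 1];
    size_t i = 0;
    const char *p = line + plen;
    while (*p != '\0' && *p != '\n' && i < MAX_ARG)
        arg[i++] = *p++;
    arg[i] = '\0';
    if (*p != '\0' && *p != '\n')
        return -1;                       /* argument did not fit: reject */
    return check_for_safe(arg, out, outlen);
}

/* Run one line through handle_line with a scratch output buffer. */
int probe_line(const char *line)
{
    char out[CHK_BUF];
    return handle_line(line, out, sizeof out);
}

/* Build "chk4 " + n copies of 'A' + "\n" (constructed input shaped like the
 * advisory's PoC) and return handle_line's verdict for it. */
int probe_arg_length(size_t n)
{
    char *line = malloc(5 + n + 2);
    if (line == NULL)
        return -3;
    memcpy(line, "chk4 ", 5);
    memset(line + 5, 'A', n);
    line[5 + n] = '\n';
    line[6 + n] = '\0';
    int r = probe_line(line);
    free(line);
    return r;
}

int main(void)
{
    printf("chk4 sshd   -> %d\n", probe_line("chk4 sshd\n"));   /* 13  */
    printf("chk4 A*10   -> %d\n", probe_arg_length(10));        /* 19  */
    printf("chk4 A*500  -> %d\n", probe_arg_length(500));       /* -1  */
    printf("ping        -> %d\n", probe_line("ping\n"));        /* -2  */
    return 0;
}
```

The length check in `handle_line` is also the property a network filter in
front of the agent would enforce: a "chk4" command whose argument is longer
than any legitimate check name is worth logging and dropping regardless of
whether the daemon has been patched.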

This vulnerability has been successfully exploited on Debian 7 running kernel
3.2.0. This is achieved using a ret2libc ROP chain to syscall execve with the
argument "/bin/nc -lp4444 -e/bin/bash", creating a bind shell on the
vulnerable host. ASLR is being subverted by bruteforcing the libc offset. The
exploit code can be found at:
http://www.security-assessment.com/files/documents/advisory/UptimeAgent_5.0.1_execve_brute.py

+------------+
| Workaround |
+------------+
As no official solution has been presented, firewall or disable the
vulnerable agent.

+------+
|Credit|
+------+
Discovered and reported to Uptime Software in August 2013 by Denis
Andzakovic of Security-Assessment.com

+-------------------+
|Disclosure Timeline|
+-------------------+
03/09/2013: Vendor contacted with advisory.
13/09/2013: Vendor replied advising the document has been passed over to the
head of development. Vendor advised "As a policy to protect our customers, we
do not discuss any vulnerabilities with outside companies."
28/11/2013: Advisory release.

+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Security-Assessment.com
services organisations across New Zealand, Australia,
Asia Pacific, the United States and the United
Kingdom.

Security-Assessment.com is currently looking for skilled penetration
testers. If you are interested, please email 'hr at security-assessment.com'



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
