Full Disclosure mailing list archives
Uptime Agent 5.0.1 Stack Overflow Vulnerability
From: Denis Andzakovic <denis.andzakovic () security-assessment com>
Date: Thu, 28 Nov 2013 11:02:57 +1300
Uptime Agent 5.0.1 Stack Overflow Vulnerability

Affected versions: Uptime Agent 5.0.1 (i386)
PDF: http://www.security-assessment.com/files/documents/advisory/Up.Time%20Agent%205.0.1%20Stack%20Overflow.pdf

+-----------+
|Description|
+-----------+

A remote stack overflow vulnerability has been discovered in the Uptime Agent software version 5.0.1, the current release of the Uptime Agent for Debian-based systems. The stack overflow, which can lead to remote code execution, exists in the Uptime Agent daemon when processing the "chk4" command. The overflow occurs in the child process that the Uptime daemon spawns for every new connection.

+------------+
|Exploitation|
+------------+

The following proof of concept can be used to trigger the stack overflow and overwrite EIP:

$ perl -e 'print "chk4 " . "A"x500 . "\n";' | nc <serverip> <port>

Crash analysis indicates that the vulnerability is caused by the sprintf call within the checkFor function of uptmagnt-d.c.

This vulnerability has been successfully exploited on Debian 7 running kernel 3.2.0, using a ret2libc ROP chain to invoke the execve syscall with the argument "/bin/nc -lp4444 -e/bin/bash", creating a bind shell on the vulnerable host. ASLR is subverted by brute-forcing the libc offset.

The exploit code can be found at:
http://www.security-assessment.com/files/documents/advisory/UptimeAgent_5.0.1_execve_brute.py

+------------+
| Workaround |
+------------+

As no official solution has been presented, firewall or disable the vulnerable agent.
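As an added example (not code from the advisory or from the Uptime Agent source), the following is a hypothetical hardened reconstruction of a "chk4" command handler in C: the argument is length-checked and formatted with a bounded snprintf instead of an unbounded sprintf, so the 500-byte proof-of-concept line above is rejected instead of overrunning a stack buffer. The function names (check_for, poc_line_result, benign_line_ok), the limits CHK4_ARG_MAX and REPLY_MAX, and the reply format are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits (not from the Uptime Agent source): the longest accepted
 * "chk4" argument and the size of the reply buffer. */
#define CHK4_ARG_MAX 64
#define REPLY_MAX    128

/* Hardened handler for a "chk4 <name>\n" line. Returns 0 and writes the reply
 * into out (size out_sz); returns -1 on bad prefix, bad argument or no room. */
int check_for(const char *line, char *out, size_t out_sz)
{
    static const char prefix[] = "chk4 ";
    const size_t plen = sizeof prefix - 1;
    if (line == NULL || out == NULL || out_sz == 0) return -1;
    if (strncmp(line, prefix, plen) != 0) return -1;
    const char *arg = line + plen;
    size_t len = strcspn(arg, "\r\n");               /* argument ends at EOL */
    if (len == 0 || len > CHK4_ARG_MAX) return -1;   /* the PoC sends 500 bytes */
    for (size_t i = 0; i < len; i++) {               /* conservative charset */
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.') return -1;
    }
    /* snprintf never writes past out_sz; its return value exposes truncation,
     * which is treated as an error rather than silently accepted. */
    int n = snprintf(out, out_sz, "checking for %.*s", (int)len, arg);
    if (n < 0 || (size_t)n >= out_sz) return -1;
    return 0;
}

/* Constructs the advisory's proof-of-concept line ("chk4 " + 500 'A's + "\n")
 * in memory and returns the handler's verdict (-1 means rejected). */
int poc_line_result(void)
{
    char line[5 + 500 + 2], reply[REPLY_MAX];
    memcpy(line, "chk4 ", 5);
    memset(line + 5, 'A', 500);
    memcpy(line + 505, "\n", 2);                     /* newline + terminator */
    return check_for(line, reply, sizeof reply);
}

/* Returns 1 when a well-formed command produces the expected reply. */
int benign_line_ok(void)
{
    char reply[REPLY_MAX];
    return check_for("chk4 sshd\n", reply, sizeof reply) == 0 &&
           strcmp(reply, "checking for sshd") == 0;
}
```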
+------+
|Credit|
+------+

Discovered and reported to Uptime Software in August 2013 by Denis Andzakovic of Security-Assessment.com

+-------------------+
|Disclosure Timeline|
+-------------------+

03/09/2013: Vendor contacted with advisory.
13/09/2013: Vendor replied advising the document has been passed over to the head of development. Vendor advised "As a policy to protect our customers, we do not discuss any vulnerabilities with outside companies."
28/11/2013: Advisory release.

+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+

Security-Assessment.com is a New Zealand based world leader in web application testing, network security and penetration testing. Security-Assessment.com services organisations across New Zealand, Australia, Asia Pacific, the United States and the United Kingdom.

Security-Assessment.com is currently looking for skilled penetration testers. If you are interested, please email 'hr at security-assessment.com'