------------------------------------------------------------------------
DynaWeb httpd Format String and AnswerBook 2
Unauthenticated Admin Script Execution Vulnerabilities
Release Date: August 1, 2002
Application: Solaris ab2 1.4.2 / dwhttpd 4.1a6
with patch 110011-02 (and before)
Severity: Remote unprivileged execution of arbitrary code
Author: ghandi <[EMAIL PROTECTED]>
Vendor Status: Vendor patches available for format string bug
Fix: Apply vendor-supplied patch, delete some scripts
0. Table of Contents
1. Description
2. Vulnerable Releases
3. Details
4. Fix
5. Timeline
6. Exploitability
1. Description
Sun's AnswerBook 2 utilizes a third-party web server daemon (dwhttpd)
that suffers from a format string vulnerability. The vulnerability
can be exploited to cause the web server process to execute arbitrary
code. The web server runs as user and group 'daemon' who, under
recent installations of Solaris, owns no critical files. Typically,
daemon only owns all files pertaining to the AnswerBook 2
installation. This effectively limits the severity of the
vulnerability to a remote unprivileged shell.
In addition, not all AnswerBook Admin scripts require authentication,
allowing the attacker to perform administrative functions without an
account. Among other things, it is possible to add a new admin user
or view the server's error log.
The combination of these two vulerabilities allows for a remote
exploit that can determine the exact location of its payload,
requiring no guessing of return addresses or NOP padding.
2. Vulnerable Releases
I tested the releases of AnswerBook2 available on the Solaris 2.6, 7,
and 8 media kits, as well as versions 1.4, 1.4.1, and 1.4.2 available
on Sun's web site (http://www.sun.com/software/ab2). The presence of
the vulnerabilities are summarized in the table below. The dwhttpd
version number is stated in the HTTP response Server header. The
AnswerBook2 version is from http://host:8888/ab2/@VersionInfo.
---------------------------------------------------------------------
| dwhttpd version | AnswerBook2 version | format? | admin scripts? |
---------------------------------------------------------------------
| dwhttpd/3.1a4 | 1.1.1 | no | no |
| dwhttpd/4.0.2a7a | 1.2 | yes | yes |
| dwhttpd/4.1a6 | 1.4.2 | yes | yes |
| dwhttpd/4.1a6 | 1.4.2 w/ 110011-02 | yes | yes |
--------------------------------------------------------------------
The following command will verify the vulnerability of the locally
running ab2 server (requires perl and netcat):
% perl -e 'print"GET /";print"%x"x20;print" HTTP/1.0\r\n\r\n\r\n"' | \
nc localhost 8888
If a long string of hexadecimal digits appears in the error log, the
server is vulnerable to the format string attack.
3. Details
3.1. Format String Vulnerability
User-supplied input from a GET request is used in a format string in a
call to vsprintf(3s). When the file isn't found by the send_file()
function, an error is logged to the ab2 log files. As the file name
of the requested file is printed to the error log, vsprintf() is
called with the unchecked filename. Sending a long string of "%n"
formats as the filename in the GET request causes the webserver to die
with a segmentation fault in vsprintf(3s).
If a long string of "%x" formats are used as the filename, values from
the stack are printed out to the error log:
http-8888 [23/Sep/2000:13:09:37 -0700] warning: send-file reports: The
requested object "/usr/lib/ab2/data/docs/0fea19f580073656e642d66696c6520
7265706f7274733a2054686520726571756573746564206f626a65637420222f7573722f6
c69622f6162322f646174612f646f63732f" could not be opened!
3.2. Unauthorized Script Execution
In DynaWeb requests, the string following the @ refers to a dwScript
that generates the output. In most cases, these will be things like
Ab2Admin, Ab2TocView, etc. But, browsing through the .template files
in /usr/lib/ab2/dweb/data/config, we find several other interesting
scripts that we can call. In particular, in ab2_admin.template, we
find AdminViewError particularly interesting for our present purposes.
For example, the following URL will display the error log of the local
AnswerBook2 server:
http://localhost:8888/ab2/@AdminViewError
There are many more (possibly more useful) scripts that we can abuse,
including AdminAddadmin (add user 'foo' with password 'bar'):
http://localhost:8888/ab2/@AdminAddadmin?uid=foo&password=bar&re_password=bar
4. Fix
The patches were released (without a Sun Security Alert or Security
Bulletin) on January 31, 2001 and are available on
http://sunsolve.sun.com:
110538-01 AnswerBook 1.4.3_x86: HTTP GET overflow allows code execution
110537-01 AnswerBook 1.4.2_x86: HTTP GET overflow allows code execution
110532-01 AnswerBook 1.4.3: HTTP GET overflow allows code execution
110531-01 AnswerBook 1.4.2: HTTP GET overflow allows code execution
The patches have also made their way into the recommended patch clusters.
The script execution vulnerability is yet to be resolved. This can be
mitigated by removing the vulnerable scripts.
The AnswerBook2 web server has been End-of-Lifed and is no longer
included with Solaris releases (as of Solaris 9).
5. Timeline
09/25/2000 - [EMAIL PROTECTED] notified about format string attack
11/07/2000 - T-patches released for format string vulnerability
01/31/2001 - Patches for format string bug released to SunSolve
03/14/2001 - Sun notified about script execution vulnerabilities
... - Format string patches worked into recommended patch clusters
08/01/2002 - Advisory released to BUGTRAQ
6. Exploitability
Because input is already bounds checked, a simple buffer overflow is
not possible. But because of the interpretation of the format string,
the string can be "inflated" by the format string interpretation to
overflow internal buffers. A large field width is used to "inflate"
the attack string, overflowing the destination argument of vsprintf(),
placing code on the stack.
Using a carefully crafted request string, it is possible to exploit
the format string bug to print a pointer to the stack into the error
log. From this value, we can calculate the exact address where our
shellcode will be on the stack. In addition, we are able to bypass
authentication and executing scripts directly. This will allow us to
retrieve the error log and parse our stack pointer from it.
Because the overflow happens after the HTTP request is parsed, there
can be no space (0x20) or '?' (0x3f) characters in the shellcode,
frame pointer or return address. Devising shellcode encoded without
these bytes is relatively simple and space bytes in the frame pointer
or return address (quite common under some Solaris revisions) can be
encoded by creative use of the format string interpretation.
----------------------------------------------------------------------
--
ghandi / [EMAIL PROTECTED] / www.dopesquad.net
"Bein' Crazy is the least of my worries." - Jack Kerouac
C439 2B06 D8D2 A2D8 1ABB 0A55 A61D 9057 63F5 9B1F
