NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2002-12

From: dong-h0un U (xploit_at_hackermail.com)
Date: Tue Dec 10 2002 - 01:57:23 CST

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

        ========================================
        INetCop Security Advisory #2002-0x82-009
        ========================================

* Title: Remote multiple vulnerability in apt-www-proxy.

0x01. Description

__
bash$ lynx -dump http://ironsides.terrabox.com/~ahzz/apt-www-proxy/

apt-www-proxy

   apt-www-proxy is a proxy server designed specificly for apt-get
   http:// repositories. It gathers files that clients request, and then
   simultaneously retrieves, streams to client, and to local disk archive
   based on a set of archive mappings a lot like apt-proxy does. I
   decided to write this due to the unstable nature of apt-proxy. IMHO
   this is due to it being written in shell script. It's a good design,
   just was never implemented in the right kind of language.

[1]apt-www-proxy 0.1 - accepts clients and automaticly says "not
found". nifty eh? 8-P

And of course, who would be without the [2]latest snapshot!

Back to my [3]homepage!

References

   1. http://ironsides.terrabox.com/~ahzz/apt-www-proxy/apt-www-proxy-0.1.tar.gz
   2. http://ironsides.terrabox.com/~ahzz/apt-www-proxy/latest-AWP.tar.bz2
   3. http://ironsides.terrabox.com/~ahzz/index.html
bash$

--
OK, Let's analyze.
Examine syslog() function first.
There is awp_log() function to 173 lines of 'src/utils.c' code.
    __
   173  void awp_log(int level, const char *message)
        ...
   222    if((level < LOG_DEBUG) || (1 ==  logit))
   224        /* log that information */
   227            syslog(level, message); // Here.
        ...
    --
It's very bad state.
awp_log() function is used as follows.
Format string bug happens by setting file error log.
Let's find awp_log() function in 'apt-www-proxy.c' code.
    __
    47    awp_log(LOG_DATA, errlog);
    78    awp_log(LOG_DATA, errlog);
    93    awp_log(LOG_DATA, errlog);
   130                awp_log(LOG_DATA, errlog);
   146                awp_log(LOG_DATA, errlog);
   157            awp_log(LOG_GEN, errlog);
   287    awp_log(LOG_NOTICE, errlog);
   500        awp_log(LOG_NOTICE,errlog);
   510        awp_log(LOG_CRIT, errlog);
   527            awp_log(LOG_ERR, errlog);
   538    awp_log(LOG_INFO, errlog);
   546        awp_log(LOG_NOTICE, errlog);
   554        awp_log(LOG_NOTICE, errlog);
   560        awp_log(LOG_NOTICE, errlog);
   572        awp_log(LOG_NOTICE, errlog);
    --
Second, examine remote DoS vulnerability.
We read 'utils.c' code again.
    __
   260  int parse_get(struct client * client)
        ...
   268    /* now match against the archives */
   269    if(!strncmp("http://", client->get, 7)) // Here.
   270      {
   271        /* AHHA! It's a full URL. */
    --
If 'client->get' value is NULL, strncmp() function segfault happens crash.
Program function execution structure is as following.
----------------------------------------------------------------------
main()->main_loop()->process_cli()->parse_get()->strncmp()->'segfault'
----------------------------------------------------------------------
0x02. Vulnerable Packages
Vendor site: http://ironsides.terrabox.com/~ahzz/apt-www-proxy/
apt-www-proxy 0.1
-apt-www-proxy-0.1.tar.gz
+Linux
0x03. Exploit
Try simple test.
* Test -
First, execute apt-www-proxy daemon.
Do debug in other shell thereafter.
#1) Test attacker:
bash$ (printf "\r\n";cat)|nc 0 6543
#2) Debugging:
Program received signal SIGSEGV, Segmentation fault.
strncmp (s1=0x804b730 "http://", s2=0x0, n=7)
    at ../sysdeps/generic/strncmp.c:43
43      ../sysdeps/generic/strncmp.c: No such file or directory.
(gdb) bt
#0  strncmp (s1=0x804b730 "http://", s2=0x0, n=7)
    at ../sysdeps/generic/strncmp.c:43
#1  0x804a9f3 in parse_get (client=0x80516c8) at utils.c:269
#2  0x804a176 in process_cli (reads={__fds_bits = {64, 0 <repeats 31 times>}},
    writes={__fds_bits = {64, 0 <repeats 31 times>}}) at lists.c:270
#3  0x8049750 in main_loop (s=5) at apt-www-proxy.c:408
#4  0x8049b56 in main (argc=3, argv=0xbffffbe4,
    arge=0xbffffbf4 ...) at apt-www-proxy.c:578
(gdb)
You can kill daemon through this.
Do you want exploit code? Very regrettable. :-(
We don't want to compose DoS code.
0x04. Patch
=== utils.patch ===
--- utils.c	Mon Oct 22 15:20:29 2001
+++ utils.patch.c	Sat Nov 30 02:26:35 2002
 -224,11 +224,11 
       /* log that information */
       if(background)
 	{
-	  syslog(level, message);
+	  syslog(level, "%s", message);
 	}
       else
 	{
-	  fprintf(stderr, message);
+	  fprintf(stderr, "%s", message);
 	}
     }
 }
 -265,6 +265,10 
   struct urlmask *curu = urls;
   int found = 0;
 
+  if(client->get==NULL)
+  {
+      return(0);
+  }
   /* now match against the archives */
   if(!strncmp("http://", client->get, 7))
     {
=== eof ===
P.S: Sorry, for my poor english.
--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
MSN & E-mail: szoahc(at)hotmail(dot)com,
              xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org (Korean hacking game)
             My World: http://x82.i21c.net
GPG public key: http://wizard.underattack.co.kr/~x82/h0me/pr0file/x82.k3y
--
-- 
_______________________________________________
Get your free email from http://www.hackermail.com
Powered by Outblaze

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]