Archive for the ‘Vulnerability Analysis’ Category

YOPS Webserver Stack Buffer Overflow   1 comment

  • Post Info:
    1. # Author: Flavio do Carmo Junior aka waKKu
      # URL: Author’s Webpage
      # Date: February 16, 2011
      # Category: Exploiting, Programming, Security, Vulnerability Analysis

    Welcome back, goodfella ;)

    This is another post in “Vulnerability Analysis” category, but at this time, this is one of our (DcLabs) 0-days.

    1. Introduction
    YOPS is a really simple webserver we’ve found an Arbitrary (Remote) Code Execution and released an advisory and exploit last year.

    2. Triggering the bug
    One of DcLabs members, ipax, using a fuzzer noticed that when sending a big buffer and using the “HEAD” HTTP Method the software crashed with a segfault signal.

    He then asked me to take a look and, some time later, here we are ;). Ok, first thing to do is download a copy of the software and (God bless open source) compile it with debugging symbols, then running our “trigger” again, we were able to identify the crash:

    # --- gdb output ---
    MANAGER: 1 jobs in ACCEPTOR->PARSER queue
    errorer #1 has job (status = 400) (.errors/400.html)
    
    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 1208023360 (LWP 14222)]
    logger_th (arg=Cannot access memory at address 0xa30300c
    ) at main.c:383
    383                     printf("logger #%d: '%s' LOGGED [%d]\n", id, job->hdr.request_line, job->status);
    # --- gdb output ---
    

    The flaw happened at function logger_th(), something overwrote its argument address, as seen in (logger_th (arg=Cannot access memory at address 0xa30300c)) gdb message.

    3. Hunting down a vulnerability
    Read the rest of this entry »

    Advertisements

    Posted March 24, 2011 by waKKu in Exploiting, Security, Vulnerability Analysis

    CVE: 2009-0692 – ISC-dhclient stack overflow   Leave a comment

  • Post Info:
    1. # Author: Flavio do Carmo Junior aka waKKu
      # URL: Author’s Webpage
      # Date: February 06, 2011
      # Category: Exploiting, Programming, Security, Vulnerability Analysis

    Wassup fellas…

    During H2HC 6th Edition (2009) I went through the COSEINC Linux Exploitation training, taught by Rodrigo Rubira Branco a.k.a. BSDaemon. On the last day Rodrigo launched a “challenge” that could give us an “especial” certificate.
    It was November/2009 and the month’s headline vulnerability was a classic stack overflow in “netmask” field of isc-dhclient.

    I’ll try to disclose all details in the path until the flaw, the flaw itself and at last: my exploit ;).

    So, before start posting a lot of dhclient’s source code here, I’ll try to explain the process within DHCP protocol:
    1– The client (in our case dhclient process) sends a broadcast packet: DHCPDISCOVER
    2– DHCP server answers with a DHCPOFFER packet offering an IP address, netmask, lease-time and other configs
    3– So the client sends a DHCPREQUEST for that offered IP, notifying an acceptance for that configuration
    4– DHCP server then sends a DHCPACK packet, meaning “configuration saved” and finishing the process.

    A– The client now calculates, based on that lease-time previously provided by server, and schedule to send a new DHCPREQUEST packet (also known as Renewing Process) before lease’s expiration time, notifying the server that the client still holds this IP and avoiding the server to deliver it to another client.
    B– Again DHCP server sends a DHCPACK packet to confirm.
    If DHCP server configuration has changed between step 2 and B (e.g.: dns servers, new domain, router, whatever…), the server should attach these new options to DHCPACK packet.

    If we pay attention in this process we realize a “gap” to consider: Until step 4 the client HAS NO IP address! It leaves us with 2 attacking vectors:
    1) Break-in the first 4 steps and utilize a non-network shellcode;
    2) Break-in between step 4 and B and to depend on client’s renew interval.
    I was using an academic setup and had control of both (client and server machines), so decided to go with option 2 and manipulate server’s lease-time.

    After all this intro we still need to understand the flaw, let’s take a look at DHCP’s internal structures:
    Read the rest of this entry »

    Posted February 6, 2011 by waKKu in Exploiting, Programming, Security, Vulnerability Analysis