Remote Root Hole in FreeBSD Ports

Dec 26, 2001 (SECURITYVULNS:DOC:2305)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++

    ALERT! ALERT! MULTIPLATFORM REMOTE ROOT! ALERT! ALERT! 

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

#include "/var/spool/mail/… /hithere.h"

"For a list of all the ways technology has failed to improve the

quality of life, please press three."

– Alice Kahn

GOBBLES get criticized for he disclosure policy. Without he disclosure

policy, you systems still be vulnerable. Is this really what you want

from GOBBLES?

PRODUCT


Program:

Perdition 0.1.8 (libvanessa_logger 0.0.1)

FreeBSD port:

/usr/ports/mail/perdition

/usr/ports/devel/libvanessa_logger

Author WWW:

http://perdition.sourceforge.net/

BACKGROUND


The turkey has struck again, hehehe!

In GOBBLES mission to make FreeBSD system more secure he audits

many ports. Many vulnerabilities has been found so far and there

will be even more.

This day GOBBLES was searching the mail directory for vulnerable

programs. Perdition, one of the most widely deployed distributed

POP3 / IMAPS daemons out there seemed to be good target.

GOBBLES do 500 sit-up every morning to keep in perfect physical shape so

that exercise like copy/paste from vendor website is piece of pie:

                             Perdition

                               -----
Perdition: Mail Retrieval Proxy

What is perdition?

Perdition allows users to connect to a content-free POP3 or IMAP4

server that will redirect them to their real POP3 or IMAP4 server.

This enables mail retrieval for a domain to be split across multiple

backend servers on a per user basis. This can also be used as a

POP3 or IMAP4 proxy, especially in firewall applications. Perdition

supports arbitrary library based map access to determine the server

for a user. POSIX Regular Expression, GDBM, MySQL and PostgreSQL

libraries ship with the distribution. The use of perdition to scale

mail services beyond a single box is discussed in a paper I wrote on

high capacity email.

                               -----

Poetry

perdition

I lately lost a preposition;

It hid, I thought, beneath my chair

And angrily I cried, "Perdition!

Up from out of under there."

Correctness is my vade mecum,

And straggling phrases I abhor,

And yet I wondered, "What should he come

Up from out of under for?"

Morris Bishop

contributed by Kfish

                               -----

PROBLEM


-r-xr-xr-x 1 GOBBLESroot wheel 55792 Dec 18 05:53 /usr/local/sbin/perdition

Hehehe, not setuid root (not even setgid kmem, …).

But again, that doesn't stop GOBBLES :)

$ grep perdition /etc/inetd.conf

grep: /etc/inetd.conf: Permission denied

$ su root

su: unknown login: root

$ su GOBBLESroot

Password:

Sorry

$ su - GOBBLESroot

Password:

grep perdition /etc/inetd.conf

pop3 stream tcp nowait GOBBLESroot /usr/local/sbin/perdition perdition -i

kill -9 $$

Killed

$

Apparently program is run as root - that's a good start!

After doing some source auditing GOBBLES found a couple vulnerabilities.

There exists a format string vulnerability in libvanessa_logger library

used by program perdition which allow remote penetrator to takeover admin's

server and he emails :(

$ id

uid=1001(GOBBLES) gid=1001(GOBBLES) groups=1001(GOBBLES)

$ # just making sure we are unprivileged user!

$

$ telnet 0 110

Trying 0.0.0.0…

Connected to 0.

Escape character is '^]'.

+OK POP3 Ready freegobbles.bugtraq.org

USER GOBBLES_IS_TAKING_A_WALK_ON_HE_STACK->%p-%p-%p

+OK USER GOBBLES_IS_TAKING_A_WALK_ON_HE_STACK->%p-%p-%p set

PASS HEHEHE!

In systemlogs logged by program syslogd, GOBBLES notices:

Dec 18 06:23:36 freegobbles perdition[42804]: Connect: user="GOBBLES_IS_TAKING_A_WALK_ON_HE_STACK->0x8053140-0xbfbffb78-0x2807cc6c" server="(null)" port="110"

While playing around a bit stupid program perdition suddenly dies :-(

Dec 18 16:24:53 freegobbles perdition[42898]: Exiting on signal 11

GOBBLES Labs find it to be very difficult bug to exploit but then GOBBLES

member Simon came up with clever thing and 8 hours later our team got a

bash# from it hehehe.

GOBBLES won't release an exploit this time because perdition appear

to be widely used (music&spam site mp3.com use perdition program)

and there are plenty of rpms, debs etc with indirect vulnerable

perdition program out there.

In era of information warfare, releasing such an exploit could be

devastating to Internet community. Hence, GOBBLES sat on his turkey hand

and decide to hold off before he release penetrator's tool which can

bring down much of Internet.

GOBBLES also know certain blackhat use mp3.com payback-for-playback

service and list they band URL in exploit to make the big dollar off

tricking securityfocus.com readers, and GOBBLES do not want to aide any

unlawful entry into mp3.com and make look like more mp3 downloaded than

really are to make more the big dollar, fraud is bad.

VENDOR NOTIFICATION STATUS


In attempt to be responsible E-Citizen, GOBBLES sent advisory to

BUGTRAQ security repository. However, if BUGTRAQ moderator decide to

censor this valuable alert they endanger the safety of Internet community.

All advisory always available at website www.bugtraq.org, do not confuse

bugtraq.org with securityfocus.com, they many different.

GOBBLES Labs request BUGTRAQ moderator think twice before denying this

message, because he may be at fault for a revolution in the Internet

security communities.

Security Focus CEO once said

  • "Full Disclosure is a necessary evil."

(…but still GOBBLES has he rights to remain silent!)

Thanks to all the security moderators who support our effort to make

Internet a safer place for the boys and girls (and turkeys!) of tomorrow.

TECHNICAL DETAILS


Once again, GOBBLES uses he great cut'n'paste skills to paste the following

piece of information from libvanessa_logger/vanessa_logger.c !!

/**********************************************************************
 * vanessa_logger.c                                        September 2000
 * Horms                                             [email protected]
 *
 * vanessa_logger
 * Generic logging layer
 *
 * Copyright (C) 2000  Horms

...

/**********************************************************************
 * __vanessa_logger_log
 * Internal function to log a message
 * pre: vl: logger to use
 *      priority: priority to log with
 *                Only used if log type is __vanessa_logger_syslog
 *                Ignored otherwise
 *      fmt: format for log message
 *      ap: varargs for format
 * post: message is logged to appropriate logger
 *       vl->ident[pid]: will be prepended to each log
 *       '\n' will be appended to each log that doesn't already end with
 *       a '\n'
 *       Nothing on error
 * return: none
 **********************************************************************/

/* File-handle path: buffer receives ident, pid and the UNEXPANDED fmt,
 * and vfprintf() then applies the caller's ap to it. Caller data never
 * becomes part of the format here. */
#define __VANESSA_LOGGER_DO_FH(_vl, _fmt, _fh, _ap) \
  { \
  int len; \
  if(snprintf( \
    _vl->buffer, \
    _vl->buffer_len-1, \
      "%s[%d]: %s",  \
    _vl->ident,  \
    getpid(),  \
    _fmt \
  )<0){ \
    fprintf(_fh, "__vanessa_logger_log: snprintf: output truncated\n"); \
    return; \
    } \
  len=strlen(_vl->buffer); \
  if(*((_vl->buffer)+len-1)!='\n'){ \
    *((_vl->buffer)+len)='\n'; \
    *((_vl->buffer)+len+1)='\0'; \
    } \
  vfprintf(_fh, _vl->buffer, _ap); \
}

static void __vanessa_logger_log(
  __vanessa_logger_t *vl,
  int priority,
  char *fmt,
  va_list ap
){
  if(vl==NULL||vl->ready==__vanessa_logger_false||priority>vl->max_priority){
    return;
  }

  switch(vl->type){
    case __vanessa_logger_filehandle:
      __VANESSA_LOGGER_DO_FH(vl, fmt, vl->data.d_filehandle, ap);
      break;
    case __vanessa_logger_filename:
      __VANESSA_LOGGER_DO_FH(vl, fmt, vl->data.d_filename->filehandle, ap);
      break;
    case __vanessa_logger_syslog:
      /* Syslog path: fmt and ap are expanded here, so the caller's data
       * (e.g. the POP3 USER name) is now sitting inside vl->buffer ... */
      if(vsnprintf(vl->buffer, vl->buffer_len, fmt, ap)<0){
        syslog(priority, "__vanessa_logger_log: vsnprintf: output truncated");
        return;
      }
      /* ... and vl->buffer is then handed to syslog() as the format
       * string, so any %-directives in that data are parsed again. */
      syslog(priority, vl->buffer);
      break;
    case __vanessa_logger_none:
      break;
  }
}

Sharp reader see bad syslog() usage behavior (like hitting heself with hammer

while being drunk, hehehe).

  syslog(priority, vl->buffer);

WORKAROUND


GOBBLES suggest concerned admin uninstall perdition and install

more secure pop3 daemon instead, like maybe Microsoft product.

As a temporary fix GOBBLES modified libvanessa_logger/vanessa_logger.c:

-  syslog(priority, vl->buffer);
+  syslog(priority, "%s", vl->buffer);
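The double expansion in the syslog case above, and the one-line fix, as an added example (not libvanessa_logger or perdition code). A capturing stand-in replaces syslog(3) so the result can be inspected; vuln_log() mirrors the vulnerable shape (expand fmt and arguments into a buffer, then pass the buffer as the format), safe_log() mirrors the "%s" fix, and directives_reaching_syslog() counts how many conversions the real syslog() would have parsed for a probe like the advisory's USER line, without actually executing them. The function names, the fake sink and the sample format string are this example's own assumptions:

```c
/* Added example: the syslog-path bug in __vanessa_logger_log, modelled
 * with a capturing stand-in for syslog(3). Not libvanessa_logger or
 * perdition code; names and the sample log format are assumptions. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 1024

static char captured[LOGBUF];   /* what the "syslog" sink produced */

/* Stand-in for syslog(3): formats whatever it is handed, exactly like
 * the real thing, but writes the result to `captured`, not /dev/log. */
static void fake_syslog(int priority, const char *fmt, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, fmt);
    vsnprintf(captured, sizeof captured, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape (vanessa_logger syslog case): fmt+args are expanded
 * into buffer, so the caller's data now sits inside buffer, and buffer
 * is then handed to the sink as its FORMAT. Any '%' that arrived in the
 * data is parsed a second time, with no matching arguments. */
const char *vuln_log(const char *fmt, ...)
{
    char buffer[LOGBUF];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buffer, sizeof buffer, fmt, ap);
    va_end(ap);
    fake_syslog(6, buffer);            /* caller data used as format */
    return captured;
}

/* Fixed shape (the advisory's workaround): a constant "%s" format, with
 * buffer as its argument, so its contents are copied verbatim. */
const char *safe_log(const char *fmt, ...)
{
    char buffer[LOGBUF];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buffer, sizeof buffer, fmt, ap);
    va_end(ap);
    fake_syslog(6, "%s", buffer);
    return captured;
}

/* Number of conversion specifications a printf-family sink would act on
 * in s: every '%' that is not half of a literal "%%". */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;                       /* "%%" is an escaped percent */
            continue;
        }
        n++;
    }
    return n;
}

/* Stage one only: how many directives the vulnerable path would hand to
 * syslog() for these arguments. Measures the %p walk without invoking
 * the undefined behaviour of actually parsing them. */
int directives_reaching_syslog(const char *fmt, ...)
{
    char buffer[LOGBUF];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buffer, sizeof buffer, fmt, ap);
    va_end(ap);
    return count_directives(buffer);
}

int main(void)
{
    /* Constructed input, modelled on the advisory's USER probe. */
    const char *fmt  = "Connect: user=\"%s\" server=\"%s\" port=\"%s\"";
    const char *user = "GOBBLES_IS_TAKING_A_WALK_ON_HE_STACK->%p-%p-%p";

    printf("directives syslog would parse: %d\n",
           directives_reaching_syslog(fmt, user, "(null)", "110"));
    /* Deterministic proof of the double expansion: "%%" collapses to
     * "%" on the vulnerable path only. */
    printf("vulnerable: %s\n", vuln_log("user=\"%s\"", "%%"));
    printf("fixed:      %s\n", safe_log("user=\"%s\"", "%%"));
    printf("fixed:      %s\n", safe_log(fmt, user, "(null)", "110"));
    return 0;
}
```

The "%%" case is the deterministic tell: three %p's reaching the real syslog() would instead pull three stack slots, which is what the advisory's log line shows. The real syslog(3) prototype in FreeBSD libc and glibc carries the printf format attribute, so building vanessa_logger.c with `-Wformat -Wformat-security` flags `syslog(priority, vl->buffer)` as a non-literal format with no arguments; the "%s" fix silences that warning because the format is once again a constant.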
    

GREETS


dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble,

knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org,

blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet,

bugtraq (thanks aleph1 and david ahmad for devoting your time to a great

list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin

bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley,

manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens,

radiohead, george michael, larry wall, beethoven, francis bacon, bruce

willis, bruce schneier, alan turing, john von neumann, donald knuth, michael

abrash, robert sedgewick, richard simmons, government boy, ralph lauren,

kevin mitnick, david koresh, the violent femmes, legions of doom, quentin

tarantino, JUPES, security.nnov.ru, dugsong, wayne gretzky,

hhp-programming.net, so1o, the HaX0R bRoThErS, nasa.gov, alfred hitchcock,

ray bradbury, linux torvalds, alyssa milano, sarah michelle geller, jennifer

lopez, catherine zeta jones, robert de niro, plato, leonardo da vinci,

nostradamus, adam weishaupt, adema, kmfdm, eliphas levi, john dee, goo goo

dolls, savage garden, george bush, john howard, tony blair, ashida kim,

andrew tanenbaum, comp.lang.c, solar designer, patanjali, vayu siddhi,

deepak chopra, ajna chakra, fuzzy bunny, lockdown, bronc buster,

attrition.org, cliff stoll, bill gates, alan cox, george harrison,

berkeley.edu, microsoft.com, isox, american mcgee, princess toadstool, ru

paul, sharon stone, taeho oh, napster, nocarrier, steve wozniak, captian

crunch, tony the tiger, julliette lewis, oliver twist, yakko, wakko, santa

claus, the easter bunny, the christmas tree, hacktech.org, mixter and the

rest of #darknet/2xs, the planet Pluto, pluto the dog, walt disney, the

smurfs, packetstormsecurity.org, chocolate, caramel, marshmallows, rice

crispies, rice crispie treats, cousin WOBBLES, rfp, Alan@packetstorm, george

bush senior, george w. bush, his drunken daughters, gary coleman, fat

albert, rhino9, eEye.com, the djali zwan, digital unix, o'reilly &

associates, hwa-security.net, #malvu/efnet, donkey kong, diddy kong, p

diddy, mr. peanut, all girls who pose naked on webcam for GOBBLES, mr

goldilocks, checkpoint.com, whoever invented deoderant, monkey.org, bono,

micheal stipes, clark kent, bruce banner, ssh.com, hacked.cisco.com, thomas

edison, steven king, P80 Systems, gnutella, colin powell, Joakim von Braun,

#openbsd/efnet, jnathan/efnet, debian.org, mr. ed, scooby doo, spud

mckenzie, sam i am, guy who wrote that bible book, george b. thomas junior,

ross l. finney, maurice d. wier, john bobbit, transmeta.com, linus torvalds,

naked supermodel in magazines, d'arcy gretzky, deep purple, shampoos that

kill head lice, kraft.com, george clooney, jonathon swift, plan9 from outer

space, penelope cruz, chuck norris, mandy moore, christina aguilera, drew

barrymore, bjarne stroustrup, psychic friends network, david letterman,

~el8, jennicide, the mentor, kevin spacey, sho kosugi, michael dudikoff,

HERT, anton lavey, daath, stephen hawking, the illuminati, [email protected],

spinux, efnet@ROUTE, the movie "dirty dancing", darth maul, liz taylor,

barney rubble, pacman, the fantastic four (when they had spiderman and

hulk as members #4 and #5), Narr0w, angrypackets.com, sinbad, jim phillips

(hehe do $ whois hackers.com, hehe), the movie "pink flamingos" –

wonderful performance ricki lake, guy who invent drugs, and all our

friends and family.

GOBBLES Security

[email protected]

http://www.bugtraq.org/