Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [Global InterSec 2002012101] DeleGate Application Proxy - Multiple Vulnerabilities
From: Tom Parker <tom () rooted net>
Date: Tue, 12 Feb 2002 10:38:08 +0000


> These vulnerabilities were publicized several years ago; the
> developers appear to have made some effort to clean up the code, but
> given the condition it was in to begin with it's not really any
> surprise there are many problems remaining.

As stated in the advisory - other vulnerabilities in delegate haven't been
uncommon in the past. However no one seems to of yet stepped out
and outlined the sheer severity and number of them which exist.
Neither has anyone outlined that the work arounds the author introduced
do little or no good toward prevention of the bugs being exploited.

In answer to Kojima Hajime's question:

> And, delegate has execve(2) trap (-Tx). Can you break it?

Yes - A couple of methods spring to mind..
When an processes calling execve() is being ptrace()'d will send a SIGTRAP
which is caught by the signal handlers in delegate and handled accordingly,


forkspawn.c:114: if( sig == SIGTRAP ){
forkspawn.c:115: if( lNOEXEC() )
forkspawn.c:116: ptraceKill(pid);
forkspawn.c:117: else ptraceContinue(pid,0);

If we had control of the parent (which we don't) you could either overwrite
the execve trap by adding another (NULL) signal handler for the event in
your shellcode.

However, If I were to have time to write a proof of concept(c) Id attempt
to execute the execve() after fork()'ing in my shellcode. For example:
if (fork () == 0) { execve-shellcode(); }

You can also use ptrace within your shellcode to deceive the watcher (parent)
process, I haven't had time to investigate this technique with delegate right now,
the original advisory will be updated with additional information on this when
Ive had time to prove it works ;-)

Tom Parker

---------------------------------------------------------------------------- ----------------------
Tom Parker - tom () rooted net
Global Intersec LLC California +1 888 797 3262
---------------------------------------------------------------------------- ----------------------
"Stupidity cannot be cured with money or through
education or by legislation. Stupidity is not a sin,
the victim can't help being stupid. But stupidity
is the only universal capital crime; the sentence
is death there is no appeal and execution is
carried out automatically and without pity."
 -Robert Heinlein
---------------------------------------------------------------------------- ----------------------

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]