NETSYS.COM - The Intelligent Hacker's Choice - http://www.netsys.com/library/alerts/sun-ab2-2002-08-01.txt

------------------------------------------------------------------------

DynaWeb httpd Format String and AnswerBook 2 Unauthenticated Admin Script
Execution Vulnerabilities

Release Date:  August 1, 2002
Application:   Solaris ab2 1.4.2 / dwhttpd 4.1a6 with patch 110011-02 (and before)
Severity:      Remote unprivileged execution of arbitrary code
Author:        ghandi
Vendor Status: Vendor patches available for format string bug
Fix:           Apply vendor-supplied patch, delete some scripts

0. Table of Contents

   1. Description
   2. Vulnerable Releases
   3. Details
   4. Fix
   5. Timeline
   6. Exploitability

1. Description

Sun's AnswerBook 2 utilizes a third-party web server daemon (dwhttpd) that
suffers from a format string vulnerability. The vulnerability can be
exploited to cause the web server process to execute arbitrary code.

The web server runs as user and group 'daemon' who, under recent
installations of Solaris, owns no critical files. Typically, daemon only
owns the files pertaining to the AnswerBook 2 installation. This
effectively limits the severity of the vulnerability to a remote
unprivileged shell.

In addition, not all AnswerBook Admin scripts require authentication,
allowing the attacker to perform administrative functions without an
account. Among other things, it is possible to add a new admin user or
view the server's error log.

The combination of these two vulnerabilities allows for a remote exploit
that can determine the exact location of its payload, requiring no
guessing of return addresses or NOP padding.

2. Vulnerable Releases

I tested the releases of AnswerBook2 available on the Solaris 2.6, 7, and
8 media kits, as well as versions 1.4, 1.4.1, and 1.4.2 available on Sun's
web site (http://www.sun.com/software/ab2).
The presence of the vulnerabilities is summarized in the table below. The
dwhttpd version number is stated in the HTTP response Server header. The
AnswerBook2 version is from http://host:8888/ab2/@VersionInfo.

---------------------------------------------------------------------
| dwhttpd version  | AnswerBook2 version  | format? | admin scripts? |
---------------------------------------------------------------------
| dwhttpd/3.1a4    | 1.1.1                | no      | no             |
| dwhttpd/4.0.2a7a | 1.2                  | yes     | yes            |
| dwhttpd/4.1a6    | 1.4.2                | yes     | yes            |
| dwhttpd/4.1a6    | 1.4.2 w/ 110011-02   | yes     | yes            |
---------------------------------------------------------------------

The following command will verify the vulnerability of the locally running
ab2 server (requires perl and netcat):

  % perl -e 'print"GET /";print"%x"x20;print" HTTP/1.0\r\n\r\n\r\n"' | \
      nc localhost 8888

If a long string of hexadecimal digits appears in the error log, the server
is vulnerable to the format string attack.

3. Details

3.1. Format String Vulnerability

User-supplied input from a GET request is used as the format string in a
call to vsprintf(3s). When the file isn't found by the send_file()
function, an error is logged to the ab2 log files. As the file name of the
requested file is printed to the error log, vsprintf() is called with the
unchecked filename as its format argument.

Sending a long string of "%n" formats as the filename in the GET request
causes the webserver to die with a segmentation fault in vsprintf(3s). If
a long string of "%x" formats is used as the filename, values from the
stack are printed out to the error log:

  http-8888 [23/Sep/2000:13:09:37 -0700] warning: send-file reports: The
  requested object "/usr/lib/ab2/data/docs/0fea19f580073656e642d66696c6520
  7265706f7274733a2054686520726571756573746564206f626a65637420222f7573722f6
  c69622f6162322f646174612f646f63732f" could not be opened!

3.2. Unauthorized Script Execution

In DynaWeb requests, the string following the @ refers to a dwScript that
generates the output.
In most cases, these will be things like Ab2Admin, Ab2TocView, etc. But,
browsing through the .template files in /usr/lib/ab2/dweb/data/config, we
find several other interesting scripts that we can call. In particular, in
ab2_admin.template, we find AdminViewError particularly interesting for
our present purposes. For example, the following URL will display the
error log of the local AnswerBook2 server:

  http://localhost:8888/ab2/@AdminViewError

There are many more (possibly more useful) scripts that we can abuse,
including AdminAddadmin (add user 'foo' with password 'bar'):

  http://localhost:8888/ab2/@AdminAddadmin?uid=foo&password=bar&re_password=bar

4. Fix

The patches were released (without a Sun Security Alert or Security
Bulletin) on January 31, 2001 and are available on http://sunsolve.sun.com:

  110538-01 AnswerBook 1.4.3_x86: HTTP GET overflow allows code execution
  110537-01 AnswerBook 1.4.2_x86: HTTP GET overflow allows code execution
  110532-01 AnswerBook 1.4.3: HTTP GET overflow allows code execution
  110531-01 AnswerBook 1.4.2: HTTP GET overflow allows code execution

The patches have also made their way into the recommended patch clusters.

The script execution vulnerability is yet to be resolved. This can be
mitigated by removing the vulnerable scripts.

The AnswerBook2 web server has been End-of-Lifed and is no longer included
with Solaris releases (as of Solaris 9).

5. Timeline

  09/25/2000 - security-alert@sun.com notified about format string attack
  11/07/2000 - T-patches released for format string vulnerability
  01/31/2001 - Patches for format string bug released to SunSolve
  03/14/2001 - Sun notified about script execution vulnerabilities
  ...        - Format string patches worked into recommended patch clusters
  08/01/2002 - Advisory released to BUGTRAQ

6. Exploitability

Because input is already bounds checked, a simple buffer overflow is not
possible.
But because of the interpretation of the format string, the string can be
"inflated" by the format string interpretation to overflow internal
buffers. A large field width is used to "inflate" the attack string,
overflowing the destination argument of vsprintf() and placing code on the
stack.

Using a carefully crafted request string, it is possible to exploit the
format string bug to print a pointer to the stack into the error log. From
this value, we can calculate the exact address where our shellcode will be
on the stack. In addition, we are able to bypass authentication and
execute scripts directly. This allows us to retrieve the error log and
parse our stack pointer from it.

Because the overflow happens after the HTTP request is parsed, there can
be no space (0x20) or '?' (0x3f) characters in the shellcode, frame
pointer or return address. Devising shellcode encoded without these bytes
is relatively simple, and space bytes in the frame pointer or return
address (quite common under some Solaris revisions) can be encoded by
creative use of the format string interpretation.

----------------------------------------------------------------------
-- ghandi / ghandi@mindless.com / www.dopesquad.net
"Bein' Crazy is the least of my worries." - Jack Kerouac
C439 2B06 D8D2 A2D8 1ABB 0A55 A61D 9057 63F5 9B1F
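An added example, not code from ghandi's advisory or from dwhttpd: the logging pattern from section 3.1 reconstructed in C, with the buggy caller (request path used as the format string) beside the fixed caller (constant format, bounded write), plus a log-review check for the probe shown in section 2. The function names and the message text are assumptions modelled on the quoted log line.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Logger as the advisory describes it: a variadic wrapper over vsprintf().
 * Reconstruction of the bug class only; this is not dwhttpd's source. */
static void ab2_log(char *out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(out, fmt, ap);                 /* unbounded write into out */
    va_end(ap);
}

/* Buggy caller: the requested path is passed AS the format string, so "%x"
 * in the URL dumps stack words into the log, "%n" writes memory, and a wide
 * field width inflates the output past the fixed destination buffer. */
static void report_missing_vulnerable(char *out, const char *path)
{
    ab2_log(out, path);                     /* BUG: user input as format */
}

/* Fixed caller: constant format, the path is only a %s argument, and the
 * write is bounded. Returns -1 when the message would not fit. */
static int report_missing_fixed(char *out, size_t outsz, const char *path)
{
    int n = snprintf(out, outsz, "warning: send-file reports: "
        "The requested object \"%s\" could not be opened!", path);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Log-review heuristic: a '%' followed by an optional field width and a
 * conversion letter is the signature of the section 2 probe and the attack. */
static int path_has_format_specs(const char *path)
{
    const char *p = path;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        while (*p >= '0' && *p <= '9') p++;
        if (*p && strchr("xXdnsp", *p)) return 1;
    }
    return 0;
}
```

path_has_format_specs() is deliberately crude (a URL-encoded "%25" followed by a conversion letter also trips it); tune it against your own access logs before alerting on it.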