++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++
ALERT! ALERT! MULTIPLATFORM REMOTE ROOT! ALERT! ALERT!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

#include "/var/spool/mail/.. /hithere.h"

"For a list of all the ways technology has failed to improve the quality
of life, please press three."
    -- Alice Kahn

GOBBLES get criticized for he disclosure policy. Without he disclosure
policy, you systems still be vulnerable. Is this really what you want from
GOBBLES?

PRODUCT
*******

Program:      Perdition 0.1.8 (libvanessa_logger 0.0.1)
FreeBSD port: /usr/ports/mail/perdition
              /usr/ports/devel/libvanessa_logger
Author WWW:   http://perdition.sourceforge.net/

BACKGROUND
**********

The turkey has struck again, hehehe! In GOBBLES mission to make FreeBSD
system more secure he audits many ports. Many vulnerabilities has been
found so far and there will be even more. This day GOBBLES was searching
the mail directory for vulnerable programs. Perdition, one of the most
widely deployed distributed POP3 / IMAPS daemons out there seemed to be
good target.

GOBBLES do 500 sit-up every morning to keep in perfect physical shape so
that exercise like copy/paste from vendor website is piece of pie:

-----
More Verge Linux
Perdition on Verge
Perdition on Source Forge

Perdition: Mail Retrieval Proxy

What is perdition?

Perdition allows users to connect to a content-free POP3 or IMAP4 server
that will redirect them to their real POP3 or IMAP4 server. This enables
mail retrieval for a domain to be split across multiple backend servers on
a per user basis. This can also be used as a POP3 or IMAP4 proxy,
especially in firewall applications. Perdition supports arbitrary library
based map access to determine the server for a user. POSIX Regular
Expression, GDBM, MySQL and PostgreSQL libraries ship with the
distribution.
The use of perdition to scale mail services beyond a single box is
discussed in a paper I wrote on high capacity email.
-----

Poetry

perdition

I lately lost a preposition;
It hid, I thought, beneath my chair
And angrily I cried, "Perdition!
Up from out of under there."

Correctness is my vade mecum,
And straggling phrases I abhor,
And yet I wondered, "What should he come
Up from out of under for?"

    Morris Bishop
    contributed by Kfish
-----

PROBLEM
*******

-r-xr-xr-x  1 GOBBLESroot  wheel  55792 Dec 18 05:53 /usr/local/sbin/perdition

Hehehe, not setuid root (not even setgid kmem, ..). But again, that doesn't
stop GOBBLES :)

$ grep perdition /etc/inetd.conf
grep: /etc/inetd.conf: Permission denied
$ su root
su: unknown login: root
$ su GOBBLESroot
Password:
Sorry
$ su - GOBBLESroot
Password:
# grep perdition /etc/inetd.conf
pop3    stream  tcp     nowait  GOBBLESroot  /usr/local/sbin/perdition  perdition -i
# kill -9 $$
Killed
$

Apparently program is run as root - that's a good start! After doing some
source auditing GOBBLES found a couple vulnerabilities. There exists a
format string vulnerability in libvanessa_logger library used by program
perdition which allow remote penetrator to takeover admin's server and he
emails :(

$ id
uid=1001(GOBBLES) gid=1001(GOBBLES) groups=1001(GOBBLES)
$ # just making sure we are unpriviledged user!
$
$ telnet 0 110
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
+OK POP3 Ready freegobbles.bugtraq.org
USER GOBBLES_IS_TAKING_A_WALK_ON_HE_STACK->%p-%p-%p
+OK USER GOBBLES_IS_TAKING_A_WALK_ON_HE_STACK->%p-%p-%p set
PASS HEHEHE!
In system logs logged by program syslogd, GOBBLES notices:

Dec 18 06:23:36 freegobbles perdition[42804]: Connect: user="GOBBLES_IS_TAKING_A_WALK_ON_HE_STACK->0x8053140-0xbfbffb78-0x2807cc6c" server="(null)" port="110"

While playing around a bit stupid program perdition suddenly dies :-(

Dec 18 16:24:53 freegobbles perdition[42898]: Exiting on signal 11

GOBBLES Labs find it to be very difficult bug to exploit but then GOBBLES
member Simon came up with clever thing and 8 hours later our team got a
bash# from it hehehe.

GOBBLES won't release an exploit this time because perdition appear to be
widely used (music&spam site mp3.com use perdition program) and there are
plenty of rpms, debs etc with indirect vulnerable perdition program out
there. In era of information warfare, releasing such an exploit could be
devastating to Internet community. Hence, GOBBLES sat on his turkey hand
and decide to hold off before he release penetrator's tool which can bring
down much of Internet.

GOBBLES also know certain blackhat use mp3.com payback-for-playback
service and list they band URL in exploit to make the big dollar off
tricking securityfocus.com readers, and GOBBLES do not want to aid any
unlawful entry into mp3.com and make look like more mp3 downloaded than
really are to make more the big dollar, fraud is bad.

VENDOR NOTIFICATION STATUS
**************************

In attempt to be responsible E-Citizen, GOBBLES sent advisory to BUGTRAQ
security repository. However, if BUGTRAQ moderator decide to censor this
valuable alert they endanger the safety of Internet community. All
advisory always available at website www.bugtraq.org, do not confuse
bugtraq.org with securityfocus.com, they many different. GOBBLES Labs
request BUGTRAQ moderator think twice before denying this message, because
he may be at fault for a revolution in the Internet security communities.

Security Focus CEO once said - "Full Disclosure is a necessary evil."
(..but still GOBBLES has he rights to remain silent!)
Thanks to all the security moderators who support our effort to make
Internet a safer place for the boys and girls (and turkeys!) of tomorrow.

TECHNICAL DETAILS
*****************

Once again, GOBBLES uses he great cut'n'paste skills to paste the
following piece of information from libvanessa_logger/vanessa_logger.c !!

/**********************************************************************
 * vanessa_logger.c                                       September 2000
 * Horms                                             horms@vergenet.net
 *
 * vanessa_logger
 * Generic logging layer
 * Copyright (C) 2000  Horms
...

/**********************************************************************
 * __vanessa_logger_log
 * Internal function to log a message
 * pre: vl: logger to use
 *      priority: priority to log with
 *                Only used if log type is __vanessa_logger_syslog
 *                Ignored otherwise
 *      fmt: format for log message
 *      ap: varargs for format
 * post: message is logged to appropriate logger
 *       vl->ident[pid]: will be prepended to each log
 *       '\n' will be appended to each log that doesn't already end with
 *       a '\n'
 *       Nothing on error
 * return: none
 **********************************************************************/

#define __VANESSA_LOGGER_DO_FH(_vl, _fmt, _fh, _ap) \
{ \
  int len; \
  if(snprintf( \
    _vl->buffer, \
    _vl->buffer_len-1, \
    "%s[%d]: %s", \
    _vl->ident, \
    getpid(), \
    _fmt \
  )<0){ \
    fprintf(_fh, "__vanessa_logger_log: snprintf: output truncated\n"); \
    return; \
  } \
  len=strlen(_vl->buffer); \
  if(*((_vl->buffer)+len-1)!='\n'){ \
    *((_vl->buffer)+len)='\n'; \
    *((_vl->buffer)+len+1)='\0'; \
  } \
  vfprintf(_fh, _vl->buffer, _ap); \
}

static void __vanessa_logger_log(
  __vanessa_logger_t *vl,
  int priority,
  char *fmt,
  va_list ap
){
  if(vl==NULL||vl->ready==__vanessa_logger_false||priority>vl->max_priority){
    return;
  }

  switch(vl->type){
    case __vanessa_logger_filehandle:
      __VANESSA_LOGGER_DO_FH(vl, fmt, vl->data.d_filehandle, ap);
      break;
    case __vanessa_logger_filename:
      __VANESSA_LOGGER_DO_FH(vl, fmt, vl->data.d_filename->filehandle, ap);
      break;
    case __vanessa_logger_syslog:
      if(vsnprintf(vl->buffer, vl->buffer_len, fmt, ap)<0){
        syslog(priority, "__vanessa_logger_log: vsnprintf: output truncated");
        return;
      }
      syslog(priority, vl->buffer);
      break;
    case __vanessa_logger_none:
      break;
  }
}

Sharp reader see bad syslog() usage behavior (like hitting heself with
hammer while being drunk, hehehe). The message has already been expanded
by vsnprintf(), so anything the remote user put in it (like the USER name)
is now inside vl->buffer, and then that buffer is handed to syslog() as
the format string:

      syslog(priority, vl->buffer);

WORKAROUND
**********

GOBBLES suggest concerned admin uninstall perdition and install more
secure pop3 daemon instead, like maybe Microsoft product.

As a temporary fix GOBBLES modified libvanessa_logger.c:

-      syslog(priority, vl->buffer);
+      syslog(priority, "%s", vl->buffer);

GREETS
******

dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson,
kimble, knightmare, emmanuel goldstein, box.sk, @stake, securityfocus,
sans.org, blackhat.com, defcon.org, 2600.com, #phrack@efnet,
#hackphreak@undernet, bugtraq (thanks aleph1 and david ahmad for devoting
your time to a great list), ntbugtraq (russel the love muscle ;D),
cert.org, paul vixie, vesselin bontchev, reese witherspoon, kirsten dunst,
katie holmes, aleister crowley, manly p hall, franz bardon, dennis
ritchie, nietzsche, w. richard stevens, radiohead, george michael, larry
wall, beethoven, francis bacon, bruce willis, bruce schneier, alan turing,
john von neumann, donald knuth, michael abrash, robert sedgewick, richard
simmons, government boy, ralph lauren, kevin mitnick, david koresh, the
violent femmes, legions of doom, quentin tarantino, JUPES,
security.nnov.ru, dugsong, wayne gretzky, hhp-programming.net, so1o, the
HaX0R bRoThErS, nasa.gov, alfred hitchcock, ray bradbury, linux torvalds,
alyssa milano, sarah michelle geller, jennifer lopez, catherine zeta
jones, robert de niro, plato, leonardo da vinci, nostradamus, adam
weishaupt, adema, kmfdm, eliphas levi, john dee, goo goo dolls, savage
garden, george bush, john howard, tony blair, ashida kim, andrew
tanenbaum, comp.lang.c, solar designer, patanjali, vayu siddhi, deepak
chopra, ajna chakra, fuzzy bunny, lockdown, bronc buster, attrition.org,
cliff stoll, bill gates, alan cox, george harrison, berkeley.edu,
microsoft.com, isox, american mcgee, princess toadstool, ru paul, sharon
stone, taeho oh, napster, nocarrier, steve wozniak, captian crunch, tony
the tiger, julliette lewis, oliver twist, yakko, wakko, santa claus, the
easter bunny, the christmas tree, hacktech.org, mixter and the rest of
#darknet/2xs, the planet Pluto, pluto the dog, walt disney, the smurfs,
packetstormsecurity.org, chocolate, caramel, marshmallows, rice crispies,
rice crispie treats, cousin WOBBLES, rfp, Alan@packetstorm, george bush
senior, george w. bush, his drunken daughters, gary coleman, fat albert,
rhino9, eEye.com, the djali zwan, digital unix, o'reilly & associates,
hwa-security.net, #malvu/efnet, donkey kong, diddy kong, p diddy, mr.
peanut, all girls who pose naked on webcam for GOBBLES, mr goldilocks,
checkpoint.com, whoever invented deodorant, monkey.org, bono, micheal
stipes, clark kent, bruce banner, ssh.com, hacked.cisco.com, thomas
edison, steven king, P80 Systems, gnutella, colin powell, Joakim von
Braun, #openbsd/efnet, jnathan/efnet, debian.org, mr. ed, scooby doo, spud
mckenzie, sam i am, guy who wrote that bible book, george b. thomas
junior, ross l. finney, maurice d. wier, john bobbit, transmeta.com, linus
torvalds, naked supermodel in magazines, d'arcy gretzky, deep purple,
shampoos that kill head lice, kraft.com, george clooney, jonathon swift,
plan9 from outer space, penelope cruz, chuck norris, mandy moore,
christina aguilera, drew barrymore, bjarne stroustrup, psychic friends
network, david letterman, ~el8, jennicide, the mentor, kevin spacey, sho
kosugi, michael dudikoff, HERT, anton lavey, daath, stephen hawking, the
illuminati, sml@subterrain.net, spinux, efnet@ROUTE, the movie "dirty
dancing", darth maul, liz taylor, barney rubble, pacman, the fantastic
four (when they had spiderman and hulk as members #4 and #5), Narr0w,
angrypackets.com, sinbad, jim phillips (hehe do $ whois hackers.com,
hehe), the movie "pink flamingos" -- wonderful performance ricki lake, guy
who invent drugs, and all our friends and family.

GOBBLES Security
GOBBLES@hushmail.com
http://www.bugtraq.org/
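The syslog branch from the TECHNICAL DETAILS section, side by side with the one-line WORKAROUND fix, as an added example that is not part of the original advisory or of libvanessa_logger; emit_log() is an assumed stand-in for syslog(3) that captures the line instead of sending it to syslogd, and the USER value is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Added example, not perdition or libvanessa_logger code. It mirrors the
 * syslog branch of __vanessa_logger_log: vsnprintf() into a buffer, then the
 * buffer goes to syslog(). emit_log() stands in for syslog(3), which is itself
 * printf-like, and captures the final line so it can be checked offline. */
#define BUF_LEN 256
static char g_captured[BUF_LEN];
static void emit_log(int priority, const char *fmt, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, fmt);
    vsnprintf(g_captured, sizeof g_captured, fmt, ap); /* fmt is a format */
    va_end(ap);
}

/* fixed == 0 reproduces the bug: the rendered buffer, which now holds caller
 * data such as the POP3 USER name, becomes the format of the next call.
 * fixed != 0 is the one-line change from the WORKAROUND section. */
void log_msg(int fixed, int priority, const char *fmt, ...)
{
    char buffer[BUF_LEN];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buffer, sizeof buffer, fmt, ap);
    va_end(ap);
    if (fixed)
        emit_log(priority, "%s", buffer); /* data stays data */
    else
        emit_log(priority, buffer);       /* BUG: data interpreted as format */
}

/* Logs a Connect line in perdition's style for 'user' and returns the line
 * the stand-in syslog received. */
const char *logged_user_line(int fixed, const char *user)
{
    log_msg(fixed, 6, "Connect: user=\"%s\"", user);
    return g_captured;
}

int main(void)
{   /* Constructed USER value: "%%" consumes no argument, so the second
     * interpretation is deterministic (the buggy path collapses it to "%"). */
    printf("vulnerable: %s\n", logged_user_line(0, "GOBBLES_100%%"));
    printf("fixed:      %s\n", logged_user_line(1, "GOBBLES_100%%"));
    return 0;
}
```

The fix is confined to the syslog branch because the two filehandle branches pass the unexpanded fmt together with ap to vfprintf(), so there the user's name arrives as an argument rather than as format text; since the function lives in libvanessa_logger, every program built on that library needs the rebuilt library, not just perdition.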