Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[Global InterSec 2002012101] DeleGate Application Proxy - Multiple Vulnerabilities

From: "Global InterSec Research" <lists () globalintersec com>
Date: Thu, 7 Feb 2002 21:59:10 -0800
--------------------------------------------------------------------------
Global InterSec LLC
http://www.globalintersec.com
--------------------------------------------------------------------------
GIS Advisory ID: 2002012101
Changed:  07/02/2002
Author: research () globalintersec com
Reference:  http://www.globalintersec.com/adv/delegate-2002012101.txt
--------------------------------------------------------------------------

Summary:

   DeleGate - A popular application layer proxy contains
   a number of buffer overflows which are remotely exploitable.

Impact:

   A remote attacker may execute arbitrary commands.

Versions:

  All through to the current version.

Description:

   DeleGate is made up from several components which
   together proxy various services. These include pop,
   http and https.

   Global InterSec found a number of vulnerabilities in
   the various proxy components, all of which could lead
   to remote command execution and privilege escalation.

   DeleGate seems to have quite a history of problems
   (see Credit section) and potentially many more
   vulnerabilities than described within this advisory.
   The author has addressed many of the previous problems
   by attempting to randomise the stack area. However as
   we have proved, this work-around is non-comparable to
   re-writing the vulnerable areas of code.

   Less serious vulnerabilities also exist in DeleGate including
   real path disclosure within chrooted ftp environments
   and cross site scripting vulnerabilities in DeleGates http(s)
   proxy code.

   Due to the sheer number of exploitable  vulnerabilities we
   found, we've opted to release a single advisory, exemplifying
   one of the issues.

Scope for attack:

  Proxies are often placed on networks to protect sensitive
  systems and networks from exposure to public networks.
  To this end, systems running proxies are often in privileged
  parts of networks, where they are able to proxy services on
  more sensitive systems, whether they be in a DMZ or otherwise.

  In the case of the POP proxy overflow, exploitation requires
  no authentication. The only constraint may be tcp wrapping
  for that service.

  Successful exploitation of the buffer overflows within the
  popper proxy code would lead to an ability to execute commands
  as the user of the daemon process, this is by default nobody
  however DeleGate can be configured to run as any user.

Work around:

  If DeleGate is critical to your networks operation, we suggest
  the use of tcp wrappers as a TEMPORARY solution, until an alternate
  solution is found. In the case of ftp/http/https we suggest the use
  of squid.

  URL: http://www.squid-cache.org/

  tcpproxy is also available, however it is not an application gateway
  level proxy, simply forwarding tcp connections.

  URL: http://www.quietsche-entchen.de/software/tcpproxy.html

Credit:

  Vulnerabilities detailed in this advisory were discovered by
  Tom Parker (Global InterSec LLC).

  Previous vulnerabilities in DeleGate
 http://www.synnergy.net/downloads/exploits/delegate.c
 http://www.securiteam.com/exploits/3W5Q2RFQ0E.html

  The existence an exploit for the current release of DeleGate is rumoured.


Vendor Status:

  None as yet:
  It seems the authors answer to most of the problems
  previously found in DeleGate were work around's such
  as his stack randomisation functions, so don't hold
  your breath for an official patch.

  Global InterSec *are* working on a diff file to solve
  some of the problems - however due to the sheer number
  of them it wont be available immediately.

  When available it will be linked to at the url at the
  top of this advisory.

Exploits (Proof of concept):

  As described above, the below proof of concept details
  DeleGate's function as a POP proxy.

  The below SIGSEGV occurs due to the use of globally declared
  array size, ie:
 pop.c:28:#define LNSIZE 1024
  This is used to set sizes of a number of arrays, including
  that of the username and password.

  As with many of the vulnerabilities in DeleGate, a SIGSEGV occurs
  when attempting to strcpy() unexpectedly long strings.
  In spite of attempts DeleGate makes to randomise the stack, we
  were successful in overwriting the Extended instruction pointer.
  Although the stack randomisation functions make things harder, they
  do not make arbitrary command execution impossible.

 Attacking target `xxx.xxxx.xxx.xxx`:
 : +OK Proxy-POP server (DeleGate/7.7.1 by ysato () delegate org) at
xxx.xxx.xxx.xxx starting.
 Sleeping for 20 seconds, attach gdb ;-)

 root@foo:/home/foo/delegate7.7.1/src > ps -ax | grep DeleGate
 30215 ?        S      0:00
DeleGate -{016+00:foo.bar.com}[pop://-/]-Pxxx.xxx.xxx.xxx:110 --
   root@foo:/home/foo/delegate7.7.1/src > gdb delegated

 GNU gdb 5.0
 Copyright 2000 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you
are
 welcome to change it and/or distribute copies of it under certain
conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-suse-linux"...

 (gdb) at 30215
 Attaching to program: /home/foo/delegate7.7.1/src/delegated, Pid 30179
 Reading symbols from /lib/libnsl.so.1...done.
 Loaded symbols for /lib/libnsl.so.1
 Reading symbols from /lib/libc.so.6...done.
 Loaded symbols for /lib/libc.so.6
 Reading symbols from /lib/ld-linux.so.2...done.
 Loaded symbols for /lib/ld-linux.so.2
 Reading symbols from /lib/libnss_compat.so.2...done.
 Loaded symbols for /lib/libnss_compat.so.2
 Reading symbols from /lib/libnss_files.so.2...done.
 Loaded symbols for /lib/libnss_files.so.2
 Reading symbols from /lib/libnss_dns.so.2...done.
 Loaded symbols for /lib/libnss_dns.so.2
 Reading symbols from /lib/libresolv.so.2...done.
 Loaded symbols for /lib/libresolv.so.2
 0x40101167 in poll () from /lib/libc.so.6

 -> USER AAAAAAAAAAAA<~1024 Bytes>

 (gdb) c
 Continuing.
 Program received signal SIGSEGV, Segmentation fault.
 0x41414141 in ?? ()
 (gdb) print $eip
 $1 = (void *) 0x41414141
 (gdb)

 In the case of a *real* exploit, the EIP could be a pointer to
 the attackers shellcode which would already be in memory.

Exploit:
 Yea right ;-)

Legal:
This advisory is the intellectual property of Global InterSec LLC
but may be freely distributed with the conditions that:

a) no fee is charged
b) appropriate credit is given.
c) distribution of the advisory does not break NDA's issued by GIS.
Global InterSec LLC 2002
Previous By Date Next
Previous By Thread Next

Current thread: