Thursday, August 20, 2009

Linux NULL Pointer Dereference CVE-2009-2692

Refer here for a quick read on what a NULL Pointer Dereference vulnerability is.

Over the past week, the latest Linux NULL Pointer Dereference exploit has rendered millions of servers world-wide vulnerable to root compromise. Here's the CVE reference CVE-2009-2692.

Several local exploits have been released so far, the ones I tried and worked like magic are at:
- The shorter one http://www.securityfocus.com/data/vulnerabilities/exploits/36038-4.tgz
- The longer one http://www.securityfocus.com/data/vulnerabilities/exploits/wunderbar_emporium.tgz

Here's how simply I get root on my box using the former exploit

To understand the exploit in detail a good explanation can be found here.

In summary - the exploit does a NULL pointer dereference that lands on page zero that is filled with bytes in your control. The exploit leverages pulseaudio, a setuid binary, to load your code.

Thursday, August 13, 2009

Statefull/Authenticated/Deep Protocol Fuzzing with Sulley

Okay so Sulley works, but creating a basic HTTP fuzzer was nothing so cool. It just scratched the protocol surface. How about statefull or in-state protocol with authentication? How but fuzzing the methods/functions and it's arguments deep within?

Here is a proof-of-concept dig at leveraging Sulley to do just that for FTP. Same would be possible to achieve for various other protocols like SMTP, POP3.

from sulley import *

import socket
import ftplib


s_initialize("ftp-cmds")

if s_block_start("site"):
s_string("status")
s_static("\r\n")
s_block_end()


def ftpcon(target):

ftp = ftplib.FTP('localhost','cloner','cloner')

def do_fuzz():
sess = sessions.session(session_filename="ftptest.log")
target = sessions.target('localhost', 21)
sess.add_target(target)
sess.pre_send=ftpcon
sess.connect(s_get("ftp-cmds"))
sess.fuzz()

if 1:
do_fuzz()

Firing this generates 1076 test cases for fuzzing (ofcourse you could add to the existing Sulley attack library to generate more test cases) one ftp command post authentication.


This code can be extended to fuzz all the ftp commands/methods and its arguments that are available post authentication in a statefull manner.

Let's see what it really took to get this done. It was FTPLIB that made it possible for us to take establish an authenticated session with the target Pure-FTPd server. The default python installation comes with libraries for several other protocols like SMTP, HTTP and POP3 as well.

For encrypted protocols SSL python library is available in case you do not wish to use proto=ssl option from Sulley.

How difficult is it to write something like FTPLIB or the authentication/statefull piece for your target protocol? The short answer is - it depends - on protocol specifications (if at all you have) and your mileage. Good skill set at Python socket programming can boost your mileage considerably!

Let's look at a snippet of FTPLIB and see what does it take.

def connect(self, host='', port=0, timeout=-999):
self.sock = socket.create_connection((self.host, self.port), self.timeout)
self.af = self.sock.family
self.file = self.sock.makefile('rb')
self.welcome = self.getresp()
return self.welcome

No wonder why hackers love Python!

Monday, August 10, 2009

Network Protocol Fuzzing

Arguably fuzzing is one leading technique hackers have leveraged over a decade to discover scores of software security issues.

For a detailed look into techniques, tools, pros & cons a look at Charlie Miller paper is worth a read.

There are two well-known fuzzing frameworks Sulley & Peach - that could be leveraged to create your own fuzzers. I haven't had had a dig at Peach as I haven't yet exhausted Sulley yet or run into major road blocks. The author of Sulley - Pedram has been quite considerate to answer my queries and the tool looks promising so far.

It is fairly straight forward to crank up your first fuzzer if your protocol is as simple as HTTP.

Following code is what I needed to write to get a basic fuzzer ready to torture an HTTP server. The intention was just to have a feel of Sulley. The real goal otherwise is to do some really complex things. But yeah - the things below had to respond to get my confidence & investment.

from sulley import *

s_initialize("HTTP VERBS BASIC")
s_group("verbs", values=["GET", "HEAD"])
if s_block_start("body", group="verbs"):
s_delim(" ")
s_delim("/")
s_string("index.html")
s_delim(" ")
s_string("HTTP")
s_delim("/")
s_string("1")
s_delim(".")
s_string("1")
s_static("\r\n\r\n")
s_block_end()

def do_http_fuzz() :
sess = sessions.session(session_filename="audits/http_session_test.txt")
target = sessions.target("127.0.0.1", 80)
sess.add_target(target)
sess.connect(s_get("HTTP VERBS BASIC"))

sess.fuzz()

print "test completed"

do_http_fuzz()

Firing this script on a latest Apache web server results in 9062 test cases and the wireshark screenshot shows some of the attack patterns that are sent to Apache.



This was simple. But then this is HTTP. How about session oriented or stateful protocols like FTP or even better with encryption SSH? And how about fuzzing deep within a protocol? Fuzzing FTP methods or the protocol methods that are reachable only after a valid secure authenticated session is created? The answer is yes, a framework that can facilitate all this would be a great asset for many security testers.

In my next post we will look at fuzzing a stateful protocol. Precisely we will look at fuzzing deep within a stateful protocol post authentication.