Dropbear SSH Server Format String Vulnerability

Posted on 20 August 2003


From: Joel Eriksson <je@bitnux.com>

===============================================
0xbadc0ded Advisory #02 - 2003/08/17 - Dropbear SSH Server <= 0.34
===============================================

Reference http://0xbadc0ded.org/advisories/0302.txt
PGP-key http://0xbadc0ded.org/advisories/pubkey.asc

Application Dropbear SSH Server <= 0.34
Discovered By Joel Eriksson <je@bitnux.com>
Researched By Joel Eriksson <je@bitnux.com>

Overview

Dropbear SSH Server is a small Secure Shell server suitable for embedded
environments. It implements various features of the SSH 2 protocol,
including X11 and Authentication agent forwarding.

Problem

A remotely exploitable format string vulnerability exists in the default
configuration of the Dropbear SSH Server up until version 0.35, which was
released shortly after Matt Johnston, the Dropbear developer, was notified
of the problem. Thanks for a quick response Matt!

The bug can be triggered by supplying a username with format specifiers and
make a login attempt. Since the user does not exist, the login attempt will
fail and the following code in auth.c will be executed:

dropbear_log(LOG_WARNING,
"login attempt for nonexistant user '%s' from %s",
username, ses.addrstring);

To format the log message, vsnprintf() is used, the resulting buffer will be
passed to syslog() (unless dropbear is run in foreground or compiled with
DISABLE_SYSLOG defined). The formatted buffer is passed as a format string
to syslog() so if the username contains any format string specifiers, they
will be parsed. This can be used to overwrite arbitrary memory addresses
(such as function pointers) with userdefined data (such as the address to
shellcode supplied by the attacker).

Exploit

Exploiting this bug was not entirely straightforward, but not far from
either. The total time from downloading and starting to audit the Dropbear
source until having developed a working exploit was just a few hours.
Instead of just presenting an exploit, I will describe the essential steps
of the process in detail here and make the exploit available from the
0xbadc0ded.org webpage at a later time.

I will also take the opportunity to mention that among the services that
Bitnux offer are code review, exploit development and technical training in
auditing and exploit development techniques. :-)

First, let's see if we can find the offset to our format string by using
%<N>$08X to log four bytes at offset N.

[root@vudo /home/je/dropbear-0.34]# ./dropbear -p 2222
[root@vudo /home/je/dropbear-0.34]# ssh -p 2222 'AAAA.%24$08X'@localhost
AAAA%24$08X@localhost's password:
^C
[root@vudo /home/je/dropbear-0.34]# tail -2 /var/log/auth.log
Aug 16 20:04:43 vudo dropbear[14497]: login attempt for nonexistant user \
'AAAA.41414141' from 127.0.0.1
Aug 16 20:04:48 vudo dropbear[14497]: exited before userauth: error reading
[root@vudo /home/je/dropbear-0.34]#

Of course, a remote attacker would have to guess the offset (which in this
case is 24), but this is not much of a problem. It may vary depending on if
gcc-2.x or gcc-3.x is used for instance, since gcc-3.x adds a little padding
to buffers (supposedly to make 1-byte-overflows harmless), but the variation
won't be big.

The username is limited to 25 characters, which is a little too few for
traditional format string techniques where an entire 4-bytes pointer is
overwritten, using two or four overlapping writes (with %hn or %hhn
respectively). We also need to find a place for our shellcode, since there
obviously will not be enough place left in the username.
v By examining recv_msg_userauth_request() in auth.c we can see that three
strings are received: The username, the servicename and the methodname. We
are already using the username for our format string (and it is limited to
25 bytes, as mentioned), the servicename must be "ssh-connection" or the
connection will fail before the vulnerable code is executed, but the
methodname may be anything except "none" which is explicitly not allowed.

We can put as much as a little more than 30,000 characters in the
methodname-string. To do this, we have to modify an SSH-client of course, or
implement the SSH-protocol ourselves. I choosed to modify the SSH client
from OpenSSH.

I have already mentioned that there is not enough space for a format string
that overwrites an entire 4-bytes pointer, but we have more than enough
space to overwrite two bytes with an arbitrary value. By overwriting the two
upper bytes of the GOT-entry of a function that is used after syslog() has
been called, we have a very good chance being able to point it into the
methodstring with our shellcode.

Enough theory, let's see how it works out in practice. First I modified
OpenSSH to let me specify the method-string in an environment variable:

[je@vudo ~/openssh-3.6.1p2]$ SSH_METHOD=`perl -e 'print "A"x30000'` ./ssh -p
2222 \
whatever@localhost

Then I looked up the address of a suitable GOT-entry and attached with gdb
to the server-process:

[root@vudo /home/je/dropbear-0.34]# objdump -R dropbear | awk '$3 ==
"write"'
08067590 R_386_JUMP_SLOT write
[root@vudo /home/je/dropbear-0.34]# ps auxw | grep dropbear | tail -1
root 14685 5.8 0.6 1912 840 pts/7 S 21:06 0:00 ./dropbear -p 2222
[root@vudo /home/je/dropbear-0.34]# gdb dropbear 14685
[snip]
(gdb) x/x 0x8067590
0x8067590 <__JCR_LIST__+64>: 0x4012e6c0
(gdb) x/x 0x807e6c0
0x807e6c0: 0x41414141

As you can see, write()'s GOT-entry has the value 0x4012e6c0, and 0x0807e6c0
points into the method-string. Thus, to exploit this bug we could put
shellcode at the end of methodname and use the format string vulnerability
to write 0x0807 to 0x08067590+2.

This is a sample run of the exploit I developed for the vulnerability:

[je@vudo ~/openssh-3.6.1p2]$ ./dropdead
Linux/x86 Exploit for Dropbear SSH Server <= 0.34
By Joel Eriksson <je@0xbadc0ded.org>
Usage: ./dropdead ADDR [PORT] [HIADDR] [FPADDR]
[je@vudo ~/openssh-3.6.1p2]$ ./dropdead
id
uid=0(root) gid=0(root) groups=0(root)
exit
[je@vudo ~/openssh-3.6.1p2]$

Fix

Upgrade to Dropbear version 0.35, or edit util.c and change:

syslog(priority, printbuf);

to:

syslog(priority, "%s", printbuf);

Disclosure Timeline

2003/08/16 Notified Matt Johnston - The Dropbear developer
2003/08/16 Received response from Matt Johnston
2003/08/17 Public release

===============================================
The 0xbadc0ded.org team is hosted and sponsored by Bitnux: www.bitnux.com
===============================================
Bitnux is a newly founded company located in Sweden focused on security
research and system development. We offer services such as: - Code Reviews -
Exploit Development - Reverse Engineering of Code - Security Revisions of
Systems and Software - Custom System Development for Unix/Linux/BSD and
Windows E-mail : info@bitnux.com Phone : +46-70-228 64 16 Chat :
http://bitnux.com/live



--
Regard: Joh@nnes
"If U know neither the enemy nor yourself,U will succumb in every battle"
0
Johannes
8/20/2003 7:56:00 PM
grc.security 16608 articles. 3 followers. Follow

0 Replies
467 Views

Similar Articles

[PageSpeed] 57

Reply:

Similar Artilces:

Windows FTP Server Format String Vulnerability
Credit: Author : Peter Winter-Smith Software: Packages : Windows FTP Server Version : 1.6 and below Vendor : HD Soft/Windows Ftp Server SOFTWARE Vendor Url : http://srv.nease.net/ Vulnerability: Bug Type : 'wscanf' Format String Vulnerability Severity : Moderately/Highly Critical + Denial of Service + Arbitrary Memory Can Be Read/Written 1. Description of Software "Are you wondering how to setup a FTP server ? Companies small to large have their own web sites to distribute info, products, contact, description of their services, files... When it comes to fil...

Windows FTP Server Format String Vulnerability #2
Posted on 13 January 2004 From: "Peter Winter-Smith" <peter4020(at)hotmail.com> Credit: Author : Peter Winter-Smith Software: Packages : Windows FTP Server Version : 1.6 and below Vendor : HD Soft/Windows Ftp Server SOFTWARE Vendor Url : http://srv.nease.net/ Vulnerability: Bug Type : 'wscanf' Format String Vulnerability Severity : Moderately/Highly Critical + Denial of Service + Arbitrary Memory Can Be Read/Written 1. Description of Software "Are you wondering how to setup a FTP server ? Companies small to large have their own web site...

What are proper format strings for String.format, Number.format, etc?
Hi guys, I just started using the client side version of the Ajax framework. Everything is working out so far, except that I can't seem to be able to format any strings of numbers the way I want. Wheather I use the String.format or Number.format functions, I just keep getting Sys.FormatException errors. What are the proper format strings? I tried the relevant ones that I use in C#, but it just doesn't work.Help would be much appreciated!  I believe D, C, N, and P are the only valid ones for numbers (client side).Encosia - ASP.NET, AJAX, and more.Latest article: Using complex ...

iDEFENSE Security Advisory 12.13.04: Adobe Reader 6.0 .ETD File Format String Vulnerability
Adobe Reader 6.0 .ETD File Format String Vulnerability iDEFENSE Security Advisory 12.13.04 www.idefense.com/application/poi/display?id=163&type=vulnerabilities December 14, 2004 I. BACKGROUND Adobe Acrobat Reader is a program for viewing Portable Document Format (PDF) documents. More information is available at the following site: http://www.adobe.com/products/acrobat/readermain.html II. DESCRIPTION Remote exploitation of a format string vulnerability in version 6.0.2 of Adobe's Reader could allow attackers to execute arbitrary code. The problem specifically...

How to format a string of percentage format to decimal format ?
How to format a string of percentage format to decimal format ? 1    orginalValue  // value will be 1265.48 2    percentString // value after applying percentage format will be 126548 %3    requiredvalue // value should be 1265.48  I converted the string from orginalValue to percentString, now i need to convert back to requiredvalue. Is there any way to do ? regards, Ananth RM - msarm.com  string percentString="126548 %";double value=double.Parse(percentString.Replace("%","").Tri...

Server.HtmlEncode(String.Format
I am trying to prevent html from being entered in a web form.  I thought i had done so - however when I tried to test it, I got an error listed below.  I didn't think that's how it worked, i thought it just converted any html to plain text. A potentially dangerous Request.Form value was detected from the client (Name1="<td />&nbsp;_Test_&a..."). Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the ...

Curency format /String.Format
   Dim subtotal As String = price * quatity 'price and  quatity  are Decimal type.  subtotal = String.Format("{0:c}", subtotal) I  want to get the sub total  in currency format  ie somedigits.twodigits (eg 100000.50), i dont want $ or any such symble before the digits. I tried the above code but it fails why?     Hey if you just want to format to 2 decimal places use {0:n2} Use the following format: {0:n2}Thanks, EdMicrosoft MVP - ASP/ASP.NET try out as         decima...

Number Format and String Format ?
Suppose I have a number "1", how can change the number format to "001" ? How can I convert the number "1" into string format "001" ? Thx for your help ~ :) http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconnumericformatstrings.asp int x = 1;Response.Write(x.ToString("000"));Steven A SmithAspAlliance.com - The #1 ASP.NET CommunityDevAdvice.com - Answers to Questions If you got your data from SQL Stored Procedure, you can do the formating in your query: RIGHT('000' + CAST(Col1 AS varchar), 3) -- Tough People Do Tough Task -- It works ~ Thank you ve...

Vulnerabilities and Security, is AJAX secure ?
Hi All, Since Microsoft's SmartClient technology did not succeed as expected (because its complex design and coding), I recently realized that I have no option but to try to improve my projects with AJAX. Although it's understandable to feel fear when using a "new" or "non-mature" technology, I found this document that made me think twice before I update some of my work to avoid users suffer the "POST" pain: http://www.owasp.org/index.php/Testing_for_AJAX_Vulnerabilities Can somebody provide me some feedback about this text ?, I found it very...

VLC media player: Format string vulnerabilities
...."A vulnerability has been discovered in VLC media player, allowing for the remote execution of arbitrary code. [ ] Resolution ========== All VLC media player users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=media-video/vlc-0.8.6c"... <http://www.securityfocus.com/archive/1/474965> Download: <http://www.videolan.org/> or Help | Check for updates -- js http://justheadlines.awardspace.com On Sat, 28 Jul 2007 16:02:58 -0700, john s. smith said: > ..."A vulnerability has been d...

Security vulnerability found in MS SQL Server 2000
A vulnerability has been found in Microsoft's SQL Server 2000 that would allow an attacker to remotely execute code in the server. According to security consultants SEC Consult, the cause of the problem is a bug in the program's memory management. By calling the extended stored procedure sp_replwritetovarbin and supplying several uninitialised variables as parameters, it is possible to trigger a memory write to a controlled location. The report claims the success of an attack depends on the version of Windows being used. SEC Consult says it has developed an exploit that h...

Problem on deployment server, Input string was not in a correct format
Hi there! I have a very strange problem here. In our developer machines, these Problem doesn't appear, everything works fine. But in the deployment server we get always this exception, it doesn't matter what kind of input data we give. [FormatException: Input string was not in a correct format.] System.Number.StringToNumber(String str, NumberStyles options, NumberBuffer& number, NumberFormatInfo info, Boolean parseDecimal) +2752867 System.Number.ParseInt32(String s, NumberStyles style, NumberFormatInfo info) +102 System.Int16.Parse(String s, NumberStyles style, NumberForm...

what is the difference bettween string.Format("{0:#.##}", and string.Format("{0:0.00}"
they both seem to do the same thing, what is the difference functionality that # versus 0  ?    string.Format("{0:#.##}", mydecimal); string.Format("{0:0.00}", mydecimal); Look here: http://msdn2.microsoft.com/en-us/library/0c899ak8.aspx Hope it helps Hi, As far as I know, they both are different. 0.00 can remain the position all the time. For example, decimal is 0.1 and then it will return to you with 0.10 by 0.00 format. With #.##, it will cut the unnecessary position in the decimal. For example, decimal is 0.1 and then i...

OpenOffice Neon Client Code Format String Vulnerabilities
Secunia Advisory: SA11364 Release Date: 2004-04-15 Critical: Moderately critical Impact: System access Where: From remote Software: OpenOffice 1.0.x OpenOffice 1.1.x CVE reference: CAN-2004-0179 Description: OpenOffice is affected by some vulnerabilities, which potentially can be exploited by malicious people to compromise a user's system. Solution: Don't connect to untrusted WebDAV servers using OpenOffice. http://secunia.com/advisories/11364/ -- Donna, Track or post software updates at http://www.dozleng.com/updates/index.php?act=calendar ...

Web resources about - Dropbear SSH Server Format String Vulnerability - grc.security

Vulnerability (computing) - Wikipedia, the free encyclopedia
In computer security , a vulnerability is a weakness which allows an attacker to reduce a system's information assurance . Vulnerability is the ...

Facebook Fixing Vulnerability That Would Prohibit Users From Revoking App Permissions
Facebook is working to remedy a vulnerability discovered by application security provider MyPermissions , which blocks users of the social network ...

Search Twitter - xss vulnerability
... incog @ xssineverything X-Line @ XLine0fficiel View more people Top news story The Next Web @ TheNextWeb 3h TweetDeck users: An XSS vulnerability ...

The Power of Vulnerability - Brene Brown - TED Talks - YouTube
http://www.ted.com Brene Brown studies human connection our ability to empathize, belong, love. In a poignant, funny talk at TEDxHouston, she ...

Sam de Brito: a polarising writer who wore his vulnerability on the page
Sam De Brito was a passionate though polarising figure of Australian journalism, writes his former editor, Helen Pitt.

Vulnerability and resilience in Vanuatu
Food gardens and social support systems, which Pacific Islanders rely on in hard times, are not available in Vanuatu.

Researchers find vulnerability in EA's Origin platform - online safety, ReVuln, electronic arts, security ...
Users of Origin, the game distribution platform of Electronic Arts (EA), are vulnerable to remote code execution attacks through origin:// URLs, ...

Islamic State's call to arms reveals a sense of vulnerability
Islamic State's call to arms a scatter-gun approach, to say the least &#8211; and more than faintly ridiculous.

Researcher misinterprets Oracle advisory, discloses unpatched database vulnerability
Instructions on how to exploit an unpatched Oracle Database Server vulnerability in order to intercept the information exchanged between clients ...

Cyber security expert issues dire warning over vulnerability of key infrastructure
Data theft and cybercrime is a major source of funding for Islamic State which is likely to have secretly planted insiders &quot;around the world&quot; ...

Resources last updated: 1/6/2016 10:10:03 PM