Statd Format Bug Vulnerability

[Janoc Florez]

Vulnerabilitiesin statd RPC Format String is a high risk vulnerability that is one of the most frequently found on networks around the world. This issue has been around since at least 1990 but has proven either difficult to detect, difficult to resolve or prone to being overlooked entirely.

Use of Vulnerability Management tools, like AVDS, are standard practice for the discovery of this vulnerability. The primary failure of VA in finding this vulnerability is related to setting the proper scope and frequency of network scans. It is vital that the broadest range of hosts (active IPs) possible are scanned and that scanning is done frequently. We recommend weekly. Your existing scanning solution or set of test tools should make this not just possible, but easy and affordable. If that is not the case, please consider AVDS.

The Vulnerabilities in statd RPC Format String is prone to false positive reports by most vulnerability assessment solutions. AVDS is alone in using behavior based testing that eliminates this issue. For all other VA tools security consultants will recommend confirmation by direct observation. In any case Penetration testing procedures for discovery of Vulnerabilities in statd RPC Format String produces the highest discovery accuracy rate, but the infrequency of this expensive form of testing degrades its value. The ideal would be to have pentesting accuracy and the frequency and scope possibilities of VA solutions, and this is accomplished only by AVDS.

AVDS is currently testing for and finding this vulnerability with zero false positives. If your current set of tools is indicating that it is present but you think it is probably a false positive, please contact us for a demonstration of AVDS.

The secret killer of VA solution value is the false positive. There was an industry wide race to find the most vulnerabilities, including Vulnerabilities in statd RPC Format String ,and this resulted in benefit to poorly written tests that beef up scan reports by adding a high percentage of uncertainty. This may have sold a lot of systems some years ago, but it also stuck almost all VA solutions with deliberately inaccurate reporting that adds time to repairs that no administrator can afford. Beyond Security did not participate in this race to mutually assured destruction of the industry and to this day produces the most accurate and actionable reports available.

Vulnerabilities in statd RPC Format String is a high risk vulnerability that is also high frequency and high visibility. This is the most severe combination of security factors that exists and it is extremely important to find it on your network and fix it as soon as possible.

The Exploit Database is maintained by OffSec, an information security training company that provides various Information Security Certifications as well as high end penetration testing services. The Exploit Database is a non-profit project that is provided as a public service by OffSec.

The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Our aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.

The Google Hacking Database (GHDB) is a categorized index of Internet search engine queries designed to uncover interesting, and usually sensitive, information made publicly available on the Internet. In most cases, this information was never meant to be made public but due to any number of factors this information was linked in a web document that was crawled by a search engine that subsequently followed that link and indexed the sensitive information.

After nearly a decade of hard work by the community, Johnny turned the GHDB over to OffSec in November 2010, and it is now maintained as an extension of the Exploit Database. Today, the GHDB includes searches for other online search engines such as Bing, and other online repositories like GitHub, producing different, yet equally valuable results.

This is great, because I have a write-what-where primitive know! My first thought was to overwrite a GOT entry with system(). For that to work, I needed several things: the address of system() in libc, and thus which version of libc I was dealing with; and the address of a GOT pointer which I could overwrite. First things first, I wrote a dumper script to start dumping the binary.

Using the write-an-address-to-scratch-space primitive, I started dumping the binary. I added a function to dump from a specific memory address and I verified it by grabbing the bytes at 0x400000. These should correspond to the magic bytes of an ELF header.

From here on out, I adjusted the script to dump out the entire binary. It was a slow process, but I managed to speed it up a bit by not having it write out the full address each time, and dumping as much bytes as possible (I adjusted the grab_value_indirectly). The problem with the dumping process via sprintf is that it stops dumping bytes when it hits a 0x0a, 0x0d or 0x00 byte. I have no way of knowing which one it actually is, so I assumed NULL bytes. This gave me an imperfect dump, which I could not run and readelf could not make heads or tails of the section headers.

This meant that I had no way of knowing exactly where each GOT entry was, and which function address each entry held. Reverse engineering the dumped binary provided an alternative. I was looking at the output of xxd and noticed the following:

First, it writes out 0x601e20, 0x601e21 and 0x601e22 on the stack. 0x601e20 is an unused memory address close the GOT entries. Then, the payload to actually write three bytes to those addresses looks like this:

OK, so that worked! I plugged in the values for system, the GOT entry for strlen and crossed my fingers. I tried to spawn a shell, but alas, no output. The binary had crashed though, and I tried again, this time trying for outbound access to my vps with wget. However, I never saw a HTTP connection and the remote binary seemed to hang. The service did not come back up. Uh-oh.

First things first, though, I needed a ROP chain to actually read in the shellcode and run it. The stack was not executable (NX took care of that), so I had find a way to call mprotect to mark a section rwx and then read in the shellcode.

I started working on the ROP chain before Mr. Un1k0d3r sent over the files. This was pretty hard, as I had to search for the gadgets in libc (the binary did not contain enough gadgets) by dumping it. I first uploaded my own libc to ropshell. Once I had found a gadget, I dumped from -0x100 to +0x100 relative to that address; this allowed me to find the gadgets I needed. Luckily, soon after, I obtained the libc and the binary from Mr.Un1k0d3r, which helped a lot. I ran it in a 64-bit Kali (based on Debian) and started building and debugging my ROP exploit. But hold on a second!

This meant that I had multiple options to pivot rsp to buf, for instance with a xchg rax, rsp gadget. Upon finding no suitables ones, I had to go with stack lifting. I uploaded the libc which I got from Mr. Un1k0d3r to ropshell.com and starting looking for gadgets. What would I need?

See, I needed quite a few gadgets to be able to call mprotect and read. First, the stack lifting: I settled on 0x00082cfe: add rsp, 0x100; ret in libc. I had no idea if I would have the correct amount added to rsp, but I solved that the lazy way by adding the ROP equivalent of a NOP-sled:

The process is simple. The first pop r15 will pop -0x48 from the stack. Then, the address rbp+r15 (effectively pointing to rbp-0x48) is loaded into rax. The value at this address is taken into rax in the third gadget. Finally, the value is stored in edi, ready for use in the read syscall. Here, I assume that the socket descriptor is less than 32 bits, which I think is reasonable. The read part of the ROP chain will read in the shellcode that we send and return to it.

The actual shellcode that landed me a shell uses dup2 to duplicate stdin from the socket. This will allow us to communicate with the spawned shell. The assembly is quite straightforward. Not optimized, not pretty:

You can see that the dup2 shellcode is not completely effective; I needed to redirect stdout to stdin to get command output so somehow dup2 does not duplicate stdout correctly. But hey, the objective is met! An interactive shell on an otherwise inaccessible server!

This was a story of how a single format string vulnerability was beaten into arbitrary code execution. The exploit bypasses ASLR and NX via ROP, and finally sends over shellcode which will be executed. The CTF challenge was not designed with this in mind, but it was a fun exercise (and a potential warmup for Boston Key Party) nonetheless! My thanks go out to Mr.Un1k0d3r for being cool with me trying to break his challenge and even giving me the binary :)

Who should read this bulletin: Administrators and developers who have deployed applications or utilities using the Sun [TM] Microsystems RPC library on the Services for Unix 3.0 Interix SDK.

Affected Software:Only applications or utilities running on the following operating systems using the Sun Microsystem RPC library on the Services for Unix 3.0 Interix SDK should consider applying the patch.

All three vulnerabilities discussed in this bulletin involve the inclusion of the Sun RPC library in Microsoft's Services for UNIX (SFU) 3.0 on the Interix SDK. Developers who created applications or utilities using the Sun RPC library from the Interix SDK need to evaluate three vulnerabilities.

Windows Services for UNIX (SFU) 3.0 provides a full range of cross-platform services to integrate Windows into existing UNIX environments. In version 3.0, the Interix subsystem technology is built in so that Windows Services for UNIX 3.0 can provide platform interoperability and application migration in one fully integrated and supported product from Microsoft. Developers who have integrated Windows into their existing UNIX environments may have used the Interix SDK to develop custom applications and utilities so that applications that only ran on the UNIX platform can now run in a Windows environment. Developers who used the Interix SDK to develop applications or utilities should read this bulletin.

3a8082e126