Daemon02 - HITB Malaysia 2008 CtF

Analysis Daemon02 is a classic example of command injection vulnerability. It is a daemon listening on five ports from 2221 to 2225 which receives input from users, parse it into command, then execute that command on the host system. Available commands are: * help: print help banner * status : print system uptime * procs : print list of running processes The interesting one is procs. When receiving "procs " command, daemon02 will first perform various checks for dangerous metacharacters such as ";", "|", and "&". If any of them found, daemon02 will replace it with an empty space. Then the command line string is built as "proc ax | grep -v root | grep -v nobody | grep -v apache | grep -v args". Finally it calls popen(3) with the command line string described in the last sentence as the first argument. The result of popen(3) will be returned to the user. Vulnerability As you can see, part of the input string is used at the end of the command line string, so there's maybe a chance for command injection here, if somehow we can bypass the metacharacters checking. Indeed we can ;). daemon02 checks for metacharacters using strchr(3) whose prototype is "char *strchr(const char *s, int c);". Basically it returns a pointer to the first occurrence of the character c in the string s. As you may already know, strchr(3) performs on NULL-terminated string which means it stops processing if it encounters a NULL byte in the input string s. daemon02 got its input from the network by calling fgets(3) which means we can throw NULL bytes to it. What if we gives it something like "procs\x00;id"? ;). strchr(3) will fail to see ";" which eventually allows us to execute something like this in the host system: "proc ax | grep -v root | grep -v nobody | grep -v apache | grep -v ;id". How about changing "id" to something more relevant like reading a flag? Exploit Exploit is very easy, just a couple of python lines: sock.send('procs\x00;cat /etc/flags/flag02\n') s = sock.recv(1024) print s

Comments

Anonymous said…
A more simpler way without RE (look at cmd via strace): "procs FOO /etc/flag/flag02 BAR"

--0
Anonymous said…
Oh ze.. Thai-once-again-on stuff that matters :)

|Abe
Anonymous said…
viet tieng viet cho minh hieu voi
Anonymous said…
Nice explaination for daemon02 =)
Anonymous said…
how about other daemons?

i remember smt about "signature of libc". what is that doing with daemon??
VnSpl0it said…
Bác Thái có thể up cái file daemon02 đó lên cho mọi người cùng test ko ?

Thân,
kuza55 said…
Ok, I'm a bit lost, won't popen terminate on the NUL byte as well?

To me this sounds more like a case where you abuse the metacharacters they didn't block (e.g. IO redirection)