Hackers Beware

ToolTalk Buffer Overflow

Inadequate boundary checks allow stack data to be overwritten by user data.

Exploit Details:

•Name: ToolTalk Buffer Overflow

•Operating System: Solaris, AIX, HP-UX, IRIX, and others

•Protocols/Services: TCP, usually high Remote Procedure Call (RPC) ports

The ToolTalk buffer overflow is a remote buffer overflow that allows arbitrary code to be run with superuser privileges on the target computer. This exploit is used to gain control of a remote computer over a network connection. The attacker connects to the ToolTalk RPC service and sends it a specially crafted message that overflows an internal buffer in the program and causes it to execute instructions that are contained in the message.

This attack affects most versions of UNIX and its variants that run the ToolTalk service, including Solaris x86/Sparc, AIX, HP-UX, IRIX, and several Common Desktop Environment (CDE) distributions.

Protocol Description

Remote Procedure Calls (RPCs) allow computers on a network to share resources and computational power. RPC rides on top of the TCP/IP protocol stack as an application protocol. RPC services are dynamic by nature, receiving their run-time port numbers from the portmapper service. The portmapper service is a program that runs on UNIX that maps port numbers to services. This is different than other services that run on static ports like SMTP, which runs on 25, or DNS, which runs on port 53.

The ToolTalk attack begins when the attacker connects to the portmapper and requests information about the ToolTalk service. The portmapper returns information to the attacker about the assigned port of the service and the protocol it is using. After this transaction has taken place, the attacker connects to the ToolTalk port and issues a command containing the buffer overflow exploit code. The command is precisely tuned to overflow just enough of the buffer to execute the attacker’s code. After this overflow has been sent to the target system, the attacker’s command is run at the privilege level of the ToolTalk service, which runs as root.

How the Exploit Works

Attackers can download example exploit code from the Bugtraq vulnerability database at Security Focus, located at www.securityfocus.com. The following is the format for using the ToolTalk exploit program:

The most basic version of the running exploit uses just the command name, the target’s IP address, and the command to run on the target host. There are several other options available, including killing the service, connecting using UDP, connecting straight to the ToolTalk port, and storing the datagram that the program would send to a file. Attackers find this last option useful if another program, such as netcat, is to be used to provide interactive access to the target host.

Signature of the Attack

Here are two signature packets of this attack generated from TCPdump:

Initial Portmapper query (0001 86f3 = ToolTalk service num)

22:14:13.347410 10.1.1.2.625 > 10.1.1.1.111: udp 56 (ttl 64,

Exploit packet (801c 4011 = Solaris/Sparc NOP bytecode)

22:14:13.374766 10.1.1.2.626 > 10.1.1.1.32775: P 1:1169(1168)

The first packet shows the portmapper query coming in from the attacking computer. Notable signatures of this packet are the port number of the portmapper in the decoded packet header (port 111) and the ToolTalk RPC service number in the packet payload (0001 86f3).

The exploit packet is the second packet displayed. Again, the ToolTalk RPC service number is in the packet payload. A series of repeating hexadecimal numbers can also be seen, which turns out to be the bytecode value for an NOP instruction on the Sparc architecture. Buffer overflows often contain large numbers of NOP instructions to pad the front of the attacker’s data and simplify the calculation of the value to place into the return pointer.

How to Protect Against It

There are several ways to protect against this attack. Generally speaking, portmapper access from the Internet should be limited, which can be done at the firewall. Additionally, the ToolTalk service is usually run on top of the TCP transport protocol. Configuring a firewall to reject incoming TCP connections to high ports can be an effective method of preventing this, as well as other attacks. However, this does not fix the problem, it just limits the access attackers have.

The best way to fix the problem and remove the vulnerability is to apply vendor patches for the affected versions of the service. Also, if you are running an older version of the software, upgrading to the latest version can fix the problem.

Source Code/Pseudo Code

Source code for this attack can be found at Security Focus, http://www.securityfocus.com.

As you can imagine, based on the description, the source code of this attack is quite complex. The pseudo code is outlined here to give you an idea of how the exploit works:

overflow causes service to exec /bin/ksh -c <user command>

Additional Information

More information about this exploit can be found in the Security Focus Bugtraq vulnerability database. The CERT advisory for this exploit can be found at www.cert.org. The original development work on this exploit was done by Network Associates and can be found on their web site. The following is a list of the web sites:

•http://www.securityfocus.com vulnerability database

•http://www.cert.org/advisiories/CA-98.11.tooltalk.html

•http://www.nai.com/nai_labs/asp_set/advisory/29_ttdbserver_adv. asp

IMAPD Buffer Overflow

Inadequate boundary check allows stack data to be overwritten by user data.

Exploit Details:

•Name: IMAPD Buffer Overflow

•CVE Number: CVE-1999-0042

•Software Version(s): University of Washington IMAPD 10.234 and earlier

•Protocols/Services: TCP, port 143

Internet Message Access Protocol (IMAP) is a method of accessing email or bulletin board messages that are kept on a mail server. The IMAPD buffer overflow is used to gain control of a remote computer over a network connection. The attacker connects to the IMAPD mail service and sends it a specially crafted message that overflows an internal buffer in the program, causing it to execute machine instructions in the message. This attack affects all versions of WU-IMAPD up to and including version 10.234.

Protocol Description

IMAPD is an email service that allows users to retrieve and manage all of their email remotely. It allows users to manage their email using a serverbased paradigm. IMAPD permits a client email program to access remote message stores as if they were local. Email stored on an IMAP server can be manipulated from a desktop computer at home, a workstation at the office, or a notebook computer while traveling, without the need to transfer messages or files back and forth between these computers. IMAP stores all user email and handles email management on the server side. One feature of IMAP is the choice of a number of authentication

mechanisms. The incorrect implementation of the authentication subsystem is the root cause of this exploit.

Detailed Description

The attacker begins an IMAP attack by connecting to port 143, which is the port that the IMAP daemon runs on. After the connection is established, the attacker has to authenticate to the server to access his mail. If the attacker uses the default authentication and issues an oversized AUTHENTICATE larger than 1024 bytes, he can overflow the buffer. The command is precisely tuned to overflow just enough of the buffer to execute the attacker’s code. The initial content of the authentication command contains the exploit code that the attacker wants to run. After this overflow has been sent to the target system, the attacker’s command is run at the privilege level of the IMAP service, which usually runs as root.

How to Use It

Example exploit code for both Linux and BSD variants can be downloaded from the Bugtraq vulnerability database at Security Focus, www.securityfocus.com. For an attacker to run the exploit, an intermediary program is needed. In this situation, and many other buffer overflow exploits, netcat is used. netcat provides a simple transmission pipeline and allows the attacker to run the exploit and maintain a usable terminal interface with the remote computer.

After the exploit has run successfully, the attacker is left staring at a blank line. A good command-line tool to check that the attack has indeed succeeded is ID. ID tells the attacker what his current privilege level is and confirms that he has established a good command-line interface with the remote target. This is the default command that is run by the exploit, but that command can easily be replaced by something like opening an xterm or adding an entry to the /etc/passwd file.

The following is the command format the attacker uses to run this exploit:

Command format (BSD version): imappy <nop> <esp> <offset>

•<nop>: number of NOPs to prepend to exploit

•<esp>: 32-bit stack pointer value

•<offset>: 32-bit offset to add to esp to calculate the instruction pointer value

Usage (composite command line):

(imappy <nop> <esp> <offset>; cat) | nc hostname 143

From a terminal window on a UNIX machine, an attacker runs the code with the offset of the buffer and pipes it to netcat, which redirects it to the victim’s machine. The following is the code from running this exploit:

Exploit Output:

[elric ~]# (./imappy 403 0xefbfd5e8 100; cat) | nc 10.1.1.2 143/usr/bin/id

uid=0(root) gid=0(root) groups=0(root)

Signature of the Attack

The following is the overflow packet as viewed by TCPdump. It has been cut down, but many of the standard characteristics of buffer overflows can be seen with casual examination. The repeating NOP bytecodes (9090) are generally a dead giveaway, plus the shellcode from the exploit source is plainly visible:

Exploit packet (0x90 = x86 NOP bytecode)

22:46:31.693096 10.1.1.3.21496 > 10.1.1.2.143: . 1:1449(1448)

1488 5619 31c0 b07f 2046 0120 4602

2046

0320 4605 2046 06b0 3b8d 4e0b 89ca

5251

5350 eb18 e8c7 ffff ff2f e2e9 ee2f

f3e8

0101 0101 0202 0202 0303 0303 9a04

0404

0407 044c d6bf ef4c d6bf ef4c d6bf

ef4c

d6bf ef4c d6bf ef4c d6bf ef4c d6bf

ef4c

How to Protect Against It

There are several ways to protect against this attack. The best way is to upgrade the server software to the latest version available. Vendor patches are also available for this attack, but the best policy is an immediate upgrade. Generally speaking, unnecessary access from the public Internet should be limited, which can be done at the firewall. Configuring a firewall to reject incoming TCP connections to port 143 and other ports can be an effective method of preventing this attack. Strong authentication mechanisms, such as Kerberos or SecureID, can also be effective in strengthening the security of a service that allows remote user logins. The following is a summary of the things that can be done to protect against IMAPD exploits:

•Upgrade to a newer version of IMAPD.

•Apply vendor patches.

•Firewall: Filter external IMAPD access if possible.

•Use strong authentication mechanisms (Kerberos, SecureID, and so on)

Source Code/Pseudo Code

Attackers can find the source code for this attack at Packetstorm, http://packetstorm.securify.com.

The source code of this attack is somewhat complex. The code contains the pre-made bytecode, which is combined with an the AUTHENICATE command and sent to standard out by the program. Generally speaking, the attacker establishes a standard TCP connection to the service and then sends the attack bytecode. If the attack is successful, the attacker effectively controls the targeted computer.

The following is the pseudo code of the steps that are performed to run this exploit:

1.Establish TCP connection to port 143.

2.Issue AUTHENTICATE command with exploit bytecode as data.

3.Overflow causes service to execute a user-provided command with root privileges

AOL Instant Messenger Buffer Overflow

AOL Instant Messenger (AIM) configures the system so that the AIM URL protocol connects AIM:// URLs to the AIM client. There is a buffer overflow that exists in parsing of the URL parameters, mainly goim and

screenname.

Exploit Details:

•Name: AOL Instant Messenger Buffer Overflow

•Operating System: Microsoft Windows 98, Microsoft Windows 95, Microsoft Windows NT 4.0, Microsoft Windows NT 2000, and Apple MacOS 9.0

•Protocols/Services: AOL Instant Messenger 3.5.1856, AOL Instant Messenger 4.0, AOL Instant Messenger 4.1.2010, and AOL Instant Messenger 4.2.1193

How It Works

A remote user can overflow the buffer during a memory copy operation and execute arbitrary code by sending a crafted URL, using the AIM protocol, comprised of goim and screenname parameters.

The victim does not need to have AIM running to be attacked. If AIM is inactive and she activates the AIM:// URL by typing the URL into a Web browser or having a program automatically do it for her, the buffer overflow occurs.

This becomes a serious vulnerability because AOL Instant Messenger is bundled with other software like Netscape Communicator and often is installed on a client’s machine without approval. This is why it is so important to know what is running on your system and institute a policy of least privilege. If you do not need a piece of software installed on your machine, it should be removed. In this exploit, even if a victim is not using AIM, but it was installed by another program, the victim is still vulnerable.

How to Protect Against It

The best way to protect against this attack is to remove AOL Instant Messenger from your machine, block it at the firewall, or upgrade to AOL Instant Messenger 4.3.2229 or later.

Source Code/Pseudo Code

The following is the information that an attacker must send via the URL to exploit this vulnerability:

href="aim:goim? screenname=AAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAA&message=EIP,+the+other+white+meat" >here</a><br>

Additional Information

Additional information can be found on this vulnerability at www.securityfocus.com.

AOL Instant Messenger BuddyIcon Buffer Overflow

When AOL Instant Messenger is installed, by default, it configures the system so that the AIM URL protocol connects AIM:// URLs to the AIM client. There is a buffer overflow vulnerability in the parsing of the AIM Buddy icon option.

Exploit Details:

•Name: AOL Instant Messenger BuddyIcon Buffer Overflow

•Operating System: Microsoft Windows 98, Microsoft Windows 95, Microsoft Windows NT 4.0, Microsoft Windows 2000, Microsoft Windows CE 3.0, and Apple MacOS 9.0

•Protocols/Services: AOL Instant Messenger 4.0, 4.1.2010, and 4.2.1193

How It Works

The stack overflow occurs if the source parameter is more than 3000 characters. The buffer overflow occurs because of the parsing of parameters that are associated with the Buddy icon option. This vulnerability is contained in an URL. A user needs to click on the URL (which can be embedded in email, web pages, chat rooms, and so on) for the flaw to be exploited. Exploitation of this vulnerability leads to complete compromise of the target host.

How to Use It

Each AIM:// URL gets passed directly to the AIM client, as if it was put on the command line. Hence, when the attacker types the following into a browser’s address box, Internet Explorer pops up an Instant Message box ready to send to Tom:

aim:goim?Screenname=Tom&Message=goodmorningtom

AOL client software has many vulnerabilities that allow a maliciously crafted URL to overflow internal buffers and obtain control of the program. Arbitrary buddies can be automatically added to an AIM user’s Buddy List by a malicious web page or HTML email. A buffer overflow is demonstrated by typing the following URL into your browser:

aim:goim?=+-restart

Another buffer overflow is demonstrated by an attacker tricking a user into typing the following, where there are more than 3000 A characters:

aim:buddyicon?screenname=abob&groupname=asdf&Src=http://localh

ost/AAA.

How to Protect Against It

If you are an AOL Instant Messenger user and can upgrade, install the latest version of AIM. Or, if you are not a user and find AIM on your system, uninstall it.

If it is not feasible to upgrade or delete AIM, follow these instructions for removing the vulnerable functionality of AIM (for versions prior to 4.3.2229) that allows it to be launched through a malicious URL.

AOL Instant Messenger rewrites the Registry settings when it is launched, thus undoing any protective patches. On a system that can enforce access control on Registry keys, such as Windows NT and Windows 2000, you can perform the following:

1. Set the following key values to be empty:

o HKEY_CLASSES_ROOT\aim\shell\open\command

o HKEY_CLASSES_ROOT\aimfile\shell\open\command o HKEY_CLASSES_ROOT\AIM.Protocol\CLSID

oHKEY_CLASSES_ROOT\AIM.Protocol.1\CLSID

2.Change the security permissions to be Read-Only on these keys.

This does not work on Windows 95/98/ME systems because there is no mechanism to apply permissions to Registry keys.