
2002012101: DeleGate Application Proxy - Multiple Vulnerabilities

by Nikola Strahija on February 8th, 2002

Global InterSec found a number of vulnerabilities in the various proxy components, all of which could lead to remote command execution and privilege escalation.


Summary:

DeleGate - A popular application layer proxy contains
a number of buffer overflows which are remotely exploitable.

Impact:

A remote attacker may execute arbitrary commands.

Versions:

All through to the current version.

Description:

DeleGate is made up from several components which
together proxy various services. These include pop,
http and https.

Global InterSec found a number of vulnerabilities in
the various proxy components, all of which could lead
to remote command execution and privilege escalation.

DeleGate seems to have quite a history of problems
(see Credit section) and potentially many more
vulnerabilities than are described within this advisory.
The author has addressed many of the previous problems
by attempting to randomise the stack area. However, as
we have proved, this work-around is no substitute for
rewriting the vulnerable areas of code.

Less serious vulnerabilities also exist in DeleGate, including
real-path disclosure within chrooted ftp environments
and cross-site scripting vulnerabilities in DeleGate's http(s)
proxy code.

Due to the sheer number of exploitable vulnerabilities we
found, we've opted to release a single advisory, exemplifying
one of the issues.

Scope for attack:

Proxies are often placed on networks to protect sensitive
systems and networks from exposure to public networks.
To this end, systems running proxies are often in privileged
parts of networks, where they are able to proxy services on
more sensitive systems, whether they be in a DMZ or otherwise.

In the case of the POP proxy overflow, exploitation requires
no authentication. The only constraint may be tcp wrapping
for that service.

Successful exploitation of the buffer overflows within the
popper proxy code would lead to an ability to execute commands
as the user of the daemon process. By default this is nobody;
however, DeleGate can be configured to run as any user.

Work around:

If DeleGate is critical to your network's operation, we suggest
the use of tcp wrappers as a TEMPORARY solution, until an alternate
solution is found. In the case of ftp/http/https we suggest the use
of squid.

URL: http://www.squid-cache.org/

tcpproxy is also available, however it is not an application gateway
level proxy, simply forwarding tcp connections.

URL: http://www.quietsche-entchen.de/software/tcpproxy.html

Credit:

Vulnerabilities detailed in this advisory were discovered by
Tom Parker (Global InterSec LLC).

Previous vulnerabilities in DeleGate
http://www.synnergy.net/downloads/exploits/delegate.c
http://www.securiteam.com/exploits/3W5Q2RFQ0E.html

The existence of an exploit for the current release of DeleGate is rumoured.


Vendor Status:

None as yet.
It seems the author's answer to most of the problems
previously found in DeleGate has been work-arounds such
as his stack randomisation functions, so don't hold
your breath for an official patch.

Global InterSec *are* working on a diff file to solve
some of the problems - however, due to the sheer number
of them it won't be available immediately.

When available it will be linked to at the url at the
top of this advisory.

Exploits (Proof of concept):

As described above, the below proof of concept details
DeleGate's function as a POP proxy.

The SIGSEGV below occurs due to the use of a globally declared
array size, i.e.:
pop.c:28:#define LNSIZE 1024
This is used to set the sizes of a number of arrays, including
those holding the username and password.

As with many of the vulnerabilities in DeleGate, a SIGSEGV occurs
when attempting to strcpy() unexpectedly long strings.
In spite of the attempts DeleGate makes to randomise the stack, we
were successful in overwriting the extended instruction pointer (EIP).
Although the stack randomisation functions make things harder, they
do not make arbitrary command execution impossible.

Attacking target `xxx.xxxx.xxx.xxx`:
: +OK Proxy-POP server (DeleGate/7.7.1 by [email protected]) at xxx.xxx.xxx.xxx starting.
Sleeping for 20 seconds, attach gdb ;-)

[email protected]:/home/foo/delegate7.7.1/src > ps -ax | grep DeleGate
30215 ? S 0:00 DeleGate -{016+00:foo.bar.com}[pop://-/]-Pxxx.xxx.xxx.xxx:110 --
[email protected]:/home/foo/delegate7.7.1/src > gdb delegated

GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-suse-linux"...

(gdb) at 30215
Attaching to program: /home/foo/delegate7.7.1/src/delegated, Pid 30179
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_compat.so.2...done.
Loaded symbols for /lib/libnss_compat.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_dns.so.2...done.
Loaded symbols for /lib/libnss_dns.so.2
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
0x40101167 in poll () from /lib/libc.so.6

-> USER AAAAAAAAAAAA

(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) print $eip
$1 = (void *) 0x41414141
(gdb)

In the case of a *real* exploit, the EIP could be a pointer to
the attacker's shellcode, which would already be in memory.

Exploit:
Yea right ;-)

Legal:
This advisory is the intellectual property of Global InterSec LLC
but may be freely distributed with the conditions that:

a) no fee is charged
b) appropriate credit is given.
c) distribution of the advisory does not break NDAs issued by GIS.
Global InterSec LLC 2002
