Oct 20 2011

Researching UnrealIRCd

When I was a teenager I remember using IRC a lot. I remember a short period of time when I wanted to have my own IRC server, so I looked for an IRCd and found UnrealIRCd. I quickly installed it on my computer and started sharing my brand new IRC server with friends (so what if I only had a 56k connection?).

Today I'm a bit older, and I'm no longer interested in owning the greatest IRC server of all time (it could be nice though). Still, I decided to take a look at that old open source project, security-wise.

After a quick look, I found a local stack overflow vulnerability in the parsing of the configuration file.

The bug

Apparently, when UnrealIRCd writes a configuration error to the log file, it doesn't check the length of the message. The vulnerable function is:

void config_error(char *format, ...)
{
	va_list		ap;
	char		buffer[1024];
	char		*ptr;

	va_start(ap, format);
	vsprintf(buffer, format, ap);
	va_end(ap);
	if ((ptr = strchr(buffer, '\n')) != NULL)
		*ptr = '\0';
	if (!loop.ircd_booted)
#ifndef _WIN32
		fprintf(stderr, "[error] %s\n", buffer);
#else
		win_log("[error] %s", buffer);
#endif
	else
		ircd_log(LOG_ERROR, "config error: %s", buffer);
	sendto_realops("error: %s", buffer);
	/* We cannot live with this */
	config_error_flag = 1;
}

As you can see on line 8, the unsafe function vsprintf is called with an output buffer of 1024 bytes, and we all know what happens if the output message is longer than 1024 bytes… STACK OVERFLOW!

But can we control the log message? Yes we can.
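For comparison, here is an added example (my own code, not UnrealIRCd's) of what the bounded version of this function looks like: the same 1024-byte stack buffer, but formatted with vsnprintf so an over-long message is truncated rather than written past the buffer. The logging back-ends are replaced by a hypothetical output parameter and a returned length so the behaviour can be checked.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not UnrealIRCd code: a bounded rewrite of config_error().
 * The message is formatted with vsnprintf() into the same 1024-byte stack
 * buffer, so a message longer than the buffer is truncated instead of being
 * written past it. The logging back-ends (fprintf/win_log/ircd_log) are
 * replaced by a copy into 'out' (assumed >= 1024 bytes); the logged length is returned. */
size_t config_error_fixed(char *out, const char *format, ...)
{
	va_list ap;
	char buffer[1024];
	char *ptr;
	int n;

	va_start(ap, format);
	n = vsnprintf(buffer, sizeof buffer, format, ap); /* bounded, always NUL-terminated */
	va_end(ap);
	if (n < 0)
		buffer[0] = '\0'; /* encoding error: log an empty message rather than garbage */
	/* Same newline handling as the original */
	if ((ptr = strchr(buffer, '\n')) != NULL)
		*ptr = '\0';
	memcpy(out, buffer, strlen(buffer) + 1);
	return strlen(buffer);
}

/* Demo helper: logs a constructed option name of name_len 'A's using the same
 * "Unknown link option" message the post triggers, and returns the logged
 * length, which the fix caps at sizeof(buffer) - 1 = 1023 bytes. */
size_t demo_unknown_option(size_t name_len)
{
	char out[1024];
	char name[4096];
	if (name_len >= sizeof name)
		name_len = sizeof name - 1;
	memset(name, 'A', name_len);
	name[name_len] = '\0';
	return config_error_fixed(out, "%s:%d: Unknown link option '%s'",
	                          "unrealircd.conf", 324, name);
}

int main(void)
{
	printf("5 A's -> %zu bytes logged\n", demo_unknown_option(5));
	printf("3000 A's -> %zu bytes logged (truncated)\n", demo_unknown_option(3000));
	return 0;
}
```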

How to exploit?

First, we need to find a message of which we control the whole thing, or at least part of it.

After installing and running UnrealIRCd, I found out that the example configuration file throws several errors (I downloaded the version without SSL, and the example configuration uses SSL). So I got a nice message telling me that one of the links (indicating the link name) had an error. I decided to remove the SSL option from the link block and add a new option named “DiGMi”. Meaning, my configuration now has a section which looks like this:

link            DiGMi.org
{
	username	*;
	bind-ip 	*;
	port 		7029;
	hub             *;
	password-connect "LiNk";
	password-receive "LiNk";
	class           servers;
		options {
			/* Note: You should not use autoconnect when linking services */
			DiGMi;
		};
};

After running the server, I got the following error message:

[error] unrealircd.conf:324: Unknown link option 'DiGMi'

So we really can control the message; let's try to overflow it!

Instead of DiGMi I wrote a lot of “A”s (like every good hacker does) and started debugging the server using OllyDbg. Sadly, I found out that the server was compiled with security cookies, so such a simple exploitation method won't work.

Overwriting the SEH

Because I couldn't just change the return address on the stack, I had to find another way to set the EIP register. A good way to do so on Windows is overwriting the SEH (Structured Exception Handler).

The SEH is located on the stack, and its job is to tell the OS which code to run in case of an exception. I scrolled all the way down in the stack view in OllyDbg and found the SEH just sitting there, a few thousand bytes away, waiting to be overwritten.

Can we overwrite that much? Why not? What's limiting us?

So I again added a lot of “A”s to my newly made option, and after 2266 of them I was just about to overwrite the exception handler address, so instead of “A”s I switched to “B”s (just to mark the location).

But that's not enough. We only changed the exception handler, and if no exception is thrown it won't do us any good. So we need to throw an exception; how can we do that?

That's right, just keep on overwriting until we fill the whole stack. And so I did. After overwriting enough bytes, OllyDbg finally gave me the wonderful message: Look at that EIP...

(Remember those 4 “B”s?)

Meaning now I can control EIP…

At that point I stopped working on it, because the next steps are a bit boring and it should be easy enough to inject my own code into the software. Since it's not a remote exploit, it just isn't interesting enough to keep looking into.

Oct 11 2011

A wrong grasp of security – The conclusion

A few days ago, I wrote about a bad licensing design and mentioned that I had sent the company an email about their problem and recommended a way to improve their licensing method. Today I received a “thank you” response, and they told me how they plan to fix it using a third-party licensing module (why build something yourself if someone has already done it?).

Of course, I wasn't going to use the cracked version of the product, and I sent them a request to purchase it (in a different email). I received a response to that email as well, which read as follows:

Hi again DiGMi,

I know you now have the key by decompiling the code and appreciate the feedback and honesty. Please continue to use the key as you wish as a token of our appreciation.

For future reference, the option to remove branding is now available:

Thanks again and best wishes,
John Doe

The conclusion: doing the right thing can benefit you in many ways, even financially.

Oct 8 2011

A wrong grasp of security

Lately I started using Sitefinity CMS (a cool .NET CMS by Telerik, a bit expensive though). Like many other CMS providers, they have their own marketplace where you can buy modules and widgets for your CMS.

I was interested in one of the widgets, which was developed by a third-party company (in order to prevent abuse, the name of the company won't be mentioned). I was glad to find out that they provide the widget for free, so I just downloaded it and installed it in my development environment. When I restarted the CMS and tried to use the widget, I discovered something my mom used to say to me as a child: “There are no free gifts”. Of course, under the widget there was a copyright notice indicating that this is a free version, with links to the company's site where you can buy the product without this advertisement.

Now, just to make it clear: if I'll be using this product, I will buy it. But still, I wanted to look around and see how hard it would be to remove this annoying advertisement. Sitefinity is written in .NET, so this widget was written in .NET as well. Meaning: Reflector can be a great help. And it was. I analysed the provided DLL with Reflector and was amazed when I found the BrandLicense class inside the DLL.

This class contains a static method named ValidatedLicense, which looks more or less like the following:

public static bool ValidatedLicense(/* ... */)
{
    // ...
    return (ConfigurationManager.AppSettings["WidgetName.License"] == "12345678901234567890123456789012");
}

The license key and the appSettings key have been changed for this post. At least the real key is not that easy to guess.

So basically the first thing I tried was to add the following to my web.config:

 <add key="WidgetName.License" value="12345678901234567890123456789012"/>

When I restarted the CMS and looked at the place where the widget was located, the advertisement was gone.

I sent an email to the company that created this widget, telling them how easy it was to crack it, that they will probably want to use asymmetric encryption in order to store the key, and that they should at least try to obfuscate the code so it won't be that easy. I'm hoping they will fix it soon.