104673 2003-06-13  20:27  /3 rader/ KF <dotslash@snosoft.com>
Importerad: 2003-06-13  20:27  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5204>
Ärende: SRT2003-06-12-0853 - ike-scan local root format string issue
(104673) /KF <dotslash@snosoft.com>/----------------
Bilaga (text/plain) i text 104674
104674 2003-06-13  20:27  /130 rader/ KF <dotslash@snosoft.com>
Bilagans filnamn: "SRT2003-06-12-0853.txt"
Importerad: 2003-06-13  20:27  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <5205>
Bilaga (text/plain) till text 104673
Ärende: Bilaga (SRT2003-06-12-0853.txt) till: SRT2003-06-12-0853 - ike-scan local root format string issue
Secure Network Operations, Inc.           http://www.secnetops.com
Strategic Reconnaissance Team               research@secnetops.com
Team Lead Contact                                 kf@secnetops.com

Our Mission:
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.

Quick Summary:
Advisory Number         : SRT2003-06-12-0853
Product                 : ike-scan
Version                 : 1.0 & 1.1
Vendor                  : http://www.nta-monitor.com/ike-scan/
Class                   : Local
Criticality             : Low
Operating System(s)     : *nix, cygwin

High Level Explanation
High Level Description  : Local format string issue in logging functions
What to do              : Please upgrade ike-scan to version 1.2

Technical Details
Proof Of Concept Status : Secure Network Operations does have PoC code
Low Level Description   : 

In the course of performing security assessments and penetration tests 
for their customers, http://www.nta-monitor.com has found that VPN 
systems often provide full access to the internal network which makes 
them tempting targets to an attacker.

In addition, many people assume that their VPN servers are invisible
and  impenetrable which is a dangerous assumption given that research
at NTA  shows that IPsec VPN systems can be discovered and the
manufacturer  identified.

When this potential for discovery and identification is combined with
the fact that several VPN vulnerabilities have been reported in the
past  few months, it would seem to be only a matter of time before
hackers  start to target VPN systems.

With this in mind, NTA took the decision to raise awareness of this 
serious industry problem by producing a white paper on how VPN servers 
can be detected and identified, combined with the development of a 
security-auditing program "ike-scan."

The concepts behind ike-scan can be located in the following pdf.

In a default configuration ike-scan is not suid root. The suid bit is
not set during the install. As an admin you may have been tricked by a 
user that was perhaps higher on the food chain than you and he really 
wanted to use ike-scan so you had to chmod +s /usr/local/bin/ike-scan
for him. In other words there is potential for this to be exploited. 

[root@Immunity root]# su - nobody sh-2.05$ /usr/local/bin/ike-scan ERROR: Could not bind UDP socket to local port 500 You need
to be root, or ike-scan must be suid root to bind to ports below
1024.  Only one process may bind to a given port at any one time.
bind: Permission denied

Recently I started using
(http://www.wirex.com/shop/index.php/cPath/25) Immunix 7+ from the
Wirex folks and lets just say my night has been  ruined a few times
due to their products protection measures. As an  example after
compiling the new version of ike-scan to show how it was no  longer
exploitable, I found that I was unable to pop items off the  stack as
an example. If I were at work rather than home I would show the
example however... FormatGuard kinda threw a wrench into that
idea. =].

[root@Immunity ike-scan-1.1]# ./ike-scan %x ike-scan[7372]: ImmunixOS
format error - mismatch of 0 in syslog() called  by err_print

Even though I am the one finding the vulnerabilities, I certainly
enjoy  having Immunix tell me about the exact function being
exploited when I run  the PoC code that was created for a non
protected machine.

After ike-scan is updated to version 1.2 you should see the following
in  your system logs if someone were to attempt to exploit ike-scan.

Jun 12 20:32:11 Immunity ike-scan[8827]: Starting: /usr/local/bin/ike-scan %x
[root@Immunity ike-scan-1.2]# /usr/local/bin/ike-scan %x
gethostbyname: No such file or directory

If you were on a regular redhat 7.0 machine exploitation would be as 

[root@Immunity ike-scan-1.1]# head 0x82-eat_ike-scan.c

** ike-scan local root exploit
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** [x82@xpl017elz bin]$ ls -al ike-scan
** -rwsr-xr-x   1 root     root       100554 Jun  2 06:23 ike-scan
** [x82@xpl017elz bin]$ ./0x82-eat_ike-scan
**  [+] make /tmp/x82 code.
**  [+] Auto Brute-force mode: gethostbyname: Success
**  [+] Ok, exploited successfully.
**  [+] It's shell !
** bash#

Vendor Status   : This issue was promptly addressed by the vendor fixes
are available at http://www.nta-monitor.com/ike-scan/download.htm
Please upgrade to ike-scan 1.2.

Bugtraq URL     : to be assigned 

This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.
(104674) /KF <dotslash@snosoft.com>/------(Ombruten)