Debian Bug report logs - #506179
no-ip: remote code execution vulnerability

Package: no-ip; Maintainer for no-ip is (unknown);

Reported by: Raphael Geissert <atomo64@gmail.com>

Date: Wed, 19 Nov 2008 02:48:02 UTC

Severity: grave

Tags: security

Found in version no-ip/2.1.1-4

Fixed in version no-ip/2.1.7-11

Done: Andres Mejia <mcitadel@gmail.com>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#506179; Package no-ip. (Wed, 19 Nov 2008 02:48:04 GMT)

Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <atomo64@gmail.com>
To: submit@bugs.debian.org
Subject: no-ip: remote code execution vulnerability
Date: Tue, 18 Nov 2008 20:43:25 -0600
Source: no-ip
Severity: grave
Version: 2.1.1-4
Tags: security

Hi,

An exploit[1] has been published for the no-ip DUC.

At the moment there's not much other information than the one provided in the 
exploit, which I can summarise as:

The exploit relies on DNS poisoning or man in the middle attacks to fake the 
server's response.
Once this has been done the exploit waits for an IP check, to then prepare the 
shellcode to send, which requires knowledge of the memory offset of the 
buffer, which must of course be static and determined for each build. 
After the client receives a faked IP to force an update the exploit delivers 
the shellcode, which is executed because of a buffer overflow when processing 
the server's response.

If you fix the vulnerability please also make sure to include the CVE id when 
one is assigned in the changelog entry.

[1]http://www.milw0rm.com/exploits/7151

Cheers,
-- 
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net

Information forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#506179; Package no-ip. (Wed, 19 Nov 2008 18:57:02 GMT)

Acknowledgement sent to Avi Rozen <avi.rozen@gmail.com>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>. (Wed, 19 Nov 2008 18:57:02 GMT)

Message #8 received at 506179@bugs.debian.org:

From: Avi Rozen <avi.rozen@gmail.com>
To: Raphael Geissert <atomo64@gmail.com>, 506179@bugs.debian.org
Subject: Re: Bug#506179: no-ip: remote code execution vulnerability
Date: Wed, 19 Nov 2008 20:54:24 +0200

I've pushed a fix[1] for this vulnerability, based on analysis of the
exploit and the no-ip client code, and some limited local experiments.

Note that I couldn't get a working reverse shell - I suspect the
exploit itself is buggy, but I have no time to debug it...

Thanks,
Avi.

[1]http://git.debian.org/?p=collab-maint/no-ip.git;a=commit;h=60ed93621ff36d9731ba5d9f9336d6eb91122302

Information forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#506179; Package no-ip. (Thu, 20 Nov 2008 18:27:03 GMT)

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>. (Thu, 20 Nov 2008 18:27:04 GMT)

Message #13 received at 506179@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Avi Rozen <avi.rozen@gmail.com>, 506179@bugs.debian.org
Cc: Raphael Geissert <atomo64@gmail.com>
Subject: Re: Bug#506179: no-ip: remote code execution vulnerability
Date: Thu, 20 Nov 2008 19:20:26 +0100
Hi,
* Avi Rozen <avi.rozen@gmail.com> [2008-11-19 20:17]:
[...] 
> [1]http://git.debian.org/?p=collab-maint/no-ip.git;a=commit;h=60ed93621ff36d9731ba5d9f9336d6eb91122302

Looks good, please upload.
BTW, you should use size_t instead of int for a length 
field. In this case it doesn't matter as you catch len = 0 
before it can become negative....

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#506179; Package no-ip. (Thu, 20 Nov 2008 21:00:07 GMT)

Acknowledgement sent to Avi Rozen <avi.rozen@gmail.com>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>. (Thu, 20 Nov 2008 21:00:08 GMT)

Message #18 received at 506179@bugs.debian.org:

From: Avi Rozen <avi.rozen@gmail.com>
To: Nico Golde <nion@debian.org>
Cc: 506179@bugs.debian.org, Raphael Geissert <atomo64@gmail.com>
Subject: Re: Bug#506179: no-ip: remote code execution vulnerability
Date: Thu, 20 Nov 2008 22:58:54 +0200
Nico Golde wrote:
> Looks good please upload.
>   

Thanks, but I'm just the resident code monkey ;-)
Otavio should upload.

> BTW, you should use size_t instead of int for a length 
> field.
>   

True. Pushed a fix.

Cheers,
Avi.
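
An added illustration of the length handling discussed in this exchange; it is not the no-ip fix (that commit is not reproduced in this log) and not code from any participant. The helper `copy_line_bounded`, the `demo_result` struct and the sample response are hypothetical and constructed: one line of an untrusted server response is copied into a fixed buffer with `size_t` lengths, so an oversized reply is truncated instead of overflowing.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper, not the noip2 source: copy one line of an untrusted
 * server response into dst, writing at most dst_size bytes including the NUL.
 * Lengths are size_t, so they cannot go negative and then be reinterpreted
 * as a huge unsigned count. Returns the number of input bytes consumed. */
size_t copy_line_bounded(const char *src, size_t src_len,
                         char *dst, size_t dst_size, int *truncated)
{
    size_t in = 0, out = 0;

    *truncated = 0;
    if (dst_size == 0)
        return 0;                       /* no room even for the terminator */
    while (in < src_len && src[in] != '\n') {
        if (out + 1 < dst_size)
            dst[out++] = src[in];       /* room left, one byte kept for NUL */
        else
            *truncated = 1;             /* drop the excess, never overflow */
        in++;
    }
    if (in < src_len)
        in++;                           /* consume the newline itself */
    dst[out] = '\0';
    return in;
}

struct demo_result { size_t consumed, stored; int truncated, canary_ok; };

/* Constructed input: a 100-byte line offered to an 8-byte buffer that is
 * followed by a canary, which must survive the copy untouched. */
struct demo_result demo_oversized_line(void)
{
    struct { char buf[8]; char canary[4]; } s;
    char resp[101];
    struct demo_result r;

    memset(resp, 'A', 100);
    resp[100] = '\n';
    memcpy(s.canary, "SAFE", 4);
    r.consumed = copy_line_bounded(resp, sizeof resp, s.buf, sizeof s.buf,
                                   &r.truncated);
    r.stored = strlen(s.buf);
    r.canary_ok = memcmp(s.canary, "SAFE", 4) == 0;
    return r;
}
```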






Information forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#506179; Package no-ip. (Fri, 21 Nov 2008 01:42:02 GMT)

Acknowledgement sent to Andres Mejia <mcitadel@gmail.com>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>. (Fri, 21 Nov 2008 01:42:03 GMT)

Message #23 received at 506179@bugs.debian.org:

From: Andres Mejia <mcitadel@gmail.com>
To: 506179@bugs.debian.org
Subject: Fwd: Bug#506179: no-ip: remote code execution vulnerability
Date: Thu, 20 Nov 2008 20:38:25 -0500
I'll upload to unstable. Will someone be handling the upload to stable?

-- 
Regards,
Andres

Reply sent to Andres Mejia <mcitadel@gmail.com>:
You have taken responsibility. (Fri, 21 Nov 2008 01:57:06 GMT)

Notification sent to Raphael Geissert <atomo64@gmail.com>:
Bug acknowledged by developer. (Fri, 21 Nov 2008 01:57:07 GMT)

Message #28 received at 506179-close@bugs.debian.org:

From: Andres Mejia <mcitadel@gmail.com>
To: 506179-close@bugs.debian.org
Subject: Bug#506179: fixed in no-ip 2.1.7-11
Date: Fri, 21 Nov 2008 01:47:03 +0000
Source: no-ip
Source-Version: 2.1.7-11

We believe that the bug you reported is fixed in the latest version of
no-ip, which is due to be installed in the Debian FTP archive:

no-ip_2.1.7-11.diff.gz
  to pool/main/n/no-ip/no-ip_2.1.7-11.diff.gz
no-ip_2.1.7-11.dsc
  to pool/main/n/no-ip/no-ip_2.1.7-11.dsc
noip2_2.1.7-11_i386.deb
  to pool/main/n/no-ip/noip2_2.1.7-11_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 506179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andres Mejia <mcitadel@gmail.com> (supplier of updated no-ip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Thu, 20 Nov 2008 19:25:31 -0500
Source: no-ip
Binary: noip2
Architecture: source i386
Version: 2.1.7-11
Distribution: unstable
Urgency: high
Maintainer: Otavio Salvador <otavio@debian.org>
Changed-By: Andres Mejia <mcitadel@gmail.com>
Description: 
 noip2      - client for dynamic DNS service
Closes: 506179
Changes: 
 no-ip (2.1.7-11) unstable; urgency=high
 .
   [ Avi Rozen ]
   * Fixed grave bug: remote code execution vulnerability. (Closes: #506179)

Information forwarded to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>:
Bug#506179; Package no-ip. (Mon, 01 Dec 2008 15:03:05 GMT)

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>. (Mon, 01 Dec 2008 15:03:05 GMT)

Message #33 received at 506179@bugs.debian.org:

From: "Thijs Kinkhorst" <thijs@debian.org>
To: 506179@bugs.debian.org
Subject: this is CVE-2008-5297
Date: Mon, 1 Dec 2008 16:01:17 +0100 (CET)
Hi,

This is CVE-2008-5297. Please mention it in any changelogs, retroactively
if needed.

thanks,
Thijs






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 10:08:14 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 16:57:14 2014; Machine Name: buxtehude.debian.org