Source: no-ip
Severity: grave
Version: 2.1.1-4
Tags: security
Hi,
An exploit[1] has been published for the no-ip DUC.
At the moment there's not much other information than the one provided in the
exploit, which I can summarise as:
The exploit relies on DNS poisoning or man in the middle attacks to fake the
server's response.
Once this has been done the exploit waits for an IP check, to then prepare the
shellcode to send which requires the knowledge of the memory offset of the
buffer which must of course be static and determined for each build.
After the client receives a faked IP to force an update the exploit delivers
the shellcode, which is executed because of a buffer overflow when processing
the server's response.
If you fix the vulnerability please also make sure to include the CVE id when
one is assigned in the changelog entry.
[1]http://www.milw0rm.com/exploits/7151
Cheers,
--
Raphael Geissert - Debian Maintainer
www.debian.org - get.debian.net
Information forwarded
to debian-bugs-dist@lists.debian.org, Otavio Salvador <otavio@debian.org>: Bug#506179; Package no-ip.
(Wed, 19 Nov 2008 18:57:02 GMT)
Acknowledgement sent
to Avi Rozen <avi.rozen@gmail.com>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>.
(Wed, 19 Nov 2008 18:57:02 GMT)
I've pushed a fix[1] for this vulnerability, based on analysis of the
exploit and the no-ip client code, and some limited local experiments.
Note that I couldn't get a working reverse shell - I suspect the
exploit itself is buggy, but I have no time to debug it...
Thanks,
Avi.
[1]http://git.debian.org/?p=collab-maint/no-ip.git;a=commit;h=60ed93621ff36d9731ba5d9f9336d6eb91122302
Acknowledgement sent
to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>.
(Thu, 20 Nov 2008 18:27:04 GMT)
Hi,
* Avi Rozen <avi.rozen@gmail.com> [2008-11-19 20:17]:
[...]
> [1]http://git.debian.org/?p=collab-maint/no-ip.git;a=commit;h=60ed93621ff36d9731ba5d9f9336d6eb91122302
Looks good please upload.
BTW, you should use size_t instead of int for a length
field. In this case it doesn't matter as you catch len = 0
before it can become negative....
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Acknowledgement sent
to Avi Rozen <avi.rozen@gmail.com>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>.
(Thu, 20 Nov 2008 21:00:08 GMT)
Nico Golde wrote:
> Looks good please upload.
>
Thanks, but I'm just the resident code monkey ;-)
Otavio should upload.
> BTW, you should use size_t instead of int for a length
> field.
>
True. Pushed a fix.
Cheers,
Avi.
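The length handling discussed in this thread (bound every write into the response buffer, and keep the remaining length in a size_t that is checked against zero instead of an int that could go negative), as an added C example. It is not the no-ip client's code or the fix linked above; `fake_conn`, `fake_recv`, `read_response`, `demo` and the 256-byte buffer size are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a socket (hypothetical helper): hands out the
 * "server response" in chunks, the way successive recv() calls would. */
struct fake_conn { const char *data; size_t len, pos, chunk; };
static size_t fake_recv(struct fake_conn *c, char *out, size_t want)
{
    size_t n = c->len - c->pos;          /* bytes the peer still has */
    if (n > c->chunk) n = c->chunk;
    if (n > want) n = want;
    memcpy(out, c->data + c->pos, n);
    c->pos += n;
    return n;                            /* 0 = end of response */
}

/* Store a response in buf[cap] without writing past it; always terminated.
 * `room` is a size_t compared with 0 before each read, so it cannot go
 * "slightly negative" and be passed on as a huge byte count. */
size_t read_response(struct fake_conn *c, char *buf, size_t cap, int *truncated)
{
    size_t used = 0;
    if (cap == 0) { *truncated = 1; return 0; }  /* cap - 1 would wrap */
    for (;;) {
        size_t room = cap - 1 - used;    /* one byte reserved for '\0' */
        if (room == 0) break;            /* buffer full: stop reading */
        size_t n = fake_recv(c, buf + used, room);
        if (n == 0) break;
        used += n;
    }
    buf[used] = '\0';
    *truncated = c->pos < c->len;        /* peer sent more than fits */
    return used;
}

struct result { size_t stored; int truncated, guard_intact; };
/* Constructed input: resp_len bytes of 'A' (at most 1024) sent towards a
 * 256-byte buffer that is followed by guard bytes. */
struct result demo(size_t resp_len)
{
    static char resp[1024];
    struct { char buf[256]; char guard[8]; } s;
    struct result r;
    struct fake_conn c = { resp, resp_len > sizeof resp ? sizeof resp : resp_len, 0, 100 };
    memset(resp, 'A', sizeof resp);
    memset(s.guard, 'Z', sizeof s.guard);
    r.stored = read_response(&c, s.buf, sizeof s.buf, &r.truncated);
    r.guard_intact = memcmp(s.guard, "ZZZZZZZZ", 8) == 0;
    return r;
}
```

An oversized response is cut at 255 bytes and flagged as truncated, and the guard bytes behind the buffer stay untouched.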
Acknowledgement sent
to Andres Mejia <mcitadel@gmail.com>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>.
(Fri, 21 Nov 2008 01:42:03 GMT)
Source: no-ip
Source-Version: 2.1.7-11
We believe that the bug you reported is fixed in the latest version of
no-ip, which is due to be installed in the Debian FTP archive:
no-ip_2.1.7-11.diff.gz
to pool/main/n/no-ip/no-ip_2.1.7-11.diff.gz
no-ip_2.1.7-11.dsc
to pool/main/n/no-ip/no-ip_2.1.7-11.dsc
noip2_2.1.7-11_i386.deb
to pool/main/n/no-ip/noip2_2.1.7-11_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 506179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andres Mejia <mcitadel@gmail.com> (supplier of updated no-ip package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Thu, 20 Nov 2008 19:25:31 -0500
Source: no-ip
Binary: noip2
Architecture: source i386
Version: 2.1.7-11
Distribution: unstable
Urgency: high
Maintainer: Otavio Salvador <otavio@debian.org>
Changed-By: Andres Mejia <mcitadel@gmail.com>
Description:
noip2 - client for dynamic DNS service
Closes: 506179
Changes:
no-ip (2.1.7-11) unstable; urgency=high
.
[ Avi Rozen ]
* Fixed grave bug: remote code execution vulnerability. (Closes: #506179)
Acknowledgement sent
to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Otavio Salvador <otavio@debian.org>.
(Mon, 01 Dec 2008 15:03:05 GMT)