Exploit PoC for librelp/rsyslog CVE-2018-1000140.

Author: kevinbackhouse

rsyslog/CVE-2018-1000140_snprintf_librelp/Dockerfile

@@ -0,0 +1,60 @@
+FROM ubuntu:artful
+
+RUN apt-get update && \
+    apt-get install -y \
+      sudo tmux screen emacs git gdb net-tools \
+      python python3 build-essential gcc \
+      cmake bison flex libprotobuf-c-dev libreadline-dev libsqlite3-dev \
+      libssl-dev libunwind-dev libz1 libz-dev make gawk protobuf-c-compiler \
+      uuid-dev liblz4-tool liblz4-dev libprotobuf-c1 libsqlite3-0 \
+      libuuid1 libz1 tzdata ncurses-dev tcl bc dh-autoreconf pkg-config \
+      libgnutls28-dev libcurl4-gnutls-dev python-docutils libgcrypt20-dev \
+      iproute2 nmap gnutls-bin
+
+RUN mkdir /opt/work
+COPY build-all.sh /opt/work/
+COPY benevolent/ /opt/work/benevolent/
+COPY malicious/ /opt/work/malicious/
+WORKDIR /opt/work
+
+RUN git clone https://github.com/rsyslog/libee.git
+RUN git clone https://github.com/rsyslog/libestr.git
+RUN git clone https://github.com/rsyslog/libfastjson.git
+RUN git clone https://github.com/rsyslog/liblogging.git
+RUN git clone https://github.com/rsyslog/librelp.git
+RUN git clone https://github.com/rsyslog/rsyslog.git
+
+# Checkout versions with the bug
+WORKDIR /opt/work/libee
+RUN git checkout 1569d91bf33101f012cfc5b25beea68f2c6e25f2
+WORKDIR /opt/work/libestr
+RUN git checkout 75ea6e3b5a2187dbe48e7f5cec82311ca3a09c22
+WORKDIR /opt/work/libfastjson
+RUN git checkout v0.99.8
+WORKDIR /opt/work/liblogging
+RUN git checkout 5602f9dacbfc8e1912aa25f9e27be6aac13ac4ce
+WORKDIR /opt/work/librelp
+RUN git checkout v1.2.14
+WORKDIR /opt/work/rsyslog
+RUN git checkout v8.33.1
+
+WORKDIR /opt/work
+RUN ./build-all.sh
+
+# switch over to the 'semmle_build' user, since root access is no longer required
+RUN addgroup semmle_build --gid 1001
+RUN adduser semmle_build --disabled-password --uid 1001 --gid 1001
+RUN adduser semmle_build sudo
+RUN echo "semmle_build:x" | chpasswd
+RUN chown -R semmle_build:semmle_build /opt/work
+
+USER semmle_build
+ENV HOME /opt/work
+WORKDIR /opt/work/benevolent/certs
+RUN pwd 1>&2
+RUN ls -al 1>&2
+RUN ./create-certs.sh
+WORKDIR /opt/work/malicious/kevcertz
+RUN pwd
+RUN ./create-certz.sh
+WORKDIR /opt/work/

rsyslog/CVE-2018-1000140_snprintf_librelp/README.md

@@ -0,0 +1,68 @@
+# Docker
+
+To build and run the Dockerfile:
+
+```
+docker build . -t kev-rsyslog
+docker network create -d bridge --subnet 172.25.0.0/16 kev-rsyslog-network
+```
+
+In terminal 1, start a container for the server:
+
+```
+docker run --network=kev-rsyslog-network --ip=172.25.0.10 -h rsyslog-server -i -t kev-rsyslog
+```
+
+If you want to use `gdb` to see the server crash, then start the server like this:
+
+```
+docker run --network=kev-rsyslog-network --ip=172.25.0.10 -h rsyslog-server --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -i -t kev-rsyslog
+```
+
+In terminal 2, start a container for the benevolent client:
+
+```
+docker run --network=kev-rsyslog-network --ip=172.25.0.20 -h rsyslog-client -i -t kev-rsyslog
+```
+
+In the docker container for the benevolent client (terminal 1):
+
+```
+sudo rsyslogd -f benevolent/rsyslog-server.conf
+```
+
+In the docker container for the server (terminal 2), start the benevolent client:
+
+```
+sudo rsyslogd -f benevolent/rsyslog-client.conf
+```
+
+To see that the client has connected to the server:
+
+```
+sudo netstat -ntp
+```
+
+This will show something like this:
+
+```
+Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
+tcp       90      0 172.25.0.20:38866       172.25.0.10:2514        ESTABLISHED 28/rsyslogd
+```
+
+In terminal 3, start a container for the malicious client:
+
+```
+docker run --network=kev-rsyslog-network --ip=172.25.0.30 -h rsyslog-client -i -t kev-rsyslog
+```
+
+In the docker container for the malicious client (terminal 3):
+
+```
+sudo rsyslogd -f malicious/rsyslog-client.conf
+```
+
+
+Instructions for using TLS with rsyslog:
+
+https://www.rsyslog.com/using-tls-with-relp/

rsyslog/CVE-2018-1000140_snprintf_librelp/benevolent/certs/ca.config

@@ -0,0 +1,46 @@
+[ req ]
+default_bits        = 2048
+distinguished_name  = dn
+x509_extensions     = san
+req_extensions      = san
+extensions          = san
+prompt              = no
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+private_key   = root-ca-key.pem
+certificate   = root-ca.pem
+new_certs_dir = new_certs
+database      = root-ca.index
+default_md    = sha256
+serial        = root-ca.serial
+email_in_dn   = no
+default_days  = 365
+policy        = policy
+
+[ policy ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+
+[ dn ]
+countryName         = US
+stateOrProvinceName = CA
+localityName        = San Francisco
+organizationName    = Wholesome Certifications Inc.
+commonName          = wholesomecertifications.com
+emailAddress        = webmaster@wholesomecertifications.com
+
+[ san ]
+basicConstraints     = CA:TRUE
+subjectAltName       = @alt_names
+subjectKeyIdentifier = hash
+
+[ alt_names ]
+DNS.1 = *.wholesomecertifications.com
+DNS.2 = *.wholesomecerts.com

rsyslog/CVE-2018-1000140_snprintf_librelp/benevolent/certs/clean.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+# Delete all auto-generated files.
+
+rm -f *~
+rm -rf new_certs
+rm -f root-ca*
+rm -f server-*.pem
+rm -f client-*.pem

rsyslog/CVE-2018-1000140_snprintf_librelp/benevolent/certs/client.config

@@ -0,0 +1,45 @@
+[ req ]
+default_bits        = 2048
+distinguished_name  = dn
+x509_extensions     = client_ext
+req_extensions      = client_ext
+extensions          = client_ext
+prompt              = no
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+private_key   = root-ca-key.pem
+certificate   = root-ca.pem
+new_certs_dir = new_certs
+database      = root-ca.index
+default_md    = sha256
+serial        = root-ca.serial
+email_in_dn   = no
+default_days  = 365
+policy        = policy
+
+[ policy ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+
+[ dn ]
+countryName         = US
+stateOrProvinceName = CA
+localityName        = San Francisco
+organizationName    = Wholesome Computing Inc.
+commonName          = client.wholesomecomputing.com
+emailAddress        = webmaster@wholesomecomputing.com
+
+[ client_ext ]
+basicConstraints     = CA:FALSE
+subjectAltName       = @alt_names
+subjectKeyIdentifier = hash
+
+[ alt_names ]
+DNS.1 = *.wholesomecomputing.com

rsyslog/CVE-2018-1000140_snprintf_librelp/benevolent/certs/create-certs.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+mkdir new_certs
+touch root-ca.index
+touch root-ca.index.attr
+echo 00 > root-ca.crlnum
+openssl rand -hex 16 > root-ca.serial
+
+# create self-signed certificate
+openssl req -config ca.config -new -x509 -sha256 -newkey rsa:2048 -nodes \
+    -keyout root-ca-key.pem -days 365 -out root-ca.pem
+
+# Create signing request for the server
+openssl req -config server.config -new -sha256 -newkey rsa:2048 -nodes \
+    -keyout server-key.pem -days 365 -out server-request.pem
+
+# Create signed certificate for the server
+openssl ca -config server.config -batch -days 365 -extensions server_ext -out server-cert.pem -infiles server-request.pem
+
+# Create signing request for the client
+openssl req -config client.config -new -sha256 -newkey rsa:2048 -nodes \
+    -keyout client-key.pem -days 365 -out client-request.pem
+
+# Create signed certificate for the client
+openssl ca -config client.config -batch -days 365 -extensions client_ext -out client-cert.pem -infiles client-request.pem

rsyslog/CVE-2018-1000140_snprintf_librelp/benevolent/certs/server.config

@@ -0,0 +1,45 @@
+[ req ]
+default_bits        = 2048
+distinguished_name  = dn
+x509_extensions     = server_ext
+req_extensions      = server_ext
+extensions          = server_ext
+prompt              = no
+
+[ ca ]
+default_ca = ca_default
+
+[ ca_default ]
+private_key   = root-ca-key.pem
+certificate   = root-ca.pem
+new_certs_dir = new_certs
+database      = root-ca.index
+default_md    = sha256
+serial        = root-ca.serial
+email_in_dn   = no
+default_days  = 365
+policy        = policy
+
+[ policy ]
+countryName             = optional
+stateOrProvinceName     = optional
+localityName            = optional
+organizationName        = optional
+organizationalUnitName  = optional
+commonName              = supplied
+
+[ dn ]
+countryName         = US
+stateOrProvinceName = CA
+localityName        = San Francisco
+organizationName    = Wholesome Computing Inc.
+commonName          = server.wholesomecomputing.com
+emailAddress        = webmaster@wholesomecomputing.com
+
+[ server_ext ]
+basicConstraints     = CA:FALSE
+subjectAltName       = @alt_names
+subjectKeyIdentifier = hash
+
+[ alt_names ]
+DNS.1 = *.wholesomecomputing.com

rsyslog/CVE-2018-1000140_snprintf_librelp/benevolent/rsyslog-client.conf

@@ -0,0 +1,12 @@
+module(load="imuxsock")
+module(load="omrelp")
+module(load="imtcp")
+input(type="imtcp" port="514")
+action(type="omrelp" target="172.25.0.10" port="2514"
+  tls="on"
+  tls.caCert="/opt/work/benevolent/certs/root-ca.pem"
+  tls.myCert="/opt/work/benevolent/certs/client-cert.pem"
+  tls.myPrivKey="/opt/work/benevolent/certs/client-key.pem"
+  tls.authmode="name"
+  tls.permittedpeer=["server.wholesomecomputing.com"]
+ )

rsyslog/CVE-2018-1000140_snprintf_librelp/benevolent/rsyslog-server.conf

@@ -0,0 +1,14 @@
+$DebugFile /opt/work/log.txt
+$DebugLevel 2
+
+module(load="imuxsock")
+module(load="imrelp" ruleset="relp")
+input(type="imrelp" port="2514"
+  tls="on"
+  tls.caCert="/opt/work/benevolent/certs/root-ca.pem"
+  tls.myCert="/opt/work/benevolent/certs/server-cert.pem"
+  tls.myPrivKey="/opt/work/benevolent/certs/server-key.pem"
+  tls.authMode="name"
+  tls.permittedpeer=["client.wholesomecomputing.com"]
+ )
+ruleset (name="relp") { action(type="omfile" file="/var/log/relp_log") }

rsyslog/CVE-2018-1000140_snprintf_librelp/build-all.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+buildone() {
+  cd $1
+  autoreconf -fvi
+  ./configure $2 --enable-debug
+  make
+  make install
+  cd ..
+}
+
+buildone libestr
+buildone libee
+buildone libfastjson
+buildone liblogging
+buildone librelp --prefix=/usr
+buildone rsyslog --enable-relp