Vulnerability & Exploit Database

Tincd Post-Authentication Remote TCP Stack Buffer Overflow

This module exploits a stack buffer overflow in Tinc's tincd service. After authentication, a specially crafted TCP packet (default port 655) triggers a buffer overflow that allows arbitrary code execution. This module has been tested with tinc-1.1pre6 on Windows XP (custom calc payload) and Windows 7 (windows/meterpreter/reverse_tcp), with tinc version 1.0.19 from the ports of FreeBSD 9.1-RELEASE # 0, and on various other operating systems; see targets. The exploit probably works for all versions <= 1.1pre6. A manually compiled version (1.1.pre6) on Ubuntu 12.10 with gcc 4.7.2 appears to be a non-exploitable crash because of calls to __memcpy_chk, depending on how tincd was compiled. The bug was fixed in version 1.0.21/1.1pre7. While writing this module, the maintainer was advised to start using DEP/ASLR and other protection mechanisms.

Module Name

exploit/multi/vpn/tincd_bof

Authors

  • Tobias Ospelt <tobias [at] modzero.ch>
  • Martin Schobert <schobert [at] modzero.ch>

References

Targets

  • Windows XP x86, tinc 1.1.pre6 (exe installer)
  • Windows 7 x86, tinc 1.1.pre6 (exe installer)
  • FreeBSD 9.1-RELEASE # 0 x86, tinc 1.0.19 (ports)
  • Fedora 19 x86 ROP (NX), write binary to disk payloads, tinc 1.0.20 (manual compile)
  • Fedora 19 x86 ROP (NX), CMD exec payload, tinc 1.0.20 (manual compile)
  • Archlinux 2013.04.01 x86, tinc 1.0.20 (manual compile)
  • OpenSuse 11.2 x86, tinc 1.0.20 (manual compile)
  • Pidora 18 ARM ROP(NX)/ASLR brute force, write binary to disk payloads, tinc 1.0.20 (manual compile with restarting daemon)
  • Pidora 18 ARM ROP(NX)/ASLR brute force, CMD exec payload, tinc 1.0.20 (manual compile with restarting daemon)
  • Crash only: Ubuntu 12.10 x86, tinc 1.1.pre6 (apt-get or manual compile)
  • Crash only: Fedora 16 x86, tinc 1.0.19 (yum)
  • Crash only: OpenSuse 11.2 x86, tinc 1.0.16 (rpm package)
  • Crash only: Debian 7.3 ARM, tinc 1.0.19 (apt-get)

Platforms

  • windows
  • bsd
  • linux
  • unix

Architectures

  • x86
  • cmd
  • armle

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/vpn/tincd_bof
msf exploit(tincd_bof) > show targets
    ...targets...
msf exploit(tincd_bof) > set TARGET <target-id>
msf exploit(tincd_bof) > show options
    ...show and set options...
msf exploit(tincd_bof) > exploit

Related Vulnerabilities