
Remote code execution by fail2ban


Jakub Żoczek

April 4, 2022

This article is about the recently published security advisory for fail2ban (CVE-2021-32749), a pretty popular piece of software. The vulnerability could be massively exploited and lead to root-level code execution on multiple boxes; however, pulling this off is rather hard for a regular person. It all has its roots in the mailutils package, and I found it by total accident while playing with the mail command.

fail2ban analyses logs (or other data sources) looking for traces of brute-force attempts in order to block the offending IP address. There are plenty of rules for different services (SSH, SMTP, HTTP, etc.), and there are also defined actions that can be performed after a client is blocked. One of these actions is sending an e-mail. If you search the Internet for how to send an e-mail from the command line, you will often get a solution like this:


$ echo "test e-mail" | mail -s "subject" user@example.org

That is exactly how one of the fail2ban actions is configured to send e-mails about a client getting blocked (./config/action.d/mail-whois.conf):


actionban = printf %%b "Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip> :\n
            `%(_whois_command)s`\n
            Regards,\n
            Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>

There is nothing suspicious about the above until you learn about one specific thing that can be found in the mailutils manual: tilde escape sequences.

The ‘~!’ escape executes specified command and returns you to mail compose mode without altering your message. When used without arguments, it starts your login shell. The ‘~|’ escape pipes the message composed so far through the given shell command and replaces the message with the output the command produced. If the command produced no output, mail assumes that something went wrong and retains the old contents of your message.

This is how it works in real life:


jz@fail2ban:~$ cat -n pwn.txt
Next line will execute command :)
~! uname -a

Best,
JZ
jz@fail2ban:~$ cat pwn.txt | mail -s "whatever" whatever@whatever.com
Linux fail2ban 4.19.0-16-cloud-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
jz@fail2ban:~$

If you go back to the previously mentioned fail2ban e-mail action, you will notice that whois output is attached to the e-mail body. So if we could add a tilde escape sequence to the whois output for our IP address, it should end up with code execution. As root.
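A defender-side check for the root problem just described, as an added example that is not part of the original post or of fail2ban: it scans text destined for a mail body (such as whois output) for tilde escapes in column one and neutralizes them by pushing the tilde out of column one, which is where mailutils recognizes escapes. The pattern, the helper names and the whois-style sample are all constructed for this illustration.

```python
import re

# mailutils `mail` honours tilde escapes only when the tilde is the first
# character of a body line; `~!` runs a shell command and `~|` pipes the
# message through one. Constructed pattern, not taken from mailutils.
TILDE_ESCAPE = re.compile(r"^~(?P<esc>\S?)")

# Escapes that execute a program, the ones that matter for root-level RCE.
EXECUTING_ESCAPES = {"!", "|"}


def scan_body(text):
    """Return (line_number, escape_char, line) for each body line that
    mailutils would treat as a tilde escape."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = TILDE_ESCAPE.match(line)
        if m:
            findings.append((lineno, m.group("esc"), line))
    return findings


def neutralize_body(text):
    """Push every column-one tilde out of column one by prefixing a space,
    so mailutils treats the line as plain text. Assumes the result is still
    handed to `mail` on stdin, as the fail2ban action does."""
    lines = [" " + l if TILDE_ESCAPE.match(l) else l for l in text.splitlines()]
    return "\n".join(lines) + ("\n" if text.endswith("\n") else "")


# Constructed whois-style output, the kind the mail-whois action embeds in
# the e-mail body; the `~!` line stands in for an attacker-controlled entry.
SAMPLE_WHOIS = """\
% [whois.example]
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          constructed sample entry
~! uname -a
remarks:        a ~ in the middle of a line is harmless
"""

if __name__ == "__main__":
    for lineno, esc, line in scan_body(SAMPLE_WHOIS):
        kind = "executes a command" if esc in EXECUTING_ESCAPES else "tilde escape"
        print(f"line {lineno}: {kind}: {line!r}")
    print(neutralize_body(SAMPLE_WHOIS), end="")
```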


What are our options?

As attackers we would need to control the whois output; how could that be achieved? The first thing that came to my mind was to kindly ask my ISP to contact RIPE and make a custom entry for my particular IP address. Unfortunately, it doesn't work like that. RIPE/ARIN/APNIC and the others create entries for whole IP classes at minimum, not for a single IP address. Also, I'm more than sure that achieving this formally would be extremely hard, and putting a malicious payload into a whois entry would make people ask questions.


Is there a way to start my own whois server? Surprisingly, there is, and you can find a couple of them running on the Internet. By digging through the whois-related RFC you can find information about an attribute called ReferralServer. If your whois client finds such an attribute in a response, it will query the server given in its value to get more information about the IP address or domain. Just take a look at what happens when querying whois for the 157.5.7.5 IP address:

$ whois 157.5.7.5

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2021, American Registry for Internet Numbers, Ltd.
#


NetRange:       157.1.0.0 - 157.14.255.255
CIDR:           157.4.0.0/14, 157.14.0.0/16, 157.1.0.0/16, 157.12.0.0/15, 157.2.0.0/15, 157.8.0.0/14
NetName:        APNIC-ERX-157-1-0-0
NetHandle:      NET-157-1-0-0-1
Parent:         NET157 (NET-157-0-0-0-0)
NetType:        Early Registrations, Transferred to APNIC
OriginAS:
Organization:   Asia Pacific Network Information Centre (APNIC)

[… cut …]

ReferralServer:  whois://whois.apnic.net
ResourceLink:  http://wq.apnic.net/whois-search/static/search.html

OrgTechHandle: AWC12-ARIN
OrgTechName:   APNIC Whois Contact
OrgTechPhone:  +61 7 3858 3188
OrgTechEmail:  search-apnic-not-arin@apnic.net

[… cut …]

Found a referral to whois.apnic.net.

% [whois.apnic.net]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

% Information related to '157.0.0.0 - 157.255.255.255'

% Abuse contact for '157.0.0.0 - 157.255.255.255' is 'helpdesk@apnic.net'

inetnum:        157.0.0.0 - 157.255.255.255
netname:        ERX-NETBLOCK
descr:          Early registration addresses

[… cut …]

In theory, if you had a pretty big network, you could probably ask your Regional Internet Registry to use RWhois for your network.

On the other hand, imagine black hats breaking into a server running rwhois, putting a malicious entry there and then starting the attack. To be fair, this scenario seems way easier than becoming a big company in order to legally run your own whois server.


In case you are a government and can simply control network traffic, the task is way easier. Taking a closer look at the whois protocol, we can notice a few things:

  • it was designed a really long time ago,
  • it’s pretty simple (you ask for IP or domain name and get the raw output),
  • it’s unencrypted on the network level.

By simply performing a MITM attack on an unencrypted protocol (which whois is), attackers could insert the tilde escape sequence and start an attack against multiple hosts.


It's worth remembering that the root problem here is mailutils, which has this flaw by design. I believe a lot of people are unaware of this feature, and there is still plenty of software that might use the mail command this way.

As has been seen many times in history, security is hard and complex. Sometimes a totally innocent piece of functionality that you would never suspect of being a threat can be the cause of a dangerous vulnerability.
