Open Source and information security mailing list archives
From: xenzeo at gardener.com (Lennart Hansen)
Subject: new BIG vulnerability in libc found!!!!!

**************************************
*        strcpy is vulnerable        *
*                 by                 *
*        MEAT-EATER SECURITY         *
*  a subdivision of UNIFIX security  *
*                                    *
*      "pass the bacon, Goober"      *
**************************************

Affected Products:
Every UNIX system with libc (or something like that) known to mankind EXCEPT openBSD!

Authors:
Xenzeo (Ablazed, Ultralaser, Lennart A Hansen)
Futte (Pussy Laybourne, Robert B?low, futte@...te.dk)
Cybermike (HotWater-Oracle, Mikkel Christensen, mail@...asecurity.dk)

Problem:
From the man-page:

    char * stpcpy(char *dst, const char *src);

    The stpcpy() and strcpy() functions copy the string src to dst
    (including the terminating `\0' character.)

This all sounds good and useful BUT... if the length of *src is greater than the length of *dest you are in serious trouble! Allow us to demonstrate.

-------------------- VULN CODE EXAMPLE -------------------
#include <stdio.h>
#include <string.h>
void foo()
{
    puts("MEAT-EATER SECURITY");
}

void* funktion(char *str)
{
    char buffer[256];
    strcpy(buffer, str);   /* unbounded copy: str longer than 255 bytes overruns buffer */
    return (&foo)+9;
}

int main()
{
    char buffer[1024];
    int return_value;
    int i;
    for (i = 0; i < 252; i++) { buffer[i] = 'A'; }
    return_value=(funktion("r00t")-9);   /* recovers &foo, the address to return into */
    do {
        strncpy(buffer+i, &return_value,4);   /* repeat the address over the saved return slot */
    } while((i+=4) < 1000);
    while((i++)<1020) { buffer[i]='\0'; }
    funktion(buffer);
    return 9;
}
-------------------- VULN CODE EXAMPLE -------------------

<~>$ gcc -o 0wned lennart4real.c -09 --omit-frame-pointer
(th4nkz t0 truti for cumpajl instrukctions)
gcc: unrecognized option `-09'
lennart4real.c: In function `main':
lennart4real.c:21: warning: assignment makes integer from pointer without a cast
lennart4real.c:23: warning: passing arg 2 of `strncpy' from incompatible pointer type
<~>$ ./0wned
MEAT-EATER SECURITY
MEAT-EATER SECURITY
[...]
MEAT-EATER SECURITY
Segmentation fault (core dumped)
<~>$

As you see this is definitely not good!

Our research in MEAT-EATER SECURITY shows that we can exploit this bug in strcpy!!!! Allow us to elaborate.

IF YOU OVERWRITE THE BUFFER (WHICH IS LOCATED IN A STACK-FRAME (that's why I omit frame pointers)) YOU ARE ABLE TO INJECT ARBITRARY DATA IN THE MEMORY - MUCH LIKE YOU COULD DO IF YOU HAVE ROOT ACCESS TO /dev/kmem. EVEN MORE: YOU ARE ABLE TO OVERWRITE REGISTERS IN THE CPU AND THEREBY EXECUTE YOUR OWN EVIL CODE!!!!!!!

You could for example override the AX register with a false value forcing the CPU to delete files or give you a ROOT sh3ll on the victim's computer! REMEMBER ALWAYS TO SUID YOUR PROGRAM TO ROOT BEFORE THE VICTIM RUNS IT!

Shell code example:

-------------------- SHELL CODE EXAMPLE -------------------
push eip          ;extended ip address of victim
MOV AX,linux
MOV BX,exec       ;we run a shell ;+)
mov ecx,'/bin/sh'
int 21h
jmp $shell
-------------------- SHELL CODE EXAMPLE -------------------

No explanation needed! You should now have a ROOT shell!!!!!!!!

Vendor status:
WE AT MEAT-EATER SECURITY BELIEVE IN FREE INFORMATION!!!!

Solutions:
Avoid linking with libc and/or stop using strcpy and strncpy.
Use openBSD 4 real!
In every shell code replace all INT with NOP (THIS IS THE SAFE!)

And remember folks: Hackers don't 0wn people, exploits do!
WATCH OUT, WHITEHATS!!!!!

Gr33tz:
Shoutz outz to Truti (http://packetstormsecurity.nl/docs/hack/bypass_blackicedefender_zonealarm.txt)
www.spywarefri.dk (DANISH HACKER TEAM)

-- 
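The overflow the post is built around is real even though the advisory is a joke: strcpy copies until it finds a NUL in src, so the 1023-byte argument fed to a 256-byte stack buffer writes past the buffer and over whatever the compiler placed above it, including the saved return address, which is why the run ends in a segfault. The post's "solutions" are half right about strncpy: it is not a fix either, because when src is at least n bytes long it copies n bytes and adds no terminator. Added example, not code from the post or from any of its named authors: a bounded copy that always terminates and reports truncation, a check that exposes the strncpy pitfall, and a funktion_checked() counterpart to the post's funktion() that rejects oversize input instead of overflowing. The names bounded_copy, strncpy_leaves_terminated and funktion_checked are my own; the 1023-byte run of 'A' in main() is constructed to mirror the post's input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256   /* same stack buffer size as the post's funktion() */

/* Bounded copy (assumed helper, not libc): never writes more than dst_size
 * bytes, always NUL-terminates dst, and returns whether src fit in full.
 * Same contract as OpenBSD strlcpy, but returning a bool so callers cannot
 * ignore truncation by accident. Avoids strnlen so it builds in strict C. */
bool bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return false;
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')   /* scan at most dst_size bytes of src */
        n++;
    if (n == dst_size) {                     /* src plus its NUL does not fit */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;                        /* truncated: caller must handle it */
    }
    memcpy(dst, src, n + 1);                 /* copies the terminating NUL too */
    return true;
}

/* Why strncpy is not the fix: copy with strncpy and report whether the
 * result is still a C string. With src of n or more bytes it is not. */
bool strncpy_leaves_terminated(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Hardened counterpart of the post's funktion(): same 256-byte stack buffer,
 * but the copy is bounded by sizeof buffer. Returns the length stored, or
 * -1 if the input would have overflowed the buffer. */
int funktion_checked(const char *str)
{
    char buffer[BUF_SIZE];
    if (!bounded_copy(buffer, sizeof buffer, str))
        return -1;                           /* reject instead of overflowing */
    return (int)strlen(buffer);
}

int main(void)
{
    char big[1024];                          /* constructed input: 1023 x 'A' */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("\"r00t\"      -> %d\n", funktion_checked("r00t"));   /* 4 */
    printf("1023 x 'A'  -> %d\n", funktion_checked(big));        /* -1 */

    char small[4];
    printf("strncpy(4, \"abcd\") terminated: %s\n",
           strncpy_leaves_terminated(small, sizeof small, "abcd") ? "yes" : "no");
    return 0;
}
```

The rejecting behaviour is the point: a copy routine that silently truncates still leaves the caller reasoning about a string it never asked for, so funktion_checked() treats "did not fit" as an error rather than proceeding with whatever landed in the buffer.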