From: xenzeo at gardener.com (Lennart Hansen)
Subject: new BIG vulnerability in libc found!!!!!

**************************************
*        strcpy is vulnerable        *
*                by                  *
*        MEAT-EATER SECURITY         *
*  a subdivision of UNIFIX security  *
*                                    *
*       "pass the bacon, Goober"     *
**************************************

Affected Products:
    Every UNIX system with libc (or something like that)
    known to mankind EXCEPT openBSD!

Authors:
    Xenzeo (Ablazed, Ultralaser, Lennart A Hansen)
    Futte  (Pussy Laybourne, Robert B?low, futte@...te.dk)
    Cybermike (HotWater-Oracle, Mikkel Christensen, mail@...asecurity.dk)

Problem:
    From the man-page:
    char * stpcpy(char *dst, const char *src);
    The stpcpy() and strcpy() functions copy the string src to dst (including
    the terminating `\0' character.)
    
    This all sounds good and useful BUT... if the length of *src is greater than
    the length of *dest you are in serious trouble!
    Allow us to demonstrate.

    -------------------- VULN CODE EXAMPLE -------------------


    #include <stdio.h>
    void foo() {
       puts("MEAT-EATER SECURITY");
    }
    void* funktion(char *str) {
       char buffer[256];
       strcpy(buffer, str);
       return (&foo)+9;
    }
    int main() {
       char buffer[1024];
       int return_value;
       int i;
       for (i = 0; i < 252; i++) {
          buffer[i] = 'A';
       }
       return_value=(funktion("r00t")-9);
       do {
          strncpy(buffer+i, &return_value,4);
       } while((i+=4) < 1000);
       while((i++)<1020) {
          buffer[i]='\0';
       }
       funktion(buffer);
       return 9;
    }

    -------------------- VULN CODE EXAMPLE -------------------
    <~>$ gcc -o 0wned lennart4real.c -09 --omit-frame-pointer  (th4nkz t0 truti for cumpajl instrukctions)
    gcc: unrecognized option `-09'
    lennart4real.c: In function `main':
    lennart4real.c:21: warning: assignment makes integer from pointer without a cast
    lennart4real.c:23: warning: passing arg 2 of `strncpy' from incompatible pointer type
    <~>$ ./0wned
    MEAT-EATER SECURITY
    MEAT-EATER SECURITY
    [...]
    MEAT-EATER SECURITY
    Segmentation fault (core dumped)
    <~>$
    As you see this is definitely not good! Our research in MEAT-EATER SECURITY shows that we can exploit
    this bug in strcpy!!!! Allow us to elaborate.
    IF YOU OVERWRITE THE BUFFER (WHICH IS LOCATED IN A STACK-FRAME (that's why I omit frame pointers)) YOU
    ARE ABLE TO INJECT ARBITRARY DATA IN THE MEMORY - MUCH LIKE YOU COULD DO IF YOU HAVE ROOT ACCESS TO /dev/kmem.
    EVEN MORE: YOU ARE ABLE TO OVERWRITE REGISTERS IN THE CPU AND THEREBY EXECUTING YOUR OWN EVIL CODE!!!!!!!
    You could for example override the AX register with a false value forcing the CPU to delete files or give
    you a ROOT sh3ll on the victims computer! REMEMBER ALWAYS TO SUID YOUR PROGRAM TO ROOT BEFORE THE VICTIM
    RUNS IT! Shell code example:

    -------------------- SHELL CODE EXAMPLE -------------------    
    push eip           ;extended ip address of victim
    MOV AX,linux
    MOV BX,exec        ;we run a shell ;+)
    mov ecx,'/bin/sh'
    int 21h 
    jmp $shell
    -------------------- SHELL CODE EXAMPLE -------------------    
    No explanation needed! You should now have a ROOT shell!!!!!!!!

Vendor status:
    WE AT MEAT-EATER SECURITY BELIEVE IN FREE INFORMATION!!!!

Solutions:
    Avoid linking with libc and/or stop using strcpy and strncpy.
    Use openBSD 4 real!
    In every shell code replace all INT with NOP (THIS IS THE SAFE!)
    And remember folks: Hackers don't 0wn people, exploits do! WATCH OUT, WHITEHATS!!!!!

Gr33tz:
    Shoutz outz to Truti (http://packetstormsecurity.nl/docs/hack/bypass_blackicedefender_zonealarm.txt)
    www.spywarefri.dk (DANISH HACKER TEAM)
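The one real defect in the post's funktion() is the strcpy() into a fixed 256-byte stack buffer with no length check. Below is a bounded copy that refuses oversized input instead, written as an added example for this archive page, not code from the original post; bounded_copy, funktion_hardened and demo_as are names chosen here, and the 'A'-filled input is constructed to mirror the post's buffer.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 256   /* same fixed stack buffer as the post's funktion() */

/* Copy src into dst[dst_size] only if it fits, terminator included.
 * Returns 1 on success, 0 if src is too long (dst is then set to ""). */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    if (dst_size == 0)
        return 0;
    while (n < dst_size && src[n] != '\0')   /* never read past dst_size */
        n++;
    if (n == dst_size) {        /* no room left for the '\0' */
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);    /* n bytes plus the terminator */
    return 1;
}

/* Hardened counterpart of the post's funktion(): same 256-byte buffer, but
 * oversized input is refused (-1) instead of overrunning the stack frame. */
int funktion_hardened(const char *str)
{
    char buffer[BUF_SIZE];
    if (!bounded_copy(buffer, sizeof buffer, str))
        return -1;
    return (int)strlen(buffer); /* copied length */
}

/* Constructed input: len 'A' bytes, like the post's buffer of 'A's (max 1023). */
int demo_as(size_t len)
{
    char input[1024];
    if (len > sizeof input - 1)
        len = sizeof input - 1;
    memset(input, 'A', len);
    input[len] = '\0';
    return funktion_hardened(input);
}

int main(void)
{
    printf("r00t       -> %d\n", funktion_hardened("r00t")); /* 4 */
    printf("255 x 'A'  -> %d\n", demo_as(255));              /* 255, fits */
    printf("1000 x 'A' -> %d\n", demo_as(1000));             /* -1, rejected */
    return 0;
}
```

The boundary matters: 255 bytes plus the terminator fill the buffer exactly and are accepted, 256 or more are rejected before a single byte is written past the frame.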

