/* typespeed server <=v0.4.1 remote root vulnerability! */ /* by: bazarr */ /* bazarr@ziplip.com */ /* bazarr episode #5 */ ---------------------- PREFACE >caddis< i just be messing wid you man relax --- caddis :No such nick/channel after reading tutorial on html programmering , i have redesigned website it now cover all features of real website. it have many a cool content now! http://geocities.com/rrazab after a long series of elaborate emails wid lcamtuf it has become apparent dat it is up to me and him to save full disclosure from blackhats. we are forming a group called FHAB or fire hot asian boys(it a house hold name). at the moment it is me lcamtuf and a half mexican from alaska- who just idles in #!FHAB all day long. tuf in da process of auditing many a opensshd functions while i be auditing many a setgid uucp true64 applications. together we form ultimate team and we able to find all blackhat bugs around da entire globe and stop dem from hacking anymore openbsd devlopers. dis be an advisory for remote typespeed vulnerability on debian x.x and everyone else around da world. lets take a look at man page output: DESCRIPTION Typespeed gives your fingers' cps (total and correct), typoratio and some points to compare with your friends. Typespeed's idea is ripped from ztspeed (a dos game made by Zorlim). Idea of the game should be clear to anyone, just type and type it fast, or be a lewser. Notice: the speed of words going across the screen has been changed in version 0.4.0. Scores are not comparable with older versions now. See the README file for more detailed information. now many a security researcher may remember dat martin@debian security team released advisory for typespeed and he got rid of all buffer overflows in typespeed. WRONG. typespeed did have many a command line overflows but a glance at da source code and i spot elaborate remote buffer overflow bug. now we all know dat typespeed was science project for college student who now is off at programming job and dont care about typespeed anymore. so he cannot be expected to deliver patch for typespeed. it is up to debian to deliver da patch. i be glad he got B+ for typespeed though. lets take a look at terminal session for a second: thuglife@debian$ pwd /home/thuglife/.elm/pornstash thuglife@debian$ ls -al /usr/games/typespeed -rwxr-sr-x 1 root games 32092 Jan 4 2002 /usr/games/typespeed thuglife@debian$ now some of you thinking dat 'oh wow another gid games bug , go audit qpopper or somthing you jackass' and to that i say: shut up high on PCP voice in my head, because dis is remote gid games not local! and i'll audit qpopper when i finish UNP (not including xti part) ... dis be a remote gid games bug , it 0day too so you be able to hack many a boxes wid it. now i am off to da land of source code where der be many a nice bugs to take care of and release back into wild where dey can roam free from blackhat abuse. dis be a copy and paste out of my bug file (it encrypted so dont hack my box to steal dis unless you can break rot96 devloped by me) #109 file: /usr/games/typespeed , remote bug martin missed src location: network.c code snip: void net_swapscore(int typesock, stats_struct *stat,stats_struct *stat2) { char buf[60]; int x,i; char *temp,*temp2; char *number; sprintf(buf,"SCORE: %d %f %f %f\n",stat->score,stat->speed,stat->totalspeed,stat->ratio); i=send(typesock, buf, strlen(buf), 0); strcpy(buf," "); //HACKLOG what da hell is dis! while(1) { i = recv(typesock, buf, 59, MSG_PEEK); if (i == -1 && errno != EWOULDBLOCK) { endcursestuff(); perror("recv()"); exit(1); } if (i > 0) { recv(typesock, buf, strlen(buf) + 1, 0); if(strstr(buf,"SCORE:") > 0) { break; } } } number=malloc(10*sizeof(char)); //HACKLOG dis mallocs ten cuz sizeof(char) garonteed to be 1 byte (it 2 bytes on mips i dink) temp=malloc(80*sizeof(char)); //HACKLOG dis mallocs 80 i=0; for(x=7;x<=strlen(buf);x++) { temp[i]=buf[x]; //HACKLOG temp 80 bytes so it can hold big 59 byte buf i++; } strncpy(number,temp,strcspn(temp," ")); //HACKLOG strncpy so it secure stat2->score=strtol(number, NULL, 10); //HACKLOG WAIT , STRNCPY BUT IT USE STRCSPN , WHAT DA HELL IS STRCSPN free(number); THE REST BE USELESS after period of 9 hours studying strcspn() manpage i am able to report dat der be a buffer overflow in typespeed. here copy and paste of strcspn() manpage: ... size_t strcspn(const char *s, const char *reject); .... DISCRIPTION: ... The strcspn() function calculates the length of the initial segment of s which consists entirely of characters not in reject. dis mean dat we can overflow buffer 'number' with buffer 'temp' which is buffer 'buf' and buffer 'buf' is 60 bytes while buffer number is 10. dis mean dat we have heap overflow on our hands and dis is serious issue. ALPHA TANGO WHISKY NINER WE GOT A CODE ZERO BUFFER OVEFLOW IN CODE. see i prove dat just cuz author use strncpy does not mean dat he secure from attack of buf too big attack. ---------------------- PATCH too many a bugs in typespeed to patch dis year , sorry! but if you really want to den go talk to martin , it his job not mine! i just report da bugs not patch dem, i am like mean bus driver i wont help you if im on my lunch break! ---------------------- XPLOIT it possible to code xploit using small read code but i not wasting time on dis sorry. ---------------------- VENDORS NOTIFYED dis aint my job! ---------------------- VENDORS VULNERABLE debian 3.0 - default install!#$ FreeBSD - ports? NetBSD - ports? OpenBSD - ports? all user who have typespeed installed. (whole globe) ---------------------- ADVANCE WARNING irix you in trouble in next episode(lsd not only kid on block wid commerical unix!) would you belive dat der has been patches buy deb team wich actually added locally xploitable bugs to gain root on multiple distros wid? it may be too early in bazarr season to discuss dis issue , sorry! it confidential! debian be a great gnu linux distro despite security holes. it wonderful. i use it forever. ---------------------- GREETS irc-bazarr - hello der fake bazarr's , i know you must like me very much to imposter me so i give you a greet. remember dat da real bazarr (me) NEVER uses public irc under name 'bazarr'. i am sorry for abuse caused by fake bazarrs but dat aint me sorry. fake bazarrs include: some guy from free shell provider and bell somthing. yourname - send me email and i pick a random name to be put in here! realbazarr - it amazing dat young boy wid twinkle in his eye and foot in his ass can gain so much fame so quickly. documentry - im sad to report dat ring member documentry has to come to an end because dave censor too much. dat mean you missing many a cool ring member captures such as da palmers capture which prove he a wild one. *palmers* i cannot get rid of the impression that you are the only one who knows about your ring >palmers< ok you playing hard ball >palmers< i can be your best friend or your worst enemy >palmers< its a long cold road to travel down *palmers* oh, what do you mean by that? >palmers< nothing i just kidding! ---------------------- BYE remember dat i am constantly working on more and more bleeding edge security vulnerablitys for dis communtity. it a change from my-hello-world-ftpd fmt string and cross site scripting vulnerabilitys reported by 24 year old fl4ppyw1lly@hotmail.com. i be exposing more buffer too big attacks , int too big attacks , the revolutionary int too small attack, and the very private size_t -1 attack which will be discussed in detail very very soon in a paper i be writing intitled "Is my buffer too small?" and will be placed in /misc on my wonderful website , so plz check dat often! bye guys i have to go now it has been fun. though it time for me to clean my room and feed my ginnie pig named fuzbal , the class let me take him home for a week, but i never give him back. never. -bazarr