Message-ID: <20050309200936.541911F50B1@ws1-2.us4.outblaze.com>
From: xenzeo at gardener.com (Lennart Hansen)
Subject: new BIG vulnerability in libc found!!!!!
**************************************
* strcpy is vulnerable *
* by *
* MEAT-EATER SECURITY *
* a subdivision of UNIFIX security *
* *
* "pass the bacon, Goober" *
**************************************
Affected Products:
Every UNIX system with libc (or something like that)
known to mankind EXCEPT openBSD!
Authors:
Xenzeo (Ablazed, Ultralaser, Lennart A Hansen)
Futte (Pussy Laybourne, Robert Bülow, futte@...te.dk)
Cybermike (HotWater-Oracle, Mikkel Christensen, mail@...asecurity.dk)
Problem:
From the man-page:
char * stpcpy(char *dst, const char *src);
The stpcpy() and strcpy() functions copy the string src to dst (including
the terminating `\0' character.)
This all sounds good and useful BUT... if the length of *src is greater than
the length of *dest you are in serious trouble!
Allow us to demonstrate.
-------------------- VULN CODE EXAMPLE -------------------
#include <stdio.h>
#include <string.h>
void foo() {
    puts("MEAT-EATER SECURITY");
}
void* funktion(char *str) {
    char buffer[256];
    strcpy(buffer, str);
    return (&foo)+9;
}
int main() {
    char buffer[1024];
    int return_value;
    int i;
    for (i = 0; i < 252; i++) {
        buffer[i] = 'A';
    }
    return_value=(funktion("r00t")-9);
    do {
        strncpy(buffer+i, &return_value,4);
    } while((i+=4) < 1000);
    while((i++)<1020) {
        buffer[i]='\0';
    }
    funktion(buffer);
    return 9;
}
-------------------- VULN CODE EXAMPLE -------------------
<~>$ gcc -o 0wned lennart4real.c -09 --omit-frame-pointer (th4nkz t0 truti for cumpajl instrukctions)
gcc: unrecognized option `-09'
lennart4real.c: In function `main':
lennart4real.c:21: warning: assignment makes integer from pointer without a cast
lennart4real.c:23: warning: passing arg 2 of `strncpy' from incompatible pointer type
<~>$ ./0wned
MEAT-EATER SECURITY
MEAT-EATER SECURITY
[...]
MEAT-EATER SECURITY
Segmentation fault (core dumped)
<~>$
As you see this is definitely not good! Our research in MEAT-EATER SECURITY shows that we can exploit
this bug in strcpy!!!! Allow us to elaborate.
IF YOU OVERWRITE THE BUFFER (WHICH IS LOCATED IN A STACK-FRAME (that's why I omit frame pointers)) YOU
ARE ABLE TO INJECT ARBITRARY DATA IN THE MEMORY - MUCH LIKE YOU COULD DO IF YOU HAVE ROOT ACCESS TO /dev/kmem.
EVEN MORE: YOU ARE ABLE TO OVERWRITE REGISTERS IN THE CPU AND THEREBY EXECUTING YOUR OWN EVIL CODE!!!!!!!
You could for example override the AX register with a false value forcing the CPU to delete files or give
you a ROOT sh3ll on the victims computer! REMEMBER ALWAYS TO SUID YOUR PROGRAM TO ROOT BEFORE THE VICTIM
RUNS IT! Shell code example:
-------------------- SHELL CODE EXAMPLE -------------------
push eip ;extended ip adresse of victim
MOV AX,linux
MOV BX,exec ;we runs an shell ;+)
mov ecx,'/bin/sh'
int 21h
jmp $shell
-------------------- SHELL CODE EXAMPLE -------------------
No explanation needed! You should now have a ROOT shell!!!!!!!!
Vendor status:
WE AT MEAT-EATER SECURITY BELIEVE IN FREE INFORMATION!!!!
Solutions:
Avoid linking with libc and/or stop using strcpy and strncpy.
Use openBSD 4 real!
In every shell code replace all INT with NOP (THIS IS THE SAFE!)
And remember folks: Hackers don't 0wn people, exploits do! WATCH OUT, WHITEHATS!!!!!
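The post's funktion() copies input of any length into char buffer[256] with strcpy(), and the solutions section above says to drop strncpy too. As an added example (not the post's code), the bounded copy below is what a reviewer would ask for in place of that strcpy(), and it also shows why strncpy() on its own is no fix: it stops the overflow but can leave the buffer with no terminator. The names copy_bounded, strncpy_copy and probe_* are made up here; the 1020-byte input is constructed to match the post.

```c
#include <string.h>
#include <stddef.h>

#define BUFSZ 256   /* same size as the post's char buffer[256] */

/* Bounded copy that refuses oversized input instead of writing past dst.
 * Returns 0 on success, -1 if src plus its NUL does not fit in dstsz bytes. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0) return -1;
    /* Look for the terminator only within the room we have; never scan past it. */
    const char *end = memchr(src, '\0', dstsz);
    if (end == NULL) {
        dst[0] = '\0';                   /* leave dst in a defined, empty state */
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);   /* includes the terminator */
    return 0;
}

/* The "just switch to strncpy" non-fix: it does not overflow, but when src is
 * at least dstsz bytes long it leaves dst with no NUL at all. Returns 1 if dst
 * is terminated after the copy, 0 if every byte was filled without a NUL. */
int strncpy_copy(char *dst, size_t dstsz, const char *src) {
    strncpy(dst, src, dstsz);
    return memchr(dst, '\0', dstsz) != NULL;
}

/* The post's short input: "r00t" fits, so the copy succeeds (returns 0). */
int probe_short(void) {
    char buf[BUFSZ];
    return copy_bounded(buf, sizeof buf, "r00t");
}

/* The post's long input: 1020 bytes of 'A' (constructed here) into 256 bytes.
 * Returns 1 when copy_bounded rejects it and strncpy leaves buf unterminated. */
int probe_long(void) {
    char src[1021];
    char buf[BUFSZ];
    memset(src, 'A', 1020);
    src[1020] = '\0';
    int rejected = copy_bounded(buf, sizeof buf, src) == -1;
    int terminated = strncpy_copy(buf, sizeof buf, src);
    return rejected && !terminated;
}
```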
Gr33tz:
Shoutz outz to Truti (http://packetstormsecurity.nl/docs/hack/bypass_blackicedefender_zonealarm.txt)
www.spywarefri.dk (DANISH HACKER TEAM)