lists.openwall.net - Open Source and information security mailing list archives
From: cyberpixl at gmail.com (cyberpixl)
Subject: new BIG vulnerability in libc found!!!!!

is this a joke? =P

On Wed, 09 Mar 2005 15:09:36 -0500, Lennart Hansen <xenzeo@...dener.com> wrote:
> **************************************
> *       strcpy is vulnerable         *
> *               by                   *
> *       MEAT-EATER SECURITY          *
> *  a subdivision of UNIFIX security  *
> *                                    *
> *     "pass the bacon, Goober"       *
> **************************************
>
> Affected Products:
> Every UNIX system with libc (or something like that)
> known to mankind EXCEPT openBSD!
>
> Authors:
> Xenzeo (Ablazed, Ultralaser, Lennart A Hansen)
> Futte (Pussy Laybourne, Robert B?low, futte@...te.dk)
> Cybermike (HotWater-Oracle, Mikkel Christensen, mail@...asecurity.dk)
>
> Problem:
> From the man-page:
> char * stpcpy(char *dst, const char *src);
> The stpcpy() and strcpy() functions copy the string src to dst (including
> the terminating `\0' character.)
>
> This all sounds good and useful BUT... if the length of *src is greater than
> the length of *dest you are in serious trouble!
> Allow us to demonstrate.
>
> -------------------- VULN CODE EXAMPLE -------------------
>
> #include <stdio.h>
> void foo() {
>     puts("MEAT-EATER SECURITY");
> }
> void* funktion(char *str) {
>     char buffer[256];
>     strcpy(buffer, str);
>     return (&foo)+9;
> }
> int main() {
>     char buffer[1024];
>     int return_value;
>     int i;
>     for (i = 0; i < 252; i++) {
>         buffer[i] = 'A';
>     }
>     return_value=(funktion("r00t")-9);
>     do {
>         strncpy(buffer+i, &return_value,4);
>     } while((i+=4) < 1000);
>     while((i++)<1020) {
>         buffer[i]='\0';
>     }
>     funktion(buffer);
>     return 9;
> }
>
> -------------------- VULN CODE EXAMPLE -------------------
>
> <~>$ gcc -o 0wned lennart4real.c -09 --omit-frame-pointer (th4nkz t0 truti for cumpajl instrukctions)
> gcc: unrecognized option `-09'
> lennart4real.c: In function `main':
> lennart4real.c:21: warning: assignment makes integer from pointer without a cast
> lennart4real.c:23: warning: passing arg 2 of `strncpy' from incompatible pointer type
> <~>$ ./0wned
> MEAT-EATER SECURITY
> MEAT-EATER SECURITY
> [...]
> MEAT-EATER SECURITY
> Segmentation fault (core dumped)
> <~>$
>
> As you see this is definitely not good! Our research in MEAT-EATER SECURITY shows that we can exploit
> this bug in strcpy!!!! Allow us to elaborate.
> IF YOU OVERWRITE THE BUFFER (WHICH IS LOCATED IN A STACK-FRAME (that's why I omit frame pointers)) YOU
> ARE ABLE TO INJECT ARBITRARY DATA IN THE MEMORY - MUCH LIKE YOU COULD DO IF YOU HAVE ROOT ACCESS TO /dev/kmem.
> EVEN MORE: YOU ARE ABLE TO OVERWRITE REGISTERS IN THE CPU AND THEREBY EXECUTING YOUR OWN EVIL CODE!!!!!!!
> You could for example override the AX register with a false value forcing the CPU to delete files or give
> you a ROOT sh3ll on the victim's computer! REMEMBER ALWAYS TO SUID YOUR PROGRAM TO ROOT BEFORE THE VICTIM
> RUNS IT!
>
> Shell code example:
>
> -------------------- SHELL CODE EXAMPLE -------------------
> push eip         ;extended ip address of victim
> MOV AX,linux
> MOV BX,exec      ;we runs an shell ;+)
> mov ecx,'/bin/sh'
> int 21h
> jmp $shell
> -------------------- SHELL CODE EXAMPLE -------------------
>
> No explanation needed! You should now have a ROOT shell!!!!!!!!
>
> Vendor status:
> WE AT MEAT-EATER SECURITY BELIEVE IN FREE INFORMATION!!!!
>
> Solutions:
> Avoid linking with libc and/or stop using strcpy and strncpy.
> Use openBSD 4 real!
> In every shell code replace all INT with NOP (THIS IS THE SAFE!)
> And remember folks: Hackers don't 0wn people, exploits do! WATCH OUT, WHITEHATS!!!!!
>
> Gr33tz:
> Shoutz outz to Truti (http://packetstormsecurity.nl/docs/hack/bypass_blackicedefender_zonealarm.txt)
> www.spywarefri.dk (DANISH HACKER TEAM)
>
> --
> ___________________________________________________________
> Sign-up for Ads Free at Mail.com
> http://promo.mail.com/adsfreejump.htm
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://www.secunia.com/
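Added example, written for this archive page and not taken from the quoted post or its authors: the one real point buried in the joke is that strcpy() copies until it finds a NUL and never looks at the destination size. The block below places that unchecked pattern next to a bounded copy that refuses input which would not fit (the 1023-byte string of 'A' is constructed here to match the shape of the post's buffer). Every name in it (funktion_unsafe, funktion_safe, copy_bounded, constructed_long_input, BUF_SZ) is this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SZ 256   /* same size as the 'buffer' in the post's funktion() */

/* Unsafe pattern (for comparison only): strcpy() writes strlen(src)+1
 * bytes into a 256-byte stack buffer with no check. Any src of 256 or
 * more characters runs past the buffer, which is undefined behaviour
 * and in practice a stack smash. Nothing in this file calls it with an
 * overlong argument. */
size_t funktion_unsafe(const char *src)
{
    char buffer[BUF_SZ];
    strcpy(buffer, src);               /* no bounds check at all */
    return strlen(buffer);
}

/* Bounded copy: copies src into dst only if it fits including the NUL.
 * Returns 0 on success and -1 if src would overflow dst; on -1, dst is
 * left holding an empty string so a caller cannot pick up stale bytes. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dst_size) {               /* would need n + 1 bytes */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);           /* exact length, terminator included */
    return 0;
}

/* Same 256-byte stack buffer as the post, but fed through copy_bounded().
 * Returns the copied length, or -1 when the input was rejected. */
long funktion_safe(const char *src)
{
    char buffer[BUF_SZ];
    if (copy_bounded(buffer, sizeof buffer, src) != 0)
        return -1;
    return (long)strlen(buffer);
}

/* Constructed input: 1023 'A' bytes plus NUL, the shape of the post's
 * 1024-byte attack buffer. */
static char long_input[1024];
const char *constructed_long_input(void)
{
    memset(long_input, 'A', sizeof long_input - 1);
    long_input[sizeof long_input - 1] = '\0';
    return long_input;
}

int main(void)
{
    printf("short input copied, length %ld\n", funktion_safe("r00t"));
    printf("long input rejected, result %ld\n",
           funktion_safe(constructed_long_input()));
    return 0;
}
```

The fix is the length check, not the choice of library call: strncpy() (which the post also lists) does not terminate the destination when the source is too long, so it does not solve the problem on its own. For catching the original pattern in existing code, building with -fstack-protector adds a canary that aborts the process before the smashed return address is used, and compiling with -D_FORTIFY_SOURCE=2 makes glibc check strcpy() against the destination size where the compiler can see it.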