Message-ID: <046b01c52b53$785455c0$5746370a@nsp.local>
From: venom at gen-x.co.nz (VeNoMouS)
Subject: new BIG vulnerability in libc found!!!!!
well DUH
----- Original Message -----
From: "cyberpixl" <cyberpixl@...il.com>
To: "Lennart Hansen" <xenzeo@...dener.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Sent: Friday, March 18, 2005 12:27 PM
Subject: Re: [Full-disclosure] new BIG vulnerability in libc found!!!!!
is this a joke? =P
On Wed, 09 Mar 2005 15:09:36 -0500, Lennart Hansen <xenzeo@...dener.com>
wrote:
> **************************************
> * strcpy is vulnerable *
> * by *
> * MEAT-EATER SECURITY *
> * a subdivision of UNIFIX security *
> * *
> * "pass the bacon, Goober" *
> **************************************
>
> Affected Products:
> Every UNIX system with libc (or something like that)
> known to mankind EXCEPT openBSD!
>
> Authors:
> Xenzeo (Ablazed, Ultralaser, Lennart A Hansen)
> Futte (Pussy Laybourne, Robert B?low, futte@...te.dk)
> Cybermike (HotWater-Oracle, Mikkel Christensen, mail@...asecurity.dk)
>
> Problem:
> From the man-page:
> char * stpcpy(char *dst, const char *src);
> The stpcpy() and strcpy() functions copy the string src to dst
> (including
> the terminating `\0' character.)
>
> This all sounds good and useful BUT... if the length of *src is
> greater than
> the length of *dest you are in serious trouble!
> Allow us to demonstrate.
>
> -------------------- VULN CODE EXAMPLE -------------------
>
> #include <stdio.h>
> #include <string.h>
> void foo() {
>     puts("MEAT-EATER SECURITY");
> }
> void* funktion(char *str) {
>     char buffer[256];
>     strcpy(buffer, str);
>     return (&foo)+9;
> }
> int main() {
>     char buffer[1024];
>     int return_value;
>     int i;
>     for (i = 0; i < 252; i++) {
>         buffer[i] = 'A';
>     }
>     return_value=(funktion("r00t")-9);
>     do {
>         strncpy(buffer+i, &return_value,4);
>     } while((i+=4) < 1000);
>     while((i++)<1020) {
>         buffer[i]='\0';
>     }
>     funktion(buffer);
>     return 9;
> }
>
> -------------------- VULN CODE EXAMPLE -------------------
> <~>$ gcc -o 0wned lennart4real.c -09 --omit-frame-pointer (th4nkz t0
> truti for cumpajl instrukctions)
> gcc: unrecognized option `-09'
> lennart4real.c: In function `main':
> lennart4real.c:21: warning: assignment makes integer from pointer
> without a cast
> lennart4real.c:23: warning: passing arg 2 of `strncpy' from
> incompatible pointer type
> <~>$ ./0wned
> MEAT-EATER SECURITY
> MEAT-EATER SECURITY
> [...]
> MEAT-EATER SECURITY
> Segmentation fault (core dumped)
> <~>$
> As you see this is definitely not good! Our research in MEAT-EATER
> SECURITY shows that we can exploit
> this bug in strcpy!!!! Allow us to elaborate.
> IF YOU OVERWRITE THE BUFFER (WHICH IS LOCATED IN A STACK-FRAME (that's
> why I omit frame pointers)) YOU
> ARE ABLE TO INJECT ARBITRARY DATA IN THE MEMORY - MUCH LIKE YOU COULD
> DO IF YOU HAVE ROOT ACCESS TO /dev/kmem.
> EVEN MORE: YOU ARE ABLE TO OVERWRITE REGISTERS IN THE CPU AND THEREBY
> EXECUTING YOUR OWN EVIL CODE!!!!!!!
> You could for example override the AX register with a false value
> forcing the CPU to delete files or give
> you a ROOT sh3ll on the victims computer! REMEMBER ALWAYS TO SUID YOUR
> PROGRAM TO ROOT BEFORE THE VICTIM
> RUNS IT! Shell code example:
>
> -------------------- SHELL CODE EXAMPLE -------------------
> push eip ;extended ip address of victim
> MOV AX,linux
> MOV BX,exec ;we runs an shell ;+)
> mov ecx,'/bin/sh'
> int 21h
> jmp $shell
> -------------------- SHELL CODE EXAMPLE -------------------
> No explanation needed! You should now have a ROOT shell!!!!!!!!
>
> Vendor status:
> WE AT MEAT-EATER SECURITY BELIEVE IN FREE INFORMATION!!!!
>
> Solutions:
> Avoid linking with libc and/or stop using strcpy and strncpy.
> Use openBSD 4 real!
> In every shell code replace all INT with NOP (THIS IS THE SAFE!)
> And remember folks: Hackers don't 0wn people, exploits do! WATCH OUT,
> WHITEHATS!!!!!
>
> Gr33tz:
> Shoutz outz to Truti
> (http://packetstormsecurity.nl/docs/hack/bypass_blackicedefender_zonealarm.txt)
> www.spywarefri.dk (DANISH HACKER TEAM)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://www.secunia.com/
>
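The real defect under the joke is that strcpy has no idea how large the destination is. Here is an added C example (not the post's code) showing the bounded copy a defender would use in place of the strcpy in funktion(); BUF_SIZE, copy_bounded, handle_input and handle_run are names chosen for this example:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not the code from the quoted post. BUF_SIZE,
 * copy_bounded, handle_input and handle_run are names chosen here. */
#define BUF_SIZE 256

/* What strcpy(buffer, str) in the post lacks: a check that the whole
 * string and its NUL fit in dst. On overflow strcpy keeps writing past
 * the end of the stack buffer; this version refuses instead. */
bool copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t len = 0;
    while (len < dst_size && src[len] != '\0')  /* never scan past dst_size */
        len++;
    if (len == dst_size)                         /* no room left for '\0' */
        return false;
    memcpy(dst, src, len + 1);                   /* len bytes plus the NUL */
    return true;
}

/* Same fixed 256-byte stack buffer as the post's funktion(), but input
 * that does not fit is rejected. Returns the accepted length, or -1. */
long handle_input(const char *src) {
    char buffer[BUF_SIZE];
    if (!copy_bounded(buffer, sizeof buffer, src))
        return -1;
    return (long)strlen(buffer);
}

/* Probe the boundary with a run of n 'A' bytes (the post used 252). */
long handle_run(size_t n) {
    char input[1024];
    if (n >= sizeof input) return -2;            /* outside what we can build */
    memset(input, 'A', n);
    input[n] = '\0';
    return handle_input(input);
}

int main(void) {
    printf("4 bytes:   %ld\n", handle_run(4));    /* 4   (fits) */
    printf("255 bytes: %ld\n", handle_run(255));  /* 255 (last size that fits) */
    printf("256 bytes: %ld\n", handle_run(256));  /* -1  (rejected, no overflow) */
    return 0;
}
```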