[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <E1GmoMU-000AuF-00.dead-code-crew-mail-ru@f41.mail.ru>
Date: Wed, 22 Nov 2006 12:25:46 +0300
From: dead code crew <dead.code.crew@...l.ru>
To: full-disclosure@...ts.grok.org.uk
Subject: *BSD banner INT overflow vulnerability
.=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
| ______ |
| .-" "-. |
| / banner \ |
| _ | | _ |
| ( \ |, .-. .-. ,| / ) |
| > "=._ | )(__/ \__)( | _.=" < |
| (_/"=._"=._ |/ /\ \| _.="_.="\_) |
| "=._"(_ ^^ _)"_.=" |
| "=\__|ICRAPI|__/=" |
| _.="| \ICODEI/ |"=._ |
| _ _.="_.="\ /"=._"=._ _ |
| ( \_.="_.=" `--------` "=._"=._/ ) |
| > _.=" "=._ < |
| (_/ security threat \_) |
| !W A R N I N G! |
'-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-='
Advisor 0x01
Free\Net\OpenBSD banner int overflow vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
0x01. B4ckgr0und
[...]
prints a large, high quality banner on the standard
output. If the message is omitted, it prompts for
and reads one line of its standard input.
[...]
Vulnerable banner appears in Free/Net/OpenBSD,
Debian and it's pretty possible that other distros
also uses this software.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
0x02. Vuln3r4b1l1ty
usr.bin/banner/banner.c
...
char print[DWIDTH];
...
for (i = 0; i < width; i++) {
j = i * 132 / width;
print[j] = 1;
}
...
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
0x03. 4n4lys1s
This vulnerability may lead to local root compromise
in cases when banner has set suid bit. Default
Debian/FreeBSD/NetBSD/OpenBSD installation seems to
be vulerable ( Ex. Attacker can overwrite GOT section ).
( By default banner hasn't got set suid bit )
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
0x04. P0C
%uname -sir
FreeBSD 6.1-RELEASE GENERIC
%gdb banner
(gdb) r -w 17000000
Program received signal SIGSEGV, Segmentation fault.
0x01010101 in ?? ()
:o *ph34r*
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
0x05. S0lut10n
BEWARE! Uninstall vulnerable banner version or turn
off suid bit while patch is not released.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
0x05. Cr3d17z
ThAnXz GoEs To:
God, our families, my dog BL0B, ph34r_man, Katarzyna
Cichopek, Free/Net/OpenBSD crew, Crap LINUX, 4LL R0M4N14N
4nd 7urkiSh HACKERZ! #hack.ro,#hack.ru,#hack.bg,#hack.vu,
#hack.tt, #hack.uganda, #hack.hawaii, #hack.us, #hack.it,
#hack.de, #hack.pl, #hack.cl, #hack.cn, #evil, #evil.ru
F00ckZ goes tO:
NULL pointer ant letter 'z'
PS. Stop audit PHP crap, audit the real code......
. 0 x d 3 4 d c 0 d 3 . c r 3 w . 2 o o 6 .
E v i l i s i n s i d e U S
dead.code.crew@...l.ru
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists