lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <E1GmoMU-000AuF-00.dead-code-crew-mail-ru@f41.mail.ru>
Date: Wed, 22 Nov 2006 12:25:46 +0300
From: dead code crew <dead.code.crew@...l.ru>
To: full-disclosure@...ts.grok.org.uk
Subject: *BSD banner INT overflow vulnerability

 .=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
 |                     ______                     |
 |                  .-"      "-.                  |
 |                 /   banner   \                 |
 |     _          |              |          _     |
 |    ( \         |,  .-.  .-.  ,|         / )    |
 |     > "=._     | )(__/  \__)( |     _.=" <     |
 |    (_/"=._"=._ |/     /\     \| _.="_.="\_)    |
 |           "=._"(_     ^^     _)"_.="           |
 |               "=\__|ICRAPI|__/="               |
 |              _.="| \ICODEI/ |"=._              |
 |    _     _.="_.="\          /"=._"=._     _    |
 |   ( \_.="_.="     `--------`     "=._"=._/ )   |
 |    > _.="                            "=._ <    |
 |   (_/          security threat           \_)   |
 |                !W A R N I N G!                 |
 '-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-='
 
 Advisor                                       0x01
 Free\Net\OpenBSD banner int overflow vulnerability
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 0x01. B4ckgr0und

 [...]
 prints a large, high quality banner on the standard 
 output.  If the message is omitted, it prompts for 
 and reads one line of its standard input.
 [...]

 Vulnerable banner appears in Free/Net/OpenBSD, 
 Debian and it's pretty possible that other distros
 also uses this software.

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 0x02. Vuln3r4b1l1ty

 usr.bin/banner/banner.c 

 ...
 char	print[DWIDTH];
 ...
	for (i = 0; i < width; i++) {
		j = i * 132 / width;
		print[j] = 1;
	}
 ... 

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 0x03. 4n4lys1s

 This vulnerability may lead to local root compromise
 in cases when banner has set suid bit. Default 
 Debian/FreeBSD/NetBSD/OpenBSD installation seems to 
 be vulerable ( Ex. Attacker can overwrite GOT section ). 
 ( By default banner hasn't got set suid bit )

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 0x04. P0C

 %uname -sir
 FreeBSD 6.1-RELEASE GENERIC
 %gdb banner
 (gdb) r -w 17000000
 Program received signal SIGSEGV, Segmentation fault.
 0x01010101 in ?? ()

 :o *ph34r*

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 0x05. S0lut10n

 BEWARE! Uninstall vulnerable banner version or turn
 off suid bit while patch is not released.

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 0x05. Cr3d17z
 
 ThAnXz GoEs To:

 God, our families, my dog BL0B, ph34r_man, Katarzyna
 Cichopek, Free/Net/OpenBSD crew, Crap LINUX, 4LL R0M4N14N
 4nd 7urkiSh HACKERZ! #hack.ro,#hack.ru,#hack.bg,#hack.vu,
 #hack.tt, #hack.uganda, #hack.hawaii, #hack.us, #hack.it,
 #hack.de, #hack.pl, #hack.cl, #hack.cn, #evil, #evil.ru

 F00ckZ goes tO:

 NULL pointer ant letter 'z'

 PS. Stop audit PHP crap, audit the real code......

    . 0 x d 3 4 d c 0 d 3 . c r 3 w . 2 o o 6 .       
           E v i l  i s  i n s i d e  U S
               dead.code.crew@...l.ru
 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ