Vulnerability Development mailing list archives

Re: top (procps-2.0.7-25) vulnerability


From: Ayaz Ahmed Khan <ayaz () pakcon org>
Date: Mon, 9 May 2005 20:42:29 +0600 (PKST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

WINNY THOMAS typed:

While running top on a tool of mine to do a profiling test, the top
command ran into a segmentation fault. I could find two instances
where the command could misbehave:

1.  if you have junk data inside a file .toprc in your home
directory
2.  if your environment variable HOME is set to a string that's
greater than 1024.

I managed to spawn a shell out of the top command by exploiting the
second issue. If you compile and run the exploit code which I am
including in the mail body you will get a shell. In case you don't,
you could pass parameters to the program as follows to adjust the
offset. The vulnerability details are included in the code comments.

[winnythomas@r8 WinnyThomas]$ ./putshellcode 1001
sh-2.05b$ exit
exit
[winnythomas@r8 WinnyThomas]$ ./putshellcode 120
Illegal instruction
[winnythomas@r8 WinnyThomas]$ ./putshellcode 1010
sh-2.05b$ exit
exit

In most of the tests I did on the vulnerable code I got a shell on my
system without passing any parameter to the program (that is, the
hardcoded offset of 1111 in my program worked well on my system).

/* PoC */ --snipped--

Nice.  With Libsafe guarding against attempts to write across stack
boundaries on my system, I get this:

   ayaz[1]:~/programming/exploits/misc> ./top-local-shell
   Libsafe version 2.0.16
   Detected an attempt to write across stack boundary.
   Terminating /usr/bin/top.
       uid=1001  euid=1001  pid=1189
   Call stack:
       0x400189c0  /lib/libsafe.so.2.0.16
       0x40018ab4  /lib/libsafe.so.2.0.16
       0x8049a76   /usr/bin/top
       0x8049cda   /usr/bin/top
       0x4008ed01  /lib/libc-2.3.2.so
   Overflow caused by strcpy()
   Killed

It tells me that strcpy() is the culprit--as usual.

- -- 
Ayaz Ahmed Khan                            http://fast-ce.org/ayaz/

   I was going through some code from 2002, frustrated at
        the lack of comments, cursing the moron who
   put this spaghetti together, only to realize later that
          I was the moron who had written it.

                   -- CowboyRobot wrote on /.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iQEVAwUBQn921QFi6bOwa2ADAQLltwf+PnSF5HGoSiCl1GjoUptvzfLmajcXOUWx
Hq/SIE2TQCi8/U8NmaukYOcD8hJNfR3x1Wxw8LyGHkSOXO4woE/+Nbi6d5DDNX+N
kS3pGA6ORwxFhyz77Y+cdKlPSa3UIBJS+PQC22e517KYXzwo30nlTF/MTz9/tVyj
KhBjexg5i2vsPThgOZ+6N2AN5N5Emp2j0FPIOGnADsnaOBME/afbZj95Rd2LFZJW
axbyKdjwj6z+1zs982+u9Qk53cgdAWbt1rl0gfY9So5gLRTHbNy0NX7xBIZzAgsp
cLukWq4Lh5RLwM4FB6+UN75JticHTTwEkvMggSDk24loKqseuQPXSQ==
=eAtw
-----END PGP SIGNATURE-----
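The pattern behind the second misbehaviour reported above (an unbounded strcpy() of HOME into a fixed stack buffer while building the .toprc path) next to a bounded version, as an added example. This is illustrative code written for this archive page; it is not the procps source, not Winny Thomas's PoC, and not Libsafe. The 1024-byte buffer size is taken from the report; the function names, the "/home/winnythomas" path and the 2000-byte HOME value are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the rc-file path; the report says a HOME
   longer than 1024 triggers the crash, so 1024 is used here. */
#define RCPATH_MAX 1024
#define RCFILE     "/.toprc"

/*
 * The pattern the report describes, reconstructed for illustration
 * (NOT the procps source): HOME is copied into a fixed-size stack
 * buffer with strcpy() and the file name appended.  A HOME longer than
 * the buffer runs off the end of path[] and over the saved frame, which
 * is what the PoC's offset parameter is tuning against and what Libsafe
 * reports as "write across stack boundary ... strcpy()".
 * Only call this with a short HOME; with a long one it is the bug.
 */
void build_rcpath_unsafe(char *out, const char *home)
{
    char path[RCPATH_MAX];
    strcpy(path, home);          /* unbounded copy */
    strcat(path, RCFILE);        /* unbounded append */
    strcpy(out, path);
}

/*
 * Hardened form: measure before copying, fail closed on anything that
 * does not fit, and use snprintf() so the bound holds even if the
 * arithmetic above it is ever wrong.  Returns 0 on success, -1 if HOME
 * is unset/empty or the result would not fit in outsz bytes.
 */
int build_rcpath_safe(char *out, size_t outsz, const char *home)
{
    if (home == NULL || *home == '\0' || outsz == 0)
        return -1;
    if (strlen(home) + strlen(RCFILE) + 1 > outsz)
        return -1;               /* too long: refuse rather than truncate */

    int n = snprintf(out, outsz, "%s%s", home, RCFILE);
    if (n < 0 || (size_t)n >= outsz)
        return -1;               /* defensive: snprintf says it was cut */
    return 0;
}

/* Constructed test input: a HOME of `len` 'A' bytes, the shape a PoC
   would export before exec'ing the target.  Caller frees. */
char *make_long_home(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* 1 if the safe builder produces the expected path for a normal HOME
   (the home directory path is an assumed example value). */
int safe_accepts_normal_home(void)
{
    char out[RCPATH_MAX];
    return build_rcpath_safe(out, sizeof out, "/home/winnythomas") == 0
        && strcmp(out, "/home/winnythomas/.toprc") == 0;
}

/* 1 if the safe builder rejects a HOME that would overflow a 1024-byte
   buffer (2000 bytes, the second misbehaviour in the report). */
int safe_rejects_long_home(void)
{
    char out[RCPATH_MAX];
    char *home = make_long_home(2000);
    if (home == NULL)
        return 0;
    int rc = build_rcpath_safe(out, sizeof out, home);
    free(home);
    return rc == -1;
}

int main(void)
{
    char out[RCPATH_MAX];

    build_rcpath_unsafe(out, "/home/winnythomas");   /* short HOME: fine */
    printf("unsafe builder, short HOME: %s\n", out);

    printf("safe builder, normal HOME ok: %d\n", safe_accepts_normal_home());
    printf("safe builder, 2000-byte HOME rejected: %d\n", safe_rejects_long_home());
    return 0;
}
```

The safe builder refuses an oversized HOME instead of truncating it: a silently truncated path would make top read a different file than the user's own .toprc, which is the first misbehaviour in the report waiting to happen. The explicit length check also matters because a Libsafe-style guard only intercepts the libc wrappers it knows about; a hand-rolled copy loop would not be caught.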

