Vulnerability Development mailing list archives
Re: top (procps-2.0.7-25) vulnerability
From: "KF (lists)" <kf_lists () digitalmunition com>
Date: Tue, 10 May 2005 15:28:28 -0400
So... I guess the real question is if you run it over and over and over again does libsafe fail?

http://www.security.nnov.ru/Idocument360.html

-KF

Ayaz Ahmed Khan wrote:
> WINNY THOMAS typed:
>
> > While running top on a tool of mine to do a profiling test, the top command ran into a segmentation fault. I could find two instances where the command could misbehave:
> >
> > 1. if you have junk data inside a file .toprc in your home directory
> > 2. if your environmental variable HOME is set to a string that's greater than 1024.
> >
> > I managed to spawn a shell out of the top command by exploiting the second issue. If you compile and run the exploit code which I am including in the mail body you will get a shell. In case you don't, you could pass parameters to the program as follows to adjust the offset. The vulnerability detail is included in the code comment.
> >
> > [winnythomas@r8 WinnyThomas]$ ./putshellcode 1001
> > sh-2.05b$ exit
> > exit
> > [winnythomas@r8 WinnyThomas]$ ./putshellcode 120
> > Illegal instruction
> > [winnythomas@r8 WinnyThomas]$ ./putshellcode 1010
> > sh-2.05b$ exit
> > exit
> >
> > In most of the tests I did on the vulnerable code I got a shell on my system without passing any parameter to the program (that is, the hardcoded offset of 1111 in my program worked well on my system).
> >
> > /* PoC */
> > --snipped--
>
> Nice. With Libsafe guarding against attempts to write across stack boundaries on my system, I get this:
>
> ayaz[1]:~/programming/exploits/misc> ./top-local-shell
> Libsafe version 2.0.16
> Detected an attempt to write across stack boundary.
> Terminating /usr/bin/top.
> uid=1001 euid=1001 pid=1189
> Call stack:
> 0x400189c0 /lib/libsafe.so.2.0.16
> 0x40018ab4 /lib/libsafe.so.2.0.16
> 0x8049a76 /usr/bin/top
> 0x8049cda /usr/bin/top
> 0x4008ed01 /lib/libc-2.3.2.so
> Overflow caused by strcpy()
> Killed
>
> It tells me that strcpy() is the culprit, as usual.
>
> --
> Ayaz Ahmed Khan
> http://fast-ce.org/ayaz/
> I was going through some code from 2002, frustrated at the lack of comments, cursing the moron who put this spaghetti together, only to realize later that I was the moron who had written it. -- CowboyRobot wrote on /.
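The bug class the thread describes (an over-long $HOME copied with strcpy() into a fixed 1024-byte stack buffer while building the .toprc path, which is what Libsafe flagged) shown next to a bounded builder that fails closed. This is an added, constructed illustration, not procps's code and not from any message above; the buffer size, the "/.toprc" suffix and all function names are assumptions.

```c
/* Constructed illustration of the .toprc path-building defect class from the
 * thread; buffer size, file name and function names are assumptions, not
 * the procps-2.0.7 source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RC_BUF_SIZE 1024          /* assumed fixed stack buffer size */
#define RC_NAME     "/.toprc"     /* assumed file name appended to $HOME */

/* Returns 1 if strcpy(buf, home); strcat(buf, RC_NAME) into a RC_BUF_SIZE
 * buffer would write past its end (the condition Libsafe aborted on),
 * without actually performing the unsafe copy. */
int unbounded_copy_overflows(const char *home) {
    return strlen(home) + strlen(RC_NAME) + 1 > RC_BUF_SIZE;
}

/* Hardened builder: validates the environment value and bounds the write.
 * Returns 0 and fills `out` on success; -1 (and an empty `out`) when HOME is
 * unset, not absolute, or would not fit including the terminating NUL. */
int build_rc_path(const char *home, char *out, size_t outsz) {
    if (outsz == 0) return -1;
    out[0] = '\0';
    if (home == NULL || home[0] != '/') return -1;      /* reject unset/relative */
    int n = snprintf(out, outsz, "%s%s", home, RC_NAME);
    if (n < 0 || (size_t)n >= outsz) {                   /* truncated: refuse */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Builds a constructed HOME value of `len` bytes ('/' then 'A's); caller frees. */
char *make_long_home(size_t len) {
    char *h = malloc(len + 1);
    if (h == NULL || len == 0) { free(h); return NULL; }
    memset(h, 'A', len);
    h[0] = '/';
    h[len] = '\0';
    return h;
}

int main(void) {
    char path[RC_BUF_SIZE];
    char *bad = make_long_home(1100);   /* like the report's >1024-byte HOME */
    printf("normal HOME: ok=%d path=%s\n",
           build_rc_path("/home/winny", path, sizeof path) == 0, path);
    printf("1100-byte HOME: unbounded copy overflows=%d, bounded builder ok=%d\n",
           unbounded_copy_overflows(bad), build_rc_path(bad, path, sizeof path) == 0);
    free(bad);
    return 0;
}
```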
Current thread:
- top (procps-2.0.7-25) vulnerability WINNY THOMAS (May 09)
- Re: top (procps-2.0.7-25) vulnerability Ayaz Ahmed Khan (May 10)
- Re: top (procps-2.0.7-25) vulnerability KF (lists) (May 10)
- Re: top (procps-2.0.7-25) vulnerability KF (lists) (May 10)
- Re: top (procps-2.0.7-25) vulnerability Ayaz Ahmed Khan (May 10)