Re: top (procps-2.0.7-25) vulnerability

["KF (lists)" <kf_lists () digitalmunition com>]

So... I guess the real question is if you run it over and over and over 
again does libsafe fail?

http://www.security.nnov.ru/Idocument360.html

-KF


Ayaz Ahmed Khan wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> WINNY THOMAS typed:
>
>  
>
> > While running top on a tool of mine to do a profiling test the top
> > command ran into a segmentation fault. I could find two instance
> > where the command could misbehave
> >
> > 1.  if you have junk data inside a file .toprc in your home
> > directory
> > 2.  if your environmental variable HOME is set to a string that’s
> > greater than 1024.
> >
> > I managed to spawn a shell out of top command by exploiting the
> > second issue. If you compile and run the exploit code which I am
> > including in the mail body you will get a shell. Incase you don’t
> > you could pass parameters to the program as follows to adjust the
> > offset.  The vulnerability detail is included in the code comment
> >
> > [winnythomas@r8 WinnyThomas]$ ./putshellcode 1001
> > sh-2.05b$ exit
> > exit
> > [winnythomas@r8 WinnyThomas]$ ./putshellcode 120
> > Illegal instruction
> > [winnythomas@r8 WinnyThomas]$ ./putshellcode 1010
> > sh-2.05b$ exit
> > exit
> >
> > in most of the test I did on the vulnerable code I got shell on my
> > system without passing any parameter to the program (that is the
> > hardcoded offset of 1111 in my program worked well on my system)
> >
> > /* PoC */ --snipped--
> >    
>
> Nice.  With Libsafe guarding against attempts to write across stack
> boundaries on my system, I get this:
>
>   ayaz[1]:~/programming/exploits/misc> ./top-local-shell
>   Libsafe version 2.0.16
>   Detected an attempt to write across stack boundary.
>   Terminating /usr/bin/top.
>       uid=1001  euid=1001  pid=1189
>   Call stack:
>       0x400189c0  /lib/libsafe.so.2.0.16
>       0x40018ab4  /lib/libsafe.so.2.0.16
>       0x8049a76   /usr/bin/top
>       0x8049cda   /usr/bin/top
>       0x4008ed01  /lib/libc-2.3.2.so
>   Overflow caused by strcpy()
>   Killed
>
> It tells me that strcpy() is the culprit--as of usual.
>
> - -- 
> Ayaz Ahmed Khan                            http://fast-ce.org/ayaz/
>
>   I was going through some code from 2002, frustrated at
>        the lack of comments, cursing the moron who
>   put this spaghetti together, only to realize later that
>          I was the moron who had written it.
>
>                   -- CowboyRobot wrote on /.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (GNU/Linux)
> Comment: For info see http://quantumlab.net/pine_privacy_guard/
>
> iQEVAwUBQn921QFi6bOwa2ADAQLltwf+PnSF5HGoSiCl1GjoUptvzfLmajcXOUWx
> Hq/SIE2TQCi8/U8NmaukYOcD8hJNfR3x1Wxw8LyGHkSOXO4woE/+Nbi6d5DDNX+N
> kS3pGA6ORwxFhyz77Y+cdKlPSa3UIBJS+PQC22e517KYXzwo30nlTF/MTz9/tVyj
> KhBjexg5i2vsPThgOZ+6N2AN5N5Emp2j0FPIOGnADsnaOBME/afbZj95Rd2LFZJW
> axbyKdjwj6z+1zs982+u9Qk53cgdAWbt1rl0gfY9So5gLRTHbNy0NX7xBIZzAgsp
> cLukWq4Lh5RLwM4FB6+UN75JticHTTwEkvMggSDk24loKqseuQPXSQ==
> =eAtw
> -----END PGP SIGNATURE-----
>
>
>
>