Full Disclosure mailing list archives
Re: new BIG vulnerability in libc found!!!!!
From: "VeNoMouS" <venom () gen-x co nz>
Date: Fri, 18 Mar 2005 13:43:14 +1300
well DUH

----- Original Message -----
From: "cyberpixl" <cyberpixl () gmail com>
To: "Lennart Hansen" <xenzeo () gardener com>
Cc: <full-disclosure () lists grok org uk>
Sent: Friday, March 18, 2005 12:27 PM
Subject: Re: [Full-disclosure] new BIG vulnerability in libc found!!!!!

is this a joke? =P

On Wed, 09 Mar 2005 15:09:36 -0500, Lennart Hansen <xenzeo () gardener com> wrote:

**************************************
*        strcpy is vulnerable        *
*                 by                 *
*         MEAT-EATER SECURITY        *
*   a subdivision of UNIFIX security *
*                                    *
*      "pass the bacon, Goober"      *
**************************************

Affected Products: Every UNIX system with libc (or something like that) known to mankind EXCEPT openBSD!

Authors:
Xenzeo (Ablazed, Ultralaser, Lennart A Hansen)
Futte (Pussy Laybourne, Robert Bülow, futte () futte dk)
Cybermike (HotWater-Oracle, Mikkel Christensen, mail () metasecurity dk)

Problem:
From the man-page:

    char * stpcpy(char *dst, const char *src);

The stpcpy() and strcpy() functions copy the string src to dst (including the terminating `\0' character.)

This all sounds good and useful BUT... if the length of *src is greater than the length of *dest you are in serious trouble! Allow us to demonstrate.

-------------------- VULN CODE EXAMPLE -------------------
#include <stdio.h>
#include <string.h>   /* strcpy()/strncpy() prototypes */

void foo()
{
    puts("MEAT-EATER SECURITY");
}

void* funktion(char *str)
{
    char buffer[256];           /* fixed-size stack buffer */
    strcpy(buffer, str);        /* unbounded copy of str into it */
    return (&foo)+9;
}

int main()
{
    char buffer[1024];
    int return_value;
    int i;

    for (i = 0; i < 252; i++) {
        buffer[i] = 'A';
    }
    return_value=(funktion("r00t")-9);
    do {
        strncpy(buffer+i, &return_value,4);
    } while((i+=4) < 1000);
    while((i++)<1020) {
        buffer[i]='\0';
    }
    funktion(buffer);
    return 9;
}
-------------------- VULN CODE EXAMPLE -------------------

<~>$ gcc -o 0wned lennart4real.c -09 --omit-frame-pointer
(th4nkz t0 truti for cumpajl instrukctions)
gcc: unrecognized option `-09'
lennart4real.c: In function `main':
lennart4real.c:21: warning: assignment makes integer from pointer without a cast
lennart4real.c:23: warning: passing arg 2 of `strncpy' from incompatible pointer type
<~>$ ./0wned
MEAT-EATER SECURITY
MEAT-EATER SECURITY
[...]
MEAT-EATER SECURITY
Segmentation fault (core dumped)
<~>$

As you see this is definitely not good! Our research in MEAT-EATER SECURITY shows that we can exploit this bug in strcpy!!!!

Allow us to elaborate.

IF YOU OVERWRITE THE BUFFER (WHICH IS LOCATED IN A STACK-FRAME (that's why I omit frame pointers)) YOU ARE ABLE TO INJECT ARBITRARY DATA IN THE MEMORY - MUCH LIKE YOU COULD DO IF YOU HAVE ROOT ACCESS TO /dev/kmem. EVEN MORE: YOU ARE ABLE TO OVERWRITE REGISTERS IN THE CPU AND THEREBY EXECUTE YOUR OWN EVIL CODE!!!!!!!

You could for example override the AX register with a false value forcing the CPU to delete files or give you a ROOT sh3ll on the victim's computer! REMEMBER ALWAYS TO SUID YOUR PROGRAM TO ROOT BEFORE THE VICTIM RUNS IT!

Shell code example:

-------------------- SHELL CODE EXAMPLE -------------------
push eip         ;extended ip address of victim
MOV AX,linux
MOV BX,exec      ;we run a shell ;+)
mov ecx,'/bin/sh'
int 21h
jmp $shell
-------------------- SHELL CODE EXAMPLE -------------------

No explanation needed! You should now have a ROOT shell!!!!!!!!

Vendor status: WE AT MEAT-EATER SECURITY BELIEVE IN FREE INFORMATION!!!!

Solutions:
Avoid linking with libc and/or stop using strcpy and strncpy.
Use openBSD 4 real!
In every shell code replace all INT with NOP (THIS IS THE SAFE!)

And remember folks: Hackers don't 0wn people, exploits do!

WATCH OUT, WHITEHATS!!!!!

Gr33tz:
Shoutz outz to Truti (http://packetstormsecurity.nl/docs/hack/bypass_blackicedefender_zonealarm.txt)
www.spywarefri.dk (DANISH HACKER TEAM)

--
___________________________________________________________
Sign-up for Ads Free at Mail.com
http://promo.mail.com/adsfreejump.htm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/
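The one real point under the jokes in the quoted post is that strcpy() copies until the source's NUL with no regard for the 256-byte destination in funktion(). As an added example that is not part of the thread, here is a bounded replacement (hypothetical names copy_bounded, funktion_safe and sample_a_string) that rejects an over-long input instead of writing past the buffer, using only memchr/memcpy so it needs nothing beyond standard C:

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical hardened replacement for the quoted post's strcpy() call:
 * the copy is bounded by dst_size and never reads past dst_size bytes of
 * src. Returns 0 on success, -1 when src plus its NUL does not fit; on
 * failure dst is an empty string, so the caller must handle rejection. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* Look for the terminator only inside the first dst_size bytes. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {               /* no NUL within dst_size: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);   /* includes the NUL */
    return 0;
}

/* Same shape as the post's funktion(): a 256-byte stack buffer, but the
 * copy can no longer run past it. Returns 1 if accepted, 0 if rejected. */
int funktion_safe(const char *str)
{
    char buffer[256];
    return copy_bounded(buffer, sizeof buffer, str) == 0;
}

/* Constructed sample input in the style of the post's main(): n bytes of
 * 'A' (capped at 1023) in a static buffer, NUL-terminated. */
const char *sample_a_string(size_t n)
{
    static char big[1024];
    if (n > sizeof big - 1)
        n = sizeof big - 1;
    memset(big, 'A', n);
    big[n] = '\0';
    return big;
}

int main(void)
{
    /* "r00t" and 255 'A's fit; 256 or 1000 'A's are rejected instead of
     * overwriting whatever follows buffer on the stack. */
    int ok = funktion_safe("r00t") && funktion_safe(sample_a_string(255))
          && !funktion_safe(sample_a_string(256))
          && !funktion_safe(sample_a_string(1000));
    return ok ? 0 : 1;
}
```

The rejection is deliberate: strncpy() would silently truncate and, when the source fills the destination, leave it without a terminator, which is the other pitfall the post's own main() trips over.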
Current thread:
- new BIG vulnerability in libc found!!!!! Lennart Hansen (Mar 09)
- Re: new BIG vulnerability in libc found!!!!! Macy Gasp (Mar 10)
- Re: new BIG vulnerability in libc found!!!!! Harry de Grote (Mar 10)
- Re: new BIG vulnerability in libc found!!!!! cyberpixl (Mar 17)
- Re: new BIG vulnerability in libc found!!!!! VeNoMouS (Mar 17)