Full Disclosure mailing list archives

Re: new BIG vulnerability in libc found!!!!!


From: "VeNoMouS" <venom () gen-x co nz>
Date: Fri, 18 Mar 2005 13:43:14 +1300

well DUH
----- Original Message -----
From: "cyberpixl" <cyberpixl () gmail com>
To: "Lennart Hansen" <xenzeo () gardener com>
Cc: <full-disclosure () lists grok org uk>
Sent: Friday, March 18, 2005 12:27 PM
Subject: Re: [Full-disclosure] new BIG vulnerability in libc found!!!!!


is this a joke? =P

On Wed, 09 Mar 2005 15:09:36 -0500, Lennart Hansen <xenzeo () gardener com> wrote:
**************************************
*        strcpy is vulnerable        *
*                by                  *
*        MEAT-EATER SECURITY         *
*  a subdivision of UNIFIX security  *
*                                    *
*       "pass the bacon, Goober"     *
**************************************

Affected Products:
    Every UNIX system with libc (or something like that)
    known to mankind EXCEPT openBSD!

Authors:
    Xenzeo (Ablazed, Ultralaser, Lennart A Hansen)
    Futte  (Pussy Laybourne, Robert Bülow, futte () futte dk)
    Cybermike (HotWater-Oracle, Mikkel Christensen, mail () metasecurity dk)

Problem:
    From the man-page:
    char * stpcpy(char *dst, const char *src);
    The stpcpy() and strcpy() functions copy the string src to dst (including
    the terminating `\0' character.)

    This all sounds good and useful BUT... if the length of *src is greater than
    the length of *dest you are in serious trouble!
    Allow us to demonstrate.

    -------------------- VULN CODE EXAMPLE -------------------

    #include <stdio.h>
    #include <string.h>   /* prototypes for strcpy/strncpy */
    void foo() {
       puts("MEAT-EATER SECURITY");
    }
    /* the "vuln": unbounded strcpy into a 256-byte stack buffer */
    void* funktion(char *str) {
       char buffer[256];
       strcpy(buffer, str);
       return (&foo)+9;   /* hands foo's address (+9) back to main */
    }
    int main() {
       char buffer[1024];
       int return_value;
       int i;
       /* 252 bytes of filler up to the saved return address */
       for (i = 0; i < 252; i++) {
          buffer[i] = 'A';
       }
       /* recover &foo so it can be written over the return address */
       return_value=(funktion("r00t")-9);
       /* repeat &foo across the payload: every ret from foo lands in foo again */
       do {
          strncpy(buffer+i, &return_value,4);
       } while((i+=4) < 1000);
       while((i++)<1020) {
          buffer[i]='\0';
       }
       /* the overflow: 1020 bytes into buffer[256] */
       funktion(buffer);
       return 9;
    }

    -------------------- VULN CODE EXAMPLE -------------------
    <~>$ gcc -o 0wned lennart4real.c -09 --omit-frame-pointer (th4nkz t0 truti for cumpajl instrukctions)
    gcc: unrecognized option `-09'
    lennart4real.c: In function `main':
    lennart4real.c:21: warning: assignment makes integer from pointer without a cast
    lennart4real.c:23: warning: passing arg 2 of `strncpy' from incompatible pointer type
    <~>$ ./0wned
    MEAT-EATER SECURITY
    MEAT-EATER SECURITY
    [...]
    MEAT-EATER SECURITY
    Segmentation fault (core dumped)
    <~>$
    As you can see, this is definitely not good! Our research at MEAT-EATER SECURITY shows that we can exploit
    this bug in strcpy!!!! Allow us to elaborate.
    IF YOU OVERWRITE THE BUFFER (WHICH IS LOCATED IN A STACK-FRAME (that's why I omit frame pointers)) YOU ARE ABLE TO INJECT ARBITRARY DATA INTO MEMORY - MUCH LIKE YOU COULD DO IF YOU HAD ROOT ACCESS TO /dev/kmem. EVEN MORE: YOU ARE ABLE TO OVERWRITE REGISTERS IN THE CPU AND THEREBY EXECUTE YOUR OWN EVIL CODE!!!!!!! You could for example override the AX register with a false value forcing the CPU to delete files or give you a ROOT sh3ll on the victim's computer! REMEMBER ALWAYS TO SUID YOUR PROGRAM TO ROOT BEFORE THE VICTIM
    RUNS IT! Shell code example:

    -------------------- SHELL CODE EXAMPLE -------------------
    push eip           ;extended ip address of victim
    MOV AX,linux
    MOV BX,exec        ;we run a shell ;+)
    mov ecx,'/bin/sh'
    int 21h
    jmp $shell
    -------------------- SHELL CODE EXAMPLE -------------------
    No explanation needed! You should now have a ROOT shell!!!!!!!!

Vendor status:
    WE AT MEAT-EATER SECURITY BELIEVE IN FREE INFORMATION!!!!

Solutions:
    Avoid linking with libc and/or stop using strcpy and strncpy.
    Use openBSD 4 real!
    In every shell code replace all INT with NOP (THIS IS THE SAFE!)
And remember folks: Hackers don't 0wn people, exploits do! WATCH OUT, WHITEHATS!!!!!

Gr33tz:
    Shoutz outz to Truti (http://packetstormsecurity.nl/docs/hack/bypass_blackicedefender_zonealarm.txt)
    www.spywarefri.dk (DANISH HACKER TEAM)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/

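The one real point under the MEAT-EATER advisory above is that strcpy() copies until it meets a NUL and knows nothing about the size of the destination. The C below is added by the editor and is not part of the thread or of the original post: it puts the unbounded copy from the advisory beside a bounded replacement (the names unsafe_copy, safe_copy and demo_oversized_input are my own) that always NUL-terminates and tells the caller when input was truncated, then feeds it a 1020-byte payload of the shape the advisory builds. The payload is constructed inline for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 256   /* same destination size as funktion() in the advisory */

/* The pattern from the advisory: an unbounded copy into a fixed buffer.
 * strcpy writes strlen(src)+1 bytes no matter how large dst is, so a
 * longer src runs straight past the end of dst. Kept here only to show
 * the shape of the bug; never call it with input you do not control. */
void unsafe_copy(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened replacement (editor's own helper, not a libc function):
 * the caller passes the destination size, at most dst_size-1 bytes of
 * src are copied, dst is always NUL-terminated, and the return value
 * reports whether src fit. Returns 0 on success, -1 on bad arguments
 * or when src had to be truncated. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t i;

    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    /* stop one byte short of the end to leave room for the terminator;
     * src is read only as far as it is copied, so an unterminated src
     * cannot cause an over-read either */
    for (i = 0; i + 1 < dst_size && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';

    /* if the loop stopped before src's NUL, the copy was truncated */
    return src[i] == '\0' ? 0 : -1;
}

/* Constructed payload of the size the advisory uses: 1020 non-NUL bytes
 * aimed at a 256-byte destination. With the bounded copy the destination
 * receives 255 bytes plus a NUL and the caller learns it was truncated. */
int demo_oversized_input(void)
{
    char payload[1021];
    char dst[BUF_SIZE];

    memset(payload, 'A', sizeof(payload) - 1);
    payload[sizeof(payload) - 1] = '\0';

    return safe_copy(dst, sizeof dst, payload);   /* -1: truncated, dst intact */
}

int main(void)
{
    char dst[BUF_SIZE];
    int rc;

    rc = safe_copy(dst, sizeof dst, "r00t");
    printf("short input:     rc=%d dst=\"%s\"\n", rc, dst);

    rc = demo_oversized_input();
    printf("1020-byte input: rc=%d (truncated, nothing written past the buffer)\n", rc);
    return 0;
}
```

The bounded version is the shape the advisory's "solution" should have taken: the fix is not to stop linking libc but to never copy without the destination size in hand, and to treat truncation as an error the caller sees rather than something that silently happens. Note also that the posted exploit assumed no stack protector, an executable stack and a fixed stack layout; most current toolchains enable -fstack-protector-strong and, with optimisation and _FORTIFY_SOURCE, replace a strcpy into a known-size buffer with a checked variant that aborts on overflow, so the repeated "MEAT-EATER SECURITY" output is unlikely to reproduce as shown.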

