Full Disclosure mailing list archives

[FDSA] Multiple Vulnerabilities in Fred Diggle Software Foundation Execve Exploit


From: "Fredrick Diggle" <fdiggle () gmail com>
Date: Fri, 14 Dec 2007 08:00:04 -0600

Fred Diggle Security Advisory 12.14.07
Dec 14, 2007

I. BACKGROUND

The Fred Diggle Software Foundation recently released very priv8 0day
exploit code which exploits a design flaw in the execve system call which
could allow an attacker to execute arbitrary commands under the context of
their user. It was reported to Fred Diggle that this exploit was vulnerable
to several serious design flaws. The most severe of these could allow a user
to leverage the Fred Diggle exploit to run arbitrary commands as themselves.

II. DESCRIPTION

The first vulnerability relates to the usage of a vulnerable libc system
call wrapper "execve"; this system call contains a vulnerability whereby an
attacker could execute arbitrary commands as himself.

The second vulnerability relates to the program's behavior when sent a
SIGSEGV. According to independent researchers the Fred Diggle Inc. exploit
appears to contain a buffer overflow type exploit thing. This has not been
confirmed as Fred Diggle does not really understand all this mumbo jumbo
about signals and buffers.

III. ANALYSIS

Exploitation of this vulnerability would allow an attacker to execute
arbitrary commands in the context of the user.

IV. DETECTION

As of December 14th, 2007, Fred Diggle testing shows that all versions of
the execve system call exploit are vulnerable. However, the software appears
to only be exploitable when compiled using the "DIGGLEISAWESOME" option.

V. WORKAROUND

Fred Diggle Software Foundation suggests the following temporary workaround.

# shutdown -h now

VI. VENDOR RESPONSE

Fred Diggle doesn't have to respond to himself, Fred Diggle is above that
crap.

VII. DISCLOSURE TIMELINE

12/14/2007 Found out about it and disclosed immediately to Full Disclosure

VIII. CREDIT

This vulnerability was reported to Fred Diggle Software Foundation by Joey
Mengele (joey.mengele () hushmail com).


LEGAL NOTICES

Copyright (c) 2007 Fred Diggle Software Foundation, Inc.
CISSP, PHD, MCSE, CCNA, CEH, FDCA (Fred Diggle Certifiably Awesome)


Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of Fred Diggle.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.


On Dec 13, 2007 10:47 PM, Joey Mengele <joey.mengele () hushmail com> wrote:

Dead Fred Diggler,

You are not as much of an expert as you may have thought. Any
foolish teenager can break software, but it takes a computer
science degree to design software. For example, I have found a
design flaw vulnerability (DFV) in your exploit. By passing a
specially crafted argument to the program, an attacker can execute
arbitrary code with Diggler privileges.

I have also uncovered several race conditions. If one executes the
command 'pkill -11' on the program, for example, memory corruption
seems to occur, and most modern operating systems output the buffer
overflow code:

Segmentation fault

I hope you consult with experts before being so hasty to post your
attempt at a technical rant. LOLOL.

J

On Thu, 13 Dec 2007 23:20:21 -0500 Fredrick Diggle
<fdiggle () gmail com> wrote:
You should post this to milw0rm as it can always use quality exploit code
like this. I also have some priv8 code which I would like to disclose which
is the same type of vulnerability.

/*
* Author: Fredrick Diggle
* Vuln: execve system call allows arbitrary code execution
* Status: VERY PRIV8
* DO NOT RELEASE OR FRED DIGGLE WILL EAT YOUR FAMILY
*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#define INFINITY 73
#ifdef DIGGLEISAWESOME
int main(int argc, char **argv) {
  if (argc < 2) {
    fprintf(stderr, "usage: %s [command to run]\n\tPRIV8 Fred Diggle 0day\n", argv[0]);
    return INFINITY;
  }
  /* Replace this process image with argv[1], handing it the remaining
     arguments and an empty environment; it runs as the calling user. */
  execve(argv[1], &argv[1], NULL);
  /* execve only returns on failure */
  perror("execve");
  return EXIT_FAILURE;
}
#endif



On Dec 13, 2007 8:57 PM, kcope <kingcope () gmx net> wrote:

exploiting "features"

(see attached)

- -kcope / 2007


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



