exploit the possibilities

calife284.txt

calife284.txt
Posted Feb 27, 2004
Authored by DownBload

Calife versions 2.8.4c and 2.8.5 has a heap memory corruption vulnerability which can lead to local privilege escalation.

tags | advisory, local
MD5 | 6030b170dd39d3b94fd5f3a5363a792d

calife284.txt

Change Mirror Download


Calife heap corrupt / potential local root exploit
--------------------------------------------------
by Leon Juranic a.k.a DownBload <downbload@hotmail.com> / II-Labs


Version affected(tested): calife-2.8.4c and calife-2.8.5
- calife can be found at packages.debian.org, FreeBSD 5.0 (security), ...

>From `man calife`:
...
Description:
Calife requests user's own password for becoming login (or root, if no login is provided), and switches to that user and group ID after verify-ing proper rights to do so. A shell is then executed. If calife is exe-cuted by root, no password is requested and a shell with the appropriate user ID is executed.
...

[downbload@localhost downbload]$ ls -al `whereis calife`
ls: calife:: No such file or directory
-r-------- 1 root wheel 159 Feb 19 15:54 /etc/calife.auth
-rwsr-xr-x 1 root wheel 575623 Feb 5 14:49 /usr/local/bin/calife

[downbload@localhost downbload]$ calife luser
Password: "A" x 3000
Password: real_user_password
Segmentation fault
[downbload@localhost downbload]$

- "A" x 3000 will corrupt the heap.
- If real_user_password isn't correct, calife will do exit()
- If attacker wants to exploit calife, there must be at least one user "available" in /etc/calife.auth


/root/calife-2.8.4c/db.c
------------------------
...
char got_pass = 0;
char * pt_pass, * pt_enc,
* user_pass, * enc_pass, salt [10];

user_pass = (char *) xalloc (l_size);
enc_pass = (char *) xalloc (l_size);
...
for ( i = 0; i < 3; i ++ )
{
pt_pass = (char *) getpass ("Password:");
memset (user_pass, '\0', l_size);
strcpy (user_pass, pt_pass); // <- BAD CODE
pt_enc = (char *) crypt (user_pass, calife->pw_passwd);
memset (enc_pass, '\0', l_size);
strcpy (enc_pass, pt_enc);
}
...
free (user_pass); // <- FUN CODE ;-)
free (enc_pass); // <- FUN CODE ;-)
...

------------------------

We can pass very long password string to calife and corrupt it's heap (overwrite boundary tags).
However, it isn't easy to exploit this bug, because every newline, backspace, etc. character from user input will affect exploitation (e.g. backspace char will delete one char from user input - exploitation string).

Greetz to h4z4rd, BoyScout, finis, Fr1c, lucious, manikal, Gorans, slash, j0e, smak, Bojan, wootz...

Bye.
Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    28 Files
  • 23
    Sep 23rd
    13 Files
  • 24
    Sep 24th
    10 Files
  • 25
    Sep 25th
    1 Files
  • 26
    Sep 26th
    1 Files
  • 27
    Sep 27th
    20 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close