|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Calife heap corrupt / potential local root exploit
From: DownBload (downbload
hotmail.com)
Date: Fri Feb 27 2004 - 03:19:21 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Calife heap corrupt / potential local root exploit
--------------------------------------------------
by Leon Juranic a.k.a DownBload <downbloadhotmail.com> / II-Labs
Version affected(tested): calife-2.8.4c and calife-2.8.5
- calife can be found at packages.debian.org, FreeBSD 5.0 (security), ...
From `man calife`:
...
Description:
Calife requests user's own password for becoming login (or root, if no login is provided), and switches to that user and group ID after verify-ing proper rights to do so. A shell is then executed. If calife is exe-cuted by root, no password is requested and a shell with the appropriate user ID is executed.
...
[downbloadlocalhost downbload]$ ls -al `whereis calife`
ls: calife:: No such file or directory
-r-------- 1 root wheel 159 Feb 19 15:54 /etc/calife.auth
-rwsr-xr-x 1 root wheel 575623 Feb 5 14:49 /usr/local/bin/calife
[downbloadlocalhost downbload]$ calife luser
Password: "A" x 3000
Password: real_user_password
Segmentation fault
[downbloadlocalhost downbload]$
- "A" x 3000 will corrupt the heap.
- If real_user_password isn't correct, calife will do exit()
- If attacker wants to exploit calife, there must be at least one user "available" in /etc/calife.auth
/root/calife-2.8.4c/db.c
------------------------
...
char got_pass = 0;
char * pt_pass, * pt_enc,
* user_pass, * enc_pass, salt [10];
user_pass = (char *) xalloc (l_size);
enc_pass = (char *) xalloc (l_size);
...
for ( i = 0; i < 3; i ++ )
{
pt_pass = (char *) getpass ("Password:");
memset (user_pass, '\0', l_size);
strcpy (user_pass, pt_pass); // <- BAD CODE
pt_enc = (char *) crypt (user_pass, calife->pw_passwd);
memset (enc_pass, '\0', l_size);
strcpy (enc_pass, pt_enc);
}
...
free (user_pass); // <- FUN CODE ;-)
free (enc_pass); // <- FUN CODE ;-)
...
------------------------
We can pass very long password string to calife and corrupt it's heap (overwrite boundary tags).
However, it isn't easy to exploit this bug, because every newline, backspace, etc. character from user input will affect exploitation (e.g. backspace char will delete one char from user input - exploitation string).
Greetz to h4z4rd, BoyScout, finis, Fr1c, lucious, manikal, Gorans, slash, j0e, smak, Bojan, wootz...
Bye.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]