Re: top (procps-2.0.7-25) vulnerability

From: Ayaz Ahmed Khan (ayazpakcon.org)
Date: Mon May 09 2005 - 09:42:29 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

WINNY THOMAS typed:

> While running top on a tool of mine to do a profiling test, the top
> command ran into a segmentation fault. I could find two instances
> where the command could misbehave:
>
> 1. if you have junk data inside a file .toprc in your home
> directory
> 2. if your environmental variable HOME is set to a string that’s
> greater than 1024.
>
> I managed to spawn a shell out of the top command by exploiting the
> second issue. If you compile and run the exploit code which I am
> including in the mail body you will get a shell. In case you don't,
> you could pass parameters to the program as follows to adjust the
> offset. The vulnerability details are included in the code comments.
>
> [winnythomasr8 WinnyThomas]$ ./putshellcode 1001
> sh-2.05b$ exit
> exit
> [winnythomasr8 WinnyThomas]$ ./putshellcode 120
> Illegal instruction
> [winnythomasr8 WinnyThomas]$ ./putshellcode 1010
> sh-2.05b$ exit
> exit
>
> In most of the tests I did on the vulnerable code I got a shell on my
> system without passing any parameter to the program (that is, the
> hardcoded offset of 1111 in my program worked well on my system).
>
> /* PoC */ --snipped--

Nice. With Libsafe guarding against attempts to write across stack
boundaries on my system, I get this:

   ayaz[1]:~/programming/exploits/misc> ./top-local-shell
   Libsafe version 2.0.16
   Detected an attempt to write across stack boundary.
   Terminating /usr/bin/top.
       uid=1001 euid=1001 pid=1189
   Call stack:
       0x400189c0 /lib/libsafe.so.2.0.16
       0x40018ab4 /lib/libsafe.so.2.0.16
       0x8049a76 /usr/bin/top
       0x8049cda /usr/bin/top
       0x4008ed01 /lib/libc-2.3.2.so
   Overflow caused by strcpy()
   Killed

It tells me that strcpy() is the culprit--as usual.

- --
Ayaz Ahmed Khan http://fast-ce.org/ayaz/

   I was going through some code from 2002, frustrated at
        the lack of comments, cursing the moron who
   put this spaghetti together, only to realize later that
          I was the moron who had written it.

                   -- CowboyRobot wrote on /.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iQEVAwUBQn921QFi6bOwa2ADAQLltwf+PnSF5HGoSiCl1GjoUptvzfLmajcXOUWx
Hq/SIE2TQCi8/U8NmaukYOcD8hJNfR3x1Wxw8LyGHkSOXO4woE/+Nbi6d5DDNX+N
kS3pGA6ORwxFhyz77Y+cdKlPSa3UIBJS+PQC22e517KYXzwo30nlTF/MTz9/tVyj
KhBjexg5i2vsPThgOZ+6N2AN5N5Emp2j0FPIOGnADsnaOBME/afbZj95Rd2LFZJW
axbyKdjwj6z+1zs982+u9Qk53cgdAWbt1rl0gfY9So5gLRTHbNy0NX7xBIZzAgsp
cLukWq4Lh5RLwM4FB6+UN75JticHTTwEkvMggSDk24loKqseuQPXSQ==
=eAtw
-----END PGP SIGNATURE-----
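The bug class discussed in this thread (an unbounded strcpy() of the caller-controlled HOME variable into a fixed 1024-byte path buffer, caught at runtime by Libsafe) as an added example, not code from the original mail or from procps itself. The function names, the PATH_BUF size and the "/.toprc" path construction are assumptions made for illustration; the unsafe variant is shown only for comparison and is never called with an overlong value. The hardened variant bounds the copy and reports truncation instead of overflowing.

```c
/* Added example: the overflow pattern described in the thread beside a
 * bounded replacement. Illustrative code, not procps' actual source.
 * Assumed names: PATH_BUF, build_rc_path_unsafe, build_rc_path,
 * rc_path_from_env.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 1024   /* assumed fixed-size path buffer, like the 1024 limit in the report */

/* Unsafe pattern: an environment-supplied string copied with no length
 * check. If strlen(home) + strlen("/.toprc") >= PATH_BUF this writes past
 * the end of `out` and, when `out` lives on the stack, across the stack
 * frame (the condition Libsafe's strcpy() wrapper terminates on).
 * Never call this with untrusted input; it is here only for comparison. */
static void build_rc_path_unsafe(char out[PATH_BUF], const char *home)
{
    strcpy(out, home);          /* no bound: overflows on a long HOME */
    strcat(out, "/.toprc");
}

/* Hardened version: every write is bounded by outsz, and a value that
 * would not fit is rejected rather than silently truncated.
 * Returns 0 on success, -1 on empty/missing HOME or on overflow. */
static int build_rc_path(char *out, size_t outsz, const char *home)
{
    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || *home == '\0')
        return -1;

    /* snprintf never writes more than outsz bytes; its return value is the
     * length the full string would have had, which tells us about overflow. */
    int n = snprintf(out, outsz, "%s/.toprc", home);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';          /* do not hand back a partial path */
        return -1;
    }
    return 0;
}

/* Read HOME from the real environment and build the rc path safely.
 * Returns 0 on success, -1 if HOME is unset, empty or too long. */
static int rc_path_from_env(char *out, size_t outsz)
{
    return build_rc_path(out, outsz, getenv("HOME"));
}

int main(void)
{
    char path[PATH_BUF];

    /* Constructed sample: a HOME value well past the 1024-byte limit. */
    char long_home[2048];
    memset(long_home, 'A', sizeof long_home - 1);
    long_home[sizeof long_home - 1] = '\0';

    if (build_rc_path(path, sizeof path, "/home/winny") == 0)
        printf("ok:       %s\n", path);
    if (build_rc_path(path, sizeof path, long_home) != 0)
        printf("rejected: HOME of %zu bytes does not fit in %d\n",
               strlen(long_home), PATH_BUF);

    (void)build_rc_path_unsafe;  /* deliberately not exercised */
    return 0;
}
```

The check that matters is the comparison of snprintf()'s return value against the buffer size: a plain strncpy() would stop the overflow but could leave the buffer unterminated or silently produce a wrong path, whereas here an overlong HOME is refused outright.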