Re: top (procps-2.0.7-25) vulnerability

From: KF (lists) (kf_listsdigitalmunition.com)
Date: Tue May 10 2005 - 14:28:28 CDT


So... I guess the real question is: if you run it over and over and over
again, does libsafe fail?

http://www.security.nnov.ru/Idocument360.html

-KF

Ayaz Ahmed Khan wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>WINNY THOMAS typed:
>
>
>
>>While running top on a tool of mine to do a profiling test, the top
>>command ran into a segmentation fault. I could find two instances
>>where the command could misbehave:
>>
>>1. if you have junk data inside a file .toprc in your home
>>directory
>>2. if your environmental variable HOME is set to a string that’s
>>greater than 1024.
>>
>>I managed to spawn a shell out of the top command by exploiting the
>>second issue. If you compile and run the exploit code which I am
>>including in the mail body, you will get a shell. In case you don't,
>>you could pass parameters to the program as follows to adjust the
>>offset. The vulnerability details are included in the code comments.
>>
>>[winnythomasr8 WinnyThomas]$ ./putshellcode 1001
>>sh-2.05b$ exit
>>exit
>>[winnythomasr8 WinnyThomas]$ ./putshellcode 120
>>Illegal instruction
>>[winnythomasr8 WinnyThomas]$ ./putshellcode 1010
>>sh-2.05b$ exit
>>exit
>>
>>In most of the tests I did on the vulnerable code I got a shell on my
>>system without passing any parameter to the program (that is, the
>>hardcoded offset of 1111 in my program worked well on my system).
>>
>>/* PoC */ --snipped--
>>
>>
>
>Nice. With Libsafe guarding against attempts to write across stack
>boundaries on my system, I get this:
>
> ayaz[1]:~/programming/exploits/misc> ./top-local-shell
> Libsafe version 2.0.16
> Detected an attempt to write across stack boundary.
> Terminating /usr/bin/top.
> uid=1001 euid=1001 pid=1189
> Call stack:
> 0x400189c0 /lib/libsafe.so.2.0.16
> 0x40018ab4 /lib/libsafe.so.2.0.16
> 0x8049a76 /usr/bin/top
> 0x8049cda /usr/bin/top
> 0x4008ed01 /lib/libc-2.3.2.so
> Overflow caused by strcpy()
> Killed
>
>It tells me that strcpy() is the culprit--as usual.
>
>- --
>Ayaz Ahmed Khan http://fast-ce.org/ayaz/
>
> I was going through some code from 2002, frustrated at
> the lack of comments, cursing the moron who
> put this spaghetti together, only to realize later that
> I was the moron who had written it.
>
> -- CowboyRobot wrote on /.
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.2.3 (GNU/Linux)
>Comment: For info see http://quantumlab.net/pine_privacy_guard/
>
>iQEVAwUBQn921QFi6bOwa2ADAQLltwf+PnSF5HGoSiCl1GjoUptvzfLmajcXOUWx
>Hq/SIE2TQCi8/U8NmaukYOcD8hJNfR3x1Wxw8LyGHkSOXO4woE/+Nbi6d5DDNX+N
>kS3pGA6ORwxFhyz77Y+cdKlPSa3UIBJS+PQC22e517KYXzwo30nlTF/MTz9/tVyj
>KhBjexg5i2vsPThgOZ+6N2AN5N5Emp2j0FPIOGnADsnaOBME/afbZj95Rd2LFZJW
>axbyKdjwj6z+1zs982+u9Qk53cgdAWbt1rl0gfY9So5gLRTHbNy0NX7xBIZzAgsp
>cLukWq4Lh5RLwM4FB6+UN75JticHTTwEkvMggSDk24loKqseuQPXSQ==
>=eAtw
>-----END PGP SIGNATURE-----
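The bug the thread is discussing is the classic one: top copies $HOME into a fixed-size stack buffer with strcpy(), so a HOME longer than that buffer runs off the end of the frame, which is exactly what libsafe's strcpy() wrapper catches. The block below is an added example written for this page, not procps code and not Winny Thomas's PoC: it shows the unchecked pattern next to a bounds-checked replacement that rejects an oversized HOME instead of overflowing. The 1024-byte buffer size, the function names, and the "/.toprc" suffix handling are assumptions made for illustration; the real top source may differ.

```c
/* Added example (not procps' code): the strcpy()-into-fixed-buffer pattern
 * the report describes, beside a bounds-checked replacement.
 * RC_BUF, the function names and the suffix handling are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RC_BUF 1024          /* assumed size, from "greater than 1024" in the report */
#define RC_SUFFIX "/.toprc"

/* Unchecked variant: no length test, so a HOME longer than RC_BUF
 * overwrites whatever sits after `out` on the stack (the write that
 * libsafe reported as "across stack boundary"). */
void rc_path_unsafe(char out[RC_BUF], const char *home)
{
    strcpy(out, home);
    strcat(out, RC_SUFFIX);
}

/* Checked variant: verifies that home + suffix + NUL fit in `outsz`,
 * then formats with snprintf() and checks its return value.
 * Returns 0 on success, -1 if HOME is unset or too long; on failure
 * `out` is left as an empty string so callers cannot use a partial path. */
int rc_path_safe(char *out, size_t outsz, const char *home)
{
    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL)
        return -1;

    size_t need = strlen(home) + strlen(RC_SUFFIX) + 1;
    if (need > outsz)
        return -1;

    int n = snprintf(out, outsz, "%s%s", home, RC_SUFFIX);
    if (n < 0 || (size_t)n >= outsz) {   /* defensive: should not happen after the check */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: a HOME value of `len` 'A' bytes, like the PoC's
 * oversized environment variable. Caller frees the result. */
char *make_long_home(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Returns 1 if a HOME of `len` bytes is rejected by rc_path_safe(),
 * 0 if it is accepted, -1 on allocation failure. */
int long_home_rejected(size_t len)
{
    char buf[RC_BUF];
    char *home = make_long_home(len);
    if (home == NULL)
        return -1;
    int rejected = rc_path_safe(buf, sizeof buf, home) != 0;
    free(home);
    return rejected;
}

int main(void)
{
    char buf[RC_BUF];

    if (rc_path_safe(buf, sizeof buf, "/home/user") == 0)
        printf("accepted: %s\n", buf);

    if (long_home_rejected(1100) == 1)
        printf("rejected: a 1100-byte HOME does not fit in %d bytes\n", RC_BUF);

    /* rc_path_unsafe(buf, <1100-byte HOME>) would smash the stack here,
     * so it is only exercised with a short value. */
    rc_path_unsafe(buf, "/tmp");
    printf("unchecked copy with short HOME: %s\n", buf);
    return 0;
}
```

Note what the checked version does not do: it does not silently truncate with strncpy(), which would produce a wrong but "valid-looking" rc path, and it does not trust snprintf() alone, since a return value at or above the buffer size means the output was cut. Libsafe's check is different in kind: it wraps strcpy() via LD_PRELOAD and refuses a copy whose destination would cross the calling function's frame, so it catches this pattern without a source change, but only for the libc functions it wraps and only while the frame pointer layout it relies on holds.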