From: Tamer Sahin (ts@securityoffice.net)
Date: Sun Dec 23 2001 - 18:14:09 CST

    Multiple Vendor rlogin Buffer Overflow Vulnerability (Revised)

    Type:
    Buffer Overflow

    Release Date:
    December 24, 2001

    Summary:
    rlogin starts a terminal session on a remote host. A buffer overflow
    vulnerability exists in rlogin. This advisory was originally posted to
    the Bugtraq mailing list by Roger Espel Llima <espel@clipper.ens.fr>
    on Wed, 4 Dec 1996.

    RedHat Linux 7.0:
    ============
    [ts@takedown ts]$ uname -a
    Linux takedown 2.2.16-22 #1 Tue Aug 22 16:49:06 EDT 2000 i686 unknown

    [ts@takedown ts]$ ./rlogin-exp
    copyright LAST STAGE OF DELIRIUM oct 1997 poland //lsd-pl.net/
    /usr/bsd/rlogin for irix 5.2 5.3 6.2 6.3 IP:17,19,20,21,22,32

    Segmentation fault (core dumped)

    [ts@takedown ts]$ gdb -core=core
    GNU gdb 5.0
    Copyright 2000 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux".
    Core was generated by `./rlogin-exp'.
    Program terminated with signal 11, Segmentation fault.
    #0 0x804990c in ?? ()
    (gdb) info all
    eax 0x3f 63
    ecx 0x40138840 1075021888
    edx 0x0 0
    ebx 0x4013a824 1075030052
    esp 0xbfffd3dc 0xbfffd3dc
    ebp 0xbffffb38 0xbffffb38
    esi 0xbffffba4 -1073742940
    edi 0x0 0
    eip 0x804990c 0x804990c
    eflags 0x282 642
    cs 0x23 35
    ss 0x2b 43
    ds 0x2b 43
    es 0x2b 43
    fs 0x2b 43
    gs 0x2b 43
    st0 0 (raw 0x00000000000000000000)
    st1 0 (raw 0x00000000000000000000)
    st2 0 (raw 0x00000000000000000000)
    st3 0 (raw 0x00000000000000000000)
    st4 0 (raw 0x00000000000000000000)
    st5 0 (raw 0x00000000000000000000)
    st6 0 (raw 0x00000000000000000000)
    st7 0 (raw 0x00000000000000000000)
    fctrl 0x0 0
    fstat 0x0 0
    ftag 0x0 0
    fiseg 0x0 0
    fioff 0x0 0
    foseg 0x0 0
    fooff 0x0 0
    fop 0x0 0

    OpenBSD 3.0:
    =========
    root@ts:/home/ts$ uname -a
    OpenBSD ts 3.0 ts#0 i386

    root@ts:/home/ts$ ./rlogin-exp
    copyright LAST STAGE OF DELIRIUM oct 1997 poland //lsd-pl.net/
    /usr/bsd/rlogin for irix 5.2 5.3 6.2 6.3 IP:17,19,20,21,22,32

    Segmentation fault (core dumped)

    root@ts:/home/ts$ gdb -core=rlogin-exp.core
    GNU gdb 4.16.1
    Copyright 1996 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "i386-unknown-openbsd3.0".
    Core was generated by `rlogin-exp'.
    Program terminated with signal 11, Segmentation fault.
    #0 0x2110 in ?? ()
    (gdb) info all
    eax 0x3f 63
    ecx 0x400a0fbc 1074401212
    edx 0x0 0
    ebx 0xdfbfdca4 -541074268
    esp 0xdfbfb4d8 0xdfbfb4d8
    ebp 0xdfbfdc14 0xdfbfdc14
    esi 0xdfbfdc54 -541074348
    edi 0xdfbfdc58 -541074344
    eip 0x2110 0x2110
    eflags 0x282 642
    cs 0x17 23
    ss 0x1f 31
    ds 0x1f 31
    es 0x1f 31
    fs 0x1f 31
    gs 0x1f 31

    OpenBSD 2.9:
    ==========
    ts@ts:/home/ts$ uname -a
    OpenBSD ts 2.9 ts#1 i386

    root@ts:/home/ts$ ./rlogin-exp
    copyright LAST STAGE OF DELIRIUM oct 1997 poland //lsd-pl.net/
    /usr/bsd/rlogin for irix 5.2 5.3 6.2 6.3 IP:17,19,20,21,22,32

    Segmentation fault (core dumped)

    root@ts:/home/ts$ gdb -core=rlogin-exp.core
    GNU gdb 4.16.1
    Copyright 1996 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "i386-unknown-openbsd2.9".
    Core was generated by `rlogin-exp'.
    Program terminated with signal 11, Segmentation fault.
    #0 0x2110 in ?? ()
    (gdb) info all
    eax 0x3f 63
    ecx 0x400a1048 1074401352
    edx 0x0 0
    ebx 0xdfbfdcac -541074260
    esp 0xdfbfb4e4 0xdfbfb4e4
    ebp 0xdfbfdc20 0xdfbfdc20
    esi 0xdfbfdc60 -541074336
    edi 0xdfbfdc64 -541074332
    eip 0x2110 0x2110
    eflags 0x286 646
    cs 0x17 23
    ss 0x1f 31
    ds 0x1f 31
    es 0x1f 31
    fs 0x1f 31
    gs 0x1f 31
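
    Added here as a reading aid for the register dumps above, not part of the
    original advisory: a small Python script that parses gdb `info all-registers`
    lines and reports whether the faulting eip fell inside the stack window,
    the first thing to check when triaging a core from a suspected stack
    overflow. The stack-top constants are assumptions for i386 Linux 2.2 and
    OpenBSD 2.9/3.0, and only two of the three dumps are embedded.

```python
import re

# Constructed excerpts of two of the `(gdb) info all` dumps quoted above
# (esp, ebp, eip only; the other registers are not needed for this check).
DUMPS = {
    "RedHat Linux 7.0": """
esp 0xbfffd3dc 0xbfffd3dc
ebp 0xbffffb38 0xbffffb38
eip 0x804990c 0x804990c
""",
    "OpenBSD 3.0": """
esp 0xdfbfb4d8 0xdfbfb4d8
ebp 0xdfbfdc14 0xdfbfdc14
eip 0x2110 0x2110
""",
}
# Assumed top of the user stack per platform (i386 Linux 2.2: 0xc0000000,
# OpenBSD 2.9/3.0 i386: 0xdfbfe000); these values are not in the advisory.
STACK_TOP = {"RedHat Linux 7.0": 0xC0000000, "OpenBSD 3.0": 0xDFBFE000}
# `info all-registers` prints "<name> <hex value> <natural value>" per line
REG_LINE = re.compile(r"^\s*([a-z][a-z0-9]*)\s+(0x[0-9a-fA-F]+)\s+\S+")

def parse_registers(dump):
    """Return {register: int} for every register line in a gdb dump."""
    regs = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs

def triage(regs, stack_top):
    """Classify a SIGSEGV core by where eip stopped relative to the stack."""
    eip, esp, ebp = regs["eip"], regs["esp"], regs["ebp"]
    eip_on_stack = esp <= eip < stack_top        # execution landed in stack data
    frame_consistent = esp <= ebp < stack_top    # frame pointer still plausible
    if eip_on_stack:
        verdict = "eip points into the stack: control flow was redirected"
    else:
        verdict = "eip outside the stack: an existing instruction faulted (wild pointer or clobbered data)"
    return {"eip_on_stack": eip_on_stack,
            "frame_consistent": frame_consistent, "verdict": verdict}

def triage_all():
    """Run the check over every embedded dump, keyed by platform name."""
    return {n: triage(parse_registers(d), STACK_TOP[n]) for n, d in DUMPS.items()}

if __name__ == "__main__":
    for name, result in triage_all().items():
        print(f"{name}: {result['verdict']}")
```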

    You can get root privileges (with some code) now.

    Exploit:
    http://www.securityoffice.net/downloads/rlogin-exp.c

    Tested:
    RedHat Linux 7.0
    OpenBSD 2.9
    OpenBSD 3.0

    Vulnerable:
    RedHat Linux 7.0
    OpenBSD 2.9
    OpenBSD 3.0

    Disclaimer:
    http://www.securityoffice.net is not responsible for the misuse or
    illegal use of any of the information and/or the software listed on
    this security advisory.

    Author:
    Tamer Sahin
    ts@securityoffice.net
    http://www.securityoffice.net

    Tamer Sahin
    http://www.securityoffice.net
    PGP Key ID: 0x2B5EDCB0
    Fingerprint: B96A 5DFC E0D9 D615 8D28 7A1B BB8B A453 2B5E DCB0
