**************************************
* strcpy is vulnerable *
* by *
* MEAT-EATER SECURITY *
* a subdivision of UNIFIX security *
* *
* "pass the bacon, Goober" *
**************************************
Affected Products:
Every UNIX system with libc (or something like that) known to mankind EXCEPT OpenBSD!
Authors:
Xenzeo (Ablazed, Ultralaser, Lennart A Hansen)
Futte (Pussy Laybourne, Robert Bülow, futte@xxxxxxxx)
Cybermike (HotWater-Oracle, Mikkel Christensen, mail@xxxxxxxxxxxxxxx)
Problem:
From the man-page:
char * stpcpy(char *dst, const char *src);
The stpcpy() and strcpy() functions copy the string src to dst (including
the terminating `\0' character.)
This all sounds good and useful BUT... strcpy() takes no length argument, so if the string at
src is longer than the buffer at dst, the copy keeps going past the end of dst and you are in
serious trouble!
Allow us to demonstrate.
-------------------- VULN CODE EXAMPLE -------------------
#include <stdio.h>
#include <string.h>

/* The function we want control to land in: it just prints the banner. */
void foo() {
    puts("MEAT-EATER SECURITY");
}

/* 256-byte stack buffer filled by strcpy() with no length check.
   (&foo)+9 is pointer arithmetic on a function pointer, a GCC extension;
   main() subtracts the 9 again to get &foo back. */
void* funktion(char *str) {
    char buffer[256];
    strcpy(buffer, str);
    return (&foo)+9;
}

int main() {
    char buffer[1024];
    int return_value;
    int i;
    /* 252 bytes of filler, roughly the size of funktion()'s buffer. */
    for (i = 0; i < 252; i++) {
        buffer[i] = 'A';
    }
    /* Stuff &foo into an int (hence the "makes integer from pointer"
       warning); this assumes 32-bit x86 where int and pointer are 4 bytes. */
    return_value=(funktion("r00t")-9);
    /* Repeat &foo every 4 bytes up to offset 1000. Because the address is
       repeated, the exact distance to the saved return address does not
       matter: it, and everything above it, becomes &foo. Relies on the
       address containing no zero byte, or strncpy would stop early. */
    do {
        strncpy(buffer+i, &return_value,4);
    } while((i+=4) < 1000);
    /* NUL-terminate so strcpy() stops after the addresses. */
    while (i < 1024) {
        buffer[i++] = '\0';
    }
    funktion(buffer);
    return 9;
}
-------------------- VULN CODE EXAMPLE -------------------
<~>$ gcc -o 0wned lennart4real.c -09 --omit-frame-pointer (th4nkz t0 truti for cumpajl instrukctions)
gcc: unrecognized option `-09'
lennart4real.c: In function `main':
lennart4real.c:21: warning: assignment makes integer from pointer without a cast
lennart4real.c:23: warning: passing arg 2 of `strncpy' from incompatible pointer type
<~>$ ./0wned
MEAT-EATER SECURITY
MEAT-EATER SECURITY
[...]
MEAT-EATER SECURITY
Segmentation fault (core dumped)
<~>$
As you see this is definitely not good! Our research in MEAT-EATER SECURITY shows that we can
exploit this bug in strcpy!!!! Allow us to elaborate.
IF YOU OVERWRITE THE BUFFER (WHICH IS LOCATED IN A STACK-FRAME (that's why I omit frame
pointers)) YOU ALSO OVERWRITE WHAT LIES ABOVE IT ON THE STACK, INCLUDING THE SAVED RETURN
ADDRESS OF funktion(). When funktion() returns, the CPU loads that address into the instruction
pointer, so you decide where execution goes next. In the run above it goes to foo(), and since
&foo is repeated all the way up the stack, foo() returns into foo() again and again (one banner
per copy) until it runs off the end of the copied addresses and crashes with the segmentation
fault. Put the address of your own code there instead and YOU ARE EXECUTING YOUR OWN EVIL
CODE!!!!!!!
That only gives you a ROOT sh3ll on the victim's computer if the vulnerable program itself runs
as root, so REMEMBER ALWAYS TO SUID YOUR PROGRAM TO ROOT BEFORE THE VICTIM RUNS IT! Shell code
example:
-------------------- SHELL CODE EXAMPLE -------------------
-------------------- SHELL CODE EXAMPLE -------------------
push eip ;extended ip address of victim
MOV AX,linux
MOV BX,exec ;we run a shell ;+)
mov ecx,'/bin/sh'
int 21h
jmp $shell
-------------------- SHELL CODE EXAMPLE -------------------
No explanation needed! You should now have a ROOT shell!!!!!!!! (For the whitehats who try to
assemble it: `push eip' is not a valid x86 instruction, `int 21h' is the DOS service interrupt,
and Linux x86 system calls go through `int 0x80' with the syscall number in eax, so this block is
a diagram of the idea, not working shellcode.)
Vendor status:
WE AT MEAT-EATER SECURITY BELIEVE IN FREE INFORMATION!!!!
Solutions:
Avoid linking with libc and/or stop using strcpy and strncpy. (strncpy is no fix: when src is at
least as long as the size you pass, it leaves dst without a terminating `\0'.) Use a bounded copy
that always terminates and reports truncation, such as strlcpy(3) or snprintf(3), and check the
return value.
Use OpenBSD 4 real!
In every shell code replace all INT with NOP (THIS IS THE SAFE WAY!)
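An added example, not MEAT-EATER SECURITY's code and not part of the original post: the 256-byte stack buffer from funktion() above, copied into with a bounded copy that reports truncation instead of running off the end, plus a check that shows the strncpy() non-termination trap mentioned in the Solutions. bounded_copy() reimplements the semantics of OpenBSD's strlcpy() so it runs on any libc; the names bounded_copy, funktion_fixed and strncpy_left_unterminated are this example's own, and the inputs are constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strlcpy()-style bounded copy (name is this example's own):
 * copies at most dstsize-1 bytes, always NUL-terminates when dstsize > 0,
 * and returns strlen(src) so the caller can detect truncation
 * (truncated iff return value >= dstsize). */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsize == 0)
        return srclen;
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Same fixed 256-byte stack buffer as funktion() in the advisory, but the
 * copy cannot overflow. Returns 1 if src did not fit (and was truncated),
 * 0 if it fit. */
int funktion_fixed(const char *str)
{
    char buffer[256];
    size_t needed = bounded_copy(buffer, sizeof buffer, str);
    return needed >= sizeof buffer;
}

/* Demonstrates why "use strncpy" is not a fix: copies src into an 8-byte
 * buffer with strncpy(dst, src, n) and returns 1 if no NUL ended up in
 * dst[0..n-1], i.e. the buffer is not a C string afterwards. */
int strncpy_left_unterminated(const char *src, size_t n)
{
    char dst[8];
    if (n > sizeof dst)
        n = sizeof dst;
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) == NULL;
}

int main(void)
{
    /* Constructed input: 1023 'A's, like the advisory's filler buffer. */
    char big[1024];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("\"r00t\" truncated? %d\n", funktion_fixed("r00t"));
    printf("1023-byte input truncated? %d\n", funktion_fixed(big));
    printf("strncpy of 8-byte src into 8-byte buf unterminated? %d\n",
           strncpy_left_unterminated("AAAAAAAA", 8));
    printf("strncpy of 3-byte src into 8-byte buf unterminated? %d\n",
           strncpy_left_unterminated("abc", 8));
    return 0;
}
```

The truncation check on the return value is the part callers most often skip: a silently truncated path or command string is a different bug, not a fix, so funktion_fixed() surfaces it to the caller instead of hiding it.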
And remember folks: Hackers don't 0wn people, exploits do! WATCH OUT, WHITEHATS!!!!!
Gr33tz:
Shoutz outz to Truti
(http://packetstormsecurity.nl/docs/hack/bypass_blackicedefender_zonealarm.txt)
www.spywarefri.dk (DANISH HACKER TEAM)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://www.secunia.com/