Exploit for xinetd-2.1.8.9pre11-1

From: qitest1 (qitest1at_private)
Date: Fri Jun 29 2001 - 05:31:07 PDT

    Hi bugtraq.
    
    I read zen-parse's advisory about the 'potential' (as he said) overflow
    in xinetd-2.1.8.9pre11-1, and I tried to work around it.
     
    First of all we have to remember that the bof occurs _only_ if, in the
    configuration file of the daemon, there is an entry like this:
            log_on_success = HOST PID USERID
    This option can be set as a default for all the services or just for
    some of them. 'USERID' means that xinetd will do an auth request
    to the identd daemon of the remote client host, using a service
    provided by xinetd, as described in RFC 1413. This option is not
    present in the default installation from the tar.gz release.
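A defender's check for the precondition described above, added here as an example and not code from the original post: it parses a constructed xinetd.conf, honours the defaults block and the =, += and -= operators, and lists the services whose effective log_on_success includes USERID (it assumes the defaults block precedes the services and that includedir is not used).

```python
import re

# Constructed sample xinetd.conf (not taken from the original post).
SAMPLE_CONF = """defaults
{
        log_on_success  = HOST PID      # no ident lookups by default
        log_on_failure  = HOST
}
service telnet
{
        server          = /usr/sbin/in.telnetd
        log_on_success  += USERID       # adds an RFC 1413 ident query per connection
}
service ftp
{
        server          = /usr/sbin/in.ftpd
        log_on_success  -= PID
}
"""
# A block is 'defaults' or 'service <name>' followed by a brace-delimited body;
# an attribute line is name, operator (=, += or -=) and space-separated values.
_BLOCK = re.compile(r"^\s*(defaults|service\s+(\S+))\s*\{(.*?)^\s*\}", re.S | re.M)
_ATTR = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$", re.M)
def _apply(flags, op, values):
    if op == "=":
        return list(values)
    if op == "+=":
        return flags + [v for v in values if v not in flags]
    return [v for v in flags if v not in values]          # "-="

def effective_log_on_success(conf_text):
    """Map service name -> effective log_on_success flags. Assumes the
    'defaults' block precedes the services and that includedir is not used."""
    text = re.sub(r"#.*", "", conf_text)                   # strip comments
    defaults, services = [], {}
    for m in _BLOCK.finditer(text):
        name = "defaults" if m.group(1) == "defaults" else m.group(2)
        flags = [] if name == "defaults" else list(defaults)
        for a in _ATTR.finditer(m.group(3)):
            if a.group(1) == "log_on_success":
                flags = _apply(flags, a.group(2), a.group(3).split())
        if name == "defaults":
            defaults = flags
        else:
            services[name] = flags
    return services

def services_doing_ident(conf_text):
    """Services whose logging triggers the USERID (ident) lookup the post describes."""
    return sorted(n for n, f in effective_log_on_success(conf_text).items() if "USERID" in f)
```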
    
    Of course I wrote a fake_identd, ready to answer xinetd's auth requests,
    to exploit this vuln.
    I found that the ebp register can be overwritten by a maximum of
    2 bytes: 1 byte of overflow and 1 byte of \x00, the string terminator.
    This happens only under particular conditions, that is, only if our
    source port is 1 and the service we want to connect to is at a port
    such as 23.
    If we try to overflow with more bytes, the string will be too long
    and the bof won't occur at all.
    
    Surely it is quite hard to exploit. But a one-byte overflow is enough
    for us to get a root shell.
    
    klog explained this kind of exploitation some time ago. 
    He wrote that, at the end of the bugged function, "%ebp is
    moved into %esp, which is incremented by 4 since
    %ebp is popped from the stack just before the RET.", and that
    "When the processor returns from a procedure, it only pops the
    first word on the stack, guessing it is the original %eip. But if
    we alter %esp, we can make the processor pop any value from the
    stack as if it was %eip, and thus changing the execution flow."
    Exactly what we'll do.
    
    The lsb of ebp will be set to 0x00 through the overflow. So at that
    addr, increased by 0x04, we will write a pointer to the nop padding
    before the shellcode, which will be executed without crashing the daemon.
    Fortunately, we are able to write to that memory location, as it is
    part of the buffer to overflow. Of course an executable stack is needed.
    
    On my Red Hat 6.2 box:
    
    [root@localhost exploit]# ./xinetd0x69 -h localhost
    
      xinetd-2.1.8.9pre11-1 exploit by qitest1
    
    +Host: localhost
      as: Red Hat 6.2 with xinetd-2.1.8.9pre11-1
    +Using: retaddr = 0xbffff44b and sc_addr_pos = 985...
      ok
    +Starting fake_identd...
      fake_identd forking into background
    +Causing an auth request to our fake_identd
      done
    +Enjoy your root shell...
      0x69 =)
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    Linux localhost 2.2.18 #3 SMP Fri Mar 16 22:20:42 CET 2001 i586 unknown
    
    bye
    
    -- 
    /* qitest1		http://qitest1.cjb.net *
     *    ``Ut tensio, sic vis. 69 tecum sis.''    *
     * main(){if(unsatisfied == 69) try_come(in);} */