[10566] in bugtraq
Re: fts, du, find
daemon@ATHENA.MIT.EDU (Przemyslaw Frasunek)
Mon May 17 15:41:46 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id: <199951417143.18628.nwmail@venglin.gadaczka.dhs.org>
Date: Fri, 14 May 1999 19:14:02 +0200
Reply-To: venglin@lagoon.freebsd.org.pl
From: Przemyslaw Frasunek <venglin@GADACZKA.DHS.ORG>
X-To: stas@SONET.CRIMEA.UA
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199905121032.OAA12043@sonet.crimea.ua>
> 2. This bug probably applies to FreeBSD-3.1 and even to OpenBSD and others.
Yes, I've tested it on 3.1-STABLE.
> I have no exploit and probably will not have the free time (I think
> 3 days is more than enough) for doing it, but I believe it is
> possible to exploit this bug using a carefully designed directory
> tree to execute arbitrary commands as root during
> /etc/daily->/etc/security->find.
> REMOTE ROOT EXPLOIT (POSSIBLE).
I think that it will be hard to write an exploit. I've tested it on
my 2.2.8-RELEASE at home.
'Find' segfaults when it tries to do:
(void)puts(entry->fts_path);
because of a junk pointer to structure 'entry'. IMHO it _always_
points to 0x200291d6, so it tries to execute (IMHO) _always_ the
same commands:
0x200291d6 <puts+34>: repnz scasb %es:(%edi),%al
0x200291d7 <puts+35>: scasb %es:(%edi),%al
0x200291d8 <puts+36>: movl %ecx,%eax
0x200291d9 <puts+37>: enter $0xd0f7,$0x89
0x200291da <puts+38>: notl %eax
0x200291db <puts+39>: rorb 0x488de455(%ecx)
0x200291dc <puts+40>: movl %edx,0xffffffe4(%ebp)
0x200291dd <puts+41>: pushl %ebp
0x200291de <puts+42>: inb $0x8d,%al
0x200291df <puts+43>: leal 0xffffffff(%eax),%ecx
0x200291e0 <puts+44>: decl %eax
0x200291e1 <puts+45>: decl 0x938de84d(%ecx)
0x200291e2 <puts+46>: movl %ecx,0xffffffe8(%ebp)
0x200291e3 <puts+47>: decl %ebp
0x200291e4 <puts+48>: call 0xc1532576 <end+2705991902>
and here it segfaults.
--
* Fido: 2:480/124 ** WWW: lagoon.freebsd.org.pl/~venglin ** GSM:48-601-383657 *
* Inet: venglin@lagoon.freebsd.org.pl ** PGP:D48684904685DF43EA93AFA13BE170BF *
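The crash above happens at the point where find hands entry->fts_path to puts() without the entry having been checked. The following is an added example, not code from the post or from the BSD find sources, showing a minimal fts(3) walker in the shape of find's loop with the checks a defender wants around every use of an entry: fts_info is inspected before fts_path or the stat data are trusted, FTS_ERR/FTS_DNR/FTS_NS entries are counted and skipped, and a NULL from fts_read() is told apart from end-of-tree via errno. The directory layout it walks (root/a, root/sub/b under a mkdtemp() directory) is constructed by the example itself; the function names walk_tree(), build_demo_tree() and walk_demo() are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <fts.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk `root` with fts(3), printing each usable entry's fts_path the way
 * find does. Returns the number of entries printed, or -1 if the traversal
 * itself failed. `errors` receives the count of entries fts could not
 * examine (FTS_ERR, FTS_DNR, FTS_NS); those are reported and skipped, never
 * dereferenced for stat data. */
static int walk_tree(const char *root, int *errors)
{
    char *const argv[] = { (char *)root, NULL };
    FTS *fts;
    FTSENT *ent;
    int printed = 0;

    *errors = 0;
    /* FTS_PHYSICAL: do not follow symlinks. FTS_NOCHDIR: leave the cwd
     * alone so fts_path stays meaningful to the caller. */
    fts = fts_open(argv, FTS_PHYSICAL | FTS_NOCHDIR, NULL);
    if (fts == NULL)
        return -1;

    /* fts_read() returns NULL both at end of traversal and on error;
     * errno distinguishes the two, so reset it before each call. */
    while (errno = 0, (ent = fts_read(fts)) != NULL) {
        switch (ent->fts_info) {
        case FTS_ERR:
        case FTS_DNR:
        case FTS_NS:
            /* fts_path is valid here, but the entry could not be examined;
             * fts_errno carries the reason. Count it and move on. */
            fprintf(stderr, "%s: %s\n", ent->fts_path, strerror(ent->fts_errno));
            (*errors)++;
            continue;
        case FTS_DP:
            /* Directory seen again in postorder; counted in preorder. */
            continue;
        default:
            /* Only a checked entry reaches the call the post crashes in. */
            puts(ent->fts_path);
            printed++;
        }
    }
    if (errno != 0) {            /* fts_read() failed rather than finished */
        fts_close(fts);
        return -1;
    }
    if (fts_close(fts) != 0)
        return -1;
    return printed;
}

/* Construct the sample tree root/a, root/sub/, root/sub/b in a fresh
 * mkdtemp() directory. Writes the root path into `root`. 0 on success. */
static int build_demo_tree(char *root, size_t rootlen)
{
    char path[4096];
    int fd;

    if (rootlen < sizeof("/tmp/ftsdemo.XXXXXX"))
        return -1;
    strcpy(root, "/tmp/ftsdemo.XXXXXX");
    if (mkdtemp(root) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/a", root);
    if ((fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        return -1;
    close(fd);
    snprintf(path, sizeof path, "%s/sub", root);
    if (mkdir(path, 0700) != 0)
        return -1;
    snprintf(path, sizeof path, "%s/sub/b", root);
    if ((fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        return -1;
    close(fd);
    return 0;
}

/* Build the constructed tree, walk it, remove it again, and return the
 * number of entries printed: root, a, sub, sub/b, i.e. 4 when no entry
 * produced an error. */
int walk_demo(void)
{
    char root[64];
    char path[4096];
    int errors, n;

    if (build_demo_tree(root, sizeof root) != 0)
        return -1;
    n = walk_tree(root, &errors);
    snprintf(path, sizeof path, "%s/sub/b", root); unlink(path);
    snprintf(path, sizeof path, "%s/sub", root);   rmdir(path);
    snprintf(path, sizeof path, "%s/a", root);     unlink(path);
    rmdir(root);
    return errors == 0 ? n : -1;
}

int main(void)
{
    return walk_demo() == 4 ? 0 : 1;
}
```

Running it prints the four paths of the constructed tree and exits 0; pointing walk_tree() at a path that does not exist yields one FTS_NS entry for the root, which is reported on stderr and counted in `errors` instead of being used.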