Vulnerability Development mailing list archives
Re: top (procps-2.0.7-25) vulnerability
From: Ayaz Ahmed Khan <ayaz () pakcon org>
Date: Mon, 9 May 2005 20:42:29 +0600 (PKST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

WINNY THOMAS typed:

> While running top on a tool of mine to do a profiling test, the top command ran into a segmentation fault. I could find two instances where the command could misbehave:
>
> 1. if you have junk data inside a file .toprc in your home directory
> 2. if your environment variable HOME is set to a string that's greater than 1024.
>
> I managed to spawn a shell out of the top command by exploiting the second issue. If you compile and run the exploit code which I am including in the mail body you will get a shell. In case you don't, you could pass parameters to the program as follows to adjust the offset. The vulnerability detail is included in the code comment.
>
> [winnythomas@r8 WinnyThomas]$ ./putshellcode 1001
> sh-2.05b$ exit
> exit
> [winnythomas@r8 WinnyThomas]$ ./putshellcode 120
> Illegal instruction
> [winnythomas@r8 WinnyThomas]$ ./putshellcode 1010
> sh-2.05b$ exit
> exit
>
> In most of the tests I did on the vulnerable code I got a shell on my system without passing any parameter to the program (that is, the hardcoded offset of 1111 in my program worked well on my system).
>
> /* PoC */
> --snipped--

Nice. With Libsafe guarding against attempts to write across stack boundaries on my system, I get this:

ayaz[1]:~/programming/exploits/misc> ./top-local-shell
Libsafe version 2.0.16
Detected an attempt to write across stack boundary.
Terminating /usr/bin/top.
    uid=1001  euid=1001  pid=1189
Call stack:
    0x400189c0  /lib/libsafe.so.2.0.16
    0x40018ab4  /lib/libsafe.so.2.0.16
    0x8049a76   /usr/bin/top
    0x8049cda   /usr/bin/top
    0x4008ed01  /lib/libc-2.3.2.so
Overflow caused by strcpy()
Killed

It tells me that strcpy() is the culprit, as usual.

- -- 
Ayaz Ahmed Khan
http://fast-ce.org/ayaz/

I was going through some code from 2002, frustrated at the lack of comments, cursing the moron who put this spaghetti together, only to realize later that I was the moron who had written it.
-- CowboyRobot wrote on /.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iQEVAwUBQn921QFi6bOwa2ADAQLltwf+PnSF5HGoSiCl1GjoUptvzfLmajcXOUWx
Hq/SIE2TQCi8/U8NmaukYOcD8hJNfR3x1Wxw8LyGHkSOXO4woE/+Nbi6d5DDNX+N
kS3pGA6ORwxFhyz77Y+cdKlPSa3UIBJS+PQC22e517KYXzwo30nlTF/MTz9/tVyj
KhBjexg5i2vsPThgOZ+6N2AN5N5Emp2j0FPIOGnADsnaOBME/afbZj95Rd2LFZJW
axbyKdjwj6z+1zs982+u9Qk53cgdAWbt1rl0gfY9So5gLRTHbNy0NX7xBIZzAgsp
cLukWq4Lh5RLwM4FB6+UN75JticHTTwEkvMggSDk24loKqseuQPXSQ==
=eAtw
-----END PGP SIGNATURE-----
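The thread describes the bug pattern (an overlong HOME copied with strcpy() into a fixed buffer while building the path to .toprc) and the Libsafe catch, but the PoC is snipped. The following is an added illustrative example, not the procps-2.0.7 source and not either poster's code: it reconstructs the unsafe copy-and-append pattern next to a bounded version, and checks a HOME value against the buffer size before use. The 1024-byte buffer size, the function names and the "/.toprc" suffix are assumptions taken from the report, not verified against the real top code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed buffer size; matches the "greater than 1024" threshold in the report. */
#define RCFILE_BUF 1024
#define RCFILE_SUFFIX "/.toprc"

/* Unsafe pattern (illustrative reconstruction, not procps code): copies $HOME into
 * a fixed-size buffer with strcpy() and appends the rc-file name with strcat().
 * Nothing bounds the copy, so a HOME longer than the buffer writes past it, which
 * is exactly what Libsafe reports as "Overflow caused by strcpy()". Only call this
 * with a home that home_fits() has already approved. */
static void build_rc_path_unsafe(char *out, const char *home)
{
    strcpy(out, home);
    strcat(out, RCFILE_SUFFIX);
}

/* Hardened form: one bounded snprintf(), and the return value is checked so a
 * HOME that would not fit is rejected instead of silently truncated to a
 * different path. Returns 0 on success, -1 if the path does not fit in outsz. */
static int build_rc_path_safe(char *out, size_t outsz, const char *home)
{
    int n = snprintf(out, outsz, "%s%s", home, RCFILE_SUFFIX);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Pre-check: would strcpy()+strcat() of this home stay inside a bufsz-byte buffer?
 * Counts the suffix and the terminating NUL. Returns 1 if it fits, 0 otherwise. */
static int home_fits(const char *home, size_t bufsz)
{
    return strlen(home) + strlen(RCFILE_SUFFIX) + 1 <= bufsz;
}

int main(void)
{
    char path[RCFILE_BUF];

    /* Constructed sample inputs: a normal home and an overlong one (1999 'A's),
     * the latter standing in for the HOME value the PoC sets. */
    const char *normal_home = "/home/winnythomas";
    char long_home[2000];
    memset(long_home, 'A', sizeof(long_home) - 1);
    long_home[sizeof(long_home) - 1] = '\0';

    if (home_fits(normal_home, sizeof(path))) {
        build_rc_path_unsafe(path, normal_home);
        printf("unsafe routine, short HOME: %s\n", path);
    }

    if (home_fits(long_home, sizeof(path)))
        build_rc_path_unsafe(path, long_home);   /* never reached: would overflow */
    else
        printf("unsafe routine skipped: HOME of %zu bytes would overflow %zu-byte buffer\n",
               strlen(long_home), sizeof(path));

    printf("safe routine, long HOME: %s\n",
           build_rc_path_safe(path, sizeof(path), long_home) == 0 ? path : "rejected");
    return 0;
}
```

The check in home_fits() is what the unsafe routine lacks; the safe routine folds it into snprintf()'s return value, which is the form to prefer in new code. In a real build, compiling with a Libsafe-style interposer (as in the reply above) or with fortified string functions would catch the unsafe routine at run time, but the bounded version needs no such help.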
Current thread:
- top (procps-2.0.7-25) vulnerability WINNY THOMAS (May 09)
- Re: top (procps-2.0.7-25) vulnerability Ayaz Ahmed Khan (May 10)
- Re: top (procps-2.0.7-25) vulnerability KF (lists) (May 10)
- Re: top (procps-2.0.7-25) vulnerability KF (lists) (May 10)
- Re: top (procps-2.0.7-25) vulnerability Ayaz Ahmed Khan (May 10)