Calife heap corrupt / potential local root exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Calife heap corrupt / potential local root exploit
From: DownBload <downbload@xxxxxxxxxxx>
Date: 27 Feb 2004 09:19:21 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


Calife heap corrupt / potential local root exploit
--------------------------------------------------
by Leon Juranic a.k.a DownBload <downbload@xxxxxxxxxxx> / II-Labs


Version affected(tested): calife-2.8.4c and calife-2.8.5
- calife can be found at packages.debian.org, FreeBSD 5.0 (security), ...

>From `man calife`:
...
Description:
     Calife requests user's own password for becoming login (or root, if no 
login is provided), and switches to that user and group ID after verify-ing 
proper rights to do so.  A shell is then executed.  If calife is exe-cuted by 
root, no password is requested and a shell with the appropriate user ID is 
executed.
...

[downbload@localhost downbload]$ ls -al `whereis calife`
ls: calife:: No such file or directory
-r--------    1 root     wheel         159 Feb 19 15:54 /etc/calife.auth
-rwsr-xr-x    1 root     wheel      575623 Feb  5 14:49 /usr/local/bin/calife

[downbload@localhost downbload]$ calife luser
Password: "A" x 3000
Password: real_user_password
Segmentation fault
[downbload@localhost downbload]$

- "A" x 3000 will corrupt the heap.
- If real_user_password isn't correct, calife will do exit()
- If attacker wants to exploit calife, there must be at least one user 
"available" in /etc/calife.auth


/root/calife-2.8.4c/db.c
------------------------
        ...
        char    got_pass = 0;
        char    * pt_pass, * pt_enc,
                * user_pass, * enc_pass, salt [10];

        user_pass = (char *) xalloc (l_size);
        enc_pass = (char *) xalloc (l_size);
        ...
        for ( i = 0; i < 3; i ++ )
        {
            pt_pass = (char *) getpass ("Password:");
            memset (user_pass, '\0', l_size);
            strcpy (user_pass, pt_pass); // <- BAD CODE
            pt_enc = (char *) crypt (user_pass, calife->pw_passwd);
            memset (enc_pass, '\0', l_size);
            strcpy (enc_pass, pt_enc);
        }
        ...
        free (user_pass);    // <-  FUN CODE ;-)
        free (enc_pass);     // <-  FUN CODE ;-)
        ...

------------------------

We can pass very long password string to calife and corrupt it's heap 
(overwrite boundary tags).
However, it isn't easy to exploit this bug, because every newline, backspace, 
etc. character from user input will affect exploitation (e.g. backspace char 
will delete one char from user input - exploitation string).

Greetz to h4z4rd, BoyScout, finis, Fr1c, lucious, manikal, Gorans, slash, j0e, 
smak, Bojan, wootz...

Bye.

Prev by Date: [SECURITY] [DSA 450-1] New Linux 2.4.19 packages fix several local root exploits (mips)
Next by Date: iDEFENSE Security Advisory 02.27.04b: Microsoft Internet Explorer Cross Frame Scripting Restriction Bypass
Previous by thread: [SECURITY] [DSA 450-1] New Linux 2.4.19 packages fix several local root exploits (mips)
Next by thread: Re: Calife heap corrupt / potential local root exploit
Index(es):
- Date
- Thread