*BSD banner INT overflow vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: *BSD banner INT overflow vulnerability
From: Gruzicki Wlodek <dead.code.crew@xxxxxxx>
Date: Wed, 22 Nov 2006 12:17:44 +0300
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: Gruzicki Wlodek <dead.code.crew@xxxxxxx>


 .=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-.
 |                     ______                     |
 |                  .-"      "-.                  |
 |                 /   banner   \                 |
 |     _          |              |          _     |
 |    ( \         |,  .-.  .-.  ,|         / )    |
 |     > "=._     | )(__/  \__)( |     _.=" <     |
 |    (_/"=._"=._ |/     /\     \| _.="_.="\_)    |
 |           "=._"(_     ^^     _)"_.="           |
 |               "=\__|ICRAPI|__/="               |
 |              _.="| \ICODEI/ |"=._              |
 |    _     _.="_.="\          /"=._"=._     _    |
 |   ( \_.="_.="     `--------`     "=._"=._/ )   |
 |    > _.="                            "=._ <    |
 |   (_/          security threat           \_)   |
 |                !W A R N I N G!                 |
 '-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-='
 
 Advisor                                       0x01
 Free\Net\OpenBSD banner int overflow vulnerability
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 0x01. B4ckgr0und

 [...]
 prints a large, high quality banner on the standard 
 output.  If the message is omitted, it prompts for 
 and reads one line of its standard input.
 [...]

 Vulnerable banner appears in Free/Net/OpenBSD, 
 Debian and it's pretty possible that other distros
 also uses this software.

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 0x02. Vuln3r4b1l1ty

 usr.bin/banner/banner.c 

 ...
 char   print[DWIDTH];
 ...
        for (i = 0; i < width; i++) {
                j = i * 132 / width;
                print[j] = 1;
        }
 ... 

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 0x03. 4n4lys1s

 This vulnerability may lead to local root compromise
 in cases when banner has set suid bit. Default 
 Debian/FreeBSD/NetBSD/OpenBSD installation seems to 
 be vulerable ( Ex. Attacker can overwrite GOT section ). 
 ( By default banner hasn't got set suid bit )

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 0x04. P0C

 %uname -sir
 FreeBSD 6.1-RELEASE GENERIC
 %gdb banner
 (gdb) r -w 17000000
 Program received signal SIGSEGV, Segmentation fault.
 0x01010101 in ?? ()

 :o *ph34r*

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 0x05. S0lut10n

 BEWARE! Uninstall vulnerable banner version or turn
 off suid bit while patch is not released.

 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 0x05. Cr3d17z
 
 ThAnXz GoEs To:

 God, our families, my dog BL0B, ph34r_man, Katarzyna
 Cichopek, Free/Net/OpenBSD crew, Crap LINUX, 4LL R0M4N14N
 4nd 7urkiSh HACKERZ! #hack.ro,#hack.ru,#hack.bg,#hack.vu,
 #hack.tt, #hack.uganda, #hack.hawaii, #hack.us, #hack.it,
 #hack.de, #hack.pl, #hack.cl, #hack.cn, #evil, #evil.ru

 F00ckZ goes tO:

 NULL pointer ant letter 'z'

 PS. Stop audit PHP crap, audit the real code......

    . 0 x d 3 4 d c 0 d 3 . c r 3 w . 2 o o 6 .       
           E v i l  i s  i n s i d e  U S
               dead.code.crew@xxxxxxx

Follow-Ups:
- Re: *BSD banner INT overflow vulnerability
  - From: Steve Shockley

Prev by Date: RE: LS-20061113 - CA BrightStor ARCserve Backup Remote Buffer Overflow Vulnerability
Next by Date: Secunia Research: PassGo SSO Plus Insecure Default Directory Permissions
Previous by thread: [USN-381-1] Firefox vulnerabilities
Next by thread: Re: *BSD banner INT overflow vulnerability
Index(es):
- Date
- Thread