Terminatorx and Exploitable
Terminatorx Exploitable

0x333 OUTSIDERS SECURITY LABS
- www.0x333.org -

~~~~~~~~~ contents ~~~~~~~~~

0x0 Info
0x1 Description
0x2 Stack Overflow in Switch (1)
0x3 Stack Overflow in Switch (2)
0x4 Stack Overflow in $LADSPA_PATH
0x5 Format String Bug in tx_note()
0x6 Solutions
0x7 Vendor Contact

[0x0 Info]

author   : c0wboy
mail     : c0wboy@tiscali.it
date     : 7 November 2003
advisory : outsiders-terminatorX-001.txt
vendor   : http://terminatorx.cx/
category : stack overflow, format bug
platform : linux, unix

[0x1 Description]

From terminatorX's official web page: "terminatorX is a realtime audio synthesizer that allows
you to "scratch" on digitally sampled audio data (*.wav, *.au, *.ogg, *.mp3, etc.)". In the last
version (3.8.1) there are still lots of bugs that could be used by a user to execute arbitrary
code with root privileges.

[0x2 Stack Overflow in Switch (1)]

It is possible to overflow a fixed-size buffer by passing a long string after the switch -f
(or --file). In function parse_args() (src/main.cc) we find the following piece of code:

    if ((strcmp(argv[i], "-f") == 0) || (strcmp(argv[i], "--file") == 0)) {
        ++i;
        globals.startup_set = argv[i];

The variable globals.startup_set will contain our (long) string. After this the variable
is passed to function load_tt_part() (src/tX_mastergui.cc), which is called by main():

    int main(int argc, char **argv)
    {
        ...
        if (globals.startup_set) {
            while (gtk_events_pending()) gtk_main_iteration(); gdk_flush();
            tX_cursor::set_cursor(tX_cursor::WAIT_CURSOR);
            load_tt_part(globals.startup_set);
        ...

    /* src/tX_mastergui.cc */
    void load_tt_part(char * buffer)
    {
        char idbuff[256];
        char wbuf[PATH_MAX];
        ...
        strcpy(globals.tables_filename, buffer);
        ...
        strcpy(idbuff, "Failed to access file: ");
        strcat(idbuff, globals.tables_filename);
        ...

In load_tt_part() our string is first copied into globals.tables_filename, which then
overflows the fixed-size buffer idbuff[256]. A user could overwrite eip and execute arbitrary code.

[0x3 Stack Overflow in Switch (2)]

This case is similar to the first one. Here we can overflow a fixed-size buffer by passing a
long string after option -r (or --rc-file). In function parse_args() (src/main.cc) we
find the vulnerable code:

    if ((strcmp(argv[i], "-r") == 0) || (strcmp(argv[i], "--rc-file") == 0)) {
        ...
        globals.alternate_rc = argv[i];

In function get_rc_name() (src/tX_global.c) there is an unchecked strcpy() that will overflow
a fixed-size buffer (passed to this function as an argument) with the content of the
globals.alternate_rc variable:

    void get_rc_name(char *buffer)
    {
        strcpy(buffer, "");
        if (globals.alternate_rc) {
            strcpy(buffer, globals.alternate_rc);
        ...

This bug can be used to overwrite eip and execute arbitrary code.

[0x4 Stack Overflow in $LADSPA_PATH]

In file tX_ladspa.cc, it's possible to overflow a fixed-size buffer by setting a long $LADSPA_PATH
environment variable. As before, there is an unchecked strcpy(); in this case a long string
will overflow ladspa_path[PATH_MAX]:

    void LADSPA_Plugin :: init ()
    {
        char *ladspa_path_ptr;
        char ladspa_path[PATH_MAX];
        ...
        /* Finding the LADSPA Path */
        ladspa_path_ptr=getenv("LADSPA_PATH");
        ...
        else strcpy(ladspa_path, ladspa_path_ptr);
        ...

By overflowing ladspa_path[PATH_MAX], eip will be overwritten, allowing the execution of
arbitrary code.

[0x5 Format String Bug in tx_note()]

There is a format string bug in function tx_note(), which can be found in src/tX_mastergui.cc. The
problem is in the call to gtk_message_dialog_new(). A user can control the contents of the message
variable and set it to format string specifiers (for example lots of %x). Here's the
vulnerable code:

    void tx_note(const char *message, bool isError)
    {
        char buffer[4096]="terminatorX ";
        if (isError) {
            strcat(buffer, "note: ");
        } else {
            strcat(buffer, "error: ");
        }
        strcat(buffer, message);
        GtkWidget *dialog=gtk_message_dialog_new(GTK_WINDOW(main_window),
            GTK_DIALOG_DESTROY_WITH_PARENT,
            isError ? GTK_MESSAGE_ERROR : GTK_MESSAGE_INFO, GTK_BUTTONS_CLOSE, message);
        gtk_dialog_run(GTK_DIALOG(dialog));                                      /* |_____ fmt bug */
        gtk_widget_destroy(dialog);
    }

It is possible to exploit this bug by passing a crafted string after the switch -f (or --file).
terminatorX will run, but it will display a warning window showing memory addresses. There will
be a segfault.

    [c0wboy@0x333 src]$ ./terminatorX -f %x%x%x%x%x%x%n
    terminatorX Release 3.81 - Copyright © 1999-2003 by Alexander König
    terminatorX comes with ABSOLUTELY NO WARRANTY - for details read the license.
    * tX_error: set_capabilities(): failed to set caps: Operation not permitted.
    + tX_warning: engine_thread_entry(): can't set SCHED_FIFO -> lacking capabilities.
    + tX_warning: engine_thread_entry() - engine has no realtime priority scheduling.
    + tX_warning: LADSPA_PATH not set. Trying /usr/lib/ladspa:/usr/local/lib/ladspa
    * tX_error: tX: Error: couldn't access directory /usr/lib/ladspa.
    + tX_warning: Plugin Stereo Amplifier disable ...
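
The unchecked strcpy()/strcat() copies and the user-controlled format argument described above each have a bounded, data-only counterpart. The following is an added example, not code from the advisory or from terminatorX: the function names are hypothetical, and snprintf() stands in for the printf-style GTK dialog call so that the block builds without GTK.

```c
#include <stdio.h>
#include <string.h>

/* Added example: hypothetical helpers, not terminatorX's own functions. */

/* Bounded copy for paths (the -r / --rc-file value, $LADSPA_PATH).
 * Rejects over-long input instead of truncating, because a silently
 * shortened path could name a different file. 0 = copied, -1 = rejected. */
int copy_path_checked(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || dstsz == 0) return -1;
    dst[0] = '\0';
    if (src == NULL || strlen(src) >= dstsz) return -1;
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}

/* Replacement for strcpy()+strcat() into idbuff[256]: one snprintf() call
 * that is told the destination size. Returns 0 if the whole message fit,
 * 1 if it was truncated (still NUL-terminated), -1 on error. */
int build_access_error(char *out, size_t outsz, const char *filename)
{
    int n = snprintf(out, outsz, "Failed to access file: %s", filename);
    if (n < 0) return -1;
    return (size_t)n >= outsz ? 1 : 0;
}

/* Format-string fix: untrusted text is only ever an argument to "%s",
 * never the format itself. The same rule applies to any printf-style
 * sink, e.g. gtk_message_dialog_new(..., "%s", text). */
int format_note(char *out, size_t outsz, const char *message, int is_error)
{
    int n = snprintf(out, outsz, "terminatorX %s: %s",
                     is_error ? "error" : "note", message);
    if (n < 0) return -1;
    return (size_t)n >= outsz ? 1 : 0;
}

int main(void)
{
    char idbuff[256], note[64], longname[1024];  /* longname: constructed input */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("truncated: %d\n", build_access_error(idbuff, sizeof idbuff, longname));
    format_note(note, sizeof note, "%x%x%n", 1);
    printf("%s\n", note);                        /* specifiers appear literally */
    return 0;
}
```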