Bugtraq mailing list archives
[8lgm]-Advisory-26.UNIX.rdist.20-3-1996 [Forwarded e-mail from
From: juphoff () tarsier cv nrao edu (Jeff Uphoff)
Date: Wed, 3 Jul 1996 18:56:28 -0400
------- start of forwarded message (RFC 934 encapsulation) -------
From: "[8LGM] Security Team" <8lgm () 8lgm org>
To: 8lgm-advisories () 8lgm org
Subject: [8lgm]-Advisory-26.UNIX.rdist.20-3-1996
Date: Wed, 3 Jul 1996 21:25:58 +0100 (BST)

=============================================================================
Virtual Domain Hosting Services provided by The FOURnet Information Network
mail webserv () FOUR net or see http://www.four.net
=============================================================================
libC/Inside provided by Electris Software Limited
mail electris () electris com or see http://www.electris.com
=============================================================================

[8lgm]-Advisory-26.UNIX.rdist.20-3-1996

PROGRAM:

        rdist

VULNERABLE VERSIONS:

        Solaris 2.*
        SunOS 4.1.*
        Potentially all versions running setuid root.

DESCRIPTION:

        rdist creates an error message based on a user-provided string,
        without checking bounds on the buffer used. This buffer is on the
        stack, and can therefore be used to execute arbitrary instructions.

IMPACT:

        Local users can obtain superuser privileges.

EXPLOIT:

        A program was developed to verify this bug on a SunOS 4.1.3
        machine, and succeeded in obtaining a shell running uid 0 from
        rdist.

DETAILS:

        Consider the following command, running as user bin.

        # rdist -d TestString -d TestString
        rdist: line 1: TestString redefined
        distfile: No such file or directory
        #

        Using libC/Inside, the following trace was obtained:-

-----------------------------------------------------------------------
libC/Inside Shared Library Tracing. V1.0 (Solaris 2.5).
Copyright (C) 1996, Electris Software Limited, All Rights Reserved.

Tracing started Thu May 9 00:04:19 1996
Pid is 18738
Log file is /tmp/Inside.18738
Log file descriptor is 3
uid=2(bin) gid=2(bin) euid=0(root) groups=2(bin),3(sys)
Program is rdist

_start+0x30->atexit(call_fini) return(0)
_start+0x3c->atexit(_fini) return(0)
main+0x28->getuid() return(2)
main+0x38->seteuid(2) return(0)
main+0x5c->getuid() return(2)
main+0x64->getpwuid(2) return((pw_name="bin", pw_passwd="x", pw_uid=2, pw_gid=2, pw_age="", \
        pw_comment="", pw_gecos="", pw_dir="/usr/bin", pw_shell=""))
main+0xb0->strcpy(user, "bin") return("bin")
main+0xc4->strcpy(homedir, "/usr/bin") return("/usr/bin")
main+0xd4->gethostname(host, 32) return(0) (Arg 0 = "legless")
main+0x10c->strcmp("-d", "-Server") return(17)
define+0x30->strchr("TestString", '=') return((null))
lookup+0x11c->malloc(16) return(0x33220)
main+0x10c->strcmp("-d", "-Server") return(17)
define+0x30->strchr("TestString", '=') return((null))
lookup+0x88->strcmp("TestString", "TestString") return(0)
lookup+0xcc->sprintf(0xeffff8a8, "%s redefined", "TestString") return(20) (Arg 0 = "TestString redefined")
yyerror+0x1c->fflush(stdout) return(0)
lookup+0xd4->fprintf(stderr, "rdist: line %d: %s\n", 1, \
        "TestString redefined") return(36)
main+0x444->mktemp("/tmp/rdistXXXXXX") return("/tmp/rdista004_m")
main+0x4d8->fopen("distfile", "r") return((null))
main+0x4fc->fopen("Distfile", "r") return((null))
main+0x560->perror("distfile") return()
main+0x568->exit(1)
-----------------------------------------------------------------------

        At lookup+0xcc, sprintf() copies the string provided to an
        address on the stack. rdist does not check the length of this
        string, so a large string would overwrite the stack.

FIX:

        Use a version of rdist that does not require setuid root
        privileges. Obtain a patch from your vendor.

STATUS UPDATE:

        The file:

                [8lgm]-Advisory-26.UNIX.rdist.20-3-1996.README

        will be created on www.8lgm.org. This will contain updates on any
        further versions which are found to be vulnerable, and any other
        information received pertaining to this advisory.

- -----------------------------------------------------------------------

FEEDBACK AND CONTACT INFORMATION:

        majordomo () 8lgm org (Mailing list requests - try 'help' for details)
        8lgm () 8lgm org (Everything else)

8LGM FILESERVER:

        All [8LGM] advisories may be obtained via the [8LGM] fileserver.
        For details, 'echo help | mail 8lgm-fileserver () 8lgm org'

8LGM WWW SERVER:

        [8LGM]'s web server can be reached at http://www.8lgm.org.
        This contains details of all 8LGM advisories and other useful
        information.

===========================================================================

- --
- -----------------------------------------------------------------------
$ echo help | mail 8lgm-fileserver () 8lgm org   (Fileserver help)
majordomo () 8lgm org                         (Request to be added to list)
8lgm () 8lgm org                              (General enquiries)
******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********
[8LGM] uses libC/Inside - the world's leading security analysis tool
now available to the public. Visit http://www.electris.com
------- end -------
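The defect the trace pins at lookup+0xcc, an unbounded sprintf() of a caller-supplied name into a fixed-size stack buffer, is shown below as an added C example beside the bounded form that reports truncation instead of overwriting memory. This is illustration code written for this archive page, not rdist's source and not 8LGM's code; the buffer size MSG_LEN, the function names and the "too long to report" wording are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed message buffer size for the illustration; not rdist's actual size. */
#define MSG_LEN 64

/*
 * Unsafe form, the pattern the advisory describes: sprintf() writes
 * "%s redefined" into a fixed-size buffer and never consults its size,
 * so a name longer than MSG_LEN - 11 bytes writes past the end of the
 * buffer. Kept here only for comparison; it is only ever called with a
 * short, fixed name in this file.
 */
static int unsafe_redefined_msg(char buf[MSG_LEN], const char *name)
{
    return sprintf(buf, "%s redefined", name);   /* no bound on name */
}

/*
 * Hardened form: snprintf() is told the buffer size and returns the
 * length the complete message would have had. If that is >= bufsz the
 * message did not fit; report that to the caller instead of writing
 * beyond the buffer. The buffer is always NUL-terminated on return.
 * Returns 0 on success, -1 on truncation.
 */
int safe_redefined_msg(char *buf, size_t bufsz, const char *name)
{
    int n = snprintf(buf, bufsz, "%s redefined", name);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return 0;
}

/*
 * Stand-in for rdist's error path: build the message in a stack buffer
 * without trusting the length of name, then print it. Returns 0 if the
 * message was reported in full, -1 if the name was too long to fit.
 */
int report_redefined(const char *name)
{
    char msg[MSG_LEN];
    if (safe_redefined_msg(msg, sizeof msg, name) != 0) {
        fprintf(stderr, "rdist: line %d: %s\n", 1,
                "(identifier too long to report)");
        return -1;
    }
    fprintf(stderr, "rdist: line %d: %s\n", 1, msg);
    return 0;
}

/*
 * Exercises the bounds check with a constructed name of 127 'A's, twice
 * the buffer size. Returns 1 if the overlong name was rejected.
 */
int overlong_name_is_rejected(void)
{
    char name[MSG_LEN * 2];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return report_redefined(name) == -1;
}

int main(void)
{
    char buf[MSG_LEN];

    /* Short name: both forms produce the 20-byte message seen in the trace. */
    unsafe_redefined_msg(buf, "TestString");
    printf("%s\n", buf);
    report_redefined("TestString");

    /* Overlong name: the bounded form refuses instead of overflowing. */
    printf("overlong name rejected: %d\n", overlong_name_is_rejected());
    return 0;
}
```

The bounds check only closes the memory-safety hole; the advisory's recommended fix, running a version of rdist that does not need setuid root, removes the privilege that made the overflow a root compromise, and both belong together.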
Current thread:
- Solaris mailx hole Marc Mosko/jfrank/us (Jun 30)
- Re: Solaris mailx hole Andy Dills (Jul 01)
- Re: Solaris mailx hole Casper Dik (Jul 02)
- Re: Solaris mailx hole Andy Dills (Jul 02)
- CD4300 series BUG DANIEL .D .EZEKIEL (Jul 02)
- Re: BoS: Re: Solaris mailx hole Travis Hassloch x231 (Jul 02)
- Re: Solaris mailx hole Dave Roberts (Jul 03)
- Re: Solaris mailx hole Andy Dills (Jul 03)
- [8lgm]-Advisory-26.UNIX.rdist.20-3-1996 [Forwarded e-mail from Jeff Uphoff (Jul 03)
- BoS: *** SECURITY ALERT *** (fwd) Michael Brennen (Jul 03)
- BoS: *** SECURITY ALERT *** (fwd) Mark_W_Loveless () smtp bnr com (Jul 04)
- IIS bug test Paolo Taraboi (Jul 04)
- IMAPD security problems ? Zvi Bar-Deroma (Jul 04)
- Re: IMAPD security problems ? Ian MacPhedran (Jul 04)
- Re: Solaris mailx hole Casper Dik (Jul 02)
- Re: Solaris mailx hole Andy Dills (Jul 01)
- <Possible follow-ups>
- Re: Solaris mailx hole Josef Buergler (Jul 02)
- Re: Solaris mailx hole Rick Otten (Jul 03)