Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

More Buffer Overflows in Digital Unix

From: lamontg () RAVEN GENOME WASHINGTON EDU (Lamont Granquist)
Date: Fri, 19 Feb 1999 14:18:18 -0800

1. No return-into-libc exploit for Digital Unix

   I didn't understand the return-into-libc method really prior to my
   previous BUGTRAQ post.  Since then, I understand it a bit more and
   Solar Designer has informed me that such attacks will be very
   difficult due to the passing of parameters in registers on this
   architecture.  So, things look better for 3.x admins, although AFAIK
   you can still just shove some shellcode into a buffer that gets
   malloc()'d and then return into it.

2. Incorrect patch installation instructions in SSRT0583U.tar.gz

   The initial patch installation instructions for SSRT0583U for 'at' and
   'inc' had incorrect instructions which would leave exploitable suid
   root binaries lying around if they were followed to the letter, e.g:

   # cp /patches/at at.new
   # chown root:bin at.new
   # chmod 4755 at.new
   # ln at at.orig
   # mv at.new at

   These were later changed to read:

   # cp /patches/at at.new
   # chown root:bin at.new
   # chmod 4755 at.new
   # ln at at.orig
   # mv at.new at
   # chmod 400 at.orig

   The MD5 checksums on the patch files are/were:

   bf03f67cf0ec69e335ba9dcc0cf88c13  SSRT0583U.tar.gz (old)
   d1da354134b0335548aa7f436414d94a  SSRT0583U.tar.gz (corrected)

   To be sure you're okay:

   # chmod 400 /usr/bin/at.orig /usr/bin/mh/inc.orig /usr/shlib/libmh.so.orig

   The patches are available at:

   ftp://xfer.service.digital.com/to_customer/SSRT0583U.tar.gz

3. DIGITAL NetWorker for DIGITAL UNIX, Version 4.4

   There exists an exploitable buffer overflow in the program nsralist
   which in version 4.4. is setuid root.  I have reports that the more
   current 5.2 version does not install this program suid root.  To check
   for this vulnerability:

   % ls -l /usr/opt/BRX440/BRXSOAKIT440/bin/nsralist
   -rws--x--x   1 root     system    565248 Nov 26  1997 /usr/opt/BRX440/BRXSOAKIT440/bin/nsralist
   % /usr/opt/BRX440/BRXSOAKIT440/bin/nsralist -R `perl -e 'print "a" x 4000'`
   nsralist: RPC error, Program not registered
   Segmentation fault

   The fix is to strip the suid root bits off of everything in that
   directory, and to upgrade to version 5.2 or later.

   Obviously, "BRX440" contains the version number and other possibly
   exploitable versions may be in different directories, so:

   % find /usr/opt -name nsralist -exec ls -la \{\} \;

   Or better just scan your entire machine for suid/sgid files.

4. /usr/bin/rdist CA-96.14.rdist_vul

   This bug was apparently first described in CA-91.20.rdist.vulnerability,
   then CA-94.04.SunOS.rdist.vulnerability and later in CA-96.14.rdist_vul.
   This was a bug in common code which DEC apparently claimed to have
   fixed with patches to OSF 3.2C and prior platforms and which should
   have been included in all the 4.0 releases.  Unfortunately, 4.0D with
   patch kit #3 still has this bug:

   % /usr/bin/rdist -d `perl -e 'print "a" x 300'` -d `perl -e 'print "a" x 300'`
   rdist: line 1: 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 redefined
   Segmentation fault

   Luckily, this is difficult to exploit because the "..aaa redefined" is
   what gets pushed onto the stack which means that either you jump to a
   location in memory with no 0x00's or else you overwrite the ra with
   the tail end of "redefined" which probably means 0x164656369 as the
   most useful address and *I* cannot figure out how to get code into that
   location.  This lets one mess around with the return address way too
   much, though.  If anyone figures out how to exploit this please let me
   know.

   Exploit code for this advisory on rootshell.com includes code for
   IRIX (irix-buffer.txt 6/15/97 for 'ordist') and FreeBSD (rdist-ex.c
   8/26/96).

   Thanks for suggesting this one goes out to minus- on #phrack

5. /usr/bin/rdist CA-97.23.rdist

   In the CERT advisory on this subject, Digital claimed "This reported
   problem is not present for Digital's ULTRIX or Digital UNIX Operating
   Systems Software."  This is entirely inaccurate:

   % /usr/bin/rdist -d bleh=`perl -e 'print "a" x 8200'` -c /tmp/ '${bleh}'
   rdist: line 1: Pathname too long
   rdist: line 1: Pathname too long
   rdist: line 1: Pathname too long
   rdist: line 1: Pathname too long
   rdist: line 1: Pathname too long
   rdist: line 1: Pathname too long
   rdist: line 1: Pathname too long
   rdist: line 1: Pathname too long
   rdist: line 1: Pathname too long
   rdist: line 1: Pathname too long
   Segmentation fault

   (again you need to do this from a reasonably recent version of tcsh
   which will not choke on `perl -e 'print "a" x 8200'` with a "Word too
   long" error)

   Exploitation of this bug is completely straight-forwards, although the
   script that I included with /usr/bin/mh/inc will need to be modified.
   This buffer overflow exists on all version of Digital Unix from 4.0
   up through 4.0D with patch kit #3.  Digital is aware of this problem
   and is working on patches, but I strongly suggest that admins take
   the suggestions offered in the CERT advisory CA-97.23.rdist:

   1. strip the suid root bits off of /usr/bin/rdist
   2. install the rdist version from http://www.magnicomp.com/rdist/
      which does not run suid root (www.magnicomp.com is the new home
      of the supported version of rdist which used to be at USC).

   Exploit code for this advisory in the BUGTRAQ archives includes
   code for Solaris 2.5-2.6 and is at:

   http://geek-girl.com/bugtraq/1998_3/0522.html

   Thanks for this one go out to minus- on #phrack and _daveg_ for
   reminding me after i'd gotten all frustrated over CA-96.14 that
   there was a 2nd CERT advisory on rdist and for digging up the Solaris
   exploit for me.

6. Exploit code

   Sorry.  No exploit code for the script kiddies this time.  Exploitation
   of #3 and #5 are entirely-straight forwards.  If anyone (CERT???) needs
   exploit code for legitimate testing purposes, just send me e-mail.

7. Patches

   Compaq has been made aware of the problem.  Patches should be
   forthcoming.  Admins are, however, advised not to wait for the
   patches.  NetWorker should be upgraded or the suid root bits
   stripped off of it (this might impair functionality, contact Compaq
   if you really need to know if you can do this) and the publically
   available non-suid rdist version should be used in place of the suid
   root one provided with Digital Unix.

   Yes I released this prior to the patches being made available.  I
   do so because entirely satisfactory work-arounds exist, in fact
   "work-arounds" exist which are ultimately better than any patch that
   Compaq releases which still keeps rdist suid root.  The only way
   Compaq could come out with something better would be to develop a
   non-exec-stack work-around for 4.0 or to distribute privaleged
   code binaries which had been compiled with something like StackGuard.
   Unfortunately, I don't see Compaq doing this.

8. Reminder

   There are undoubtably many buffer overflows still to be found in
   Digital Unix.  Reduce your privaleged code to a minimum:

   a. find all suid/sgid programs, strip the ones that aren't used and
      wrap the ones that are.
   b. hunt down all daemon processes and turn off the ones that you don't
      use -- use nmap, netstat -an and lsof.

--
Lamont Granquist                       lamontg () raven genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
Previous By Date Next
Previous By Thread Next

Current thread: