CORE-20020620: Inktomi Traffic Server Buffer Overflow

[Iván Arce <core.lists.bugtraq () core-sdi com>]

          CORE SECURITY TECHNOLOGIES
                   http://www.corest.com

                      Vulnerability Report For
                        Inktomi Traffic Server


Date Published: 2002-07-02

Advisory ID: CORE-20020620

Bugtraq ID: 5098

CVE CAN: None currently assigned.

Title: Inktomi Traffic Server traffic_manager local overflow.

Class: Boundary error condition (buffer overflow)

Remotely Exploitable: NO

Locally Exploitable: Yes

Vendors contacted:

 Inktomi Corporation (INKT)
 . Inital email sent: 2002-06-21
 . Acknowledged reception of initial contact: 2002-06-24
 . Official response and fix information: 2002-07-01

Release mode: COORDINATED RELEASE

*Vulnerability Description*

Inktomi's  Traffic Server product provides transparent web caching,
access control and content filtering. It is available for Linux, Solaris
and Windows platforms. A vulnerability that could allow a local attacker to
gain root access has been discovered in the unix version of the software.


Problem: Buffer overflow in traffic_manager executable

The traffic_manager executable is used to manage Traffic Server,
it is installed setuid-root by default under the [installpath]/bin
directory.
When traffic_manager is executed with a long command line argument,
a buffer overflow occurs.
This vulnerability can be exploited locally to gain root access.

A local exploit module is available for CORE IMPACT customers in
the July 2002 update pack.

*Vulnerable Packages/Systems*

The local root vulnerability in traffic_manager exists
in all current and previous revisions of Inktomi Traffic Server,
Traffic Edge and Media-IXT.

 Current product revisions are:
  Media-IXT 3.0.4
  Traffic Server / Media-IXT 4.0.18
  Traffic Server / Media-IXT 4.0.20
  Traffic Server / Media-IXT 5.1.3
  Traffic Server / Media-IXT 5.2.0-R
  Traffic Server / Media-IXT 5.2.1
  Traffic Server / Media-IXT 5.2.2
  Traffic Edge 1.1.2 (Traffic Server 5.2.1)
  Traffic Edge 1.5.0 (Traffic Server 5.5)

*Solution/Vendor Information/Workaround*

The buffer overflow error in the "-path" option of the
traffic_manager command will be corrected to remove the
vulnerability in all future maintenance releases of
Traffic Server, Media-IXT and Traffic Edge.

The identified vulnerability applies to command-line
execution of bin/traffic_manager, so the risk applies only
to shell sessions already connected to the proxy host as
non-privileged users.  The vulnerability does not affect
network services or access and cannot grant remote access to
the proxy host.

If you wish to block this local vulnerability, remove the
setuid bit from the traffic_manager executable.  When
traffic_manager is not setuid root, the proxy will not be able
to directly serve 'privileged' port numbers less than 1024.

Some proxy configurations will require ARM config/ipnat.conf

Please refer to Inktomi's note on the bug at
http://support.inktomi.com/kb/070202-003.html
with specific instructions on how to reconfigure the
products to operate properly without the SUID flag set
on the binary.

Contact emailsupport () inktomi com for assistance

*Credits*

This vulnerability was discovered by Juliano Rizzo of the
Security Consulting Services team at CORE SECURITY TECHNOLOGIES

We would like to thank Warren Brown from Inktomi Product Support
for the quick response to the issue.

*Technical Description - Exploit/Concept Code*

Traffic Manager installs the traffic_manager program as a root
owned file with the set user id bit set.

Below are the lines from install.sh that makes traffic_manager
setuid-root.

----
  # Adjust setuid commands
  chown root ${InstallDir}/bin/traffic_manager >>$LogFile 2>&1
  chmod 4755 ${InstallDir}/bin/traffic_manager >>$LogFile 2>&1
  if [ -d ${InstallDir}/bin/debug ] ; then
    chown root ${InstallDir}/bin/debug/traffic_manager >>$LogFile 2>&1
    chmod 4755 ${InstallDir}/bin/debug/traffic_manager >>$LogFile 2>&1
  fi

----
The overflow occurs when a string longer than 1700 bytes is passed
as argument to the -path option. The exploitability has been confirmed
under Solaris platform.

/inktomi/5.1.3/bin# ./traffic_manager -path `perl -e 'print "A"x1720'` <
[TrafficManager] ==> Kernel Sig 11; Reason: 1
[TrafficManager] ==> Cleaning up and reissuing signal #11
Abort(coredump)

truss output:
open64("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA", O_RDONLY) Err#78 ENAMETOOLONG
fstat(3, 0xFFBEC130)                            = 0
time()                                          = 1024660377
getpid()                                        = 27458 [27457]
putmsg(3, 0xFFBEB7E8, 0xFFBEB7DC, 0)            = 0
open("/var/run/syslog_door", O_RDONLY)          Err#2 ENOENT
    Incurred fault #5, FLTACCESS  %pc = 0xFF0CF2E0
      siginfo: SIGBUS BUS_ADRALN addr=0x41414149
    Received signal #10, SIGBUS [caught]
      siginfo: SIGBUS BUS_ADRALN addr=0x41414149

Replacing 0x41414141 for a valid stack address and building the right
string it is posible to execute arbitrary code with root privileges.


DISCLAIMER:

The contents of this advisory are copyright (c) 2002 CORE SECURITY
TECHNOLOGIES
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.

$Id: InktomiTS-pathbof-advisory.txt,v 1.5 2002/07/02 21:11:40 iarce Exp $

---
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A


--- for a personal reply use: =?iso-8859-1?Q?Iv=E1n_Arce?= <ivan.arce () corest com>