Bugtraq mailing list archives

[linux-security] [8lgm]-Advisory-26.UNIX.rdist.20-3-1996


From: juphoff () tarsier cv nrao edu (Jeff Uphoff)
Date: Thu, 4 Jul 1996 13:10:16 -0500


Red Hat 3.0.3 and Slackware 3.0 (the only distributions I've checked so
far) appear safe: by default, they do not install rdist setuid--though
the version that comes with them (rdist-6.1.0) would be vulnerable if
made setuid (by hand) after installation, for whatever strange reason.
(I've inspected the code, and the unchecked buffer is rather obvious.)

Note that there is no need to install rdist setuid if it is compiled to
use rsh vice rcmd(); rsh is the (safe) default, and is the compilation
method used by both Red Hat and Slackware.

Anyone care to take a look at other Linux distributions to check for
default installations that are configured for setuid/rcmd()?

--Up.

------- start of forwarded message (RFC 934 encapsulation) -------
From: "[8LGM] Security Team" <8lgm () 8lgm org>
To: 8lgm-advisories () 8lgm org
Subject: [8lgm]-Advisory-26.UNIX.rdist.20-3-1996
Date: Wed, 3 Jul 1996 21:25:58 +0100 (BST)

=============================================================================
 Virtual Domain Hosting Services provided by The FOURnet Information Network
              mail webserv () FOUR net or see http://www.four.net
=============================================================================
             libC/Inside provided by Electris Software Limited
         mail electris () electris com or see http://www.electris.com
=============================================================================

                  [8lgm]-Advisory-26.UNIX.rdist.20-3-1996

PROGRAM:

        rdist

VULNERABLE VERSIONS:

        Solaris 2.*
        SunOS 4.1.*
        Potentially all versions running setuid root.

DESCRIPTION:

        rdist creates an error message based on a user provided string,
        without checking bounds on the buffer used.  This buffer is
        on the stack, and can therefore be used to execute arbitrary
        instructions.

IMPACT:

        Local users can obtain superuser privileges.

EXPLOIT:

        A program was developed to verify this bug on a SunOS 4.1.3 machine,
        and succeeded in obtaining a shell running uid 0 from rdist.

DETAILS:

        Consider the following command, running as user bin.

        # rdist -d TestString -d TestString
        rdist: line 1: TestString redefined
        distfile: No such file or directory
        #

        Using libC/Inside, the following trace was obtained:-

        -----------------------------------------------------------------------
        libC/Inside Shared Library Tracing.  V1.0 (Solaris 2.5).
        Copyright (C) 1996, Electris Software Limited, All Rights Reserved.

                Tracing started Thu May  9 00:04:19 1996

                Pid is 18738
                Log file is /tmp/Inside.18738
                Log file descriptor is 3

                uid=2(bin) gid=2(bin) euid=0(root) groups=2(bin),3(sys)

                Program is rdist

        _start+0x30->atexit(call_fini)
        return(0)
        _start+0x3c->atexit(_fini)
        return(0)
        main+0x28->getuid()
        return(2)
        main+0x38->seteuid(2)
        return(0)
        main+0x5c->getuid()
        return(2)
        main+0x64->getpwuid(2)
        return((pw_name="bin", pw_passwd="x", pw_uid=2, pw_gid=2, pw_age="", \
        pw_comment="", pw_gecos="", pw_dir="/usr/bin", pw_shell=""))
        main+0xb0->strcpy(user, "bin")
        return("bin")
        main+0xc4->strcpy(homedir, "/usr/bin")
        return("/usr/bin")
        main+0xd4->gethostname(host, 32)
        return(0)
        (Arg 0 = "legless")
        main+0x10c->strcmp("-d", "-Server")
        return(17)
        define+0x30->strchr("TestString", '=')
        return((null))
        lookup+0x11c->malloc(16)
        return(0x33220)
        main+0x10c->strcmp("-d", "-Server")
        return(17)
        define+0x30->strchr("TestString", '=')
        return((null))
        lookup+0x88->strcmp("TestString", "TestString")
        return(0)
        lookup+0xcc->sprintf(0xeffff8a8, "%s redefined", "TestString")
        return(20)
                (Arg 0 = "TestString redefined")
        yyerror+0x1c->fflush(stdout)
        return(0)
        lookup+0xd4->fprintf(stderr, "rdist: line %d: %s\n", 1, \
                 "TestString redefined")
        return(36)
        main+0x444->mktemp("/tmp/rdistXXXXXX")
        return("/tmp/rdista004_m")
        main+0x4d8->fopen("distfile", "r")
        return((null))
        main+0x4fc->fopen("Distfile", "r")
        return((null))
        main+0x560->perror("distfile")
        return()
        main+0x568->exit(1)
        -----------------------------------------------------------------------

        At lookup+0xcc, sprintf() copies the string provided to an address
        on the stack.  rdist does not check the length of this string,
        so a large string would overwrite the stack.

FIX:

        Use a version of rdist that does not require setuid root privileges.

        Obtain a patch from your vendor.

STATUS UPDATE:

        The file:

        [8lgm]-Advisory-26.UNIX.rdist.20-3-1996.README

        will be created on www.8lgm.org.  This will contain updates on
        any further versions which are found to be vulnerable, and any
        other information received pertaining to this advisory.

- -----------------------------------------------------------------------

FEEDBACK AND CONTACT INFORMATION:

        majordomo () 8lgm org      (Mailing list requests - try 'help'
                                 for details)

        8lgm () 8lgm org           (Everything else)

8LGM FILESERVER:

        All [8LGM] advisories may be obtained via the [8LGM] fileserver.
        For details, 'echo help | mail 8lgm-fileserver () 8lgm org'

8LGM WWW SERVER:

        [8LGM]'s web server can be reached at http://www.8lgm.org.
        This contains details of all 8LGM advisories and other useful
        information.
===========================================================================


- --
- -----------------------------------------------------------------------
$ echo help | mail 8lgm-fileserver () 8lgm org  (Fileserver help)
majordomo () 8lgm org                           (Request to be added to list)
8lgm () 8lgm org                                (General enquiries)
******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********
[8LGM] uses libC/Inside - the worlds leading security analysis tool
   now available to the public. Visit http:://www.electris.com
------- end -------
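The `lookup+0xcc` call in the advisory's trace is `sprintf(stack_buffer, "%s redefined", name)` with no bound on `name`. The following is an added example, not part of the original post or of rdist's source: it contrasts a hypothetical reconstruction of that pattern with a bounded form that uses `snprintf()` and reports truncation, plus a pre-check callers can run before formatting. `BUF_SIZE`, the function names and the 'A'-filled input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* constructed; stands in for the fixed stack buffer in lookup() */

/* Hypothetical reconstruction of the advisory's pattern: an unbounded
 * sprintf() into a fixed stack buffer.  Kept only for contrast; it is
 * called below with a short, in-bounds name. */
static void redefined_msg_unsafe(const char *name)
{
    char buf[BUF_SIZE];
    sprintf(buf, "%s redefined", name);   /* a name longer than BUF_SIZE-11 overruns buf */
    fprintf(stderr, "rdist: line %d: %s\n", 1, buf);
}

/* Hardened form: snprintf() never writes past `size` bytes.  Returns the
 * number of bytes actually stored (excluding the NUL) and sets *truncated
 * when the full message did not fit. */
static size_t redefined_msg_safe(char *buf, size_t size,
                                 const char *name, int *truncated)
{
    int needed = snprintf(buf, size, "%s redefined", name);
    if (needed < 0) { buf[0] = '\0'; *truncated = 1; return 0; }
    *truncated = (size_t)needed >= size;
    return *truncated ? size - 1 : (size_t)needed;
}

/* Pre-check: does "<name> redefined" plus its NUL fit in `size` bytes? */
static int name_fits(const char *name, size_t size)
{
    return strlen(name) + strlen(" redefined") + 1 <= size;
}

int main(void)
{
    char buf[BUF_SIZE];
    char big[200];                          /* constructed oversized macro name */
    int trunc;

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    redefined_msg_unsafe("TestString");     /* in bounds: same output as the trace */
    redefined_msg_safe(buf, sizeof buf, "TestString", &trunc);
    printf("%s (truncated=%d)\n", buf, trunc);
    redefined_msg_safe(buf, sizeof buf, big, &trunc);
    printf("%zu bytes stored (truncated=%d, fits=%d)\n",
           strlen(buf), trunc, name_fits(big, sizeof buf));
    return 0;
}
```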