Bugtraq mailing list archives
[linux-security] [8lgm]-Advisory-26.UNIX.rdist.20-3-1996
From: juphoff () tarsier cv nrao edu (Jeff Uphoff)
Date: Thu, 4 Jul 1996 13:10:16 -0500
Red Hat 3.0.3 and Slackware 3.0 (the only distributions I've checked so far) appear safe: by default, they do not install rdist setuid--though the version that comes with them (rdist-6.1.0) would be vulnerable if made setuid (by hand) after installation, for whatever strange reason. (I've inspected the code, and the unchecked buffer is rather obvious.)

Note that there is no need to install rdist setuid if it is compiled to use rsh vice rcmd(); rsh is the (safe) default, and is the compilation method used by both Red Hat and Slackware.

Anyone care to take a look at other Linux distributions to check for default installations that are configured for setuid/rcmd()?

--Up.

------- start of forwarded message (RFC 934 encapsulation) -------
From: "[8LGM] Security Team" <8lgm () 8lgm org>
To: 8lgm-advisories () 8lgm org
Subject: [8lgm]-Advisory-26.UNIX.rdist.20-3-1996
Date: Wed, 3 Jul 1996 21:25:58 +0100 (BST)

=============================================================================
Virtual Domain Hosting Services provided by The FOURnet Information Network
mail webserv () FOUR net or see http://www.four.net
=============================================================================
libC/Inside provided by Electris Software Limited
mail electris () electris com or see http://www.electris.com
=============================================================================

[8lgm]-Advisory-26.UNIX.rdist.20-3-1996

PROGRAM:

    rdist

VULNERABLE VERSIONS:

    Solaris 2.*
    SunOS 4.1.*
    Potentially all versions running setuid root.

DESCRIPTION:

    rdist creates an error message based on a user provided string,
    without checking bounds on the buffer used. This buffer is on the
    stack, and can therefore be used to execute arbitrary instructions.

IMPACT:

    Local users can obtain superuser privileges.

EXPLOIT:

    A program was developed to verify this bug on a SunOS 4.1.3 machine,
    and succeeded in obtaining a shell running uid 0 from rdist.

DETAILS:

    Consider the following command, running as user bin.

    # rdist -d TestString -d TestString
    rdist: line 1: TestString redefined
    distfile: No such file or directory
    #

    Using libC/Inside, the following trace was obtained:-

-----------------------------------------------------------------------
libC/Inside Shared Library Tracing. V1.0 (Solaris 2.5).
Copyright (C) 1996, Electris Software Limited, All Rights Reserved.

Tracing started Thu May 9 00:04:19 1996
Pid is 18738
Log file is /tmp/Inside.18738
Log file descriptor is 3
uid=2(bin) gid=2(bin) euid=0(root) groups=2(bin),3(sys)
Program is rdist

_start+0x30->atexit(call_fini) return(0)
_start+0x3c->atexit(_fini) return(0)
main+0x28->getuid() return(2)
main+0x38->seteuid(2) return(0)
main+0x5c->getuid() return(2)
main+0x64->getpwuid(2) return((pw_name="bin", pw_passwd="x", pw_uid=2, pw_gid=2, pw_age="", \
    pw_comment="", pw_gecos="", pw_dir="/usr/bin", pw_shell=""))
main+0xb0->strcpy(user, "bin") return("bin")
main+0xc4->strcpy(homedir, "/usr/bin") return("/usr/bin")
main+0xd4->gethostname(host, 32) return(0) (Arg 0 = "legless")
main+0x10c->strcmp("-d", "-Server") return(17)
define+0x30->strchr("TestString", '=') return((null))
lookup+0x11c->malloc(16) return(0x33220)
main+0x10c->strcmp("-d", "-Server") return(17)
define+0x30->strchr("TestString", '=') return((null))
lookup+0x88->strcmp("TestString", "TestString") return(0)
lookup+0xcc->sprintf(0xeffff8a8, "%s redefined", "TestString") return(20) (Arg 0 = "TestString redefined")
yyerror+0x1c->fflush(stdout) return(0)
lookup+0xd4->fprintf(stderr, "rdist: line %d: %s\n", 1, \
    "TestString redefined") return(36)
main+0x444->mktemp("/tmp/rdistXXXXXX") return("/tmp/rdista004_m")
main+0x4d8->fopen("distfile", "r") return((null))
main+0x4fc->fopen("Distfile", "r") return((null))
main+0x560->perror("distfile") return()
main+0x568->exit(1)
-----------------------------------------------------------------------

    At lookup+0xcc, sprintf() copies the string provided to an address on
    the stack. rdist does not check the length of this string, so a large
    string would overwrite the stack.

FIX:

    Use a version of rdist that does not require setuid root privileges.
    Obtain a patch from your vendor.

STATUS UPDATE:

    The file:

        [8lgm]-Advisory-26.UNIX.rdist.20-3-1996.README

    will be created on www.8lgm.org. This will contain updates on any
    further versions which are found to be vulnerable, and any other
    information received pertaining to this advisory.

-----------------------------------------------------------------------
FEEDBACK AND CONTACT INFORMATION:

    majordomo () 8lgm org   (Mailing list requests - try 'help' for details)
    8lgm () 8lgm org        (Everything else)

8LGM FILESERVER:

    All [8LGM] advisories may be obtained via the [8LGM] fileserver.
    For details, 'echo help | mail 8lgm-fileserver () 8lgm org'

8LGM WWW SERVER:

    [8LGM]'s web server can be reached at http://www.8lgm.org.
    This contains details of all 8LGM advisories and other useful information.

===========================================================================

--
-----------------------------------------------------------------------
$ echo help | mail 8lgm-fileserver () 8lgm org   (Fileserver help)
majordomo () 8lgm org                             (Request to be added to list)
8lgm () 8lgm org                                  (General enquiries)

******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********

[8LGM] uses libC/Inside - the world's leading security analysis tool
now available to the public. Visit http://www.electris.com
------- end -------
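The unchecked sprintf() at lookup+0xcc that the advisory's DETAILS section describes, reconstructed here as an added example (hypothetical C, not rdist's source and not 8LGM's verification program), beside a bounded snprintf() replacement that reports truncation instead of writing past the buffer. ERRBUF_SIZE, the function names and the 300-byte sample name are assumptions; the advisory gives neither the real buffer size nor the source.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of rdist's stack buffer; the advisory does not state it. */
#define ERRBUF_SIZE 256
#define REDEFINED_FMT "%s redefined"   /* format visible at lookup+0xcc in the trace */

/* Hypothetical reconstruction of the unchecked pattern: sprintf() writes
 * strlen(name) + 11 bytes into a fixed 256-byte stack buffer, so a name of
 * 246 bytes or more runs past the end of buf. Only safe for short input. */
void redefined_unchecked(const char *name)
{
    char buf[ERRBUF_SIZE];
    sprintf(buf, REDEFINED_FMT, name);
    fprintf(stderr, "rdist: line %d: %s\n", 1, buf);
}

/* Bytes the unchecked sprintf() writes, NUL included: the bound check the
 * original code never performed, done on paper rather than on the stack. */
size_t redefined_msg_len(const char *name)
{
    return strlen(name) + sizeof(" redefined");   /* 10 chars + NUL = 11 */
}

/* Hardened form: snprintf() bounds the write and always NUL-terminates;
 * the return value tells the caller whether the whole message fit. */
bool redefined_checked(char *buf, size_t bufsz, const char *name)
{
    int n = snprintf(buf, bufsz, REDEFINED_FMT, name);
    return n >= 0 && (size_t)n < bufsz;
}

/* Same check against an ERRBUF_SIZE stack buffer, as lookup() would use it. */
bool redefined_checked_fits(const char *name)
{
    char buf[ERRBUF_SIZE];
    return redefined_checked(buf, sizeof buf, name);
}

/* Constructed oversize input: 300 'A's, well past ERRBUF_SIZE. */
const char *constructed_long_name(void)
{
    static char name[301];
    memset(name, 'A', 300);
    name[300] = '\0';
    return name;
}
```

For "TestString" the message length matches the trace (sprintf returned 20, plus the NUL); for the 300-byte name the unchecked version would need 311 bytes of a 256-byte buffer, while the checked version stops at 255 characters and reports that the message was cut short.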
Current thread:
- [linux-security] [8lgm]-Advisory-26.UNIX.rdist.20-3-1996 Jeff Uphoff (Jul 04)
- Re: [linux-security] [8lgm]-Advisory-26.UNIX.rdist.20-3-1996 Michael Shields (Jul 05)
- CERT Advisory CA-96.13 - Vulnerability in the dip program CERT Advisory (Jul 09)
- Re: CERT Advisory CA-96.13 - Vulnerability in the dip program Efrain Torres (Jul 09)
- FIRST Conference & Workshop Plans Ron Freund (Jul 09)
- rdist exploit [bsdi] Brian Mitchell (Jul 09)
- Re: rdist exploit [bsdi] Brian Tao (Jul 11)
- Re: rdist exploit [bsdi] Damien Sorder (Jul 11)
- Re: rdist exploit [bsdi] jaeger (Jul 12)
- Re: rdist exploit [bsdi] Andrew N. Edmond (Jul 13)
- Re: rdist exploit [bsdi] Andy Dills (Jul 13)