[ENIGMA] Digital UNIX/Tru64 UNIX remote kdebug Vulnerability

[enigma <enigma () ITAUDIT COM AU>]

_____________________________________________________________________

                               ENIGMA SECURITY ADVISORY
                         A division of ITAC: Leaders in IT Security
                                 (http://enigma.itaudit.com.au)

                         Digital UNIX kdebugd remote Vulnerability
_____________________________________________________________________


Title:               kdebugd service file vulnerability
Bug ID:           EN18090001
Affected:         Digital UNIX 4.0F, other versions believed to be as well
but untested.
Compromise:  Any file on the system can be read from or written to as root,
possibly
                       resulting in remote root access being obtained.
Author:           Mark Dowd (mark () itaudit com au)


1. SYNOPSIS

The kdebug daemon can be exploited by remote users to open and display the
contents of
any file on the system. It can also be used to write to the beginning of any
file on the system
overwriting data which was previously there.

2. DETAILS

When a connection is initiated with the kdebug daemon, an initialisation
packet is sent,
which consists of two strings: "kdebug" (or another permissible entry found
in /etc/remote),
and an optional file location for the session to be recorded into. The
problem is that this file
location can be any file on the system, and is modified with root
privileges. An attacker
can specify a file such as /etc/hosts.equiv in the initialisation packet,
and then subsequent
data which is written by the client will also be written to this file. As
mentioned previously,
data that is written to the file is written to the beginning of the file and
not the end, some
superfluous data is also prepended by the kdebug daemon, which means passwd
file
entries and some other similar types of attacks on files with strict syntax
can not be
performed. Furthermore, it appears that kdebugd will only write to files
which already exist
on the system.

This bug can also be exploited for reading any file on the file system. This
is achieved by
sending an initialisation packet specifying the debug file as /etc/remote, a
file which kdebugd
interrogates when processing initialisation packets. The client can then
send subsequent
data that contains a valid /etc/remote entry. Each entry in /etc/remote has
a file which is
read from. In the case of the "kdebug" entry, it is /dev/ttys00. When a
client is writing new
a new entry with this vulnerability, they can specify a file such as
/etc/passwd, and then
initiate a new connection to kdebug, requesting their new entry instead of
"kdebug". The
/etc/passwd file in this case would be opened and written to the socket,
allowing the client
to see the full contents of the file. Once again, with root privileges.

3. SOLUTION

Compaq has said that the vulnerability exists up to Tru64 5.0, and that a
fix is currently being
developed and is expected to be available in the initial patch kit for Tru64
UNIX V5.1. As a workaround
in the meantime, it is recommended that the kdebugd service be disabled by
removing it from
/etc/inetd.conf.