Full Disclosure mailing list archives

iDEFENSE Security Advisory 09.18.2002: Security Vulnerabilities in OSF1/Tru64 3.

From: dotslash () snosoft com (KF)
Date: Wed, 18 Sep 2002 18:19:27 -0400

How is this different from what we disclosed?
http://packetstorm.decepticons.org/advisories/misc/TRU64_advisory.txt
-KF


David Endler wrote:

iDEFENSE Security Advisory 09.18.2002
Security Vulnerabilities in OSF1/Tru64 3.x


DESCRIPTION

Three buffer overflow vulnerabilities exist in older versions of
Tru64/OSF1.  

ISSUE 1

The uucp utility in Compaqs Tru64/OSF1 3.x operating system contains
a locally exploitable buffer overflow which allows an attacker to
gain root privileges if the "source" command line parameter is a
string greater that approximately 8232 bytes in size. The executable
is installed setuid root which allows the attacker to cause arbitrary
code to run in the context of the root user.  
 
Analysis: This issue is trivial to exploit; The parameter to the "-s"
command line argument is stored in the heap area of memory, and an
attacker can place shellcode in it for later execution. This
eliminates the need for offset brute forcing, however alignment
appears to be an issue in this case.

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2002-1127 to this issue.

This issue was exlcusively disclosed to iDEFENSE by Euan Briggs
(euan_briggs () btinternet com)
 


ISSUE 2

The inc mail incorporation utility in Compaqs OSF1 3.x operating
system contains a locally exploitable buffer overflow which allows an
attacker to gain root privileges if the "MH" environment variable
contains a string greater that approximately 8192 bytes in size. The
executable is installed setuid root which allows the attacker to
cause arbitrary code to run in the context of the root user.  
 
Analysis: This issue is trivial to exploit; the content of the "HOME"
environment variable is stored in the heap area of memory, and an
attacker can place shellcode in it for later execution. This
eliminates the need for alignment and offset brute forcing.

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2002-1128 to this issue.

This issue was exclusively disclosed to iDEFENSE by Euan Briggs
(euan_briggs () btinternet com)

 

ISSUE 3

Description: The dxterm utility in Compaqs OSF1 3.x operating system
contains a locally exploitable buffer overflow which allows an
attacker to gain root privileges. The executable is installed setuid
root which allows the attacker to cause arbitrary code to run in the
context of the root user.  
 
Analysis: This issue is trivial to exploit; the argument to the
command line parameter "-xrm" is stored in the heap area of memory,
and an attacker can place shellcode in it for later execution. This
eliminates the need for alignment and offset brute forcing.

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2002-1129 to this issue.

This vulnerability was exclusively disclosed to iDEFENSE by Euan
Briggs (euan_briggs () btinternet com)


DETECTION

These issues were tested on OSF1 3.2 with working exploit code.


WORKAROUND

Remove the setuid bit from the binaries, however affecting their
functionality:

$ chmod u-s /path.to/dxterm
$ chmod u-s /path.to/inc
$ chmod u-s /path.to/uucp


VENDOR RESPONSE

According to HP:

"HP and Compaq have corrected the issues in subsequent releases of HP
Tru64 UNIX. HP strongly recommends that OSF V3.* Customers update to
a minimum of Tru64 UNIX V5.1 and apply all available patches.

REPORT: To report a potential security vulnerability with any HP or
Compaq supported product, send email to: security-alert () hp com"


DISCLOSURE TIMELINE

August 16, 2002 - Disclosed to iDEFENSE
September 6, 2002 - Disclosed to security-alert () hp com
September 6, 2002 - Disclosed to iDEFENSE clients
Sepetember 6, 2002 - First human response from HP (Rich.Boren () hp com)
September 13, 2002 - Follow-up email from iDEFENSE to
Rich.Boren () hp com
September 16, 2002 - Official vendor response received from
Rich.Boren () hp com
September 18, 2002 - Public Disclosure



http://www.idefense.com/contributor.html

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler () idefense com
www.idefense.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

iDEFENSE Security Advisory 09.18.2002: Security Vulnerabilities in OSF1/Tru64 3. David Endler (Sep 18)
- iDEFENSE Security Advisory 09.18.2002: Security Vulnerabilities in OSF1/Tru64 3. KF (Sep 18)
- <Possible follow-ups>
- iDEFENSE Security Advisory 09.18.2002: Security Vulnerabilities in OSF1/Tru64 3. Steven M. Christey (Sep 19)
  - iDEFENSE OSF1/Tru64 3.x vuln clarification KF (Sep 19)
    - iDEFENSE OSF1/Tru64 3.x vuln clarification Ian A. Finlay (Sep 20)