1. No return-into-libc exploit for Digital Unix
I didn't really understand the return-into-libc method prior to my
previous BUGTRAQ post. Since then, I understand it a bit more and
Solar Designer has informed me that such attacks will be very
difficult due to the passing of parameters in registers on this
architecture. So, things look better for 3.x admins, although AFAIK
you can still just shove some shellcode into a buffer that gets
malloc()'d and then return into it.
2. Incorrect patch installation instructions in SSRT0583U.tar.gz
The initial patch installation instructions for SSRT0583U for 'at' and
'inc' were incorrect and would leave exploitable suid root binaries
lying around if they were followed to the letter, e.g.:
# cp /patches/at at.new
# chown root:bin at.new
# chmod 4755 at.new
# ln at at.orig
# mv at.new at
These were later changed to read:
# cp /patches/at at.new
# chown root:bin at.new
# chmod 4755 at.new
# ln at at.orig
# mv at.new at
# chmod 400 at.orig
The MD5 checksums on the patch files are/were:
bf03f67cf0ec69e335ba9dcc0cf88c13 SSRT0583U.tar.gz (old)
d1da354134b0335548aa7f436414d94a SSRT0583U.tar.gz (corrected)
To be sure you're okay:
# chmod 400 /usr/bin/at.orig /usr/bin/mh/inc.orig /usr/shlib/libmh.so.orig
The patches are available at:
ftp://xfer.service.digital.com/to_customer/SSRT0583U.tar.gz
3. DIGITAL NetWorker for DIGITAL UNIX, Version 4.4
There exists an exploitable buffer overflow in the program nsralist,
which in version 4.4 is setuid root. I have reports that the more
current 5.2 version does not install this program suid root. To check
for this vulnerability:
% ls -l /usr/opt/BRX440/BRXSOAKIT440/bin/nsralist
-rws--x--x 1 root system 565248 Nov 26 1997 /usr/opt/BRX440/BRXSOAKIT440/bin/nsralist
% /usr/opt/BRX440/BRXSOAKIT440/bin/nsralist -R `perl -e 'print "a" x 4000'`
nsralist: RPC error, Program not registered
Segmentation fault
The fix is to strip the suid root bits off of everything in that
directory, and to upgrade to version 5.2 or later.
Obviously, "BRX440" contains the version number, and other possibly
exploitable versions may be in different directories, so:
% find /usr/opt -name nsralist -exec ls -la \{\} \;
Or better just scan your entire machine for suid/sgid files.
4. /usr/bin/rdist CA-96.14.rdist_vul
This bug was apparently first described in CA-91.20.rdist.vulnerability,
then CA-94.04.SunOS.rdist.vulnerability and later in CA-96.14.rdist_vul.
This was a bug in common code which DEC apparently claimed to have
fixed with patches to OSF 3.2C and prior platforms and which should
have been included in all the 4.0 releases. Unfortunately, 4.0D with
patch kit #3 still has this bug:
% /usr/bin/rdist -d `perl -e 'print "a" x 300'` -d `perl -e 'print "a" x 300'`
rdist: line 1: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa redefined
Segmentation fault
Luckily, this is difficult to exploit because the "..aaa redefined" is
what gets pushed onto the stack which means that either you jump to a
location in memory with no 0x00's or else you overwrite the ra with
the tail end of "redefined" which probably means 0x164656369 as the
most useful address and *I* cannot figure out how to get code into that
location. This lets one mess around with the return address way too
much, though. If anyone figures out how to exploit this please let me
know.
Exploit code for this advisory on rootshell.com includes code for
IRIX (irix-buffer.txt 6/15/97 for 'ordist') and FreeBSD (rdist-ex.c
8/26/96).
Thanks for suggesting this one go out to minus- on #phrack.
5. /usr/bin/rdist CA-97.23.rdist
In the CERT advisory on this subject, Digital claimed "This reported
problem is not present for Digital's ULTRIX or Digital UNIX Operating
Systems Software." This is entirely inaccurate:
% /usr/bin/rdist -d bleh=`perl -e 'print "a" x 8200'` -c /tmp/ '${bleh}'
rdist: line 1: Pathname too long
rdist: line 1: Pathname too long
rdist: line 1: Pathname too long
rdist: line 1: Pathname too long
rdist: line 1: Pathname too long
rdist: line 1: Pathname too long
rdist: line 1: Pathname too long
rdist: line 1: Pathname too long
rdist: line 1: Pathname too long
rdist: line 1: Pathname too long
Segmentation fault
(again you need to do this from a reasonably recent version of tcsh
which will not choke on `perl -e 'print "a" x 8200'` with a "Word too
long" error)
Exploitation of this bug is completely straightforward, although the
script that I included with /usr/bin/mh/inc will need to be modified.
This buffer overflow exists on all versions of Digital Unix from 4.0
up through 4.0D with patch kit #3. Digital is aware of this problem
and is working on patches, but I strongly suggest that admins take
the suggestions offered in the CERT advisory CA-97.23.rdist:
1. strip the suid root bits off of /usr/bin/rdist
2. install the rdist version from
http://www.magnicomp.com/rdist/
which does not run suid root (www.magnicomp.com is the new home
of the supported version of rdist which used to be at USC).
Exploit code for this advisory in the BUGTRAQ archives includes
code for Solaris 2.5-2.6 and is at:
http://geek-girl.com/bugtraq/1998_3/0522.html
Thanks for this one go out to minus- on #phrack and _daveg_ for
reminding me after I'd gotten all frustrated over CA-96.14 that
there was a 2nd CERT advisory on rdist and for digging up the Solaris
exploit for me.
6. Exploit code
Sorry. No exploit code for the script kiddies this time. Exploitation
of #3 and #5 is entirely straightforward. If anyone (CERT???) needs
exploit code for legitimate testing purposes, just send me e-mail.
7. Patches
Compaq has been made aware of the problem. Patches should be
forthcoming. Admins are, however, advised not to wait for the
patches. NetWorker should be upgraded or the suid root bits
stripped off of it (this might impair functionality, contact Compaq
if you really need to know if you can do this) and the publicly
available non-suid rdist version should be used in place of the suid
root one provided with Digital Unix.
Yes I released this prior to the patches being made available. I
do so because entirely satisfactory work-arounds exist, in fact
"work-arounds" exist which are ultimately better than any patch that
Compaq releases which still keeps rdist suid root. The only way
Compaq could come out with something better would be to develop a
non-exec-stack work-around for 4.0 or to distribute privileged
code binaries which had been compiled with something like StackGuard.
Unfortunately, I don't see Compaq doing this.
8. Reminder
There are undoubtedly many buffer overflows still to be found in
Digital Unix. Reduce your privileged code to a minimum:
a. find all suid/sgid programs, strip the ones that aren't used and
wrap the ones that are.
b. hunt down all daemon processes and turn off the ones that you don't
use -- use nmap, netstat -an and lsof.
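The suid/sgid sweep recommended in (a), together with the check from
section 2 that patch-install leftovers such as at.orig and inc.orig no
longer carry the suid bit, as an added shell example. This is not code
from the original post: it works on a constructed demo tree under
mktemp rather than a real /usr, and the helper names (list_privileged,
leftover_privileged, fix_leftovers, make_demo_tree) are assumed for
illustration only.

```shell
#!/bin/sh
# Added example, not from the original post: audit a tree for setuid/setgid
# files and flag backup copies (at.orig, inc.orig, ...) that kept their bits.

# list_privileged ROOT: every regular file under ROOT with the setuid
# (-perm -4000) or setgid (-perm -2000) bit set, one path per line.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# leftover_privileged ROOT: the subset whose names look like patch-install
# leftovers. A flawed "ln at at.orig" kept the old vulnerable binary suid
# root; nothing named *.orig/*.new/*.bak should ever carry these bits.
leftover_privileged() {
    list_privileged "$1" | grep -E '\.(orig|new|bak)$'
}

# fix_leftovers ROOT: apply the advisory's remediation (chmod 400) to each
# leftover found, printing the paths it changed.
fix_leftovers() {
    leftover_privileged "$1" | while IFS= read -r f; do
        chmod 400 "$f" && printf 'fixed: %s\n' "$f"
    done
}

# Counts for scripting and assertions (tr strips the padding BSD wc emits).
count_privileged() { list_privileged "$1" | wc -l | tr -d ' '; }
count_leftovers()  { leftover_privileged "$1" | wc -l | tr -d ' '; }

# make_demo_tree: constructed stand-in for /usr after the flawed SSRT0583U
# instructions were followed to the letter. Prints the temporary root.
make_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/usr/bin/mh" "$demo/usr/shlib"
    for f in usr/bin/at usr/bin/at.orig usr/bin/mh/inc usr/bin/mh/inc.orig \
             usr/bin/ls usr/shlib/libmh.so.orig; do
        printf 'stub\n' > "$demo/$f"
    done
    # the patched binaries and the leftovers all still carry mode 4755
    chmod 4755 "$demo/usr/bin/at" "$demo/usr/bin/at.orig" \
               "$demo/usr/bin/mh/inc" "$demo/usr/bin/mh/inc.orig" \
               "$demo/usr/shlib/libmh.so.orig"
    chmod 755 "$demo/usr/bin/ls"      # ordinary binary, must not be listed
    printf '%s\n' "$demo"
}

# Stand-alone run: build the demo tree, report, remediate, report again.
root=$(make_demo_tree)
printf 'privileged files: %s, leftovers: %s\n' \
    "$(count_privileged "$root")" "$(count_leftovers "$root")"
fix_leftovers "$root"
printf 'after fix: privileged files: %s, leftovers: %s\n' \
    "$(count_privileged "$root")" "$(count_leftovers "$root")"
rm -rf "$root"
```

On a real machine run list_privileged / as root once, keep the output as a
baseline, and diff each later run against it; a new suid file, or any hit
from leftover_privileged, is what you want to look at first. The -perm
tests are the POSIX forms, so the script does not depend on GNU find.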
--
Lamont Granquist lamontg_at_raven.genome.washington.edu
Dept. of Molecular Biotechnology (206)616-5735 fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg_at_raven.genome.washington.edu | pgp -fka
Received on Fri Feb 19 1999 - 22:22:58 NZDT