From 8lgm@8lgm.org Wed Jul 3 22:00:48 1996
Date: Wed, 3 Jul 1996 21:25:58 +0100 (BST)
From: "[8LGM] Security Team" <8lgm@8lgm.org>
To: 8lgm-advisories@8lgm.org
Subject: [8lgm]-Advisory-26.UNIX.rdist.20-3-1996

=============================================================================
Virtual Domain Hosting Services provided by The FOURnet Information Network
mail webserv@FOUR.net or see http://www.four.net
=============================================================================
libC/Inside provided by Electris Software Limited
mail electris@electris.com or see http://www.electris.com
=============================================================================

[8lgm]-Advisory-26.UNIX.rdist.20-3-1996

PROGRAM:

        rdist

VULNERABLE VERSIONS:

        Solaris 2.*
        SunOS 4.1.*
        Potentially all versions running setuid root.

DESCRIPTION:

        rdist builds an error message from a user-provided string without
        checking the bounds of the buffer it writes into. This buffer is on
        the stack, so overflowing it can be used to execute arbitrary
        instructions.

IMPACT:

        Local users can obtain superuser privileges.

EXPLOIT:

        A program was developed to verify this bug on a SunOS 4.1.3 machine,
        and succeeded in obtaining a shell running uid 0 from rdist.

DETAILS:

        Consider the following command, running as user bin.

        # rdist -d TestString -d TestString
        rdist: line 1: TestString redefined
        distfile: No such file or directory
        #

        Using libC/Inside, the following trace was obtained:-

-----------------------------------------------------------------------
libC/Inside Shared Library Tracing. V1.0 (Solaris 2.5).
Copyright (C) 1996, Electris Software Limited, All Rights Reserved.
Tracing started Thu May 9 00:04:19 1996
Pid is 18738
Log file is /tmp/Inside.18738
Log file descriptor is 3
uid=2(bin) gid=2(bin) euid=0(root) groups=2(bin),3(sys)
Program is rdist

_start+0x30->atexit(call_fini) return(0)
_start+0x3c->atexit(_fini) return(0)
main+0x28->getuid() return(2)
main+0x38->seteuid(2) return(0)
main+0x5c->getuid() return(2)
main+0x64->getpwuid(2) return((pw_name="bin", pw_passwd="x", pw_uid=2, pw_gid=2, pw_age="", \
        pw_comment="", pw_gecos="", pw_dir="/usr/bin", pw_shell=""))
main+0xb0->strcpy(user, "bin") return("bin")
main+0xc4->strcpy(homedir, "/usr/bin") return("/usr/bin")
main+0xd4->gethostname(host, 32) return(0) (Arg 0 = "legless")
main+0x10c->strcmp("-d", "-Server") return(17)
define+0x30->strchr("TestString", '=') return((null))
lookup+0x11c->malloc(16) return(0x33220)
main+0x10c->strcmp("-d", "-Server") return(17)
define+0x30->strchr("TestString", '=') return((null))
lookup+0x88->strcmp("TestString", "TestString") return(0)
lookup+0xcc->sprintf(0xeffff8a8, "%s redefined", "TestString") return(20) (Arg 0 = "TestString redefined")
yyerror+0x1c->fflush(stdout) return(0)
lookup+0xd4->fprintf(stderr, "rdist: line %d: %s\n", 1, \
        "TestString redefined") return(36)
main+0x444->mktemp("/tmp/rdistXXXXXX") return("/tmp/rdista004_m")
main+0x4d8->fopen("distfile", "r") return((null))
main+0x4fc->fopen("Distfile", "r") return((null))
main+0x560->perror("distfile") return()
main+0x568->exit(1)
-----------------------------------------------------------------------

        At lookup+0xcc, sprintf() copies the user-supplied string into a
        buffer on the stack. rdist does not check the length of this
        string, so an overly long string overwrites the stack beyond that
        buffer.

FIX:

        Use a version of rdist that does not require setuid root
        privileges.

        Obtain a patch from your vendor.

STATUS UPDATE:

        The file:

                [8lgm]-Advisory-26.UNIX.rdist.20-3-1996.README

        will be created on www.8lgm.org.
        This will contain updates on any further versions which are found
        to be vulnerable, and any other information received pertaining to
        this advisory.

-----------------------------------------------------------------------

FEEDBACK AND CONTACT INFORMATION:

        majordomo@8lgm.org     (Mailing list requests - try 'help' for details)
        8lgm@8lgm.org          (Everything else)

8LGM FILESERVER:

        All [8LGM] advisories may be obtained via the [8LGM] fileserver.
        For details, 'echo help | mail 8lgm-fileserver@8lgm.org'

8LGM WWW SERVER:

        [8LGM]'s web server can be reached at http://www.8lgm.org.
        This contains details of all 8LGM advisories and other useful
        information.

===========================================================================
--
-----------------------------------------------------------------------
$ echo help | mail 8lgm-fileserver@8lgm.org    (Fileserver help)
majordomo@8lgm.org                             (Request to be added to list)
8lgm@8lgm.org                                  (General enquiries)
******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********
[8LGM] uses libC/Inside - the world's leading security analysis tool
now available to the public. Visit http://www.electris.com
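The sprintf() call at lookup+0xcc in the DETAILS section, shown as an added C example that is not part of the advisory or of rdist: the unbounded "%s redefined" pattern beside a bounded snprintf() form, plus the length check rdist lacked. ERRBUF is an assumed buffer size for illustration; the trace does not give the real one.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer at lookup+0xcc; the advisory does not
 * state the real size, so this is a placeholder for illustration. */
#define ERRBUF 256

/* The pattern the trace shows: sprintf() into a fixed stack buffer with an
 * unbounded, user-supplied name. Only safe while the name is short. */
void format_redefined_unsafe(char *buf, const char *name) {
    sprintf(buf, "%s redefined", name);
}

/* Hardened form: snprintf() never writes past bufsz bytes and returns the
 * length the full message needed, so truncation is detectable.
 * Returns true if the message fit, false if it was cut off. */
bool format_redefined_safe(char *buf, size_t bufsz, const char *name) {
    int needed = snprintf(buf, bufsz, "%s redefined", name);
    return needed >= 0 && (size_t)needed < bufsz;
}

/* The bounds check rdist lacked: would "%s redefined" for this name,
 * including its terminating NUL, exceed a buffer of bufsz bytes? */
bool would_overflow(size_t bufsz, const char *name) {
    return strlen(name) + strlen(" redefined") + 1 > bufsz;
}

/* Format a constructed name of name_len 'A's (capped at 1023) with the
 * hardened form and return the length actually stored in an ERRBUF buffer,
 * which can never exceed ERRBUF - 1 whatever the input length. */
size_t stored_len_for(size_t name_len) {
    static char name[1024];
    char buf[ERRBUF];
    if (name_len > sizeof name - 1) name_len = sizeof name - 1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    format_redefined_safe(buf, sizeof buf, name);
    return strlen(buf);
}

int main(void) {
    char buf[ERRBUF];
    format_redefined_unsafe(buf, "TestString");   /* short name: fits */
    printf("%s\n", buf);
    printf("hardened form stores %zu bytes for a 1000-byte name (buffer %d)\n",
           stored_len_for(1000), ERRBUF);
    return 0;
}
```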