Bugtraq mailing list archives

[8lgm]-Advisory-26.UNIX.rdist.20-3-1996 [Forwarded e-mail from


From: juphoff () tarsier cv nrao edu (Jeff Uphoff)
Date: Wed, 3 Jul 1996 18:56:28 -0400


------- start of forwarded message (RFC 934 encapsulation) -------
From: "[8LGM] Security Team" <8lgm () 8lgm org>
To: 8lgm-advisories () 8lgm org
Subject: [8lgm]-Advisory-26.UNIX.rdist.20-3-1996
Date: Wed, 3 Jul 1996 21:25:58 +0100 (BST)

=============================================================================
 Virtual Domain Hosting Services provided by The FOURnet Information Network
              mail webserv () FOUR net or see http://www.four.net
=============================================================================
             libC/Inside provided by Electris Software Limited
         mail electris () electris com or see http://www.electris.com
=============================================================================

                  [8lgm]-Advisory-26.UNIX.rdist.20-3-1996

PROGRAM:

        rdist

VULNERABLE VERSIONS:

        Solaris 2.*
        SunOS 4.1.*
        Potentially all versions running setuid root.

DESCRIPTION:

        rdist creates an error message based on a user-provided string,
        without checking bounds on the buffer used.  This buffer is
        on the stack, so an over-long string overwrites the stack and
        can be used to execute arbitrary instructions.

IMPACT:

        Local users can obtain superuser privileges.

EXPLOIT:

        A program was developed to verify this bug on a SunOS 4.1.3 machine,
        and succeeded in obtaining a shell running uid 0 from rdist.

DETAILS:

        Consider the following command, running as user bin.

        # rdist -d TestString -d TestString
        rdist: line 1: TestString redefined
        distfile: No such file or directory
        #

        Using libC/Inside, the following trace was obtained:-

        -----------------------------------------------------------------------
        libC/Inside Shared Library Tracing.  V1.0 (Solaris 2.5).
        Copyright (C) 1996, Electris Software Limited, All Rights Reserved.

                Tracing started Thu May  9 00:04:19 1996

                Pid is 18738
                Log file is /tmp/Inside.18738
                Log file descriptor is 3

                uid=2(bin) gid=2(bin) euid=0(root) groups=2(bin),3(sys)

                Program is rdist

        _start+0x30->atexit(call_fini)
        return(0)
        _start+0x3c->atexit(_fini)
        return(0)
        main+0x28->getuid()
        return(2)
        main+0x38->seteuid(2)
        return(0)
        main+0x5c->getuid()
        return(2)
        main+0x64->getpwuid(2)
        return((pw_name="bin", pw_passwd="x", pw_uid=2, pw_gid=2, pw_age="", \
        pw_comment="", pw_gecos="", pw_dir="/usr/bin", pw_shell=""))
        main+0xb0->strcpy(user, "bin")
        return("bin")
        main+0xc4->strcpy(homedir, "/usr/bin")
        return("/usr/bin")
        main+0xd4->gethostname(host, 32)
        return(0)
        (Arg 0 = "legless")
        main+0x10c->strcmp("-d", "-Server")
        return(17)
        define+0x30->strchr("TestString", '=')
        return((null))
        lookup+0x11c->malloc(16)
        return(0x33220)
        main+0x10c->strcmp("-d", "-Server")
        return(17)
        define+0x30->strchr("TestString", '=')
        return((null))
        lookup+0x88->strcmp("TestString", "TestString")
        return(0)
        lookup+0xcc->sprintf(0xeffff8a8, "%s redefined", "TestString")
        return(20)
                (Arg 0 = "TestString redefined")
        yyerror+0x1c->fflush(stdout)
        return(0)
        lookup+0xd4->fprintf(stderr, "rdist: line %d: %s\n", 1, \
                 "TestString redefined")
        return(36)
        main+0x444->mktemp("/tmp/rdistXXXXXX")
        return("/tmp/rdista004_m")
        main+0x4d8->fopen("distfile", "r")
        return((null))
        main+0x4fc->fopen("Distfile", "r")
        return((null))
        main+0x560->perror("distfile")
        return()
        main+0x568->exit(1)
        -----------------------------------------------------------------------

        At lookup+0xcc, sprintf() copies the string provided to an address
        on the stack.  rdist does not check the length of this string, so a
        sufficiently long string overflows the buffer and overwrites the
        stack beyond it.
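        The pattern behind the trace above, written out as an added example
        that is not the advisory's or rdist's own code: the unbounded
        sprintf() into a fixed stack buffer, beside a bounded form that
        reports truncation and a length check applied to the -d argument.
        The buffer size MSGBUF and the function names are assumptions; the
        advisory does not state the size of rdist's actual buffer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer; the advisory gives no figure for rdist's. */
#define MSGBUF 64

/* The pattern the trace shows at lookup+0xcc: an unbounded sprintf() of a
 * caller-controlled name into a fixed-size buffer on the stack.  Only safe
 * for names shorter than MSGBUF minus the suffix; longer names overflow. */
static void redefined_unsafe(const char *name)
{
    char buf[MSGBUF];
    sprintf(buf, "%s redefined", name);
    fprintf(stderr, "rdist: line %d: %s\n", 1, buf);
}

/* Hardened form: snprintf() never writes past bufsz and returns the length
 * the full message needed, so truncation is detectable.  Returns true only
 * when the whole message fit. */
bool redefined_safe(char *buf, size_t bufsz, const char *name)
{
    int need = snprintf(buf, bufsz, "%s redefined", name);
    return need >= 0 && (size_t)need < bufsz;
}

/* Input validation at the -d argument boundary: reject a definition name
 * that could not fit in the message buffer together with " redefined". */
bool define_name_ok(const char *name, size_t bufsz)
{
    return strlen(name) + strlen(" redefined") < bufsz;
}

int main(void)
{
    char buf[MSGBUF];
    char longname[4 * MSGBUF];

    /* Constructed inputs: the advisory's TestString and an over-long name. */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    redefined_unsafe("TestString");                 /* short name: fits */
    printf("short fits: %d\n", redefined_safe(buf, sizeof buf, "TestString"));
    printf("long fits:  %d\n", redefined_safe(buf, sizeof buf, longname));
    printf("long name accepted: %d\n", define_name_ok(longname, MSGBUF));
    return 0;
}
```

        The 20-byte result for "TestString" matches the return(20) recorded
        for sprintf() in the trace.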

FIX:

        Use a version of rdist that does not require setuid root privileges.

        Obtain a patch from your vendor.

STATUS UPDATE:

        The file:

        [8lgm]-Advisory-26.UNIX.rdist.20-3-1996.README

        will be created on www.8lgm.org.  This will contain updates on
        any further versions which are found to be vulnerable, and any
        other information received pertaining to this advisory.

-----------------------------------------------------------------------

FEEDBACK AND CONTACT INFORMATION:

        majordomo () 8lgm org      (Mailing list requests - try 'help'
                                 for details)

        8lgm () 8lgm org           (Everything else)

8LGM FILESERVER:

        All [8LGM] advisories may be obtained via the [8LGM] fileserver.
        For details, 'echo help | mail 8lgm-fileserver () 8lgm org'

8LGM WWW SERVER:

        [8LGM]'s web server can be reached at http://www.8lgm.org.
        This contains details of all 8LGM advisories and other useful
        information.
===========================================================================


--
-----------------------------------------------------------------------
$ echo help | mail 8lgm-fileserver () 8lgm org  (Fileserver help)
majordomo () 8lgm org                           (Request to be added to list)
8lgm () 8lgm org                                (General enquiries)
******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********
[8LGM] uses libC/Inside - the world's leading security analysis tool
   now available to the public. Visit http://www.electris.com
------- end -------


