Bugtraq mailing list archives

Re: Fw: Remote bufferoverflow exploit for ftpd from AIX 4.3.2


From: gerrie () HIT2000 ORG (Gerrie)
Date: Thu, 30 Sep 1999 04:20:45 +0200


W.H.J.Pinckaers writes:

sq01 () Yorku Ca <sq01 () Yorku Ca> wrote:

Hi,

Short of disabling ftpd completely, is there a work-around that will
not affect our users?



At this time: NO, but please make sure you are vulnerable first; we
did discover that this bug is very specific to AIX 4.3.2. (Most other
AIX versions aren't vulnerable to this particular bug.)


Actually, IBM does have an efix for this at:

ftp://aix.software.ibm.com/aix/efixes/security/ftpd.tar.Z


 ftpd.tar.Z . . . . . . . . . . . Sep 29 06:32     87k

I hereby admit that I was wrong: the 5 other email addresses the exploit was
mailed to didn't get to the right person.
Check this for the right email address, and the rest of the story.

Also, Troy did his job well.

first response:
Hi,
Thanks for the bugtraq post.  We'll have a fix out later tonight or
early tomorrow (EST).

I listen on the security-alert () austin ibm com email address and didn't
see anything regarding this.  Who in IBM did you send to?  I'm curious
because even a non-working exploit would show that the IAR was
overwritten.  At that point, it's definitely a problem that we'd fix as
soon as possible.

second response:
Quoting W.H.J.Pinckaers (W.H.J.Pinckaers () cpedu rug nl):

This was mailed about three weeks ago to the following addresses, all
with a question about the correct email address for such bugs:

security () ibm com
security-alert () ibm com
support () ibm com
support () nl ibm com
security () us ibm com

None of these mails bounced, the subject did make clear it was
a serious mail (and the body did make clear the bug was serious),
and none of these mails yielded a response.

Sounds like you tried to do the right thing and there was a breakdown
somewhere in IBM.  I don't know where the security*@ibm.com addresses
go, but I've sent email to our postmaster asking about them.

About a week later I was able to get a message to someone at IBM
(NL), who responded with a mail in Dutch stating that:

- They didn't see any result of the exploit (an earlier version)
- Asked me if I was sure that the FTPD was the one from AIX and
not another one
- Asked me to contact them for further steps
- In effect denied the existence of the bug (I for myself question the
knowledge of this person; I doubt he ever did anything security
related before (my 2 cents))

Maybe this was a level 1 support person who was trying to screen
incoming reports to determine who to contact next.  I agree that he
wasn't sensitive to the security implications.

I replied with a mail in Dutch with the following content (well, I don't
have the mail any more so it's just from my memory):
- Checking for a vulnerability isn't done by running an exploit.
(especially if you don't know what the exploit is supposed to do,
run /tmp/sh in this case)

Yep, most of my exploits use:

  awk 'BEGIN{for(i=0;i<1024;i++)printf"x"}'

A core dump with 0x78787878 in the IAR is a bad sign...  ;-)

My recommended further steps:
Check ftpd source for this bug, build a patch and release the patch.

Done.  We issued an advisory with a temporary fix this morning.
Hopefully the bugtraq post will show up soon (lately I've been receiving
posts up to 3 days behind).

Check ftpd source for other security bugs, patch them and release
them. Repeat the last step for all daemons and suid programs (to
begin with you still have /tmp races etc.)
(of course the latter is just dreaming from me)

The official fix will include additional sprintf -> snprintf fixes as
well.  They don't look exploitable but need to be fixed anyway.

We're always looking for new vulnerabilities, so if you know of any more
let us know.  We'll get symlink races fixed as well.  Of course we
prioritize based on severity, i.e., the ftpd report will always be fixed
before a symlink race in the sort command.

About a week ago I mailed this person (nlx3277 () nl ibm com, J.P.
Moelaert, AIX support, the Netherlands) asking him to inform me of
the progress with the bug; I still haven't received a reply. At this
time Gerrie did mail the exploit (without extra explanation) to
bugtraq and voilà, a reply from someone who seems to be able to
fix it in one day.

We actually found the exploit (on packetstorm, I think) on Monday so we
were almost finished with the fix when we saw the bugtraq post.  In
general, for a simple buffer overflow like this one, we can turn around
a temporary fix in 2 to 3 days.

P.S. I assume I can mail you directly in the future if I happen to find
another bug?

Yes, please.  Also copy security-alert () austin ibm com in case I ever get
a vacation.  ;-)

P.S. 2: In the exploit are a couple of questions (like does TOC
matter, what is TOC, how fixed are the addresses etc.); is it possible
to get these questions answered? (Just out of curiosity; I don't
really know much about RS6000 since I don't have access to one
(OK, I have had access for 3 days during Hit2000, in which I did find
and exploit the bug).)

I don't think I should give you too many answers.  :-)

However, our AIX documentation is available on the web:

   http://www.rs6000.ibm.com/doc_link/en_US/a_doc_lib/aixgen/

In particular, you might want to start with the section on Subroutine
Linkage Conventions or the "Programming the TOC" page:

   http://www.rs6000.ibm.com/doc_link/en_US/a_doc_lib/aixassem/alangref/linkage_convent.htm
   http://www.rs6000.ibm.com/doc_link/en_US/a_doc_lib/aixassem/alangref/program_toc.htm

Remote exploits on AIX are difficult due to hardware differences and
changes between releases (although they are possible, as you've shown).
Being able to find and exploit one in 3 days is quite a feat.

Besides problems related to TOC and upper case conversion, the ftpd
buffer overflow shell code must avoid 0xff bytes because ftpd ignores
them.

P.S. 3: www.rs6000.ibm.com is vulnerable (checked by sending a
5000 char string to the ftpd; it died). This is austin.ibm.com (if I
remember correctly).


Thanks.  We're in the process of notifying the IBM external ftp servers
now.

--
Troy Bollinger                            troy () austin ibm com
AIX Security Development        security-alert () austin ibm com
PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy
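The fix class Troy mentions above (sprintf -> snprintf) is worth seeing in working form, because a bare snprintf swap is only half the repair: the return value has to be checked or the overflow simply turns into silent truncation. The C below is an added illustration, not code from AIX ftpd or from anyone in this thread. The reply format string, the 256-byte buffer size and the helper names (format_reply, make_x_string) are assumptions made for the example; the 1024-byte run of 'x' is a constructed input mirroring the awk one-liner quoted earlier.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not IBM's ftpd code): the class of fix described in the
 * thread, replacing an unbounded sprintf into a fixed-size stack buffer
 * with snprintf and checking its return value so that truncation is
 * detected instead of ignored. REPLY_SIZE and the reply format are
 * assumptions for illustration only. */

#define REPLY_SIZE 256

/* Unsafe pattern: sprintf writes as many bytes as the argument needs.
 * An argument longer than the buffer overruns the stack; in the thread
 * this is what shows up as 0x78787878 ("xxxx") in the IAR after a crash.
 * Shown as a comment only, never compiled or run here:
 *
 *   char reply[REPLY_SIZE];
 *   sprintf(reply, "550 %s: No such file or directory.\r\n", path);
 */

/* Safe version: bounded write plus an explicit truncation check.
 * Returns 0 when the whole reply fit, -1 when it would have overflowed
 * (reply is still NUL-terminated, so the caller can safely discard it). */
int format_reply(char *reply, size_t reply_size, const char *path)
{
    int n = snprintf(reply, reply_size,
                     "550 %s: No such file or directory.\r\n", path);
    if (n < 0)
        return -1;                /* encoding error: treat as failure */
    if ((size_t)n >= reply_size)
        return -1;                /* output was cut short: caller must handle */
    return 0;
}

/* Constructed probe input, like the awk one-liner in the thread:
 * a run of 'x' bytes of the requested length (caller frees). */
char *make_x_string(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'x', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char reply[REPLY_SIZE];
    char *probe = make_x_string(1024);
    if (probe == NULL)
        return 1;

    if (format_reply(reply, sizeof reply, "etc/motd") == 0)
        printf("short path: %s", reply);

    if (format_reply(reply, sizeof reply, probe) != 0)
        printf("1024-byte path: truncated, reply not sent (%zu bytes kept)\n",
               strlen(reply));

    free(probe);
    return 0;
}
```

The point to take from it: with sprintf the 1024-byte path is a memory-safety bug; with snprintf and the return-value check it becomes an ordinary error path the daemon can log and refuse. Dropping the check would leave a reply that looks well-formed but is missing its tail, which is a protocol bug of its own.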


