Bugtraq mailing list archives
Re: from bugtraq: HP-UX 11.0 /usr/bin/kermit (fwd)
From: Frank da Cruz <fdc () columbia edu>
Date: Fri, 2 May 2003 15:11:53 EDT
> don't know if you have been involved already..

No, this is the first I've seen of it; thanks for sending it along.

On Fri, 2 May 2003 19:49:03 +0300 bt () delfi lt wrote to bugtraq () securityfocus com:
> Hi! There are many buffer overflows in kermit on HP-UX 11.0. I am sure it is vulnerable in other HP-UX versions, too, since "C-Kermit 6.0.192, 6 Sep 96, for HP-UX 10.00" is installed in HP-UX 11.0 by default.
These were fixed for C-Kermit 8.0 long ago. The current release of C-Kermit is 8.0.209. As far as I know, HP ships C-Kermit 8.0.200 or later with all HP-UX 11.xx's. I suspect anybody who has "C-Kermit 6.0.192, 6 Sep 96, for HP-UX 10.00" on HP-UX 11.00 or later must have upgraded their HP-UX version without also upgrading Kermit. If you have an older version of C-Kermit on ANY release of HP-UX all the way back to 5.21, you can get the current release here: http://www.columbia.edu/kermit/ckermit.html
> /usr/bin/kermit is setuid to bin and setgrp to daemon, so upon successful exploitation, a local user could get these privileges.
The setuid/setgid are required for all HP-UX programs that access serial ports.
> Example of one simple buffer overflow in kermit:
>
>   $ /usr/bin/kermit -C "ask `perl -e 'print "A" x 120'`"
>   Executing /usr/share/lib/kermit/ckermit.ini for UNIX...
>   Good Evening.
>   Segmentation fault (core dumped)
The syntax for the ASK command requires a variable name after the word ASK. Anyway, try it in C-Kermit 8.0:

  /usr/bin/kermit -C "ask foo `perl -e 'print "A" x 800'`"

If you increase 800 to some bigger number, the string is properly cut off at the end of the ASK prompt buffer.
> There are more kermit commands that are unchecked for correct parameter length: askq, define, assign, getc. Several of them use the same vulnerable function "doask". I am SURE that these are not all the vulnerabilities in kermit.
A thorough buffer-overflow / memory-leak audit was performed for C-Kermit 8.0 in early-mid 2000, and it was in public Alpha test before the end of 2000.
> One more thing (I am not sure if it is exploitable, but anyway):
>
>   [/home/xxxxxxxxxx] C-Kermit>set alarm %:%:%
>   Floating point exception (core dumped)
>
> Solution - take off setuid bits from /usr/bin/kermit.
Solution: use current version.
> In my opinion, patching kermit against these (and maybe many more) vulnerabilities is not an option, since the source of C-Kermit 6.0.192 is publicly available, and it is very buggy.
C-Kermit is maintained by the Kermit Project. Users don't have to "patch" it. If you give a HELP command, it says (among other things): Type SUPPORT to learn how to get technical support. Then if you give a SUPPORT command it tells you how to report problems.
> I tried to contact security-alert () hp com, but I got the error message "Client host rejected: Access denied" (spam?).
This topic was hashed over three years ago in Linux Bugtraq; C-Kermit 8.0 was released and furnished to HP in 2001.

Frank da Cruz
The Kermit Project
Columbia University
612 West 115th Street
New York NY 10025-7799 USA
Email: fdc () columbia edu
http://www.columbia.edu/kermit/
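As an added illustration of the fix described above (the prompt is cut off at the end of a fixed-size buffer instead of overrunning it), here is a small command parser in C. It is example code written for this page, not C-Kermit's own doask routine; the 256-byte buffer size, the function names and the constructed "ask foo AAAA..." input are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Fixed-size prompt buffer, as a command parser of this kind might keep.
   The size is an assumption for this example, not C-Kermit's real value. */
#define PROMPT_MAX 256

enum ask_status { ASK_NO_VARIABLE = -1, ASK_OK = 0, ASK_TRUNCATED = 1 };

/* Parse "ask <variable> <prompt text>" into bounded buffers.
   Returns ASK_NO_VARIABLE when the variable name is missing (a syntax error),
   ASK_TRUNCATED when the prompt had to be cut off at the end of the buffer,
   ASK_OK otherwise.  'var' and 'prompt' are always NUL-terminated on return
   and never written past their stated sizes. */
enum ask_status parse_ask(const char *cmdline, char *var, size_t varlen,
                          char *prompt, size_t promptlen)
{
    const char *p = cmdline;
    size_t namelen = 0, n, plen;

    while (*p && !isspace((unsigned char)*p)) p++;   /* skip the word "ask" */
    while (*p && isspace((unsigned char)*p)) p++;    /* and following blanks */

    while (p[namelen] && !isspace((unsigned char)p[namelen])) namelen++;
    if (namelen == 0) { var[0] = prompt[0] = '\0'; return ASK_NO_VARIABLE; }
    n = namelen < varlen ? namelen : varlen - 1;      /* bound the name too */
    memcpy(var, p, n); var[n] = '\0';
    p += namelen;
    while (*p && isspace((unsigned char)*p)) p++;

    plen = strlen(p);                 /* copy at most promptlen-1 bytes; the */
    if (plen >= promptlen) {          /* remainder is dropped, never written */
        memcpy(prompt, p, promptlen - 1);
        prompt[promptlen - 1] = '\0';
        return ASK_TRUNCATED;
    }
    memcpy(prompt, p, plen + 1);
    return ASK_OK;
}

/* Builds the constructed input "ask foo " followed by 'count' A's (mirroring
   the post's test) and parses it; *prompt_len_out gets the stored length. */
enum ask_status ask_demo(size_t count, size_t *prompt_len_out)
{
    static char line[2048];
    char var[32], prompt[PROMPT_MAX];
    size_t i, len = (size_t)snprintf(line, sizeof line, "ask foo ");
    if (count > sizeof line - len - 1) count = sizeof line - len - 1;
    for (i = 0; i < count; i++) line[len + i] = 'A';
    line[len + count] = '\0';
    enum ask_status st = parse_ask(line, var, sizeof var, prompt, sizeof prompt);
    if (prompt_len_out) *prompt_len_out = strlen(prompt);
    return st;
}
```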