Bugtraq mailing list archives

Re: from bugtraq: HP-UX 11.0 /usr/bin/kermit (fwd)


From: Frank da Cruz <fdc () columbia edu>
Date: Fri, 2 May 2003 15:11:53 EDT

Don't know if you have been involved already...

No, this is the first I've seen of it; thanks for sending it along.

On Fri, 2 May 2003 19:49:03 +0300 bt () delfi lt wrote to
bugtraq () securityfocus com:

Hi!

There are many buffer overflows in kermit on HP-UX 11.0. I am sure it is
vulnerable in other HP-UX versions, too, since "C-Kermit 6.0.192, 6 Sep 96,
for HP-UX 10.00" is installed in HP-UX 11.0 by default.

These were fixed for C-Kermit 8.0 long ago.  The current release of C-Kermit
is 8.0.209.  As far as I know, HP ships C-Kermit 8.0.200 or later with all
HP-UX 11.xx's.  I suspect anybody who has "C-Kermit 6.0.192, 6 Sep 96, for
HP-UX 10.00" on HP-UX 11.00 or later must have upgraded their HP-UX version
without also upgrading Kermit.  If you have an older version of C-Kermit on
ANY release of HP-UX all the way back to 5.21, you can get the current
release here:

  http://www.columbia.edu/kermit/ckermit.html

/usr/bin/kermit is setuid to bin and setgid to daemon, so upon successful
exploitation, a local user could get these privileges.

The setuid/setgid are required for all HP-UX programs that access serial 
ports.

Example of one simple buffer overflow in kermit:
$ /usr/bin/kermit -C "ask `perl -e 'print "A" x 120'`"
Executing /usr/share/lib/kermit/ckermit.ini for UNIX...
Good Evening.
Segmentation fault (core dumped)

The syntax for the ASK command requires a variable name after the word ASK.
Anyway, try it in C-Kermit 8.0:

  /usr/bin/kermit -C "ask foo `perl -e 'print "A" x 800'`"

If you increase 800 to some bigger number, the string is properly cut off
at the end of the ASK prompt buffer.

There are more kermit commands whose parameter length is not checked:
askq, define, assign, getc. Several of them use the same vulnerable
function "doask". I am SURE that these are not all the vulnerabilities in
kermit.

A thorough buffer-overflow / memory-leak audit was performed for
C-Kermit 8.0 in early-mid 2000, and it was in public Alpha test before
the end of 2000.

One more thing (I am not sure if it is exploitable, but anyway):
[/home/xxxxxxxxxx] C-Kermit>set alarm %:%:%
Floating point exception (core dumped)

Solution: remove the setuid bits from /usr/bin/kermit.
 
Solution: use current version.

In my opinion, patching kermit against these (and maybe many more)
vulnerabilities is not an option, since the source of C-Kermit 6.0.192 is
publicly available, and it is very buggy.

C-Kermit is maintained by the Kermit Project.  Users don't have to "patch"
it.  If you give a HELP command, it says (among other things):

  Type SUPPORT to learn how to get technical support.

Then if you give a SUPPORT command it tells you how to report problems.

I tried to contact security-alert () hp com, but I got the error message
"Client host rejected: Access denied" (spam?).

This topic was hashed over three years ago in Linux Bugtraq; C-Kermit 8.0
was released and furnished to HP in 2001.

Frank da Cruz
The Kermit Project
Columbia University
612 West 115th Street
New York NY  10025-7799
USA
Email: fdc () columbia edu
http://www.columbia.edu/kermit/
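The bug class discussed in this thread (a command argument copied into a fixed-size prompt buffer with no length check, versus a copy that is "properly cut off at the end of the ASK prompt buffer") is shown below as an added illustration. It is not code from the original message or from C-Kermit; the buffer size PROMPT_MAX, the function names and the 1024-byte argument limit are assumptions made for the example, and the "A" runs mirror the perl one-liners in the report.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size of the fixed ASK prompt buffer in this illustration.  The value
 * is an assumption for the example, not C-Kermit's real buffer size. */
#define PROMPT_MAX 64

/* Vulnerable pattern (what the 6.0.192 report describes): the argument
 * is copied into a fixed buffer with no length check, so a prompt of
 * PROMPT_MAX or more bytes writes past the end of dst. */
static void set_prompt_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);           /* no bound: overflows for long src */
}

/* Hardened pattern (the behaviour the reply describes for 8.0): copy at
 * most dstsize-1 bytes, always NUL-terminate, and report truncation. */
int set_prompt_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);
    int truncated = (n >= dstsize);

    if (dstsize == 0)
        return truncated;
    if (truncated)
        n = dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Would an unchecked strcpy of src into a bufsize-byte buffer overflow?
 * strlen + 1 accounts for the terminating NUL. */
int would_overflow(const char *src, size_t bufsize)
{
    return strlen(src) + 1 > bufsize;
}

/* Build a run of n identical characters, the equivalent of
 * perl -e 'print "A" x n' in the report.  dst must hold n+1 bytes. */
void repeat_char(char *dst, size_t n, char c)
{
    memset(dst, c, n);
    dst[n] = '\0';
}

/* Would a run of n 'A's overflow the PROMPT_MAX buffer if copied unchecked?
 * (1024 is an assumed upper bound on the argument length for this demo.) */
int run_would_overflow(size_t n)
{
    char arg[1024];
    if (n >= sizeof arg)
        n = sizeof arg - 1;
    repeat_char(arg, n, 'A');
    return would_overflow(arg, PROMPT_MAX);
}

/* Length actually stored after a bounded copy of a run of n 'A's. */
size_t stored_len_for_run(size_t n)
{
    char arg[1024];
    char prompt[PROMPT_MAX];
    if (n >= sizeof arg)
        n = sizeof arg - 1;
    repeat_char(arg, n, 'A');
    set_prompt_bounded(prompt, sizeof prompt, arg);
    return strlen(prompt);
}

int main(void)
{
    char arg[1024];
    char prompt[PROMPT_MAX];
    size_t lens[] = { 12, 120, 800 };   /* 120 and 800 are from the thread */
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("%zu A's: unchecked copy into %d-byte buffer %s; "
               "bounded copy stores %zu bytes\n",
               lens[i], PROMPT_MAX,
               run_would_overflow(lens[i]) ? "OVERFLOWS" : "fits",
               stored_len_for_run(lens[i]));
    }

    /* The unchecked copy is only exercised on input that fits, so this
     * program itself stays memory-safe. */
    repeat_char(arg, 12, 'A');
    set_prompt_unchecked(prompt, arg);
    printf("unchecked copy of a short prompt: \"%s\"\n", prompt);
    return 0;
}
```

The check in set_prompt_bounded is the whole fix: the attacker still controls the content of the prompt, but never how many bytes land in the buffer, which is what matters for a setuid binary where the overflow would otherwise hand out bin/daemon privileges.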

