Vulnerability Development mailing list archives

Re: Compaq tru64 setuids /usr/bin/at and /usr/dt/bin/mailcv

From: Foldi Tamas <crow () localhost hu>
Date: Thu, 28 Mar 2002 09:20:43 +0100

On Wed, Mar 27, 2002 at 11:58:01AM -0500, KF wrote:
> Not really sure... the ladebug debugger gave me a headache so I didn't
> play with it much. If someone can point

Try with the dbx debugger instead of ladebug.

> me to a working tru64 gdb package I would find out some details. I was
> hoping that someone else from the
> list would be able to determine just that...is local root compromise
> possible?
> -KF


> alpha.snosoft.com> uname -a
> OSF1 alpha.snosoft.com V5.1 732 alpha
>
> alpha.snosoft.com> ls -al /usr/bin/at
> -rwsr-xr-x   1 root     bin        57760 Aug 24  2000 /usr/bin/at
>
> alpha.snosoft.com> /usr/bin/at `perl -e 'print "A" x 9000'`
> Memory fault - core dumped

[crow@darksun]% uname -a                               /usr/users/crow/
OSF1 darksun V5.1 1885 alpha
[crow@darksun]% ls -l /usr/bin/at                      /usr/users/crow/
-rwsr-xr-x   1 root     bin        57840 Aug  1  2001 /usr/bin/at
[crow@darksun]%  /usr/bin/at `perl -e 'print "A" x 9000'`
at: syntax error

(it seems the bug is fixed in 5.1A)

> alpha.snosoft.com> ls -al /usr/dt/bin/mailcv
> -rwsr-xr-x   1 root     bin        98368 Aug 25  2000 /usr/dt/bin/mailcv
>
> alpha.snosoft.com> /usr/dt/bin/mailcv -f  `perl -e 'print "A" x 9000'` A
> exception system:  exiting due to multiple internal errors:
>       exception dispatch or unwind stuck in infinite loop
>       exception dispatch or unwind stuck in infinite loop
> exception system:  exiting due to multiple internal errors:
>       exception dispatch or unwind stuck in infinite loop
>       exception dispatch or unwind stuck in infinite loop
> Abort - core dumped

[crow@darksun]% /usr/dt/bin/mailcv -f  `perl -e 'print "A" x 9000'` A
exception system:  exiting due to multiple internal errors:
        exception dispatch or unwind stuck in infinite loop
        exception dispatch or unwind stuck in infinite loop
exception system:  exiting due to multiple internal errors:
        exception dispatch or unwind stuck in infinite loop
        exception dispatch or unwind stuck in infinite loop
zsh: abort (core dumped)  /usr/dt/bin/mailcv -f `perl -e 'print "A" x 9000'` A

[crow@darksun]% dbx /usr/dt/bin/mailcv core   
dbx version 5.1
Type 'help' for help.
Core file created by program "mailcv"

warning: /usr/dt/bin/mailcv has no symbol table -- very little is supported
without it
thread 0x4 signal IOT/Abort trap at >*[_sigprocmask, 0x3ff800d5708]     bne     a3, 0x3ff800d5710
(dbx) where
   0 _sigprocmask(0x3ff00000001, 0x0, 0x3ff801229d8, 0x40c6666600000006, 0x3ff801869b4) [0x3ff800d5708]
   1 __sigprocmask(0x3ff801229d8, 0x40c6666600000006, 0x3ff801869b4, 0x0, 0x3ff801a9cd4) [0x3ff800d7d70]
   2 abort(0x3ff807e2364, 0x20, 0x0, 0x0, 0x600000000) [0x3ff801a9cd0]
   3 __exc_raise_status_exception(0x0, 0x0, 0x0, 0x0, 0x3ff800bedc8) [0x3ff807e2360]
[...]
  19 exc_raise_status_exception(0x0, 0x0, 0x0, 0x4000, 0x3ff807e320c) [0x3ff807e23e0]
  20 exc_dispatch_exception(0x3ffc00819c0, 0xc, 0x11fff8a40, 0x6, 0x1) [0x3ff807e3208]
  21 exc_raise_signal_exception(0xb0ffe0003, 0x80, 0x0, 0x3ff800e8f8c, 0x1) [0x3ff807e3e68]
  22 (unknown)() [0x3ff80577d80]
  23 __getopt(0x3ffc0099f18, 0x0, 0x0, 0x0, 0x0) [0x3ff800e8f8c]
(dbx)

As I see, this is not a buffer overflow (getopt called with NULL pointers).


Btw, before you start coding an exploit for alpha/tru64, you should check the
"executable_stack" setting with "sysconfig -q proc executable_stack". If it is
null, then exploiting is much harder.

Regards,
Tamas Foldi

-- 
        Quidquid latine dictum sit, altum sonatur.
        Whatever is said in Latin sounds profound.