Date: Wed, 3 Jul 1996 23:01:39 -0400 (EDT)
From: Brian Tao <taob@io.org>
To: Dan Polivy <danp@carebase3.jri.org>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: is FreeBSD's rdist vulnerable?
Message-ID: <Pine.NEB.3.92.960703230037.20017C-100000@zap.io.org>
In-Reply-To: <Pine.BSF.3.91.960703191714.1090A-100000@carebase3.jri.org>
On Wed, 3 Jul 1996, Dan Polivy wrote:
>
> Has anyone read 8lgm's rdist advisory and attempted to see whether or not
> FreeBSD's rdist is vulnerable?
For those of you who haven't seen the advisory...
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
>>>>>
From: "[8LGM] Security Team" <8lgm@8lgm.org>
To: 8lgm-advisories@8lgm.org
Subject: [8lgm]-Advisory-26.UNIX.rdist.20-3-1996
Date: Wed, 3 Jul 1996 21:25:58 +0100 (BST)
=============================================================================
Virtual Domain Hosting Services provided by The FOURnet Information Network
mail webserv@FOUR.net or see http://www.four.net
=============================================================================
libC/Inside provided by Electris Software Limited
mail electris@electris.com or see http://www.electris.com
=============================================================================
[8lgm]-Advisory-26.UNIX.rdist.20-3-1996
PROGRAM:
rdist
VULNERABLE VERSIONS:
Solaris 2.*
SunOS 4.1.*
Potentially all versions running setuid root.
DESCRIPTION:
rdist creates an error message based on a user provided string,
without checking bounds on the buffer used. This buffer is
on the stack, and can therefore be used to execute arbitrary
instructions.
IMPACT:
Local users can obtain superuser privileges.
EXPLOIT:
A program was developed to verify this bug on a SunOS 4.1.3 machine,
and succeeded in obtaining a shell running uid 0 from rdist.
DETAILS:
Consider the following command, running as user bin.
# rdist -d TestString -d TestString
rdist: line 1: TestString redefined
distfile: No such file or directory
#
Using libC/Inside, the following trace was obtained:-
-----------------------------------------------------------------------
libC/Inside Shared Library Tracing. V1.0 (Solaris 2.5).
Copyright (C) 1996, Electris Software Limited, All Rights Reserved.
Tracing started Thu May 9 00:04:19 1996
Pid is 18738
Log file is /tmp/Inside.18738
Log file descriptor is 3
uid=2(bin) gid=2(bin) euid=0(root) groups=2(bin),3(sys)
Program is rdist
_start+0x30->atexit(call_fini)
return(0)
_start+0x3c->atexit(_fini)
return(0)
main+0x28->getuid()
return(2)
main+0x38->seteuid(2)
return(0)
main+0x5c->getuid()
return(2)
main+0x64->getpwuid(2)
return((pw_name="bin", pw_passwd="x", pw_uid=2, pw_gid=2, pw_age="", \
pw_comment="", pw_gecos="", pw_dir="/usr/bin", pw_shell=""))
main+0xb0->strcpy(user, "bin")
return("bin")
main+0xc4->strcpy(homedir, "/usr/bin")
return("/usr/bin")
main+0xd4->gethostname(host, 32)
return(0)
(Arg 0 = "legless")
main+0x10c->strcmp("-d", "-Server")
return(17)
define+0x30->strchr("TestString", '=')
return((null))
lookup+0x11c->malloc(16)
return(0x33220)
main+0x10c->strcmp("-d", "-Server")
return(17)
define+0x30->strchr("TestString", '=')
return((null))
lookup+0x88->strcmp("TestString", "TestString")
return(0)
lookup+0xcc->sprintf(0xeffff8a8, "%s redefined", "TestString")
return(20)
(Arg 0 = "TestString redefined")
yyerror+0x1c->fflush(stdout)
return(0)
lookup+0xd4->fprintf(stderr, "rdist: line %d: %s\n", 1, \
"TestString redefined")
return(36)
main+0x444->mktemp("/tmp/rdistXXXXXX")
return("/tmp/rdista004_m")
main+0x4d8->fopen("distfile", "r")
return((null))
main+0x4fc->fopen("Distfile", "r")
return((null))
main+0x560->perror("distfile")
return()
main+0x568->exit(1)
-----------------------------------------------------------------------
At lookup+0xcc, sprintf() copies the string provided to an address
on the stack. rdist does not check the length of this string,
so a large string would overwrite the stack.
FIX:
Use a version of rdist that does not require setuid root privileges.
Obtain a patch from your vendor.
STATUS UPDATE:
The file:
[8lgm]-Advisory-26.UNIX.rdist.20-3-1996.README
will be created on www.8lgm.org. This will contain updates on
any further versions which are found to be vulnerable, and any
other information received pertaining to this advisory.
-----------------------------------------------------------------------
FEEDBACK AND CONTACT INFORMATION:
majordomo@8lgm.org (Mailing list requests - try 'help'
for details)
8lgm@8lgm.org (Everything else)
8LGM FILESERVER:
All [8LGM] advisories may be obtained via the [8LGM] fileserver.
For details, 'echo help | mail 8lgm-fileserver@8lgm.org'
8LGM WWW SERVER:
[8LGM]'s web server can be reached at http://www.8lgm.org.
This contains details of all 8LGM advisories and other useful
information.
===========================================================================
--
-----------------------------------------------------------------------
$ echo help | mail 8lgm-fileserver@8lgm.org (Fileserver help)
majordomo@8lgm.org (Request to be added to list)
8lgm@8lgm.org (General enquiries)
******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********
[8LGM] uses libC/Inside - the world's leading security analysis tool
now available to the public. Visit http://www.electris.com
<<<<<
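The defect the advisory pins to lookup+0xcc, shown as an added example that is not rdist's source and not part of the original message: the unbounded sprintf() into a stack buffer beside a bounded rewrite that checks whether the message fits. MSGBUF, the function names and the constructed long input are assumptions for illustration.

```c
/* Added example, not rdist's source: the unbounded sprintf() pattern the
 * trace shows at lookup+0xcc, beside a bounded replacement.  MSGBUF and
 * the function names are assumptions chosen for illustration. */
#include <stdio.h>
#include <string.h>

#define MSGBUF 64              /* assumed size of rdist's stack buffer */
#define SUFFIX " redefined"    /* fixed part of the message */

/* Before: `name` is the caller-controlled -d argument.  sprintf() writes
 * strlen(name) + sizeof(SUFFIX) bytes however small `buf` is, so a long
 * name runs past the end of the stack buffer.  Kept for comparison and
 * only ever called with a short name here. */
static int redefined_msg_unbounded(const char *name, char *out, size_t outsz)
{
    char buf[MSGBUF];
    sprintf(buf, "%s" SUFFIX, name);          /* no bound on `name` */
    return snprintf(out, outsz, "%s", buf) < (int)outsz ? 0 : -1;
}

/* The check rdist lacked: does "<name> redefined" plus its NUL fit? */
static int redefined_msg_fits(const char *name, size_t bufsz)
{
    return strlen(name) + sizeof(SUFFIX) <= bufsz;   /* sizeof counts NUL */
}

/* After: snprintf() never writes past `buf`, and its return value (the
 * length the full message would have had) reveals truncation.  Returns
 * 0 with the message in `out`, or -1 if the message did not fit. */
static int redefined_msg_bounded(const char *name, char *out, size_t outsz)
{
    char buf[MSGBUF];
    int n = snprintf(buf, sizeof buf, "%s" SUFFIX, name);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;                            /* would have overflowed */
    return snprintf(out, outsz, "%s", buf) < (int)outsz ? 0 : -1;
}

int main(void)
{
    char out[MSGBUF], big[4 * MSGBUF];        /* `big` is a constructed input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (redefined_msg_bounded("TestString", out, sizeof out) == 0)
        printf("rdist: line 1: %s\n", out);   /* same text as the trace */
    printf("%zu-byte name fits: %d, bounded returns %d\n", strlen(big),
           redefined_msg_fits(big, MSGBUF), redefined_msg_bounded(big, out, sizeof out));
    return 0;
}
```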