From owner-freebsd-current Tue Aug 29 09:12:58 1995
Return-Path: current-owner
Received: (from majordom@localhost) by freefall.FreeBSD.org (8.6.11/8.6.6) id JAA13209 for current-outgoing; Tue, 29 Aug 1995 09:12:58 -0700
Received: from grunt.grondar.za (grunt.grondar.za [196.7.18.129]) by freefall.FreeBSD.org (8.6.11/8.6.6) with ESMTP id JAA13152 for ; Tue, 29 Aug 1995 09:12:29 -0700
Received: from grumble.grondar.za (grumble.grondar.za [196.7.18.130]) by grunt.grondar.za (8.6.12/8.6.9) with ESMTP id SAA10610 for ; Tue, 29 Aug 1995 18:12:13 +0200
Received: from localhost (localhost [127.0.0.1]) by grumble.grondar.za (8.6.11/8.6.9) with SMTP id SAA12783 for ; Tue, 29 Aug 1995 18:12:12 +0200
Message-Id: <199508291612.SAA12783@grumble.grondar.za>
X-Authentication-Warning: grumble.grondar.za: Host localhost didn't use HELO protocol
To: current@freebsd.org
Subject: syslog(3) security hole...
Date: Tue, 29 Aug 1995 18:12:11 +0200
From: Mark Murray
Sender: current-owner@freebsd.org
Precedence: bulk

Hi folks

Take a look at this. Are we vulnerable?

M

------- Forwarded Message

From: pvh@ucthpx.uct.ac.za (P van Heusden)
Subject: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995 (fwd)
To: asturman@aztec.co.za, mark@grondar.za
Date: Tue, 29 Aug 1995 11:36:46 +0200 (SAST)

Forwarded message:

Subject: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
To: 8lgm-advisories@8lgm.org, bugtraq@crimelab.com, firewalls@greatcircle.com
Date: Tue, 29 Aug 1995 02:33:37 +0100 (BST)

=============================================================================
Virtual Domain Hosting Services provided by The FOURnet Information Network
mail webserv@FOUR.net or see http://www.four.net
=============================================================================

[8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995

VULNERABLE PROGRAMS:

    All programs calling syslog(3) with user supplied data, without
    checking argument lengths.

KNOWN VULNERABLE PLATFORMS:

    SunOS 4.1.*

KNOWN SECURE PLATFORMS:

    None at present.
DESCRIPTION:

    syslog(3) uses an internal buffer to build messages. However, it
    performs no bounds checking, and relies on the caller to check
    arguments passed to it.

IMPACT:

    Local and remote users can obtain root access.

REPEAT BY:

    We have written an example exploit to overwrite syslog(3)'s internal
    buffer using SunOS sendmail(8). However, due to the severity of this
    problem, this code will not be made available to anyone at this time.

    Please note that the exploit was fairly straightforward to put
    together, therefore expect exploits to be widely available soon after
    the release of this advisory.

    Here is an edited sample of using a modified telnet client to obtain
    a root shell through SunOS sendmail(8) on a sparc-based machine.

    legless[8lgm]% syslog_telnet localhost smtp
    Trying 127.0.0.1 ...
    Connected to localhost.
    Escape character is '^]'.
    220 legless.8lgm.org Sendmail 4.1/SMI-4.1 ready at Sun, 27 Aug 95 15:56:27 BST
    mail from: root
    250 root... Sender ok
    rcpt to: root
    250 root... Recipient ok
    data
    354 Enter mail, end with "." on a line by itself
    ^]
    syslog_telnet>
    ### At this point, we provide some information to the modified
    ### telnet client about the remote host. Then sparc instructions
    ### are sent over the link within the body of the message to
    ### execute a shell.
    ###
    ### As soon as data is finished (with .), sendmail will eventually
    ### report, through syslog(3), data about this message. syslog's
    ### internal buffer will be overwritten, and our supplied
    ### instructions are executed.
    Hit , then .
    .
    /usr/bin/id;
    uid=0(root) gid=0(wheel) groups=0(wheel)
    /bin/sh: ^M: not found
    uptime;
    3:57pm up 1:25, 5 users, load average: 0.11, 0.05, 0.00
    /bin/sh: ^M: not found
    exit;
    Connection closed by foreign host.
    ### Here we can see that sendmail has execed a shell as root,
    ### and that we can type commands. (Lines ending in ; are
    ### user input through the telnet client.)
    ###
    ### This exploit could be further expanded upon to encapsulate
    ### instructions within the body of a message, which can then
    ### be mailed out to a site (i.e. without the necessity to connect
    ### directly to the smtp port). This may be used to bypass
    ### firewalls.

WORKAROUNDS:

    We have two methods to ensure that syslog(3) cannot be used in the
    above manner.

    Fix syslog(3) to perform bounds checking. Shared libraries can then
    be fixed to use the new function. Statically linked programs will
    require rebuilding.

    Alternatively, ensure all calls to syslog(3), by all programs, check
    all arguments passed to syslog(3).

    Ideally both of the above should be implemented.

FIX:

    Contact vendors for fixes.

STATUS UPDATE:

    The file:

        [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995.README

    will be created on www.8lgm.org. This will contain updates on any
    further versions which are found to be vulnerable, and any other
    information received pertaining to this advisory.

- -----------------------------------------------------------------------
FEEDBACK AND CONTACT INFORMATION:

    majordomo@8lgm.org    (Mailing list requests - try 'help' for details)
    8lgm@8lgm.org         (Everything else)

8LGM FILESERVER:

    All [8LGM] advisories may be obtained via the [8LGM] fileserver.
    For details, 'echo help | mail 8lgm-fileserver@8lgm.org'

8LGM WWW SERVER:

    [8LGM]'s web server can be reached at http://www.8lgm.org.
    This contains details of all 8LGM advisories and other useful
    information.
===========================================================================

- --
- -----------------------------------------------------------------------
$ echo help | mail 8lgm-fileserver@8lgm.org    (Fileserver help)
majordomo@8lgm.org                             (Request to be added to list)
8lgm@8lgm.org                                  (General enquiries)
******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********

- --
******************************************************************************
Peter van Heusden    | UCT ITS/TSS         | "Ek vind geen klinkende
pvh@ucthpx.uct.ac.za | standard disclaimer |  rym vir rewolusie ..."
+27 21 650 3018      | applies             |  Joan Hambidge
                                             ("I find no ringing rhyme for revolution ...")

------- End of Forwarded Message
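The two workarounds the advisory lists (bounds-check inside syslog(3) itself, or have every caller clamp what it passes) written out in C, as an added example that is not the advisory's code, the SunOS libc, or FreeBSD's. The 1024-byte buffer size is an assumption modelled on the classic BSD syslog.c; the advisory does not state the SunOS figure. The `sendmail`/`from=%s` message shape and the 1999-byte sender string are constructed to mirror the advisory's sendmail case, not taken from any real log. `legacy_overflow_bytes` is an audit helper added here: it measures how far a given syslog call would have run past a fixed buffer, without ever writing into one.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the classic fixed internal buffer. The advisory does not
 * give the SunOS value; 1024 is modelled on BSD's syslog.c. */
#define LEGACY_BUF 1024

/*
 * The vulnerable shape the advisory describes, shown only as a comment and
 * deliberately not compiled: the library formats into a fixed array with a
 * call that never learns the array's size, so the caller's %s argument
 * decides how many bytes are written.
 *
 *     char tbuf[LEGACY_BUF], *p = tbuf;
 *     p += sprintf(p, "<%d>%s: ", pri, ident);
 *     vsprintf(p, fmt, ap);               <-- caller-controlled length
 */

/* Workaround 1 (library side): the same line built with vsnprintf. Returns
 * the length the complete message needed; a return >= outsz tells the caller
 * the text was truncated instead of running past the buffer. -1 on error. */
int build_syslog_line(char *out, size_t outsz, const char *ident,
                      const char *fmt, ...)
{
    va_list ap;
    int hdr, body;

    hdr = snprintf(out, outsz, "%s: ", ident);
    if (hdr < 0)
        return -1;
    if ((size_t)hdr >= outsz)           /* not even the ident fit */
        return hdr;
    va_start(ap, fmt);
    body = vsnprintf(out + hdr, outsz - (size_t)hdr, fmt, ap);
    va_end(ap);
    return body < 0 ? -1 : hdr + body;
}

/* Audit helper (added here): how many bytes would the unsafe pattern above
 * have written past a LEGACY_BUF buffer for this call? vsnprintf(NULL, 0, ...)
 * (C99) measures the formatted length without writing anywhere. 0 = fits. */
size_t legacy_overflow_bytes(const char *ident, const char *fmt, ...)
{
    va_list ap;
    int hdr, body;
    size_t need;

    hdr = snprintf(NULL, 0, "%s: ", ident);
    va_start(ap, fmt);
    body = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (hdr < 0 || body < 0)
        return 0;
    need = (size_t)hdr + (size_t)body + 1;      /* +1 for the NUL */
    return need > LEGACY_BUF ? need - LEGACY_BUF : 0;
}

/* Workaround 2 (caller side): clamp user-supplied data to a known length and
 * neutralise control characters before it is handed to syslog(3) via "%s",
 * so one field cannot fake a second log line. User data must only ever
 * travel through a "%s" argument, never as the fmt string itself. */
void sanitize_for_log(const char *in, char *out, size_t outsz)
{
    size_t i;

    if (outsz == 0)
        return;
    for (i = 0; in[i] != '\0' && i + 1 < outsz; i++) {
        unsigned char c = (unsigned char)in[i];
        out[i] = (c < 0x20 || c == 0x7f) ? '?' : in[i];
    }
    out[i] = '\0';
}

int main(void)
{
    /* Constructed sample: an SMTP sender name long enough to run off the
     * end of the legacy buffer, as in the advisory's sendmail case. */
    char big[2000], line[LEGACY_BUF], safe[256];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("overflow if unsafe: %zu bytes\n",
           legacy_overflow_bytes("sendmail", "from=%s", big));
    printf("bounded build returned %d, kept %zu chars\n",
           build_syslog_line(line, sizeof line, "sendmail", "from=%s", big),
           strlen(line));
    sanitize_for_log(big, safe, sizeof safe);
    printf("caller clamp kept %zu chars\n", strlen(safe));
    return 0;
}
```

The two halves are independent, which is the point of the advisory's "ideally both": a fixed libc protects statically linked binaries only after they are rebuilt, while a caller-side clamp protects a program even against a libc that was never fixed.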