Date: Fri, 19 Feb 1999 14:18:18 -0800
From: Lamont Granquist
To: BUGTRAQ@netspace.org
Subject: More Buffer Overflows in Digital Unix

1. No return-into-libc exploit for Digital Unix

I didn't understand the return-into-libc method really prior to my previous
BUGTRAQ post. Since then, I understand it a bit more, and Solar Designer has
informed me that such attacks will be very difficult due to the passing of
parameters in registers on this architecture. So, things look better for 3.x
admins, although AFAIK you can still just shove some shellcode into a buffer
that gets malloc()'d and then return into it.

2. Incorrect patch installation instructions in SSRT0583U.tar.gz

The initial patch installation instructions for SSRT0583U for 'at' and 'inc'
had incorrect instructions which would leave exploitable suid root binaries
lying around if they were followed to the letter, e.g.:

  # cp /patches/at at.new
  # chown root:bin at.new
  # chmod 4755 at.new
  # ln at at.orig
  # mv at.new at

These were later changed to read:

  # cp /patches/at at.new
  # chown root:bin at.new
  # chmod 4755 at.new
  # ln at at.orig
  # mv at.new at
  # chmod 400 at.orig

The MD5 checksums on the patch files are/were:

  bf03f67cf0ec69e335ba9dcc0cf88c13  SSRT0583U.tar.gz (old)
  d1da354134b0335548aa7f436414d94a  SSRT0583U.tar.gz (corrected)

To be sure you're okay:

  # chmod 400 /usr/bin/at.orig /usr/bin/mh/inc.orig /usr/shlib/libmh.so.orig

The patches are available at:

  ftp://xfer.service.digital.com/to_customer/SSRT0583U.tar.gz

3. DIGITAL NetWorker for DIGITAL UNIX, Version 4.4

There exists an exploitable buffer overflow in the program nsralist, which in
version 4.4 is setuid root. I have reports that the more current 5.2 version
does not install this program suid root. To check for this vulnerability:

  % ls -l /usr/opt/BRX440/BRXSOAKIT440/bin/nsralist
  -rws--x--x 1 root system 565248 Nov 26 1997 /usr/opt/BRX440/BRXSOAKIT440/bin/nsralist
  % /usr/opt/BRX440/BRXSOAKIT440/bin/nsralist -R `perl -e 'print "a" x 4000'`
  nsralist: RPC error, Program not registered
  Segmentation fault

The fix is to strip the suid root bits off of everything in that directory,
and to upgrade to version 5.2 or later. Obviously, "BRX440" contains the
version number and other possibly exploitable versions may be in different
directories, so:

  % find /usr/opt -name nsralist -exec ls -la \{\} \;

Or better, just scan your entire machine for suid/sgid files.

4. /usr/bin/rdist CA-96.14.rdist_vul

This bug was apparently first described in CA-91.20.rdist.vulnerability, then
CA-94.04.SunOS.rdist.vulnerability and later in CA-96.14.rdist_vul. This was a
bug in common code which DEC apparently claimed to have fixed with patches to
OSF 3.2C and prior platforms and which should have been included in all the
4.0 releases. Unfortunately, 4.0D with patch kit #3 still has this bug:

  % /usr/bin/rdist -d `perl -e 'print "a" x 300'` -d `perl -e 'print "a" x 300'`
  rdist: line 1: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa redefined
  Segmentation fault

Luckily, this is difficult to exploit because the "..aaa redefined" is what
gets pushed onto the stack, which means that either you jump to a location in
memory with no 0x00's or else you overwrite the ra with the tail end of
"redefined", which probably means 0x164656369 as the most useful address, and
*I* cannot figure out how to get code into that location. This lets one mess
around with the return address way too much, though. If anyone figures out
how to exploit this, please let me know.

Exploit code for this advisory on rootshell.com includes code for IRIX
(irix-buffer.txt 6/15/97 for 'ordist') and FreeBSD (rdist-ex.c 8/26/96).

Thanks for suggesting this one go out to minus- on #phrack.

5. /usr/bin/rdist CA-97.23.rdist

In the CERT advisory on this subject, Digital claimed "This reported problem
is not present for Digital's ULTRIX or Digital UNIX Operating Systems
Software." This is entirely inaccurate:

  % /usr/bin/rdist -d bleh=`perl -e 'print "a" x 8200'` -c /tmp/ '${bleh}'
  rdist: line 1: Pathname too long
  rdist: line 1: Pathname too long
  rdist: line 1: Pathname too long
  rdist: line 1: Pathname too long
  rdist: line 1: Pathname too long
  rdist: line 1: Pathname too long
  rdist: line 1: Pathname too long
  rdist: line 1: Pathname too long
  rdist: line 1: Pathname too long
  rdist: line 1: Pathname too long
  Segmentation fault

(Again, you need to do this from a reasonably recent version of tcsh which
will not choke on `perl -e 'print "a" x 8200'` with a "Word too long" error.)

Exploitation of this bug is completely straightforward, although the script
that I included with /usr/bin/mh/inc will need to be modified. This buffer
overflow exists on all versions of Digital Unix from 4.0 up through 4.0D with
patch kit #3. Digital is aware of this problem and is working on patches, but
I strongly suggest that admins take the suggestions offered in the CERT
advisory CA-97.23.rdist:

  1. strip the suid root bits off of /usr/bin/rdist
  2. install the rdist version from http://www.magnicomp.com/rdist/ which does
     not run suid root (www.magnicomp.com is the new home of the supported
     version of rdist which used to be at USC).

Exploit code for this advisory in the BUGTRAQ archives includes code for
Solaris 2.5-2.6 and is at:

  http://geek-girl.com/bugtraq/1998_3/0522.html

Thanks for this one go out to minus- on #phrack and _daveg_ for reminding me,
after I'd gotten all frustrated over CA-96.14, that there was a 2nd CERT
advisory on rdist and for digging up the Solaris exploit for me.

6. Exploit code

Sorry. No exploit code for the script kiddies this time. Exploitation of #3
and #5 is entirely straightforward. If anyone (CERT???) needs exploit code for
legitimate testing purposes, just send me e-mail.

7. Patches

Compaq has been made aware of the problem. Patches should be forthcoming.
Admins are, however, advised not to wait for the patches. NetWorker should be
upgraded or the suid root bits stripped off of it (this might impair
functionality; contact Compaq if you really need to know if you can do this),
and the publicly available non-suid rdist version should be used in place of
the suid root one provided with Digital Unix.

Yes, I released this prior to the patches being made available. I do so
because entirely satisfactory work-arounds exist; in fact, "work-arounds"
exist which are ultimately better than any patch that Compaq releases which
still keeps rdist suid root. The only way Compaq could come out with something
better would be to develop a non-exec-stack work-around for 4.0 or to
distribute privileged code binaries which had been compiled with something
like StackGuard. Unfortunately, I don't see Compaq doing this.

8. Reminder

There are undoubtedly many buffer overflows still to be found in Digital Unix.
Reduce your privileged code to a minimum:

  a. find all suid/sgid programs, strip the ones that aren't used and wrap the
     ones that are.
  b. hunt down all daemon processes and turn off the ones that you don't use
     -- use nmap, netstat -an and lsof.

--
Lamont Granquist                         lamontg@raven.genome.washington.edu
Dept. of Molecular Biotechnology         (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg@raven.genome.washington.edu | pgp -fka
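An added shell audit (example code, not from the original post, Digital or Compaq) that ties sections 2, 3 and 8 together: it lists every set-uid/set-gid file under a root, tags the names the post calls out (the SSRT0583U .orig backups, nsralist, rdist), and applies the post's `chmod 400` to any .orig backup that is still set-uid. Function names and tag strings are my own; the file names it looks for are the ones given in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit a tree for the set-uid /
# set-gid files this advisory talks about. Flagged names are the ones the post
# calls out: at.orig, inc.orig, libmh.so.orig (SSRT0583U backups that must be
# mode 400), nsralist (NetWorker 4.4) and rdist. Everything else is plain SUID.

# Print "TAG<TAB>path" for every set-uid or set-gid regular file under ROOT.
list_suid() {
    root=${1:-/}
    # POSIX find: -perm -4000 = set-uid bit set, -perm -2000 = set-gid bit set.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        case ${f##*/} in
            at.orig|inc.orig|libmh.so.orig) tag=PATCH-BACKUP ;;
            nsralist)                       tag=NETWORKER ;;
            rdist)                          tag=RDIST ;;
            *)                              tag=SUID ;;
        esac
        printf '%s\t%s\n' "$tag" "$f"
    done
}

# Echo how many hits carry one of the names the post calls out.
count_known_bad() {
    list_suid "$1" | grep -c -v '^SUID' || true
}

# Apply the post's fix for the patch backups: chmod 400 every still-set-uid
# .orig under ROOT (an absolute mode clears the suid bit too). Echoes the count.
lock_patch_backups() {
    list_suid "$1" | awk -F'\t' '$1 == "PATCH-BACKUP" { print $2 }' |
    while IFS= read -r f; do chmod 400 "$f" && echo "$f"; done | grep -c . || true
}

# Stand-alone use (read-only report): sh audit.sh --run [ROOT]
if [ "${1:-}" = --run ]; then
    list_suid "${2:-/}"
    echo "known-bad entries: $(count_known_bad "${2:-/}")"
fi
```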