[2165] in bugtraq
[8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
daemon@ATHENA.MIT.EDU (Mark Thomas)
Tue Aug 29 05:10:57 1995
Date: Tue, 29 Aug 1995 00:10:41 -0400
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Mark Thomas <Mark@Misty.com>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
Hi,
If anyone comes up with diffs to SunOS syslog() source for those
who have source access, or a replacement syslog.c routine to build into
libc, please post.
-Mark
Forwarded message:
> From <@punt.demon.co.uk,@bagpuss.demon.co.uk:owner-8lgm-advisories@8lgm.org> Mon Aug 28 23:24:24 1995
> From: "[8LGM] Security Team" <8lgm@8lgm.org>
> Message-Id: <199508290133.CAA15517@8lgm.org>
> Subject: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
> To: 8lgm-advisories@8lgm.org, bugtraq@crimelab.com, firewalls@greatcircle.com
> Date: Tue, 29 Aug 1995 02:33:37 +0100 (BST)
> X-Mailer: ELM [version 2.4 PL23]
> Content-Type: text
> Content-Length: 4460
>
> [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
>
> VULNERABLE PROGRAMS:
>
> All programs calling syslog(3) with user supplied data, without
> checking argument lengths.
>
> KNOWN VULNERABLE PLATFORMS:
>
> SunOS 4.1.*
>
> KNOWN SECURE PLATFORMS:
>
> None at present.
>
> DESCRIPTION:
>
> syslog(3) uses an internal buffer to build messages. However
> it performs no bound checking, and relies on the caller to
> check arguments passed to it.
>
> IMPACT:
>
> Local and remote users can obtain root access.
>
> REPEAT BY:
>
> We have written an example exploit to overwrite syslog(3)'s
> internal buffer using SunOS sendmail(8). However due to the
> severity of this problem, this code will not be made available
> to anyone at this time. Please note that the exploit was fairly
> straightforward to put together, therefore expect exploits to be
> widely available soon after the release of this advisory.
>
> Here is an edited sample of using a modified telnet client to
> obtain a root shell through SunOS sendmail(8) on a sparc
> based machine.
>
> legless[8lgm]% syslog_telnet localhost smtp
> Trying 127.0.0.1 ...
> Connected to localhost.
> Escape character is '^]'.
> 220 legless.8lgm.org Sendmail 4.1/SMI-4.1 ready at Sun,\
> 27 Aug 95 15:56:27 BST
> mail from: root
> 250 root... Sender ok
> rcpt to: root
> 250 root... Recipient ok
> data
> 354 Enter mail, end with "." on a line by itself
> ^]
> syslog_telnet>
>
> ### At this point, we provide some information to the modified
> ### telnet client about the remote host. Then sparc instructions
> ### are sent over the link within the body of the message to
> ### execute a shell.
> ###
> ### As soon as data is finished (with .), sendmail will eventually
> ### report, through syslog(3), data about this message. syslog's
> ### internal buffer will be overwritten, and our supplied
> ### instructions are executed.
>
> Hit <cr>, then .<cr>
>
> .
> /usr/bin/id;
> uid=0(root) gid=0(wheel) groups=0(wheel)
> /bin/sh: ^M: not found
> uptime;
> 3:57pm up 1:25, 5 users, load average: 0.11, 0.05, 0.00
> /bin/sh: ^M: not found
> exit;
> Connection closed by foreign host.
>
> ### Here we can see that sendmail has execed a shell as root,
> ### and that we can type commands. (lines ending in ; are
> ### user input through the telnet client).
> ###
> ### This exploit could be further expanded upon to encapsulate
> ### instructions within the body of a message, which can then
> be mailed out to a site (i.e. without the necessity to connect
> ### directly to the smtp port). This may be used to bypass
> ### firewalls.
>
> WORKAROUNDS:
>
> We have two methods to ensure that syslog(3) cannot be used in
> the above manner.
>
> Fix syslog(3), to perform bound checking. Shared libraries
> can be then fixed to use the new function. Statically linked
> programs will require rebuilding.
>
> Alternatively, ensure all calls to syslog(3), by all programs,
> check all arguments passed to syslog(3).
>
> Ideally both of the above should be implemented.
>
> FIX:
>
> Contact vendors for fixes.
>
> STATUS UPDATE:
>
> The file:
>
> [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995.README
>
> will be created on www.8lgm.org. This will contain updates on
> any further versions which are found to be vulnerable, and any
> other information received pertaining to this advisory.
>
> -----------------------------------------------------------------------
>
> FEEDBACK AND CONTACT INFORMATION:
>
> majordomo@8lgm.org (Mailing list requests - try 'help'
> for details)
>
> 8lgm@8lgm.org (Everything else)
>
> 8LGM FILESERVER:
>
> All [8LGM] advisories may be obtained via the [8LGM] fileserver.
> For details, 'echo help | mail 8lgm-fileserver@8lgm.org'
>
> 8LGM WWW SERVER:
>
> [8LGM]'s web server can be reached at http://www.8lgm.org.
> This contains details of all 8LGM advisories and other useful
> information.
> ===========================================================================
> --
> -----------------------------------------------------------------------
> $ echo help | mail 8lgm-fileserver@8lgm.org (Fileserver help)
> majordomo@8lgm.org (Request to be added to list)
> 8lgm@8lgm.org (General enquiries)
> ******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********
>
--
Mark G. Thomas (Mark@Misty.com)
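The following is an added illustration of the two workarounds in the advisory, not code from 8lgm, from SunOS libc, or from any poster in this thread. It models the message builder inside syslog(3) in the form the advisory describes (caller's data expanded into a fixed internal buffer with no bound) beside a bounded replacement. The 1024-byte buffer size, the fixed timestamp and priority, the `sendmail`-style `from=` line and all function names are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 1024   /* assumed size of syslog(3)'s internal message buffer */

/* Constructed values standing in for what syslog() would compute itself. */
#define SAMPLE_PRI   22                 /* LOG_MAIL|LOG_INFO: (2<<3)|6 */
#define SAMPLE_STAMP "Aug 28 23:24:24"  /* fixed timestamp, not the clock */

/* The pattern the advisory describes: the caller's format and arguments are
 * expanded into a fixed buffer with no length limit.  Rather than perform
 * that unbounded write (undefined behaviour once the data is too long),
 * this function measures what such a write would produce and reports
 * whether it exceeds LOG_BUF.  Returns 1 if the old builder would overflow,
 * 0 if the message fits. */
int syslog_unbounded_would_overflow(const char *ident, const char *fmt, ...)
{
    va_list ap;
    int n;

    n = snprintf(NULL, 0, "<%d>%s %s: ", SAMPLE_PRI, SAMPLE_STAMP, ident);
    va_start(ap, fmt);
    n += vsnprintf(NULL, 0, fmt, ap);   /* length the body would need */
    va_end(ap);
    return n + 1 > LOG_BUF;             /* +1 for the terminating NUL */
}

/* Bounded replacement: every write is limited to the space remaining in
 * out[], the result is always NUL-terminated, and the caller learns whether
 * anything was dropped.  Returns 0 if the whole message fit, 1 if it was
 * truncated, -1 on a formatting error. */
int syslog_bounded_build(char *out, size_t outsz, const char *ident,
                         const char *fmt, ...)
{
    va_list ap;
    size_t used;
    int n;

    if (outsz == 0)
        return -1;
    n = snprintf(out, outsz, "<%d>%s %s: ", SAMPLE_PRI, SAMPLE_STAMP, ident);
    if (n < 0)
        return -1;
    used = (size_t)n < outsz ? (size_t)n : outsz - 1;  /* header may itself be cut */
    va_start(ap, fmt);
    n = vsnprintf(out + used, outsz - used, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    return (size_t)n >= outsz - used;
}

/* Ordinary message: both builders agree it fits, and the text is exact. */
int demo_short_message(void)
{
    char out[LOG_BUF];
    int overflow = syslog_unbounded_would_overflow("sendmail", "from=%s", "root");
    int trunc = syslog_bounded_build(out, sizeof out, "sendmail", "from=%s", "root");
    return overflow == 0 && trunc == 0 &&
           strcmp(out, "<22>Aug 28 23:24:24 sendmail: from=root") == 0;
}

/* Constructed hostile input: a 1499-byte sender address of the kind sendmail
 * hands to syslog() when it logs a message.  The old builder would overflow;
 * the bounded one truncates and stays inside its buffer. */
int demo_long_sender(void)
{
    char sender[1500];
    char out[LOG_BUF];
    int overflow, trunc;

    memset(sender, 'A', sizeof sender - 1);
    sender[sizeof sender - 1] = '\0';
    overflow = syslog_unbounded_would_overflow("sendmail", "from=%s", sender);
    trunc = syslog_bounded_build(out, sizeof out, "sendmail", "from=%s", sender);
    return overflow == 1 && trunc == 1 && strlen(out) == (size_t)(LOG_BUF - 1);
}

int main(void)
{
    printf("short message: %s\n", demo_short_message() ? "fits in both" : "FAIL");
    printf("long sender:   %s\n", demo_long_sender()
           ? "old builder overflows, bounded builder truncates" : "FAIL");
    return 0;
}
```

The bounded builder is the shape of the advisory's first workaround (fix syslog(3) itself so it bounds every write); its return value is what a caller needs for the second workaround, since a program that cares about losing log data can test for truncation instead of trusting that its arguments were short enough. Note that the flag is the only thing the unbounded measuring function and the bounded builder share: the old code as modelled here never learns that anything was wrong, which is exactly why the advisory rates the problem as it does.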