[2890] in bugtraq
[linux-security] [8lgm]-Advisory-26.UNIX.rdist.20-3-1996
daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Thu Jul 4 15:14:24 1996
Date: Thu, 4 Jul 1996 13:10:16 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Red Hat 3.0.3 and Slackware 3.0 (the only distributions I've checked so
far) appear safe: by default, they do not install rdist setuid--though
the version that comes with them (rdist-6.1.0) would be vulnerable if
made setuid (by hand) after installation, for whatever strange reason.
(I've inspected the code, and the unchecked buffer is rather obvious.)
Note that there is no need to install rdist setuid if it is compiled to
use rsh vice rcmd(); rsh is the (safe) default, and is the compilation
method used by both Red Hat and Slackware.
Anyone care to take a look at other Linux distributions to check for
default installations that are configured for setuid/rcmd()?
--Up.
------- start of forwarded message (RFC 934 encapsulation) -------
From: "[8LGM] Security Team" <8lgm@8lgm.org>
To: 8lgm-advisories@8lgm.org
Subject: [8lgm]-Advisory-26.UNIX.rdist.20-3-1996
Date: Wed, 3 Jul 1996 21:25:58 +0100 (BST)
=============================================================================
Virtual Domain Hosting Services provided by The FOURnet Information Network
mail webserv@FOUR.net or see http://www.four.net
=============================================================================
libC/Inside provided by Electris Software Limited
mail electris@electris.com or see http://www.electris.com
=============================================================================
[8lgm]-Advisory-26.UNIX.rdist.20-3-1996
PROGRAM:
rdist
VULNERABLE VERSIONS:
Solaris 2.*
SunOS 4.1.*
Potentially all versions running setuid root.
DESCRIPTION:
rdist creates an error message based on a user provided string,
without checking bounds on the buffer used. This buffer is
on the stack, and can therefore be used to execute arbitrary
instructions.
IMPACT:
Local users can obtain superuser privileges.
EXPLOIT:
A program was developed to verify this bug on a SunOS 4.1.3 machine,
and succeeded in obtaining a shell running uid 0 from rdist.
DETAILS:
Consider the following command, running as user bin.
# rdist -d TestString -d TestString
rdist: line 1: TestString redefined
distfile: No such file or directory
#
Using libC/Inside, the following trace was obtained:-
-----------------------------------------------------------------------
libC/Inside Shared Library Tracing. V1.0 (Solaris 2.5).
Copyright (C) 1996, Electris Software Limited, All Rights Reserved.
Tracing started Thu May 9 00:04:19 1996
Pid is 18738
Log file is /tmp/Inside.18738
Log file descriptor is 3
uid=2(bin) gid=2(bin) euid=0(root) groups=2(bin),3(sys)
Program is rdist
_start+0x30->atexit(call_fini)
return(0)
_start+0x3c->atexit(_fini)
return(0)
main+0x28->getuid()
return(2)
main+0x38->seteuid(2)
return(0)
main+0x5c->getuid()
return(2)
main+0x64->getpwuid(2)
return((pw_name="bin", pw_passwd="x", pw_uid=2, pw_gid=2, pw_age="", \
pw_comment="", pw_gecos="", pw_dir="/usr/bin", pw_shell=""))
main+0xb0->strcpy(user, "bin")
return("bin")
main+0xc4->strcpy(homedir, "/usr/bin")
return("/usr/bin")
main+0xd4->gethostname(host, 32)
return(0)
(Arg 0 = "legless")
main+0x10c->strcmp("-d", "-Server")
return(17)
define+0x30->strchr("TestString", '=')
return((null))
lookup+0x11c->malloc(16)
return(0x33220)
main+0x10c->strcmp("-d", "-Server")
return(17)
define+0x30->strchr("TestString", '=')
return((null))
lookup+0x88->strcmp("TestString", "TestString")
return(0)
lookup+0xcc->sprintf(0xeffff8a8, "%s redefined", "TestString")
return(20)
(Arg 0 = "TestString redefined")
yyerror+0x1c->fflush(stdout)
return(0)
lookup+0xd4->fprintf(stderr, "rdist: line %d: %s\n", 1, \
"TestString redefined")
return(36)
main+0x444->mktemp("/tmp/rdistXXXXXX")
return("/tmp/rdista004_m")
main+0x4d8->fopen("distfile", "r")
return((null))
main+0x4fc->fopen("Distfile", "r")
return((null))
main+0x560->perror("distfile")
return()
main+0x568->exit(1)
-----------------------------------------------------------------------
At lookup+0xcc, sprintf() formats the user-supplied definition name
(taken straight from the second -d argument, as the trace shows) into a
fixed-size buffer on the stack at 0xeffff8a8. rdist never checks the
length of that name before the copy, so an argument longer than the
buffer overwrites whatever lies beyond it on the stack, which is what
lets an attacker redirect execution.
FIX:
Use a version of rdist that does not require setuid root privileges.
Obtain a patch from your vendor.
STATUS UPDATE:
The file:
[8lgm]-Advisory-26.UNIX.rdist.20-3-1996.README
will be created on www.8lgm.org. This will contain updates on
any further versions which are found to be vulnerable, and any
other information received pertaining to this advisory.
-----------------------------------------------------------------------
FEEDBACK AND CONTACT INFORMATION:
majordomo@8lgm.org (Mailing list requests - try 'help'
for details)
8lgm@8lgm.org (Everything else)
8LGM FILESERVER:
All [8LGM] advisories may be obtained via the [8LGM] fileserver.
For details, 'echo help | mail 8lgm-fileserver@8lgm.org'
8LGM WWW SERVER:
[8LGM]'s web server can be reached at http://www.8lgm.org.
This contains details of all 8LGM advisories and other useful
information.
===========================================================================
--
-----------------------------------------------------------------------
$ echo help | mail 8lgm-fileserver@8lgm.org (Fileserver help)
majordomo@8lgm.org (Request to be added to list)
8lgm@8lgm.org (General enquiries)
******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********
[8LGM] uses libC/Inside - the world's leading security analysis tool
now available to the public. Visit http://www.electris.com
------- end -------
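The sprintf() error path that the advisory's DETAILS section walks through, rebuilt as an added example beside a bounded rewrite. This is illustrative code written for this page, not rdist's source and not the 8lgm proof-of-concept: the buffer size ERRBUF, the function names, and the constructed 200-byte argument are assumptions (the advisory does not state the real buffer size). The numbers line up with the trace: "TestString redefined" is the 20 characters sprintf() reports, plus a NUL.

```c
/* Added example (not rdist's source): the lookup() error-path pattern the
 * advisory describes, rebuilt from the trace, beside a bounded version.
 * ERRBUF, the function names and the long test argument are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>

#define ERRBUF 64              /* assumed size of the fixed stack buffer */
#define SUFFIX " redefined"    /* the literal part of rdist's message */

/* Bytes that sprintf(buf, "%s redefined", name) writes, NUL included.
 * For "TestString" this is 21: the 20 the trace reports plus the NUL. */
size_t redefined_msg_bytes(const char *name)
{
    return strlen(name) + strlen(SUFFIX) + 1;
}

/* 1 if formatting 'name' into a buffer of 'bufsize' bytes would overflow. */
int redefined_overflows(const char *name, size_t bufsize)
{
    return redefined_msg_bytes(name) > bufsize;
}

/* Vulnerable shape, as in the advisory: a fixed stack buffer and an
 * unbounded sprintf() of a user-supplied string. Only call this with a
 * 'name' for which redefined_overflows(name, ERRBUF) is 0; anything longer
 * corrupts the stack. Returns the length written, like sprintf(). */
int lookup_redefined_vuln(const char *name, int line)
{
    char buf[ERRBUF];
    int n = sprintf(buf, "%s" SUFFIX, name);   /* no bound check at all */
    fprintf(stderr, "rdist: line %d: %s\n", line, buf);
    return n;
}

/* Hardened shape 1: same buffer, but snprintf() bounds the write and the
 * return value is checked, so an over-long name is refused rather than
 * silently truncated or overflowed. Returns 0 on success, -1 if it did
 * not fit. */
int lookup_redefined_safe(const char *name, int line, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%s" SUFFIX, name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                             /* would have overflowed */
    fprintf(stderr, "rdist: line %d: %s\n", line, out);
    return 0;
}

/* Same check with a local ERRBUF-sized buffer, for callers that only
 * want the verdict. */
int lookup_redefined_safe_local(const char *name)
{
    char buf[ERRBUF];
    return lookup_redefined_safe(name, 1, buf, sizeof buf);
}

/* Hardened shape 2: no intermediate buffer. The variable part travels as
 * a %s argument straight to stderr, so no length assumption exists. */
void yyerror_fmt(int line, const char *fmt, ...)
{
    va_list ap;
    fflush(stdout);
    fprintf(stderr, "rdist: line %d: ", line);
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    fputc('\n', stderr);
}

/* Constructed input: a definition name of 'len' bytes, the kind of value
 * an attacker passes twice as 'rdist -d AAAA... -d AAAA...'. Returns
 * whether that name would overrun ERRBUF. */
int long_name_overflows(size_t len)
{
    char *s = malloc(len + 1);
    int verdict;
    if (!s)
        return -1;
    memset(s, 'A', len);
    s[len] = '\0';
    verdict = redefined_overflows(s, ERRBUF);
    free(s);
    return verdict;
}

int main(void)
{
    lookup_redefined_vuln("TestString", 1);            /* fits: 21 <= 64 */
    printf("safe(TestString) = %d\n", lookup_redefined_safe_local("TestString"));
    printf("200-byte name overflows ERRBUF: %d\n", long_name_overflows(200));
    yyerror_fmt(1, "%s" SUFFIX, "TestString");         /* bufferless path */
    return 0;
}
```

One further caveat the trace makes visible: the seteuid(2) call at main+0x38 lowers only the effective uid. The saved set-user-id of a setuid-root process stays 0, so code that takes control of the process after that call can reacquire root with seteuid(0) or setuid(0). That is why the FIX section's first line, a build that is not setuid at all, is the fix that actually removes the risk, and a hardened error path like the one above only closes this particular entry point.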