[Full-Disclosure] iDEFENSE Security Advisory 09.18.2002: Security Vulnerabilities in OSF1/Tru64 3.

From: David Endler (dendler@idefense.com)
Date: 09/18/02


From: dendler@idefense.com (David Endler)
Date: Wed, 18 Sep 2002 17:06:49 -0400


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 09.18.2002
Security Vulnerabilities in OSF1/Tru64 3.x

DESCRIPTION

Three buffer overflow vulnerabilities exist in older versions of
Tru64/OSF1.

ISSUE 1

The uucp utility in Compaq’s Tru64/OSF1 3.x operating system contains
a locally exploitable buffer overflow which allows an attacker to
gain root privileges if the "source" command line parameter is a
string greater that approximately 8232 bytes in size. The executable
is installed setuid root which allows the attacker to cause arbitrary
code to run in the context of the root user.
 
Analysis: This issue is trivial to exploit; The parameter to the "-s"
command line argument is stored in the heap area of memory, and an
attacker can place shellcode in it for later execution. This
eliminates the need for offset brute forcing, however alignment
appears to be an issue in this case.

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2002-1127 to this issue.

This issue was exlcusively disclosed to iDEFENSE by Euan Briggs
(euan_briggs@btinternet.com)
 

ISSUE 2

The inc mail incorporation utility in Compaq’s OSF1 3.x operating
system contains a locally exploitable buffer overflow which allows an
attacker to gain root privileges if the "MH" environment variable
contains a string greater that approximately 8192 bytes in size. The
executable is installed setuid root which allows the attacker to
cause arbitrary code to run in the context of the root user.
 
Analysis: This issue is trivial to exploit; the content of the "HOME"
environment variable is stored in the heap area of memory, and an
attacker can place shellcode in it for later execution. This
eliminates the need for alignment and offset brute forcing.

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2002-1128 to this issue.

This issue was exclusively disclosed to iDEFENSE by Euan Briggs
(euan_briggs@btinternet.com)

 

ISSUE 3

Description: The dxterm utility in Compaq’s OSF1 3.x operating system
contains a locally exploitable buffer overflow which allows an
attacker to gain root privileges. The executable is installed setuid
root which allows the attacker to cause arbitrary code to run in the
context of the root user.
 
Analysis: This issue is trivial to exploit; the argument to the
command line parameter "-xrm" is stored in the heap area of memory,
and an attacker can place shellcode in it for later execution. This
eliminates the need for alignment and offset brute forcing.

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2002-1129 to this issue.

This vulnerability was exclusively disclosed to iDEFENSE by Euan
Briggs (euan_briggs@btinternet.com)

DETECTION

These issues were tested on OSF1 3.2 with working exploit code.

WORKAROUND

Remove the setuid bit from the binaries, however affecting their
functionality:

$ chmod u-s /path.to/dxterm
$ chmod u-s /path.to/inc
$ chmod u-s /path.to/uucp

VENDOR RESPONSE

According to HP:

"HP and Compaq have corrected the issues in subsequent releases of HP
Tru64 UNIX. HP strongly recommends that OSF V3.* Customers update to
a minimum of Tru64 UNIX V5.1 and apply all available patches.

REPORT: To report a potential security vulnerability with any HP or
Compaq supported product, send email to: security-alert@hp.com"

DISCLOSURE TIMELINE

August 16, 2002 - Disclosed to iDEFENSE
September 6, 2002 - Disclosed to security-alert@hp.com
September 6, 2002 - Disclosed to iDEFENSE clients
Sepetember 6, 2002 - First human response from HP (Rich.Boren@hp.com)
September 13, 2002 - Follow-up email from iDEFENSE to
Rich.Boren@hp.com
September 16, 2002 - Official vendor response received from
Rich.Boren@hp.com
September 18, 2002 - Public Disclosure

http://www.idefense.com/contributor.html

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@idefense.com
www.idefense.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.2
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

iQA/AwUBPYjo0UrdNYRLCswqEQJnywCfd96gfT2x0jRODc3bb6r/tMmSb24An1WE
e9zdAzR99PtprllGJpch001e
=/879
-----END PGP SIGNATURE-----



Relevant Pages