[UNIX] Security Vulnerabilities in OSF1/Tru64 3.x
From: support@securiteam.com
Date: 09/22/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 22 Sep 2002 20:56:48 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Security Vulnerabilities in OSF1/Tru64 3.x
------------------------------------------------------------------------
SUMMARY
Three buffer overflow vulnerabilities exist in older versions of
Tru64/OSF1. This advisory describes each of the three buffer overflows
in turn.
DETAILS
Issue 1:
The uucp utility in Compaq's Tru64/OSF1 3.x operating system contains a
locally exploitable buffer overflow which allows an attacker to gain root
privileges if the "source" command line parameter is a string greater than
approximately 8232 bytes in size. The executable is installed setuid root,
which allows the attacker to cause arbitrary code to run in the context of
the root user.
Analysis:
This issue is trivial to exploit. The parameter to the "-s" command line
argument is stored in the heap area of memory, and an attacker can place
shellcode in it for later execution. This eliminates the need for offset
brute forcing, however alignment appears to be an issue in this case.
This issue was exclusively disclosed to iDEFENSE by
<mailto:euan_briggs@btinternet.com> Euan Briggs
Issue 2:
The inc mail incorporation utility in Compaq's OSF1 3.x operating system
contains a locally exploitable buffer overflow which allows an attacker to
gain root privileges if the "MH" environment variable contains a string
greater than approximately 8192 bytes in size. The executable is installed
setuid root, which allows the attacker to cause arbitrary code to run in the
context of the root user.
Analysis:
This issue is trivial to exploit; the content of the "HOME" environment
variable is stored in the heap area of memory, and an attacker can place
shellcode in it for later execution. This eliminates the need for
alignment and offset brute forcing.
This issue was exclusively disclosed to iDEFENSE by
<mailto:euan_briggs@btinternet.com> Euan Briggs
Issue 3:
The dxterm utility in Compaq's OSF1 3.x operating system contains a
locally exploitable buffer overflow that allows an attacker to gain root
privileges. The executable is installed setuid root, which allows the
attacker to cause arbitrary code to run in the context of the root user.
Analysis:
This issue is trivial to exploit; the argument to the command line
parameter "-xrm" is stored in the heap area of memory, and an attacker can
place shellcode in it for later execution. This eliminates the need for
alignment and offset brute forcing.
This vulnerability was exclusively disclosed to iDEFENSE by
<mailto:euan_briggs@btinternet.com> Euan Briggs
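All three issues share one pattern: a caller-controlled string (a command line option or an environment variable) is copied into a fixed-size heap buffer with no length check, so a string of roughly 8 KB or more overruns the allocation. The following C code is an added illustration of that pattern and of the bounded replacement a maintainer would write; it is not code from the advisory, from Compaq/HP, or from the affected utilities. The buffer size OPT_BUF_SIZE, the function names, and the filler input are assumptions chosen to match the advisory's ~8192-byte threshold.

```c
/* Added example (not from the advisory or the vendor): the unbounded-copy
 * pattern behind the three overflows, beside a bounded replacement.
 * OPT_BUF_SIZE and the function names are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPT_BUF_SIZE 8192   /* assumed fixed heap buffer, matching the ~8192-byte threshold */

/* Vulnerable pattern: a fixed-size heap buffer is allocated and the
 * caller-supplied option is copied in without checking its length.
 * Any argument of OPT_BUF_SIZE bytes or longer overruns the allocation
 * (undefined behaviour). Shown for comparison only; not called below. */
char *store_option_unbounded(const char *arg)
{
    char *buf = malloc(OPT_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    strcpy(buf, arg);   /* no bound: overflows when strlen(arg) >= OPT_BUF_SIZE */
    return buf;
}

/* Hardened replacement: rejects arguments that do not fit (including the
 * terminating NUL) and copies with an explicit length, so the write can
 * never leave the allocation. Returns NULL on rejection or allocation failure. */
char *store_option_bounded(const char *arg)
{
    size_t len;
    char *buf;

    if (arg == NULL)
        return NULL;
    len = strlen(arg);
    if (len >= OPT_BUF_SIZE)   /* leave room for the NUL terminator */
        return NULL;
    buf = malloc(OPT_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, len + 1);
    return buf;
}

/* Builds a constructed test input of n 'A' bytes (caller frees it). */
char *make_filler(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "default";
    char *stored = store_option_bounded(arg);
    if (stored == NULL) {
        fprintf(stderr, "option rejected: longer than %d bytes\n", OPT_BUF_SIZE - 1);
        return 1;
    }
    printf("stored %zu bytes\n", strlen(stored));
    free(stored);
    return 0;
}
```

The bounded version fails closed: an over-long option is refused before any copy happens, which is the behaviour a setuid binary should have for every externally supplied string, whether it arrives via argv or via the environment.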
Detection:
These issues were tested on OSF1 3.2 with working exploit code.
Workaround:
Remove the setuid bit from the binaries (this will affect their
functionality):
$ chmod u-s /path.to/dxterm
$ chmod u-s /path.to/inc
$ chmod u-s /path.to/uucp
Vendor response:
According to HP:
"HP and Compaq have corrected the issues in subsequent releases of HP
Tru64 UNIX. HP strongly recommends that OSF V3.* Customers update to a
minimum of Tru64 UNIX V5.1 and apply all available patches.
REPORT: To report a potential security vulnerability with any HP or Compaq
supported product, send email to: security-alert@hp.com"
Disclosure timeline:
August 16, 2002 - Disclosed to iDEFENSE
September 6, 2002 - Disclosed to security-alert@hp.com
September 6, 2002 - Disclosed to iDEFENSE clients
September 6, 2002 - First human response from HP (Rich.Boren@hp.com)
September 13, 2002 - Follow-up email from iDEFENSE to Rich.Boren@hp.com
September 16, 2002 - Official vendor response received from
Rich.Boren@hp.com
September 18, 2002 - Public Disclosure
ADDITIONAL INFORMATION
The information has been provided by <mailto:dendler@idefense.com> David
Endler of iDEFENSE.