HP-UX 11.0 /usr/bin/kermit
bt_at_delfi.lt
Date: 05/02/03
- Previous message: Thomas Wouters: "Re: Dynamic DNS "Spoofing" & IRC"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: bugtraq@securityfocus.com Date: Fri, 2 May 2003 19:49:03 +0300
Hi!
There are many buffer overflows in kermit on HP-UX 11.0 . I am sure it is vulnerable in
other HP-UX versions, too, since "C-Kermit 6.0.192, 6 Sep 96, for HP-UX 10.00"
is installed in HP-UX 11.0 by default.
/usr/bin/kermit is setuid to bin and setgrp to daemon, so upon succesfull exploitation,
local user could get these priviledges.
Example of on simple buffer overflow in kermit :
$ /usr/bin/kermit -C "ask `perl -e 'print "A" x 120'`"
Executing /usr/share/lib/kermit/ckermit.ini for UNIX...
Good Evening.
Segmentation fault (core dumped)
There are more kermit commands that are unchecked of correct parameter length:
askq,define, assign, getc. Several of them use the same vulnerable function
"doask". I am SURE that these are not all vulnerabilities in kermit.
one more thing (I am not sure if it is exploitable,but anyway):
[/home/xxxxxxxxxx] C-Kermit>set alarm %:%:%
Floating point exception (core dumped)
Solution - take off setuid bits form /usr/bin/kermit.
In my opinion, patching kermit against these(and maybe many more) vulnerabilities is not
an option, since source of C-kermit 6.0.192 is publicly available, and it is very buggy.
I tried to contact security-alert@hp.com, but i got error message "Client host
rejected: Access denied" (spam?).
Bye,
bt@delfi.lt
<--------------------===========================-------------------->
Meiles zinutes sirdies damai ar riteriui: siusk MEILE numeriu 1325.
Jei siunti draugui, po zodzio MEILE nurodyk jo mob. telefono numeri.
Zinutes kaina 1 Lt. http://sms.delfi.lt/
- Previous message: Thomas Wouters: "Re: Dynamic DNS "Spoofing" & IRC"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
