Bugtraq archives for 3rd quarter (Jul-Aug) 1995: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995

[8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995

Mark Thomas (MarkMisty.com)
Tue, 29 Aug 1995 00:10:41 -0400

Hi,

If anyone comes up with diffs to SunOS syslog() source for those
who have source access, or a replacement syslog.c routine to build into
libc, please post.

-Mark



Forwarded message:
> From <punt.demon.co.uk,bagpuss.demon.co.uk:owner-8lgm-advisories8lgm.org>  Mon Aug 28 23:24:24 1995
> From: "[8LGM] Security Team" <8lgm8lgm.org>
> Message-Id: <199508290133.CAA155178lgm.org>
> Subject: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
> To: 8lgm-advisories8lgm.org, bugtraqcrimelab.com, firewallsgreatcircle.com
> Date: Tue, 29 Aug 1995 02:33:37 +0100 (BST)
> X-Mailer: ELM [version 2.4 PL23]
> Content-Type: text
> Content-Length:       4460
>
>               [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
>
> VULNERABLE PROGRAMS:
>
>       All programs calling syslog(3) with user supplied data, without
>       checking argument lengths.
>
> KNOWN VULNERABLE PLATFORMS:
>
>       SunOS 4.1.*
>
> KNOWN SECURE PLATFORMS:
>
>       None at present.
>
> DESCRIPTION:
>
>       syslog(3) uses an internal buffer to build messages.  However
>       it performs no bound checking, and relies on the caller to
>       check arguments passed to it.
>
> IMPACT:
>
>       Local and remote users can obtain root access.
>
> REPEAT BY:
>
>       We have written an example exploit to overwrite syslog(3)'s
>       internal buffer using SunOS sendmail(8).  However due to the
>       severity of this problem, this code will not be made available
>       to anyone at this time.  Please note that the exploit was fairly
>       straightforward to put together, therefore expect exploits to be
>       widely available soon after the release of this advisory.
>
>       Here is an edited sample of using a modified telnet client to
>       obtain a root shell through SunOS sendmail(8) on a sparc
>       based machine.
>
>       legless[8lgm]% syslog_telnet localhost smtp
>       Trying 127.0.0.1 ...
>       Connected to localhost.
>       Escape character is '^]'.
>       220 legless.8lgm.org Sendmail 4.1/SMI-4.1 ready at Sun,\
>        27 Aug 95 15:56:27 BST
>       mail from: root
>       250 root... Sender ok
>       rcpt to: root
>       250 root... Recipient ok
>       data
>       354 Enter mail, end with "." on a line by itself
>       ^]
>       syslog_telnet>
>
>       ### At this point, we provide some information to the modified
>       ### telnet client about the remote host.  Then sparc instructions
>       ### are sent over the link within the body of the message to
>       ### execute a shell.
>       ###
>       ### As soon as data is finished (with .), sendmail will eventually
>       ### report, through syslog(3), data about this message.  syslog's
>       ### internal buffer will be overwritten, and our supplied
>       ### instructions are executed.
>
>       Hit <cr>, then .<cr>
>
>       .
>       /usr/bin/id;
>       uid=0(root) gid=0(wheel) groups=0(wheel)
>       /bin/sh: ^M: not found
>       uptime;
>         3:57pm  up  1:25,  5 users,  load average: 0.11, 0.05, 0.00
>       /bin/sh: ^M: not found
>       exit;
>       Connection closed by foreign host.
>
>       ### Here we can see that sendmail has execed a shell as root,
>       ### and that we can type commands.  (lines ending in ; are
>       ### user input through the telnet client).
>       ###
>       ### This exploit could be further expanded upon to encapsulate
>       ### instructions within the body of a message, which can then
>       ### be mailed out to a site (ie without the necessity to connect
>       ### directly to the smtp port).  This may be used to bypass
>       ### firewalls.
>
> WORKAROUNDS:
>
>       We have two methods to ensure that syslog(3) can not be used in
>       the above manner.
>
>       Fix syslog(3), to perform bound checking.  Shared libraries
>       can then be fixed to use the new function.  Statically linked
>       programs will require rebuilding.
>
>       Alternatively, ensure all calls to syslog(3), by all programs,
>       check all arguments passed to syslog(3).
>
>       Ideally both of the above should be implemented.
>
> FIX:
>
>       Contact vendors for fixes.
>
> STATUS UPDATE:
>
>       The file:
>
>       [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995.README
>
>       will be created on www.8lgm.org.  This will contain updates on
>       any further versions which are found to be vulnerable, and any
>       other information received pertaining to this advisory.
>
> -----------------------------------------------------------------------
>
> FEEDBACK AND CONTACT INFORMATION:
>
>       majordomo8lgm.org      (Mailing list requests - try 'help'
>                                for details)
>
>       8lgm8lgm.org           (Everything else)
>
> 8LGM FILESERVER:
>
>       All [8LGM] advisories may be obtained via the [8LGM] fileserver.
>       For details, 'echo help | mail 8lgm-fileserver8lgm.org'
>
> 8LGM WWW SERVER:
>
>       [8LGM]'s web server can be reached at http://www.8lgm.org.
>       This contains details of all 8LGM advisories and other useful
>       information.
> ===========================================================================
> --
> -----------------------------------------------------------------------
> $ echo help | mail 8lgm-fileserver8lgm.org  (Fileserver help)
> majordomo8lgm.org                           (Request to be added to list)
> 8lgm8lgm.org                                (General enquiries)
> ******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********
>


--
Mark G. Thomas (MarkMisty.com)
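As an added illustration of the first workaround in the advisory (a bound-checked message builder of the kind a replacement syslog.c routine would need), the following is example code written for this archive page, not the SunOS source and not 8lgm's code. It assumes the caller passes a printf-style format with user data as an argument, and uses a deliberately small buffer so the truncation path is easy to exercise.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Deliberately small for the demonstration; a real replacement would
 * use the platform's message limit (hypothetical constant). */
#define LOGBUF_SIZE 64

/* The pattern the advisory describes: a fixed internal buffer filled by
 * an unbounded formatter, so an overlong caller argument runs past it.
 * Shown as a comment only, never compiled:
 *     char tbuf[LOGBUF_SIZE];
 *     vsprintf(tbuf, fmt, ap);      <- no bound on the write
 */

/* Bounded variant: every write is sized to the space that remains, so the
 * buffer can be truncated but never overrun, and is always NUL-terminated.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on a formatting
 * error. User-supplied text must arrive through the arguments (e.g. "%s"),
 * never as the format itself. */
int build_log_line(char *buf, size_t bufsz, const char *ident,
                   const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t used;

    if (bufsz == 0)
        return -1;
    buf[0] = '\0';

    /* Prefix with the calling program's identity. */
    n = snprintf(buf, bufsz, "%s: ", ident);
    if (n < 0)
        return -1;
    used = ((size_t)n < bufsz) ? (size_t)n : bufsz - 1;

    /* Format the caller's message into whatever space is left. */
    va_start(ap, fmt);
    n = vsnprintf(buf + used, bufsz - used, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;

    /* vsnprintf reports the length it wanted; compare it to the room it had. */
    return ((size_t)n >= bufsz - used) ? 1 : 0;
}
```

A caller that wants to log rather than silently drop data can check for the return value 1 and record that the line was cut, which is also the point at which an overlong argument from the network becomes visible to a defender.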