OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Iván Arce (core.lists.bugtraqcore-sdi.com)
Date: Tue Jul 02 2002 - 17:23:46 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

              CORE SECURITY TECHNOLOGIES
                       http://www.corest.com

                          Vulnerability Report For
                            Inktomi Traffic Server

    Date Published: 2002-07-02

    Advisory ID: CORE-20020620

    Bugtraq ID: 5098

    CVE CAN: None currently assigned.

    Title: Inktomi Traffic Server traffic_manager local overflow.

    Class: Boundary error condition (buffer overflow)

    Remotely Exploitable: NO

    Locally Exploitable: Yes

    Vendors contacted:

     Inktomi Corporation (INKT)
     . Inital email sent: 2002-06-21
     . Acknowledged reception of initial contact: 2002-06-24
     . Official response and fix information: 2002-07-01

    Release mode: COORDINATED RELEASE

    *Vulnerability Description*

    Inktomi's Traffic Server product provides transparent web caching,
    access control and content filtering. It is available for Linux, Solaris
    and Windows platforms. A vulnerability that could allow a local attacker to
    gain root access has been discovered in the unix version of the software.

    Problem: Buffer overflow in traffic_manager executable

    The traffic_manager executable is used to manage Traffic Server,
    it is installed setuid-root by default under the [installpath]/bin
    directory.
    When traffic_manager is executed with a long command line argument,
    a buffer overflow occurs.
    This vulnerability can be exploited locally to gain root access.

    A local exploit module is available for CORE IMPACT customers in
    the July 2002 update pack.

    *Vulnerable Packages/Systems*

    The local root vulnerability in traffic_manager exists
    in all current and previous revisions of Inktomi Traffic Server,
    Traffic Edge and Media-IXT.

     Current product revisions are:
      Media-IXT 3.0.4
      Traffic Server / Media-IXT 4.0.18
      Traffic Server / Media-IXT 4.0.20
      Traffic Server / Media-IXT 5.1.3
      Traffic Server / Media-IXT 5.2.0-R
      Traffic Server / Media-IXT 5.2.1
      Traffic Server / Media-IXT 5.2.2
      Traffic Edge 1.1.2 (Traffic Server 5.2.1)
      Traffic Edge 1.5.0 (Traffic Server 5.5)

    *Solution/Vendor Information/Workaround*

    The buffer overflow error in the "-path" option of the
    traffic_manager command will be corrected to remove the
    vulnerability in all future maintenance releases of
    Traffic Server, Media-IXT and Traffic Edge.

    The identified vulnerability applies to command-line
    execution of bin/traffic_manager, so the risk applies only
    to shell sessions already connected to the proxy host as
    non-privileged users. The vulnerability does not affect
    network services or access and cannot grant remote access to
    the proxy host.

    If you wish to block this local vulnerability, remove the
    setuid bit from the traffic_manager executable. When
    traffic_manager is not setuid root, the proxy will not be able
    to directly serve 'privileged' port numbers less than 1024.

    Some proxy configurations will require ARM config/ipnat.conf

    Please refer to Inktomi's note on the bug at
    http://support.inktomi.com/kb/070202-003.html
    with specific instructions on how to reconfigure the
    products to operate properly without the SUID flag set
    on the binary.

    Contact emailsupportinktomi.com for assistance

    *Credits*

    This vulnerability was discovered by Juliano Rizzo of the
    Security Consulting Services team at CORE SECURITY TECHNOLOGIES

    We would like to thank Warren Brown from Inktomi Product Support
    for the quick response to the issue.

    *Technical Description - Exploit/Concept Code*

    Traffic Manager installs the traffic_manager program as a root
    owned file with the set user id bit set.

    Below are the lines from install.sh that makes traffic_manager
    setuid-root.

    ----
      # Adjust setuid commands
      chown root ${InstallDir}/bin/traffic_manager >>$LogFile 2>&1
      chmod 4755 ${InstallDir}/bin/traffic_manager >>$LogFile 2>&1
      if [ -d ${InstallDir}/bin/debug ] ; then
        chown root ${InstallDir}/bin/debug/traffic_manager >>$LogFile 2>&1
        chmod 4755 ${InstallDir}/bin/debug/traffic_manager >>$LogFile 2>&1
      fi
    

    ---- The overflow occurs when a string longer than 1700 bytes is passed as argument to the -path option. The exploitability has been confirmed under Solaris platform.

    /inktomi/5.1.3/bin# ./traffic_manager -path `perl -e 'print "A"x1720'` < [TrafficManager] ==> Kernel Sig 11; Reason: 1 [TrafficManager] ==> Cleaning up and reissuing signal #11 Abort(coredump)

    truss output: open64("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA", O_RDONLY) Err#78 ENAMETOOLONG fstat(3, 0xFFBEC130) = 0 time() = 1024660377 getpid() = 27458 [27457] putmsg(3, 0xFFBEB7E8, 0xFFBEB7DC, 0) = 0 open("/var/run/syslog_door", O_RDONLY) Err#2 ENOENT Incurred fault #5, FLTACCESS %pc = 0xFF0CF2E0 siginfo: SIGBUS BUS_ADRALN addr=0x41414149 Received signal #10, SIGBUS [caught] siginfo: SIGBUS BUS_ADRALN addr=0x41414149

    Replacing 0x41414141 for a valid stack address and building the right string it is posible to execute arbitrary code with root privileges.

    DISCLAIMER:

    The contents of this advisory are copyright (c) 2002 CORE SECURITY TECHNOLOGIES and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

    $Id: InktomiTS-pathbof-advisory.txt,v 1.5 2002/07/02 21:11:40 iarce Exp $

    --- Perscriptio in manibus tabellariorum est Noli me vocare, ego te vocabo

    Ivan Arce CTO CORE SECURITY TECHNOLOGIES

    44 Wall Street - New York, NY 10005 Ph: (212) 461-2345 Fax: (212) 461-2346 http://www.corest.com

    PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A

    --- for a personal reply use: =?iso-8859-1?Q?Iv=E1n_Arce?= <ivan.arcecorest.com>