OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: David Endler (dendler_at_idefense.com)
Date: Wed Sep 18 2002 - 16:06:49 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    iDEFENSE Security Advisory 09.18.2002
    Security Vulnerabilities in OSF1/Tru64 3.x

    DESCRIPTION

    Three buffer overflow vulnerabilities exist in older versions of
    Tru64/OSF1.

    ISSUE 1

    The uucp utility in Compaq’s Tru64/OSF1 3.x operating system contains
    a locally exploitable buffer overflow which allows an attacker to
    gain root privileges if the "source" command line parameter is a
    string greater that approximately 8232 bytes in size. The executable
    is installed setuid root which allows the attacker to cause arbitrary
    code to run in the context of the root user.
     
    Analysis: This issue is trivial to exploit; The parameter to the "-s"
    command line argument is stored in the heap area of memory, and an
    attacker can place shellcode in it for later execution. This
    eliminates the need for offset brute forcing, however alignment
    appears to be an issue in this case.

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    has assigned the identification number CAN-2002-1127 to this issue.

    This issue was exlcusively disclosed to iDEFENSE by Euan Briggs
    (euan_briggsbtinternet.com)
     

    ISSUE 2

    The inc mail incorporation utility in Compaq’s OSF1 3.x operating
    system contains a locally exploitable buffer overflow which allows an
    attacker to gain root privileges if the "MH" environment variable
    contains a string greater that approximately 8192 bytes in size. The
    executable is installed setuid root which allows the attacker to
    cause arbitrary code to run in the context of the root user.
     
    Analysis: This issue is trivial to exploit; the content of the "HOME"
    environment variable is stored in the heap area of memory, and an
    attacker can place shellcode in it for later execution. This
    eliminates the need for alignment and offset brute forcing.

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    has assigned the identification number CAN-2002-1128 to this issue.

    This issue was exclusively disclosed to iDEFENSE by Euan Briggs
    (euan_briggsbtinternet.com)

     

    ISSUE 3

    Description: The dxterm utility in Compaq’s OSF1 3.x operating system
    contains a locally exploitable buffer overflow which allows an
    attacker to gain root privileges. The executable is installed setuid
    root which allows the attacker to cause arbitrary code to run in the
    context of the root user.
     
    Analysis: This issue is trivial to exploit; the argument to the
    command line parameter "-xrm" is stored in the heap area of memory,
    and an attacker can place shellcode in it for later execution. This
    eliminates the need for alignment and offset brute forcing.

    The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
    has assigned the identification number CAN-2002-1129 to this issue.

    This vulnerability was exclusively disclosed to iDEFENSE by Euan
    Briggs (euan_briggsbtinternet.com)

    DETECTION

    These issues were tested on OSF1 3.2 with working exploit code.

    WORKAROUND

    Remove the setuid bit from the binaries, however affecting their
    functionality:

    $ chmod u-s /path.to/dxterm
    $ chmod u-s /path.to/inc
    $ chmod u-s /path.to/uucp

    VENDOR RESPONSE

    According to HP:

    "HP and Compaq have corrected the issues in subsequent releases of HP
    Tru64 UNIX. HP strongly recommends that OSF V3.* Customers update to
    a minimum of Tru64 UNIX V5.1 and apply all available patches.

    REPORT: To report a potential security vulnerability with any HP or
    Compaq supported product, send email to: security-alerthp.com"

    DISCLOSURE TIMELINE

    August 16, 2002 - Disclosed to iDEFENSE
    September 6, 2002 - Disclosed to security-alerthp.com
    September 6, 2002 - Disclosed to iDEFENSE clients
    Sepetember 6, 2002 - First human response from HP (Rich.Borenhp.com)
    September 13, 2002 - Follow-up email from iDEFENSE to
    Rich.Borenhp.com
    September 16, 2002 - Official vendor response received from
    Rich.Borenhp.com
    September 18, 2002 - Public Disclosure

    http://www.idefense.com/contributor.html

    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071

    dendleridefense.com
    www.idefense.com

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1.2
    Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A

    iQA/AwUBPYjo0UrdNYRLCswqEQJnywCfd96gfT2x0jRODc3bb6r/tMmSb24An1WE
    e9zdAzR99PtprllGJpch001e
    =/879
    -----END PGP SIGNATURE-----