From: Phuzzy L0gik (phzy@nmrc.org)
Date: Tue Aug 21 2001 - 12:20:45 CDT


    Took a quick look at the ucd-snmp-4.2.1 source off of sourceforge:

    Aside from the obvious strcpy()'s littered throughout the source; namely,
    with the agent's '-l' commandline argument I found this:

     (I think the rpm package reads ~/.rpmrc which makes this exploitable) :

    in agent/mibgroup/host/hr_swinst.c :

     #define SNMP_MAXPATH MAXPATHLEN /* MAXPATHLEN = 1024 */
     static char string [SNMP_MAXPATH];
     char path[SNMP_MAXPATH];
     ...
             rpmReadConfigFiles(NULL, NULL, NULL, 0); /* read ~/.rpmrc */
             swi->swi_dbpath = rpmGetVar(RPMVAR_DBPATH);
    >> sprintf(path, "%s/packages.rpm", swi->swi_dbpath);
            swi->swi_directory = strdup(path);
     ...
              if (swi->swi_directory != NULL)
                     strcpy(string, swi->swi_directory);

    mta_sendmail.c also misuses vsprintf(buffer, format, ap); but is not
    exploitable as sizeof(format) is 200 whereas buffer is 600.

    Format string problems exist in the following :
     apps/snmpnetstat/inet.c and inet6.c
     apps/snmptable.c
     snmplib/mib.c
     snmplib/read_config.c
     snmplib/snmp_debug.c
     snmplib/snmp_logging.c

    and the race condition is in agent/mibgroup/util_funcs.c :

     if ((cfd = open(cachefile,O_WRONLY|O_TRUNC|O_CREAT,0644)) < 0) {

    note the missing O_EXCL.

    - phzy

    > ---------- Forwarded message ----------
    > Date: Sat, 18 Aug 2001 06:02:43 +0000 (GMT)
    > From: Rain Forest Puppy <rfp@vulnwatch.org>
    > To: vulnwatch@vulnwatch.org
    > Subject: [VulnWatch] Security Update: [CSSA-2001-031.0] Linux -security
    > issues in ucd-snmp (fwd)
    >
    >
    > Sorry for the forward...pulled this off the announce list. Hints at
    > unknown ucd-snmp problems.
    >
    > - rfp
    >
    > ---------- Forwarded message ----------
    > Date: Fri, 17 Aug 2001 15:31:17 -0600
    > From: Support Info <supinfo@caldera.com>
    > Reply-To: announce@lists.caldera.com
    > To: announce@lists.caldera.com
    > Subject: Security Update: [CSSA-2001-031.0] Linux -security issues in
    > ucd-snmp
    >
    > ______________________________________________________________________________
    > Caldera International, Inc. Security Advisory
    >
    > Subject: Linux - security issues in ucd-snmp
    > Advisory number: CSSA-2001-031.0
    > Issue date: 2001, August 16
    > Cross reference:
    > ______________________________________________________________________________
    >
    >
    > 1. Problem Description
    >
    > In a routine security audit of the ucd-snmp package we have found
    > several problems, including several potentially exploitable buffer
    > overflows, format string bugs, signedness issues and tempfile race
    > conditions. Some of these might allow remote attackers to gain access
    > to the UID under which snmpd is running. This update fixes all known
    > problems and also makes the snmpd run as user 'nobody', reducing the
    > impact of further problems.
    >
    >
    > 2. Vulnerable Versions
    >
    > System                      Package
    > -----------------------------------------------------------
    > OpenLinux 2.3               not vulnerable
    >
    > OpenLinux eServer 2.3.1     All packages previous to
    > and OpenLinux eBuilder      ucd-snmp-4.2.1-6b
    >
    > OpenLinux eDesktop 2.4      not vulnerable
    >
    > OpenLinux Server 3.1        not vulnerable
    >
    > OpenLinux Workstation 3.1   not vulnerable
    >
    >
    > 3. Solution
    >
    > Workaround
    >
    > none
    >
    > The proper solution is to upgrade to the latest packages.
    >
    > 4. OpenLinux 2.3
    >
    > not vulnerable
    >
    > 5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
    >
    > 5.1 Location of Fixed Packages
    >
    > The upgrade packages can be found on Caldera's FTP site at:
    >
    > ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS
    >
    > The corresponding source code package can be found at:
    >
    > ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS
    >
    > 5.2 Verification
    >
    >
    >
    > 5.3 Installing Fixed Packages
    >
    > Upgrade the affected packages with the following commands:
    >
    > rpm -Fvh ucd-snmp-4.2.1-6b.i386.rpm \
    > ucd-snmp-devel-4.2.1-6b.i386.rpm \
    > ucd-snmp-utils-4.2.1-6b.i386.rpm
    >
    >
    > 6. OpenLinux eDesktop 2.4
    >
    > not vulnerable
    >
    > 7. OpenLinux 3.1 Server
    >
    > not vulnerable
    >
    > 8. OpenLinux 3.1 Workstation
    >
    > not vulnerable
    >
    > 9. References
    >
    > This and other Caldera security resources are located at:
    >
    > http://www.caldera.com/support/security/index.html
    >
    > This security fix closes Caldera's internal Problem Report 10043.
    >
    >
    > 10. Disclaimer
    >
    > Caldera International, Inc. is not responsible for the misuse of
    > any of the information we provide on this website and/or through our
    > security advisories. Our advisories are a service to our customers
    > intended to promote secure installation and use of Caldera OpenLinux.
    > ______________________________________________________________________________
    >
    >

    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

    "I'm in trouble for the things I haven't got to yet"

    hellNbak@nmrc.org
    http://www.nmrc.org

    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
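The two fixes phzy's excerpts call for, as an added C example that is not ucd-snmp code: the sprintf() into path[SNMP_MAXPATH] becomes a bounded snprintf() whose return value is checked, and the cache-file open() gains the O_EXCL the post notes is missing (plus O_NOFOLLOW). The SNMP_MAXPATH value, the /var/lib/rpm sample dbpath and the scratch path used by demo() are assumptions.

```c
#define _GNU_SOURCE            /* for O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SNMP_MAXPATH 1024      /* mirrors MAXPATHLEN in the post */

/* Bounded replacement for sprintf(path, "%s/packages.rpm", dbpath).
 * Truncation is treated as an error, not as a silently shorter path.
 * Returns 0 on success, -1 (with out emptied) if dbpath is NULL or too long. */
int build_db_path(char *out, size_t outsz, const char *dbpath)
{
    int n = dbpath ? snprintf(out, outsz, "%s/packages.rpm", dbpath) : -1;
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Replacement for open(cachefile, O_WRONLY|O_TRUNC|O_CREAT, 0644):
 * O_EXCL fails if anything already exists at the path (so a pre-existing
 * file or symlink is never truncated), O_NOFOLLOW refuses symlinks outright.
 * Returns the fd, or -1 with errno set. */
int open_cache_exclusive(const char *cachefile)
{
    return open(cachefile, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

/* Exercise both on constructed inputs; scratch is a writable path the demo
 * creates and removes (assumed location). Returns 1 if every expectation holds. */
int demo(const char *scratch)
{
    char path[SNMP_MAXPATH], huge[SNMP_MAXPATH + 64];
    memset(huge, 'A', sizeof huge - 1);   /* constructed dbpath longer than the buffer */
    huge[sizeof huge - 1] = '\0';
    int ok = build_db_path(path, sizeof path, "/var/lib/rpm") == 0
          && strcmp(path, "/var/lib/rpm/packages.rpm") == 0
          && build_db_path(path, sizeof path, huge) == -1 && path[0] == '\0';
    unlink(scratch);                        /* start clean */
    int fd1 = open_cache_exclusive(scratch);
    int fd2 = open_cache_exclusive(scratch); /* must fail: file now exists */
    ok = ok && fd1 >= 0 && fd2 == -1 && errno == EEXIST;
    if (fd1 >= 0) close(fd1);
    unlink(scratch);
    return ok;
}
```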