From dendler@idefense.com Fri Sep 20 05:13:43 2002 From: David Endler To: vulnwatch@vulnwatch.org Date: Wed, 18 Sep 2002 17:06:49 -0400 Subject: [VulnWatch] iDEFENSE Security Advisory 09.18.2002: Security Vulnerabilities in OSF1/Tru64 3. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 iDEFENSE Security Advisory 09.18.2002 Security Vulnerabilities in OSF1/Tru64 3.x DESCRIPTION Three buffer overflow vulnerabilities exist in older versions of Tru64/OSF1. ISSUE 1 The uucp utility in Compaq^Òs Tru64/OSF1 3.x operating system contains a locally exploitable buffer overflow which allows an attacker to gain root privileges if the "source" command line parameter is a string greater that approximately 8232 bytes in size. The executable is installed setuid root which allows the attacker to cause arbitrary code to run in the context of the root user. Analysis: This issue is trivial to exploit; The parameter to the "-s" command line argument is stored in the heap area of memory, and an attacker can place shellcode in it for later execution. This eliminates the need for offset brute forcing, however alignment appears to be an issue in this case. The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1127 to this issue. This issue was exlcusively disclosed to iDEFENSE by Euan Briggs (euan_briggs@btinternet.com) ISSUE 2 The inc mail incorporation utility in Compaq^Òs OSF1 3.x operating system contains a locally exploitable buffer overflow which allows an attacker to gain root privileges if the "MH" environment variable contains a string greater that approximately 8192 bytes in size. The executable is installed setuid root which allows the attacker to cause arbitrary code to run in the context of the root user. Analysis: This issue is trivial to exploit; the content of the "HOME" environment variable is stored in the heap area of memory, and an attacker can place shellcode in it for later execution. This eliminates the need for alignment and offset brute forcing. The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1128 to this issue. This issue was exclusively disclosed to iDEFENSE by Euan Briggs (euan_briggs@btinternet.com) ISSUE 3 Description: The dxterm utility in Compaq^Òs OSF1 3.x operating system contains a locally exploitable buffer overflow which allows an attacker to gain root privileges. The executable is installed setuid root which allows the attacker to cause arbitrary code to run in the context of the root user. Analysis: This issue is trivial to exploit; the argument to the command line parameter "-xrm" is stored in the heap area of memory, and an attacker can place shellcode in it for later execution. This eliminates the need for alignment and offset brute forcing. The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2002-1129 to this issue. This vulnerability was exclusively disclosed to iDEFENSE by Euan Briggs (euan_briggs@btinternet.com) DETECTION These issues were tested on OSF1 3.2 with working exploit code. WORKAROUND Remove the setuid bit from the binaries, however affecting their functionality: $ chmod u-s /path.to/dxterm $ chmod u-s /path.to/inc $ chmod u-s /path.to/uucp VENDOR RESPONSE According to HP: "HP and Compaq have corrected the issues in subsequent releases of HP Tru64 UNIX. HP strongly recommends that OSF V3.* Customers update to a minimum of Tru64 UNIX V5.1 and apply all available patches. REPORT: To report a potential security vulnerability with any HP or Compaq supported product, send email to: security-alert@hp.com" DISCLOSURE TIMELINE August 16, 2002 - Disclosed to iDEFENSE September 6, 2002 - Disclosed to security-alert@hp.com September 6, 2002 - Disclosed to iDEFENSE clients Sepetember 6, 2002 - First human response from HP (Rich.Boren@hp.com) September 13, 2002 - Follow-up email from iDEFENSE to Rich.Boren@hp.com September 16, 2002 - Official vendor response received from Rich.Boren@hp.com September 18, 2002 - Public Disclosure http://www.idefense.com/contributor.html David Endler, CISSP Director, Technical Intelligence iDEFENSE, Inc. 14151 Newbrook Drive Suite 100 Chantilly, VA 20151 voice: 703-344-2632 fax: 703-961-1071 dendler@idefense.com www.idefense.com -----BEGIN PGP SIGNATURE----- Version: PGP 7.1.2 Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4B0ACC2A iQA/AwUBPYjo0UrdNYRLCswqEQJnywCfd96gfT2x0jRODc3bb6r/tMmSb24An1WE e9zdAzR99PtprllGJpch001e =/879 -----END PGP SIGNATURE-----