Date: Thu, 9 Sep 1999 09:52:21 -0500
From: Brock Tellier <[email protected]>
To: [email protected]Subject: 19 SCO 5.0.5+Skunware98 buffer overflows
This is a multi-part message in MIME format.
------=_NextPart_000_03FD_01BEFAA9.02E79120
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Greetings,
After some light security auditing ;) I've found approximately =
nineteen buffer overflows in various SCO 5.0.5+Skunkware98 programs. =
This was, by no means, a comprehensive audit of SCO's su/gids so I'm =
sure there are dozens of holes I've missed. Keep in mind also that this =
was ONLY command line buffer overflow testing and did not include =
environment, file i/o, or any other sort of overflow. And I didn't =
touch /tmp races. That said..=20
=20
Some of these holes are old to the world of security, but apparently =
SCO hasn't caught up yet. For instance, anyone remember the old Xt =
library holes in xterm and such? Well, apparently SCO doesn't. Not to =
mention the fact that in June someone posted an xterm exploit (though =
the author didn't make clear that all programs using the Xt library were =
probably vulnerable) and SCO never came out with a fix. Thus this =
program as well as all others in the class are still vulnerable. =
Following is a list of vulnerable programs and their su/gid status:
Potential root:
SUID root
---
1. xload -bg $1492bytes
2. xterm -bg $1492bytes
3. xmcd -bg $1492bytes
SUID auth (Auth has rw access to /etc/shadow)
---
4. xlock -bg $1492bytes
5. xscreensaver -bg $1492bytes
6. scolock -bg $1492bytes
SUID mem (strings /dev/kmem)
--
7. sar -o $2105bytes or sar -f $1077bytes x
Potential lp:
SUID lp
--
8. cancel $998bytes (isn't this one old too?)
9. lp $10000bytes (didn't get the exact number)
10. reject $10000bytes (as above)
Potential bin:
SUID bin
---
11. sd $1017bytes (SIGSEGV @1017 SIGTERM 1 to 1017bytes)
Potential annoyance:
SUID dos
---
12. doscat $19031bytes
13. doscp "" x
14. dosdir ""
15. dosls ""
16. dosmkdir ""
17. dosrm ""
18. dosrmdir ""
SUID uucp
---
19. ati $40bytes
FIX:
For most of these programs, you're going to have to suffer with some =
broken functionality when you remove the s-bits. The various suid root =
and auth won't be able to function without their su/gid status. However =
you could make a new group such as xusers and have these programs only =
executable by its members. In fact adding trusted users to the lp group =
is probably the best way to overcome these lp vulnerabilities as well.
Hopefully this advisory will scare SCO into doing some security =
auditing on their own before their buggy product hits the market. In =
any case, be wary.
Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com
------=_NextPart_000_03FD_01BEFAA9.02E79120
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2314.1000" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Greetings,</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> After some light =
security=20
auditing ;) I've found approximately nineteen buffer overflows in =
various=20
SCO 5.0.5+Skunkware98 programs. This was, by no means, a =
comprehensive=20
audit of SCO's su/gids so I'm sure there are dozens of holes I've =
missed. =20
Keep in mind also that this was ONLY command line buffer overflow =
testing and=20
did not include environment, file i/o, or any other sort of =
overflow. And=20
I didn't touch /tmp races. That said.. </FONT></DIV>
<DIV><FONT face=3DArial size=3D2> </FONT></DIV>
<DIV><FONT face=3DArial size=3D2> Some of these holes =
are old to=20
the world of security, but apparently SCO hasn't caught up yet. =
For=20
instance, anyone remember the old Xt library holes in xterm and =
such? =20
Well, apparently SCO doesn't. Not to mention the fact that in June =
someone=20
posted an xterm exploit (though the author didn't make clear that all =
programs=20
using the Xt library were probably vulnerable) and SCO never came out =
with a=20
fix. Thus this program as well as all others in the class are =
still=20
vulnerable. Following is a list of vulnerable programs and their =
su/gid=20
status:</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Potential root:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>SUID root</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>---</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>1. xload -bg $1492bytes</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>2. xterm -bg $1492bytes</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>3. xmcd -bg $1492bytes</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>SUID auth (Auth has rw access to=20
/etc/shadow)</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>---</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>4. xlock -bg $1492bytes</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>5. xscreensaver -bg =
$1492bytes</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>6. scolock -bg $1492bytes</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>SUID mem (strings =
/dev/kmem)</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>--</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>7. sar -o $2105bytes or sar -f =
$1077bytes=20
x</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Potential lp:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>SUID lp</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>--</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>8. cancel $998bytes (isn't this one old =
too?)</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>9. lp $10000bytes (didn't get the exact =
number)</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>10. reject $10000bytes (as =
above)</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Potential bin:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>SUID bin</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>---</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>11. sd $1017bytes (SIGSEGV @1017 =
SIGTERM 1 to=20
1017bytes)</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Potential annoyance:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>SUID dos</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>---</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>12. doscat $19031bytes</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>13. doscp "" x</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>14. dosdir ""</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>15. dosls ""</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>16. dosmkdir ""</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>17. dosrm ""</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>18. dosrmdir ""</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>SUID uucp</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>---</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>19. ati $40bytes</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>FIX:</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> For most of these =
programs,=20
you're going to have to suffer with some broken functionality when you =
remove=20
the s-bits. The various suid root and auth won't be able to =
function=20
without their su/gid status. However you could make a new =
group such=20
as xusers and have these programs only executable by its members. =
In fact=20
adding trusted users to the lp group is probably the best way to =
overcome these=20
lp vulnerabilities as well.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2> Hopefully this =
advisory will=20
scare SCO into doing some security auditing on their own before their =
buggy=20
product hits the market. In any case, be wary.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>Brock Tellier</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>UNIX Systems Administrator</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Webley Systems</FONT></DIV>
<DIV><FONT face=3DArial size=3D2><A=20
href=3D"http://www.webley.com">www.webley.com</A></FONT></DIV></BODY></HT=
ML>
------=_NextPart_000_03FD_01BEFAA9.02E79120--