The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


19 SCO 5.0.5+Skunware98 buffer overflows


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Thu, 9 Sep 1999 09:52:21 -0500
From: Brock Tellier <[email protected]>
To: [email protected]
Subject: 19 SCO 5.0.5+Skunware98 buffer overflows

This is a multi-part message in MIME format.

------=_NextPart_000_03FD_01BEFAA9.02E79120
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Greetings,

    After some light security auditing ;) I've found approximately =
nineteen buffer overflows in various SCO 5.0.5+Skunkware98 programs.  =
This was, by no means, a comprehensive audit of SCO's su/gids so I'm =
sure there are dozens of holes I've missed.  Keep in mind also that this =
was ONLY command line buffer overflow testing and did not include =
environment, file i/o, or any other sort of overflow.  And I didn't =
touch /tmp races.  That said..=20
   =20
    Some of these holes are old to the world of security, but apparently =
SCO hasn't caught up yet.  For instance, anyone remember the old Xt =
library holes in xterm and such?  Well, apparently SCO doesn't.  Not to =
mention the fact that in June someone posted an xterm exploit (though =
the author didn't make clear that all programs using the Xt library were =
probably vulnerable) and SCO never came out with a fix.  Thus this =
program as well as all others in the class are still vulnerable.  =
Following is a list of vulnerable programs and their su/gid status:

Potential root:
SUID root
---
1. xload -bg $1492bytes
2. xterm -bg $1492bytes
3. xmcd -bg $1492bytes

SUID auth (Auth has rw access to /etc/shadow)
---
4. xlock -bg $1492bytes
5. xscreensaver -bg $1492bytes
6. scolock -bg $1492bytes

SUID mem (strings /dev/kmem)
--
7. sar -o $2105bytes or sar -f $1077bytes x

Potential lp:
SUID lp
--
8. cancel $998bytes (isn't this one old too?)
9. lp $10000bytes (didn't get the exact number)
10. reject $10000bytes (as above)

Potential bin:
SUID bin
---
11. sd $1017bytes (SIGSEGV @1017 SIGTERM 1 to 1017bytes)

Potential annoyance:
SUID dos
---
12. doscat $19031bytes
13. doscp "" x
14. dosdir ""
15. dosls ""
16. dosmkdir ""
17. dosrm ""
18. dosrmdir ""

SUID uucp
---
19. ati $40bytes

FIX:

    For most of these programs, you're going to have to suffer with some =
broken functionality when you remove the s-bits.  The various suid root =
and auth won't be able to function without their su/gid status.  However =
you could make a new group such as xusers and have these programs only =
executable by its members.  In fact adding trusted users to the lp group =
is probably the best way to overcome these lp vulnerabilities as well.

    Hopefully this advisory will scare SCO into doing some security =
auditing on their own before their buggy product hits the market.  In =
any case, be wary.

Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com

------=_NextPart_000_03FD_01BEFAA9.02E79120
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2314.1000" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Greetings,</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;&nbsp; After some light =
security=20
auditing ;) I've found approximately&nbsp;nineteen buffer overflows in =
various=20
SCO 5.0.5+Skunkware98 programs.&nbsp; This was, by no means, a =
comprehensive=20
audit of SCO's su/gids so I'm sure there are dozens of holes I've =
missed.&nbsp;=20
Keep in mind also that this was ONLY command line buffer overflow =
testing and=20
did not include environment, file i/o, or any other sort of =
overflow.&nbsp; And=20
I didn't touch /tmp races.&nbsp; That said.. </FONT></DIV>
<DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;&nbsp; </FONT></DIV>
<DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;&nbsp; Some of these holes =
are old to=20
the world of security, but apparently SCO hasn't caught up yet.&nbsp; =
For=20
instance, anyone remember the old Xt library holes in xterm and =
such?&nbsp;=20
Well, apparently SCO doesn't.&nbsp; Not to mention the fact that in June =
someone=20
posted an xterm exploit (though the author didn't make clear that all =
programs=20
using the Xt library were probably vulnerable) and SCO never came out =
with a=20
fix.&nbsp; Thus this program as well as all others in the class are =
still=20
vulnerable.&nbsp; Following is a list of vulnerable programs and their =
su/gid=20
status:</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Potential root:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>SUID root</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>---</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>1. xload -bg $1492bytes</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>2. xterm -bg $1492bytes</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>3. xmcd -bg $1492bytes</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>SUID auth (Auth has rw access to=20
/etc/shadow)</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>---</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>4. xlock -bg $1492bytes</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>5. xscreensaver -bg =
$1492bytes</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>6. scolock -bg $1492bytes</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>SUID mem (strings =
/dev/kmem)</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>--</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>7. sar -o $2105bytes or sar -f =
$1077bytes=20
x</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Potential lp:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>SUID lp</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>--</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>8. cancel $998bytes (isn't this one old =

too?)</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>9. lp $10000bytes (didn't get the exact =

number)</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>10. reject $10000bytes (as =
above)</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Potential bin:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>SUID bin</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>---</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>11. sd $1017bytes (SIGSEGV @1017 =
SIGTERM 1 to=20
1017bytes)</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Potential annoyance:</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>SUID dos</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>---</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>12. doscat $19031bytes</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>13. doscp "" x</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>14. dosdir ""</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>15. dosls ""</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>16. dosmkdir ""</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>17. dosrm ""</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>18. dosrmdir ""</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>SUID uucp</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>---</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>19. ati $40bytes</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>FIX:</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;&nbsp; For most of these =
programs,=20
you're going to have to suffer with some broken functionality when you =
remove=20
the s-bits.&nbsp; The various suid root and auth won't be able to =
function=20
without their su/gid status.&nbsp; However you could make a new =
group&nbsp;such=20
as xusers and have these programs only executable by its members.&nbsp; =
In fact=20
adding trusted users to the lp group is probably the best way to =
overcome these=20
lp vulnerabilities as well.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>&nbsp;&nbsp;&nbsp; Hopefully this =
advisory will=20
scare SCO into doing some security auditing on their own before their =
buggy=20
product hits the market.&nbsp; In any case, be wary.</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Brock Tellier</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>UNIX Systems Administrator</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>Webley Systems</FONT></DIV>
<DIV><FONT face=3DArial size=3D2><A=20
href=3D"http://www.webley.com">www.webley.com</A></FONT></DIV></BODY></HT=
ML>

------=_NextPart_000_03FD_01BEFAA9.02E79120--

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру