=============================================================================
 Virtual Domain Hosting Services provided by The FOURnet Information Network
              mail webserv@FOUR.net or see http://www.four.net
=============================================================================
 	     libC/Inside provided by Electris Software Limited
	 mail electris@electris.com or see http://www.electris.com
=============================================================================

                  [8lgm]-Advisory-26.UNIX.rdist.20-3-1996
 
PROGRAM:
 
        rdist
 
VULNERABLE VERSIONS:
 
        Solaris 2.*
	SunOS 4.1.*
	Potentially all versions running setuid root.

DESCRIPTION:

	rdist creates an error message based on a user provided string,
	without checking bounds on the buffer used.  This buffer is
	on the stack, and can therefore be used to execute arbitrary
	instructions.

IMPACT:
 
        Local users can obtain superuser privileges.

EXPLOIT:

	A program was developed to verify this bug on a SunOS 4.1.3 machine,
	and succeeded in obtaining a shell running uid 0 from rdist.

DETAILS:

	Consider the following command, running as user bin.

	# rdist -d TestString -d TestString
	rdist: line 1: TestString redefined
	distfile: No such file or directory
	# 

	Using libC/Inside, the following trace was obtained:

	-----------------------------------------------------------------------
	libC/Inside Shared Library Tracing.  V1.0 (Solaris 2.5).	
	Copyright (C) 1996, Electris Software Limited, All Rights Reserved.

		Tracing started Thu May  9 00:04:19 1996

		Pid is 18738
		Log file is /tmp/Inside.18738
		Log file descriptor is 3

		uid=2(bin) gid=2(bin) euid=0(root) groups=2(bin),3(sys)

		Program is rdist

	_start+0x30->atexit(call_fini)
	return(0)
	_start+0x3c->atexit(_fini)
	return(0)
	main+0x28->getuid()
	return(2)
	main+0x38->seteuid(2)
	return(0)
	main+0x5c->getuid()
	return(2)
	main+0x64->getpwuid(2)
	return((pw_name="bin", pw_passwd="x", pw_uid=2, pw_gid=2, pw_age="", \
	pw_comment="", pw_gecos="", pw_dir="/usr/bin", pw_shell=""))
	main+0xb0->strcpy(user, "bin")
	return("bin")
	main+0xc4->strcpy(homedir, "/usr/bin")
	return("/usr/bin")
	main+0xd4->gethostname(host, 32)
	return(0)
	(Arg 0 = "legless")
	main+0x10c->strcmp("-d", "-Server")
	return(17)
	define+0x30->strchr("TestString", '=')
	return((null))
	lookup+0x11c->malloc(16)
	return(0x33220)
	main+0x10c->strcmp("-d", "-Server")
	return(17)
	define+0x30->strchr("TestString", '=')
	return((null))
	lookup+0x88->strcmp("TestString", "TestString")
	return(0)
	lookup+0xcc->sprintf(0xeffff8a8, "%s redefined", "TestString")
	return(20)
		(Arg 0 = "TestString redefined")
	yyerror+0x1c->fflush(stdout)
	return(0)
	lookup+0xd4->fprintf(stderr, "rdist: line %d: %s\n", 1, \
		 "TestString redefined")
	return(36)
	main+0x444->mktemp("/tmp/rdistXXXXXX")
	return("/tmp/rdista004_m")
	main+0x4d8->fopen("distfile", "r")
	return((null))
	main+0x4fc->fopen("Distfile", "r")
	return((null))
	main+0x560->perror("distfile")
	return()
	main+0x568->exit(1)
	-----------------------------------------------------------------------

	At lookup+0xcc, sprintf() copies the user-supplied -d argument into
	a fixed-size buffer on the stack.  rdist does not check the length of
	that argument, so an overlong one overwrites the stack beyond the
	buffer.
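	As an added illustration (not code from the advisory or from rdist
	itself), the unbounded sprintf() pattern described above is shown next
	to a bounded replacement that reports when the message would not fit.
	The buffer size MSGBUF and the function names are assumptions; the
	advisory does not state the real buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the stack buffer used for the error message; the
 * advisory does not give the real value. */
#define MSGBUF 128

/* Vulnerable pattern, as described in DETAILS: sprintf() into a fixed
 * buffer with no comparison of strlen(name) against the buffer size.
 * Kept only for contrast with the bounded version below. */
void format_redefined_unsafe(char *out, const char *name)
{
    sprintf(out, "%s redefined", name);
}

/* Bounded form: snprintf() never writes more than outsz bytes and
 * returns the length the full message would have needed, so the caller
 * can tell whether it was truncated.  Returns 1 if the whole message
 * fit, 0 if it was cut short (or on a formatting error). */
int format_redefined_safe(char *out, size_t outsz, const char *name)
{
    int n = snprintf(out, outsz, "%s redefined", name);
    return (n >= 0 && (size_t)n < outsz);
}

/* Validate a -d name the way a fixed rdist could: accept it only if the
 * diagnostic built from it fits in the stack buffer. */
int define_name_ok(const char *name)
{
    char buf[MSGBUF];
    return format_redefined_safe(buf, sizeof buf, name);
}

int main(void)
{
    char longname[512];                       /* constructed input */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    printf("TestString fits: %d\n", define_name_ok("TestString")); /* 1 */
    printf("511-byte name fits: %d\n", define_name_ok(longname));  /* 0 */
    return 0;
}
```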

FIX:

	Use a version of rdist that does not require setuid root privileges.

	Obtain a patch from your vendor.

STATUS UPDATE:
 
        The file:
 
	[8lgm]-Advisory-26.UNIX.rdist.20-3-1996.README
 
        will be created on www.8lgm.org.  This will contain updates on 
        any further versions which are found to be vulnerable, and any
        other information received pertaining to this advisory.
 
-----------------------------------------------------------------------
 
FEEDBACK AND CONTACT INFORMATION:
 
        majordomo@8lgm.org      (Mailing list requests - try 'help'
                                 for details)
 
        8lgm@8lgm.org           (Everything else)
 
8LGM FILESERVER:
 
        All [8LGM] advisories may be obtained via the [8LGM] fileserver.
        For details, 'echo help | mail 8lgm-fileserver@8lgm.org'
 
8LGM WWW SERVER:
 
        [8LGM]'s web server can be reached at http://www.8lgm.org.
        This contains details of all 8LGM advisories and other useful
        information.
===========================================================================