Date: Fri, 2 May 2003 19:49:03 +0300
From: bt@...fi.lt
To: bugtraq@...urityfocus.com
Subject: HP-UX 11.0 /usr/bin/kermit


Hi!

There are many buffer overflows in kermit on HP-UX 11.0 . I am sure it is vulnerable in
other HP-UX versions, too, since "C-Kermit 6.0.192, 6 Sep 96, for HP-UX 10.00"
is installed in HP-UX 11.0 by default.

/usr/bin/kermit is setuid to bin and setgrp to daemon, so upon succesfull exploitation,
local user could get these priviledges.

Example of on simple buffer overflow in kermit :
$ /usr/bin/kermit -C "ask `perl -e 'print "A" x 120'`"
Executing /usr/share/lib/kermit/ckermit.ini for UNIX...
Good Evening.
Segmentation fault (core dumped)

There are more kermit commands that are unchecked of correct parameter length:
askq,define, assign, getc. Several of them use the same vulnerable function
"doask". I am SURE that these are not all vulnerabilities in kermit.

one more thing (I am not sure if it is exploitable,but anyway):
[/home/xxxxxxxxxx] C-Kermit>set alarm %:%:%
Floating point exception (core dumped)

Solution - take off setuid bits form /usr/bin/kermit.
 
In my opinion, patching kermit against these(and maybe many more) vulnerabilities is not
an option, since source of C-kermit 6.0.192 is publicly available, and it is very buggy.


I tried to contact security-alert@...com, but i got error message "Client host
rejected: Access denied" (spam?).

Bye,

bt@...fi.lt

<--------------------===========================-------------------->
Meiles zinutes sirdies damai ar riteriui: siusk MEILE numeriu 1325.
Jei siunti draugui, po zodzio MEILE nurodyk jo mob. telefono numeri.
Zinutes kaina 1 Lt.  http://sms.delfi.lt/

Powered by blists - more mailing lists