lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20030502164743.21546.qmail@dezdemonijus.delfi.lt>
Date: Fri, 2 May 2003 19:47:43 +0300
From: bt@...fi.lt
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.netsys.com
Subject: (no subject)


Hi!

There are many buffer overflows in kermit on HP-UX 11.0 . I am sure it is vulnerable in other HP-UX versions, too, since "C-Kermit 6.0.192, 6 Sep 96, for HP-UX 10.00" is installed in HP-UX 11.0 by default.

/usr/bin/kermit is setuid to bin and setgrp to daemon, so upon succesfull exploitation, local user could get these priviledges.

Example of on simple buffer overflow in kermit :
$ /usr/bin/kermit -C "ask `perl -e 'print "A" x 120'`"
Executing /usr/share/lib/kermit/ckermit.ini for UNIX...
Good Evening.
Segmentation fault (core dumped)

There are more kermit commands that are unchecked of correct parameter length: askq,define, assign, getc. Several of them use the same vulnerable function "doask". I am SURE that these are not all vulnerabilities in kermit.

one more thing (I am not sure if it is exploitable,but anyway):
[/home/xxxxxxxxxx] C-Kermit>set alarm %:%:%
Floating point exception (core dumped)

Solution - take off setuid bits form /usr/bin/kermit.
 
In my opinion, patching kermit against these(and maybe many more) vulnerabilities is not an option, since source of C-kermit 6.0.192 is publicly available, and it is very buggy. 

I tried to contact security-alert@...com, but i got error message "Client host rejected: Access denied" (spam?).

Bye,

bt@...fi.lt
<--------------------===========================-------------------->
Meiles zinutes sirdies damai ar riteriui: siusk MEILE numeriu 1325.
Jei siunti draugui, po zodzio MEILE nurodyk jo mob. telefono numeri.
Zinutes kaina 1 Lt.  http://sms.delfi.lt/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ