Message-ID: <3D88FBEF.3030204@snosoft.com>
From: dotslash at snosoft.com (KF)
Subject: iDEFENSE Security Advisory 09.18.2002: Security Vulnerabilities in OSF1/Tru64 3.

How is this different from what we disclosed?
http://packetstorm.decepticons.org/advisories/misc/TRU64_advisory.txt
-KF


David Endler wrote:

> iDEFENSE Security Advisory 09.18.2002
> Security Vulnerabilities in OSF1/Tru64 3.x
>
>
> DESCRIPTION
>
> Three buffer overflow vulnerabilities exist in older versions of
> Tru64/OSF1.  
>
> ISSUE 1
>
> The uucp utility in Compaq's Tru64/OSF1 3.x operating system contains
> a locally exploitable buffer overflow which allows an attacker to
> gain root privileges if the "source" command line parameter is a
> string greater than approximately 8232 bytes in size. The executable
> is installed setuid root which allows the attacker to cause arbitrary
> code to run in the context of the root user.  
>  
> Analysis: This issue is trivial to exploit; the parameter to the "-s"
> command line argument is stored in the heap area of memory, and an
> attacker can place shellcode in it for later execution. This
> eliminates the need for offset brute forcing, however alignment
> appears to be an issue in this case.
>
> The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
> has assigned the identification number CAN-2002-1127 to this issue.
>
> This issue was exclusively disclosed to iDEFENSE by Euan Briggs
> (euan_briggs@...nternet.com)
>  
>
>
> ISSUE 2
>
> The inc mail incorporation utility in Compaq's OSF1 3.x operating
> system contains a locally exploitable buffer overflow which allows an
> attacker to gain root privileges if the "MH" environment variable
> contains a string greater than approximately 8192 bytes in size. The
> executable is installed setuid root which allows the attacker to
> cause arbitrary code to run in the context of the root user.  
>  
> Analysis: This issue is trivial to exploit; the content of the "HOME"
> environment variable is stored in the heap area of memory, and an
> attacker can place shellcode in it for later execution. This
> eliminates the need for alignment and offset brute forcing.
>
> The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
> has assigned the identification number CAN-2002-1128 to this issue.
>
> This issue was exclusively disclosed to iDEFENSE by Euan Briggs
> (euan_briggs@...nternet.com)
>
>  
>
> ISSUE 3
>
> Description: The dxterm utility in Compaq's OSF1 3.x operating system
> contains a locally exploitable buffer overflow which allows an
> attacker to gain root privileges. The executable is installed setuid
> root which allows the attacker to cause arbitrary code to run in the
> context of the root user.  
>  
> Analysis: This issue is trivial to exploit; the argument to the
> command line parameter "-xrm" is stored in the heap area of memory,
> and an attacker can place shellcode in it for later execution. This
> eliminates the need for alignment and offset brute forcing.
>
> The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
> has assigned the identification number CAN-2002-1129 to this issue.
>
> This vulnerability was exclusively disclosed to iDEFENSE by Euan
> Briggs (euan_briggs@...nternet.com)
>
>
> DETECTION
>
> These issues were tested on OSF1 3.2 with working exploit code.
>
>
> WORKAROUND
>
> Remove the setuid bit from the binaries, which, however, affects their
> functionality:
>
> $ chmod u-s /path.to/dxterm
> $ chmod u-s /path.to/inc
> $ chmod u-s /path.to/uucp
>
>
> VENDOR RESPONSE
>
> According to HP:
>
> "HP and Compaq have corrected the issues in subsequent releases of HP
> Tru64 UNIX. HP strongly recommends that OSF V3.* Customers update to
> a minimum of Tru64 UNIX V5.1 and apply all available patches.
>
> REPORT: To report a potential security vulnerability with any HP or
> Compaq supported product, send email to: security-alert@...com"
>
>
> DISCLOSURE TIMELINE
>
> August 16, 2002 - Disclosed to iDEFENSE
> September 6, 2002 - Disclosed to security-alert@...com
> September 6, 2002 - Disclosed to iDEFENSE clients
> September 6, 2002 - First human response from HP (Rich.Boren@...com)
> September 13, 2002 - Follow-up email from iDEFENSE to
> Rich.Boren@...com
> September 16, 2002 - Official vendor response received from
> Rich.Boren@...com
> September 18, 2002 - Public Disclosure
>
>
>
> http://www.idefense.com/contributor.html
>
> David Endler, CISSP
> Director, Technical Intelligence
> iDEFENSE, Inc.
> 14151 Newbrook Drive
> Suite 100
> Chantilly, VA 20151
> voice: 703-344-2632
> fax: 703-961-1071
>
> dendler@...fense.com
> www.idefense.com
>
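An added audit helper for the WORKAROUND section above (example code, not part of the advisory or of either poster's message): it reports whether a binary still carries the setuid bit that `chmod u-s` removes, using only `ls -ld` so it also runs on an old OSF1/Tru64 host. The binary paths in the usage line are placeholders, not locations the advisory states.

```shell
#!/bin/sh
# Check whether a binary is still setuid root, i.e. whether the advisory's
# `chmod u-s` workaround has been applied.  Only `ls -ld` is used so the
# script works on OSF1/Tru64 as well as on modern Linux.

# Print one of: missing | setuid-root | setuid-other | clear
setuid_state() {
    path=$1
    [ -e "$path" ] || { echo missing; return 0; }
    # Mode string and owner are the 1st and 3rd fields of `ls -ld` output.
    set -- $(ls -ld "$path")
    mode=$1
    owner=$3
    # Character 4 of the mode string is 's' (or 'S' without x) when setuid is on.
    case "$mode" in
        ???[sS]*)
            if [ "$owner" = root ]; then echo setuid-root; else echo setuid-other; fi ;;
        *)
            echo clear ;;
    esac
}

# Report each path given and return 1 if any is still setuid root.
audit_advisory_binaries() {
    rc=0
    for p in "$@"; do
        state=$(setuid_state "$p")
        printf '%-30s %s\n' "$p" "$state"
        [ "$state" = setuid-root ] && rc=1
    done
    return $rc
}

# Example invocation; the paths are hypothetical placeholders, adjust them
# to where uucp, inc and dxterm are installed on the audited host:
# audit_advisory_binaries /usr/bin/uucp /usr/bin/inc /usr/bin/X11/dxterm
```

A non-zero exit from `audit_advisory_binaries` means at least one of the listed binaries still needs the workaround (or a vendor patch).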
