-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ******************** Netragard, L.L.C Advisory* *******************
Strategic Reconnaissance Team ------------------------------------------------ http://www.netragard.com -- "We make I.T. Safe." [Advisory Information] - ---------------------------------------------------------------------- Advisory ID : NETRAGARD-20060810 Advisory Contact : Adriel T. Desautels Credit : Undisclosed Product Name : libpthread Product Version : 5.1b Vendor Name : Hewlet Packard Type of Vulnerability : Local Root Compromise Effort : Very Difficult Operating System : Tru64 Other : Buffer Overflow [Product Description] - ---------------------------------------------------------------------- The pthread library (libpthread) provides interfaces for developing multi-threaded applications. [Technical Summary] - ---------------------------------------------------------------------- libpthread suffers from a buffer overflow vulnerability which may enable an attacker to execute arbitrary commands on the system. This vulnerability may potentially be exploited by a creating a specially crafted buffer and inserting it into the PTHREAD_CONFIG variable. [Technical Details] - ---------------------------------------------------------------------- libpthread reads in the PTHREAD_CONFIG environment variable. It may be possible to exploit libpthread on HP's tru64 by creating a specially crafted buffer. The details below do not contain the specially crafted buffer. Exploitation of this specific vulnerability is very difficult. ################################################################## # # Insert 273 A's (41) into the PTHREAD_CONFIG variable # ################################################################## OSF1 tru64 V5.1 2650 alpha bash-3.00# export PTHREAD_CONFIG=`perl -e 'print "A"x 273'` bash-3.00# newaliases Segmentation fault (core dumped) ################################################################## # # Insert 274 A's (41) into the PTHREAD_CONFIG variable # ################################################################## bash-3.00# export PTHREAD_CONFIG=`perl -e 'print "A"x 274'` bash-3.00# newaliases Unaligned access pid=15750 <newaliases> va=0x11fff00a4 pc=0x3ff805c8bf8 ra=0x3ff805c8bf8 inst=0xa4290040 Unaligned access pid=15750 <newaliases> va=0x11fff00bc pc=0x3ff805c8bfc ra=0x3ff805c8bf8 inst=0xa4490058 Unaligned access pid=15750 <newaliases> va=0x11fff008c pc=0x3ff805c8c48 ra=0x3ff805c8bf8 inst=0xa5090028 ################################################################## # # Run newaliases in gdb with the -q flag. # ################################################################## bash-3.00# gdb /tmp/newaliases -q (no debugging symbols found)...(gdb) r Starting program: /tmp/newaliases (no debugging symbols found)...(no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x3ff805c8bf8 in __putString () from /usr/shlib/libpthread.so ################################################################## # # Execute a back trace (bt) within gdb # ################################################################## (gdb) bt #0 0x3ff805c8bf8 in __putString () from /usr/shlib/libpthread.so #1 0x3ff805c8a78 in __putFormatEol () from /usr/shlib/libpthread.so #2 0x3ff805bc4f8 in __utlOptManage () from /usr/shlib/libpthread.so warning: Hit heuristic-fence-post without finding warning: enclosing function for address 0x4141414141414141 This warning occurs if you are debugging a function without any symbols (for example, in a stripped executable). In that case, you may wish to increase the size of the search with the `set heuristic-fence-post' command. Otherwise, you told GDB there was a function where there isn't one, or (more likely) you have encountered a bug in GDB. # # Execute Info Registers within gdb # (gdb) i r v0 0x226 550 t0 0x11fff9b3e 4831812414 t1 0x0 0 t2 0x2 2 t3 0x0 0 t4 0x3ffc0081a00 4396973300224 t5 0x40 64 t6 0x7fffffe6 2147483622 t7 0x19 25 s0 0x4141414141414141 4702111234474983745 s1 0x11fff9c90 4831812752 s2 0x11fff9c88 4831812744 s3 0x0 0 s4 0x0 0 s5 0x11fff9ad8 4831812312 fp 0x1 1 a0 0xbf 191 a1 0x11fff9918 4831811864 a2 0x11fff96b0 4831811248 a3 0x11fff9b34 4831812404 a4 0x0 0 a5 0x11fff9b30 4831812400 t8 0x11fff9931 4831811889 t9 0x62 98 t10 0x49 73 t11 0x1 1 ra 0x3ff805c8bf8 4395905092600 t12 0x3ff801c1380 4395900867456 at 0x41416469 1094804585 gp 0x3ffc01c0170 4396974604656 sp 0x11fff98b0 4831811760 zero 0x0 0 fpcr 0x0 0 pc 0x3ff805c8bf8 4395905092600 vfp 0x11fff9900 4831811840 frame 2 v0 0x226 550 t0 0x11fff9b3e 4831812414 t1 0x0 0 t2 0x2 2 t3 0x0 0 t4 0x3ffc0081a00 4396973300224 t5 0x11fff9a50 4831812176 t6 0x7fffffe6 2147483622 t7 0x19 25 s0 0x1 1 s1 0x11fff9c90 4831812752 s2 0x11fff9c88 4831812744 s3 0x0 0 s4 0x0 0 s5 0x11fff9ad8 4831812312 fp 0x1 1 ################################################################## # # The following registers, a0, a1, a2, a3, a4, a5, have been # overwritten with A's (0x41). # ################################################################## a0 0x4141414141414141 4702111234474983745 a1 0x4141414141414141 4702111234474983745 a2 0x4141414141414141 4702111234474983745 a3 0x4141414141414141 4702111234474983745 a4 0x4141414141414141 4702111234474983745 a5 0x4141414141414141 4702111234474983745 t8 0x11fff9931 4831811889 t9 0x62 98 t10 0x49 73 t11 0x1 1 ra 0x3ff805bc4f8 4395905041656 t12 0x3ff801c1380 4395900867456 at 0x41416469 1094804585 gp 0x3ffc01c0170 4396974604656 sp 0x11fff9a80 4831812224 zero 0x0 0 fpcr 0x0 0 pc 0x3ff805bc4f8 4395905041656 ################################################################## # # Other binaries which are linked agianst libpthread.so # will also segfault when the PTHREAD_CONFIG variable # is set to a large string of A's. The following is # a list of some of those binaries # ################################################################## /usr/sbin/mailq /usr/sbin/sendmail /usr/sbin/sendmail.v8.11.1 /usr/sbin/smtpd /usr/sbin/collect /usr/dt/bin/mailcv ################################################################## # # Sendmail Example. Loading sendmail core file with # the tru64 debugger. # ################################################################## bash-3.00# dbx ./sendmail core dbx version 5.1 Type 'help' for help. Core file created by program "sendmail" warning: ./sendmail has no symbol table -- very little is supported without it signal Segmentation fault at >*[__putString, 0x3ff805c8bf8] ldq t0, 64(s0) (dbx) where > 0 __putString(0x0, 0x0, 0x11fffbad8, 0x1, 0x11fffb918) [0x3ff805c8bf8] 1 __putFormatEol(0x4141414141414141, 0x4141414141414141, 0x4141414141414141, 0x4141414141414141, 0x4141414141414141) [0x3ff805c8a74] 2 __utlOptManage(0x30002800000, 0x26000, 0x3ff805c09c4, 0x3ffc01b8098, 0x3ff805c0a14) [0x3ff805bc4f4] ################################################################## # # Older versions are also vulnerable... # ################################################################## Older versions are also vulnerable... tru64.netragard> uname -a OSF1 tru64.netragard V5.0 910 alpha tru64.netragard> PTHREAD_CONFIG=`perl -e 'print "A"x 272'` tru64.netragard> export PTHREAD_CONFIG tru64.netragard> /usr/dt/bin/mailcv %PTHREAD_CONFIG keyword "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA" is not valid Memory fault Other binareis on 5.0 /usr/bin/ladebug [Proof of Concept] - ---------------------------------------------------------------------- Undislcosed [Vendor Status] - ---------------------------------------------------------------------- Vendor contacted patch released. [About Netragard] - ---------------------------------------------------------------------- Netragard offers specialized application, network security, and managed security services which enable its clients to take a proactive security stance. Each of our services is driven by security professionals who specialize in specific areas of Information Security. This specialized focus differentiates Netragard from the competition by enabling Netragard to produce deliverables which are the product of skilled security professionals and not the product of automated tools and scripts. [ For more information please visit http://www.netragard.com ] [Disclaimer] - ---------------------http://www.netragard.com------------------------- Netragard, L.L.C. assumes no liability for the use of the information provided in this advisory. This advisory was released in an effort to help the I.T. community protect themselves against a potentially dangerous security hole. This advisory is not an attempt to solicit business. <a href="http://www.netragard.com">http://www.netragard.com</a> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) iD8DBQFFU/c7Qwbn1P9Iaa0RAs+GAJ494WKCsHlPEFjsL1Zy+hQtpsGVRQCfSdUL eUqI/l8ML/I2/rKIDHvZ/k8= =h9zy -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/