From proff  Thu Jul  4 11:58:48 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id LAA14448 for best-of-security; Thu, 4 Jul 1996 11:58:48 +1000
Received: from brimstone.netspace.org ([128.148.157.143]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id LAA13625 for <proff@SUBURBIA.NET>; Thu, 4 Jul 1996 11:30:52 +1000
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <24296-6615>; Wed, 3 Jul 1996 21:29:04 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id VAA22310; Wed, 3 Jul 1996 21:25:26 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with
          spool id 140822 for BUGTRAQ@NETSPACE.ORG; Wed, 3 Jul 1996 21:01:02
          -0400
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org
          (8.7/8.6.12) with SMTP id VAA20776 for <BUGTRAQ@NETSPACE.ORG>; Wed, 3
          Jul 1996 21:00:51 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from crimelab.com (crimelab.com [198.64.127.1]) by netspace.org
          (8.7/8.6.12) with ESMTP id SAA12058 for <bugtraq@netspace.org>; Wed,
          3 Jul 1996 18:56:35 -0400
Received: from tarsier.cv.nrao.edu (juphoff@tarsier.cv.nrao.edu
          [192.33.115.50]) by crimelab.com (8.7.1/8.6.4) with SMTP id QAA13804
          for <bugtraq@crimelab.com>; Wed, 3 Jul 1996 16:43:54 -0600 (MDT)
Received: (from juphoff@localhost) by tarsier.cv.nrao.edu (8.6.13/$Revision:
          2.9 $) id SAA30301; Wed, 3 Jul 1996 18:56:28 -0400
X-Quote-I-Like: "Debugging TeX is cool.  Really cool.  You just wont believe
                how vastly mindbogglingly cool it is.  I mean you may think
                Emacs blows your mind,
                but that's just peanuts to TeX." --Ralph Schleicher,
                "citing" Douglas Adams.
X-Mailer: VM 5.95 (beta); GNU Emacs 19.29.1
X-Attribution: Up
Approved-By:  Jeff Uphoff <juphoff@TARSIER.CV.NRAO.EDU>
Message-ID: <199607032256.SAA30301@tarsier.cv.nrao.edu>
Date: 	Wed, 3 Jul 1996 18:56:28 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
Sender: proff
From: Jeff Uphoff <juphoff@TARSIER.CV.NRAO.EDU>
Subject:      [8lgm]-Advisory-26.UNIX.rdist.20-3-1996 [Forwarded e-mail from
              Security Team]
X-To:         bugtraq@crimelab.com
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>

------- start of forwarded message (RFC 934 encapsulation) -------
From: "[8LGM] Security Team" <8lgm@8lgm.org>
To: 8lgm-advisories@8lgm.org
Subject: [8lgm]-Advisory-26.UNIX.rdist.20-3-1996
Date: Wed, 3 Jul 1996 21:25:58 +0100 (BST)

=============================================================================
 Virtual Domain Hosting Services provided by The FOURnet Information Network
              mail webserv@FOUR.net or see http://www.four.net
=============================================================================
             libC/Inside provided by Electris Software Limited
         mail electris@electris.com or see http://www.electris.com
=============================================================================

                  [8lgm]-Advisory-26.UNIX.rdist.20-3-1996

PROGRAM:

        rdist

VULNERABLE VERSIONS:

        Solaris 2.*
        SunOS 4.1.*
        Potentially all versions running setuid root.

DESCRIPTION:

        rdist creates an error message based on a user provided string,
        without checking bounds on the buffer used.  This buffer is
        on the stack, and can therefore be used to execute arbitrary
        instructions.

IMPACT:

        Local users can obtain superuser privileges.

EXPLOIT:

        A program was developed to verify this bug on a SunOS 4.1.3 machine,
        and succeeded in obtaining a shell running uid 0 from rdist.

DETAILS:

        Consider the following command, running as user bin.

        # rdist -d TestString -d TestString
        rdist: line 1: TestString redefined
        distfile: No such file or directory
        #

        Using libC/Inside, the following trace was obtained:-

        -----------------------------------------------------------------------
        libC/Inside Shared Library Tracing.  V1.0 (Solaris 2.5).
        Copyright (C) 1996, Electris Software Limited, All Rights Reserved.

                Tracing started Thu May  9 00:04:19 1996

                Pid is 18738
                Log file is /tmp/Inside.18738
                Log file descriptor is 3

                uid=2(bin) gid=2(bin) euid=0(root) groups=2(bin),3(sys)

                Program is rdist

        _start+0x30->atexit(call_fini)
        return(0)
        _start+0x3c->atexit(_fini)
        return(0)
        main+0x28->getuid()
        return(2)
        main+0x38->seteuid(2)
        return(0)
        main+0x5c->getuid()
        return(2)
        main+0x64->getpwuid(2)
        return((pw_name="bin", pw_passwd="x", pw_uid=2, pw_gid=2, pw_age="", \
        pw_comment="", pw_gecos="", pw_dir="/usr/bin", pw_shell=""))
        main+0xb0->strcpy(user, "bin")
        return("bin")
        main+0xc4->strcpy(homedir, "/usr/bin")
        return("/usr/bin")
        main+0xd4->gethostname(host, 32)
        return(0)
        (Arg 0 = "legless")
        main+0x10c->strcmp("-d", "-Server")
        return(17)
        define+0x30->strchr("TestString", '=')
        return((null))
        lookup+0x11c->malloc(16)
        return(0x33220)
        main+0x10c->strcmp("-d", "-Server")
        return(17)
        define+0x30->strchr("TestString", '=')
        return((null))
        lookup+0x88->strcmp("TestString", "TestString")
        return(0)
        lookup+0xcc->sprintf(0xeffff8a8, "%s redefined", "TestString")
        return(20)
                (Arg 0 = "TestString redefined")
        yyerror+0x1c->fflush(stdout)
        return(0)
        lookup+0xd4->fprintf(stderr, "rdist: line %d: %s\n", 1, \
                 "TestString redefined")
        return(36)
        main+0x444->mktemp("/tmp/rdistXXXXXX")
        return("/tmp/rdista004_m")
        main+0x4d8->fopen("distfile", "r")
        return((null))
        main+0x4fc->fopen("Distfile", "r")
        return((null))
        main+0x560->perror("distfile")
        return()
        main+0x568->exit(1)
        -----------------------------------------------------------------------

        At lookup+0xcc, sprintf() copies the string provided to an address
        on the stack.  rdist does not check the length of this string,
        so a large string would overwrite the stack.
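The trace points at an unbounded sprintf() at lookup+0xcc writing into a stack buffer. The C sketch below is an added illustration, not rdist's source or code from the advisory: it models the define()/lookup() path shown in the trace, formats the "%s redefined" message with a bounded snprintf() that rejects an over-long name instead of writing past the buffer, and provides a helper that computes how many bytes the original sprintf() would have written so the overflow condition can be checked without performing it. The buffer size (ERRBUF_SIZE), the variable table and the function names are constructed for this example; the advisory does not give rdist's real buffer size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed size for the fixed stack buffer that the trace shows
   sprintf() writing into at lookup+0xcc; the real size is not stated. */
#define ERRBUF_SIZE 64

/* Tiny stand-in for rdist's variable table (hypothetical). */
#define MAX_VARS 32
static char *vars[MAX_VARS];
static int nvars;

void vars_reset(void) {
    for (int i = 0; i < nvars; i++) free(vars[i]);
    nvars = 0;
}

/* Bytes that sprintf(buf, "%s redefined", name) writes, NUL included.
   Any value above ERRBUF_SIZE is the stack overwrite the advisory
   describes; here it is computed, never performed. */
size_t redefined_msg_len(const char *name) {
    return strlen(name) + strlen(" redefined") + 1;
}

/* Hardened counterpart of the define()/lookup() path in the trace.
   Returns 0 if name was newly defined, 1 if it was already defined
   (msg holds "<name> redefined"), -1 if that message would not fit in
   msg (a generic message is stored instead), -2 if the table is full. */
int define_var(const char *name, char *msg, size_t msgsz) {
    for (int i = 0; i < nvars; i++) {
        if (strcmp(vars[i], name) == 0) {
            int n = snprintf(msg, msgsz, "%s redefined", name);
            if (n < 0 || (size_t)n >= msgsz) {
                /* Would have overflowed: refuse to echo the input back. */
                snprintf(msg, msgsz, "variable redefined (name too long)");
                return -1;
            }
            return 1;
        }
    }
    if (nvars == MAX_VARS) return -2;
    size_t len = strlen(name) + 1;
    char *copy = malloc(len);
    if (copy == NULL) return -2;
    memcpy(copy, name, len);
    vars[nvars++] = copy;
    return 0;
}

int main(void) {
    char msg[ERRBUF_SIZE];

    /* Mirrors "rdist -d TestString -d TestString" from the advisory. */
    define_var("TestString", msg, sizeof msg);
    if (define_var("TestString", msg, sizeof msg) == 1)
        fprintf(stderr, "rdist: line %d: %s\n", 1, msg);

    /* Constructed over-long name: the unbounded version would need
       more bytes than the buffer holds; the bounded one refuses. */
    char longname[200];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("sprintf would write %zu bytes into a %d-byte buffer\n",
           redefined_msg_len(longname), ERRBUF_SIZE);
    define_var(longname, msg, sizeof msg);
    if (define_var(longname, msg, sizeof msg) == -1)
        fprintf(stderr, "rdist: line %d: %s\n", 1, msg);

    vars_reset();
    return 0;
}
```

The check on snprintf()'s return value is the part that matters: snprintf() bounds the write, but only the return value tells the caller the message was truncated, which is the signal to fall back to a fixed message rather than report a silently cut-off one.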

FIX:

        Use a version of rdist that does not require setuid root privileges.

        Obtain a patch from your vendor.

STATUS UPDATE:

        The file:

        [8lgm]-Advisory-26.UNIX.rdist.20-3-1996.README

        will be created on www.8lgm.org.  This will contain updates on
        any further versions which are found to be vulnerable, and any
        other information received pertaining to this advisory.

- -----------------------------------------------------------------------

FEEDBACK AND CONTACT INFORMATION:

        majordomo@8lgm.org      (Mailing list requests - try 'help'
                                 for details)

        8lgm@8lgm.org           (Everything else)

8LGM FILESERVER:

        All [8LGM] advisories may be obtained via the [8LGM] fileserver.
        For details, 'echo help | mail 8lgm-fileserver@8lgm.org'

8LGM WWW SERVER:

        [8LGM]'s web server can be reached at http://www.8lgm.org.
        This contains details of all 8LGM advisories and other useful
        information.
===========================================================================


- --
- -----------------------------------------------------------------------
$ echo help | mail 8lgm-fileserver@8lgm.org  (Fileserver help)
majordomo@8lgm.org                           (Request to be added to list)
8lgm@8lgm.org                                (General enquiries)
******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********
[8LGM] uses libC/Inside - the world's leading security analysis tool
   now available to the public. Visit http://www.electris.com
------- end -------

