How is this different from what we disclosed? http://packetstorm.decepticons.org/advisories/misc/TRU64_advisory.txt -KF
David Endler wrote:

> iDEFENSE Security Advisory 09.18.2002
> Security Vulnerabilities in OSF1/Tru64 3.x
>
> DESCRIPTION
>
> Three buffer overflow vulnerabilities exist in older versions of
> Tru64/OSF1.
>
> ISSUE 1
>
> The uucp utility in Compaq's Tru64/OSF1 3.x operating system contains
> a locally exploitable buffer overflow which allows an attacker to
> gain root privileges if the "source" command line parameter is a
> string greater than approximately 8232 bytes in size. The executable
> is installed setuid root, which allows the attacker to cause arbitrary
> code to run in the context of the root user.
>
> Analysis: This issue is trivial to exploit; the parameter to the "-s"
> command line argument is stored in the heap area of memory, and an
> attacker can place shellcode in it for later execution. This
> eliminates the need for offset brute forcing; however, alignment
> appears to be an issue in this case.
>
> The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
> has assigned the identification number CAN-2002-1127 to this issue.
>
> This issue was exclusively disclosed to iDEFENSE by Euan Briggs
> ([EMAIL PROTECTED])
>
> ISSUE 2
>
> The inc mail incorporation utility in Compaq's OSF1 3.x operating
> system contains a locally exploitable buffer overflow which allows an
> attacker to gain root privileges if the "MH" environment variable
> contains a string greater than approximately 8192 bytes in size. The
> executable is installed setuid root, which allows the attacker to
> cause arbitrary code to run in the context of the root user.
>
> Analysis: This issue is trivial to exploit; the content of the "HOME"
> environment variable is stored in the heap area of memory, and an
> attacker can place shellcode in it for later execution. This
> eliminates the need for alignment and offset brute forcing.
>
> The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
> has assigned the identification number CAN-2002-1128 to this issue.
>
> This issue was exclusively disclosed to iDEFENSE by Euan Briggs
> ([EMAIL PROTECTED])
>
> ISSUE 3
>
> Description: The dxterm utility in Compaq's OSF1 3.x operating system
> contains a locally exploitable buffer overflow which allows an
> attacker to gain root privileges. The executable is installed setuid
> root, which allows the attacker to cause arbitrary code to run in the
> context of the root user.
>
> Analysis: This issue is trivial to exploit; the argument to the
> command line parameter "-xrm" is stored in the heap area of memory,
> and an attacker can place shellcode in it for later execution. This
> eliminates the need for alignment and offset brute forcing.
>
> The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
> has assigned the identification number CAN-2002-1129 to this issue.
>
> This vulnerability was exclusively disclosed to iDEFENSE by Euan
> Briggs ([EMAIL PROTECTED])
>
> DETECTION
>
> These issues were tested on OSF1 3.2 with working exploit code.
>
> WORKAROUND
>
> Remove the setuid bit from the binaries, which will, however, affect
> their functionality:
>
> $ chmod u-s /path.to/dxterm
> $ chmod u-s /path.to/inc
> $ chmod u-s /path.to/uucp
>
> VENDOR RESPONSE
>
> According to HP:
>
> "HP and Compaq have corrected the issues in subsequent releases of HP
> Tru64 UNIX. HP strongly recommends that OSF V3.* Customers update to
> a minimum of Tru64 UNIX V5.1 and apply all available patches.
>
> REPORT: To report a potential security vulnerability with any HP or
> Compaq supported product, send email to: [EMAIL PROTECTED]"
>
> DISCLOSURE TIMELINE
>
> August 16, 2002 - Disclosed to iDEFENSE
> September 6, 2002 - Disclosed to [EMAIL PROTECTED]
> September 6, 2002 - Disclosed to iDEFENSE clients
> September 6, 2002 - First human response from HP ([EMAIL PROTECTED])
> September 13, 2002 - Follow-up email from iDEFENSE to
> [EMAIL PROTECTED]
> September 16, 2002 - Official vendor response received from
> [EMAIL PROTECTED]
> September 18, 2002 - Public Disclosure
>
> http://www.idefense.com/contributor.html
>
> David Endler, CISSP
> Director, Technical Intelligence
> iDEFENSE, Inc.
> 14151 Newbrook Drive
> Suite 100
> Chantilly, VA 20151
> voice: 703-344-2632
> fax: 703-961-1071
>
> [EMAIL PROTECTED]
> www.idefense.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
