HP-UX Samba Common Internet File System (CIFS) Client Buffer Overflow May Let Local Users Obtain Elevated Privileges on the System
SecurityTracker Alert ID: 1004624
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 25 2002
Impact: Execution of arbitrary code via local system, Root access via local system
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): HP CIFS/9000
Description: A buffer overflow was reported in HP's 'cifslogin' Samba Common Internet File System (CIFS) client software. A local user may be able to obtain elevated privileges on the system.

SecuriTeam reported that there is a buffer overflow vulnerability in the version of 'cifslogin' provided with HP-UX that allows a local user to execute arbitrary code with root privileges.

According to the report, a local user can supply specially crafted data with a command line parameter (-U, -D, -P, -S, -N, -u) to trigger the buffer overflow. Because the utility is installed with the set user id (suid) root bit, the arbitrary code runs with root privileges, giving the local user root access on the system.

A local user can reportedly provide an overlong filename (longer than 10000 bytes) using the '-P' command line parameter to overflow a dynamically allocated buffer. The overflow corrupts the boundary data of the adjacent heap chunk, so that subsequent malloc()/free() operations on that chunk can be abused to write to arbitrary memory addresses (e.g., a saved return address or function pointer) and execute arbitrary code.

A demonstration exploit transcript is provided:

$ id
uid=110(alex) gid=102(informix)
$ uname -a
HP-UX Lab02 B.11.11 U 9000/800 1613339393 unlimited-user license
$ ls -la /opt/cifsclient/bin/cifslogin
-rwsr-xr-x 1 root users 53248 Mar 28 2001 /opt/cifsclient/bin/cifslogin
$ /opt/cifsclient/bin/cifslogin -P `perl -e '{print "A"x10000}'`
Memory fault

SecuriTeam credits Alex Hernandez <alex_hernandez@ureach.com> with reporting this flaw.
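The bug class described above, an option value copied from the command line into a fixed-size heap buffer with no length check, shown beside a bounds-checked version, as an added C example that is not code from HP's cifslogin or from the SecuriTeam report. The buffer size OPT_MAX, the function names, and the minimal "-P" parser are assumptions for illustration; the real client's buffer layout is not known from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from HP's CIFS client or the SecuriTeam report.
 * OPT_MAX and the function names below are assumptions for illustration. */

#define OPT_MAX 256  /* assumed capacity of the heap buffer */

/* Vulnerable pattern: strcpy() trusts the length of the caller-supplied
 * argument.  An argument longer than OPT_MAX writes past the end of the
 * malloc()'d block into whatever follows it on the heap, including the
 * allocator's chunk metadata that the advisory describes being corrupted. */
char *copy_option_unchecked(const char *arg)
{
    char *buf = malloc(OPT_MAX);
    if (buf == NULL)
        return NULL;
    strcpy(buf, arg);          /* no bounds check: heap overflow on long input */
    return buf;
}

/* Hardened form: find the terminating NUL within the buffer's capacity
 * before copying, and refuse anything that would not fit. */
char *copy_option_checked(const char *arg)
{
    const char *end = memchr(arg, '\0', OPT_MAX);
    if (end == NULL)
        return NULL;           /* no NUL within OPT_MAX bytes: too long, reject */
    size_t len = (size_t)(end - arg);
    char *buf = malloc(OPT_MAX);
    if (buf == NULL)
        return NULL;
    memcpy(buf, arg, len + 1); /* exactly len bytes plus the NUL */
    return buf;
}

/* Parses a minimal "-P <value>" option list the way a setuid tool might.
 * Returns 0 on success with *out set, -1 on a missing or oversized value. */
int parse_password_option(int argc, char **argv, char **out)
{
    *out = NULL;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-P") == 0) {
            if (i + 1 >= argc)
                return -1;     /* -P with no value */
            *out = copy_option_checked(argv[i + 1]);
            return (*out != NULL) ? 0 : -1;
        }
    }
    return -1;                 /* no -P option given */
}

int main(int argc, char **argv)
{
    char *pw;
    if (parse_password_option(argc, argv, &pw) != 0) {
        fprintf(stderr, "usage: %s -P <value> (shorter than %d bytes)\n",
                argv[0], OPT_MAX);
        return 1;
    }
    printf("accepted %zu-byte value\n", strlen(pw));
    free(pw);
    return 0;
}
```

Run as `./a.out -P secret` to see a short value accepted; a 10000-byte value is rejected with the usage message instead of corrupting the heap. The checked version fails closed: any argument without a NUL in its first OPT_MAX bytes is refused before any allocation happens.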
Impact: A local user can execute arbitrary code with root privileges to gain root access on the system.

Solution: HP has reportedly released a patch (PHNE_24164) to correct this flaw. Also, the author of the report has provided the following workaround:

Temporarily remove the suid root or sgid root attribute of cifslogin:
# chmod a-s /opt/cifsclient/bin/cifslogin

[Editor's note: According to our database (in Alert #1002215), the HP patch PHNE_24164 that is mentioned in this report was also previously referenced in HP Security Bulletin #0155, 27 June '01, as a fix for a vulnerability where HP reported that "arbitrary files and devices can be overwritten." In that Bulletin, HP stated that "local HP-UX users must intentionally modify certain CIFS/9000 Server resources" to exploit the flaw and that the "problem only occurs during printing operations." The current report from SecuriTeam (and Alex Hernandez) seems to describe the problem in a different manner. It is not clear whether the two problems are the same or not. Even so, HP reportedly indicates that the patch will solve both reported issues.]
Vendor URL: www.hp.com/
Cause: Boundary error
Underlying OS: UNIX (HP/UX)
Reported By: support@securiteam.com

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents
Date: Mon, 24 Jun 2002 05:09:02 -0400
From: support@securiteam.com
Subject: [UNIX] Sharity Cifslogin Buffer Overflow (Arguments)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Sharity Cifslogin Buffer Overflow (Arguments)
------------------------------------------------------------------------
SUMMARY
<http://www.obdev.at/Products/Sharity.html> Sharity is a software package
that runs on UNIX machines and allows you to mount shares exported by
Windows (NT, 95, for Workgroups, etc.), OS/2, samba etc. in your
filesystem. It is NOT an ftp-like client like the smbclient program
distributed with Samba; it really mounts the shares in your filesystem just
as NFS does. Since the major release 2, Sharity supports browsing (like
the Windows "Network Neighborhood") and has a GUI for dialogs and for the
configuration. A security vulnerability in HP's provided version allows
attackers to gain elevated privileges by overflowing an internal buffer.
DETAILS
A security vulnerability in the product allows local users to overflow one
of the parameters (-U, -D, -P, -S, -N, -u,) and cause the application to
execute arbitrary code. Since the program is setuid root, elevated
privileges can be gained.
If the attacker provides an overlong filename (for example, longer than
10000 bytes) for a parameter such as "-P", it would overflow a
dynamically allocated buffer. The attacker could modify arbitrary memory
addresses (such as the saved return address, a function pointer, etc.) with
some features of the malloc()/free() implementation by overwriting the
boundary data structure of the next dynamic memory chunk.
Example:
$ id
uid=110(alex) gid=102(informix)
$ uname -a
HP-UX Lab02 B.11.11 U 9000/800 1613339393 unlimited-user license
$ ls -la /opt/cifsclient/bin/cifslogin
-rwsr-xr-x 1 root users 53248 Mar 28 2001 /opt/cifsclient/bin/cifslogin
$ /opt/cifsclient/bin/cifslogin -P `perl -e '{print "A"x10000}'`
Memory fault
Workaround:
Temporarily remove the suid root or sgid root attribute of cifslogin:
# chmod a-s /opt/cifsclient/bin/cifslogin
Solution:
Apply the patch that fixes "CIFS/9000 Server (SAMBA) allows malicious local
users to overwrite arbitrary files and devices", patch number PHNE_24164.
Vendor status:
Contact information:
e-mail: sharity@obdev.at
www: http://www.obdev.at/
Author: Christian Starkjohann <cs@obdev.at>
Response:
Date Sat, 15 June 2002 8:54:01am
From Sharity Support <sharity-support@obdev.at>
To <alex_hernandez@ureach.com>
The /opt/cifsclient/bin/cifslogin program is NOT part of Sharity. This is
HP's CIFS client. HP has based this client on an old version of Sharity
that they have licensed.
I will forward your report to the people at HP who are responsible for
this software. I will give credits to you, of course.
Thanks for reporting this problem!
Regards, Christian.
---
Sharity Support, Objective Development.
sharity-support@obdev.at
Contact information:
security-alert@hp.com
secure@hpchs.cup.hp.com
Response:
Date Mon, 17 June 2002 2:40:18pm
From HP S/W Security Team <secure@hpchs.cup.hp.com>
To alex_hernandez@ureach.com
Hello Mr. Hernandez,
Please read it, retrieve the patch, and apply it to your Lab02 11.11
installation. The patch can be retrieved *without* a support contract by
registering with itrc.hp.com. (Registration is for simplified mailing list
maintenance on our part. Without that - no patches can be retrieved.)
Yours Truly,
WTEC
HP S/W Security Team.
--
ADDITIONAL INFORMATION
The information has been provided by <mailto:alex_hernandez@ureach.com>
Alex Hernandez.