Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
Network Queueing System (NQS) on Cray UNIX (UNICOS) Has Format String Error That Lets Local Users
|
|
SecurityTracker Alert ID: 1002854 |
|
SecurityTracker URL: http://securitytracker.com/id/1002854
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Nov 29 2001
|
Impact:
Execution of arbitrary code via local system, Root access via local system
|
|
|
Description:
A vulnerability was reported in the Network Queueing System (NQS) daemon running on all versions of Cray's UNIX Cray Operating System (UNICOS) and possibly on some other UNIX operating systems.
The NQS daemon, a batch job control processor for supercomputing environments, reportedly contains a format bug which allows an unprivileged local user to obtain root level access on the system.
A local user can create a batch with a name that contains special formatting characters and submit the job with qsub in a certain manner to cause the user-supplied batch job to be processed by an unsafe function. The qsub command submits a file that contains a shell script as a batch request to the Network Queuing System (NQS).
The author of the report notes that this vulnerability has been exploited successfully in a RISC environment, using ALPHA processors and that it may be easy to exploit on PowerPC and SPARC environments.
|
Impact:
A local user can obtain root level access on the system.
|
Solution:
No solution was available at the time of this entry.
|
Cause:
Input validation error
|
Underlying OS:
UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Tue, 27 Nov 2001 22:06:21 +0000
Subject: UNICOS LOCAL HOLE ALL VERSIONS
|
*********** CRAY UNICOS NQSD FORMAT BUG LOCAL ROOT COMPROMISE ALL VERSIONS
***********
MICKEY MOUSE HACKING SQUADRON ADVISORY #: 1
DISCLAIMER
----------
We are a collective group of security professionals who want to remain
nameless due to the various legal and corporate red tape which now surrounds
the issue of disclosure in today's IT security environments. However, due to
the fact that we have unsuccessfully been able to convince vendors to take
appropriate actions in fixing these gaping security holes, we have decided
to take the option of becoming nameless and releasing this advisory in such
a way. Due to the nature of many of the severe vulnerabilities we have
discovered, we will enclose only minimal details about the holes, and no
working exploit code.
BEGIN
-----
NATURE
------
Local root compromise of any UNICOS computer running the NQS daemon
VULNERABLE PLATFORMS/SOFTWARE
-----------------------------
All versions of cray's UNIX Cray Operating System running NQSD
Possibly NQSD running in IBM and Solaris environments as well.
SUCCESSFULLY TESTED ON
----------------------
Cray T3E running UNICOS/mk revision 2.0.5.54
HISTORY
-------
The NQS, or Network Queueing System, is a popular batch software processor
which is used to perform job control and leveraging in supercomputing
environments which require heavy symmetric multi processing. The controlling
daemon, which looks like it appears below
37152 ? 0:00 nqsdaemon
57415 ? 0:00 nqsdaemon
runs as root in order to properly schedule and timeslice batched process.
The Mickey Mouse Hacking Squadron has discovered a format bug vulnerbility
by which any unprivileged user on a system running NQS can gain root access.
This involves creating a batch with a name that contains special formatting
characters, which is processed by an unsafe function taking a variable
argument list. In order to exploit this vulnerability, the user must be able
to submit the job with qsub in such a way that it triggers this
vulnerability.
DESCRIPTION
The qsub command submits a file that contains a shell script as
a batch request to the Network Queuing System (NQS). For an
introduction to the use of NQS, see the Network Queuing System
(NQS)User's Guide, publication SG-2105.
This vulnerability has been exploited successfully by the MMHS in a RISC
environment, using ALPHA processors, in a way similar to bugs exploited
successfully on Digital UNIX by SeungHyun Seo, also posted to the Bugtraq
mailing list. The exploitation on vectorized processors, such as the Y-MP
series, has proved to be much more difficult, especially due to large 64 bit
addressing and a large number of NULL bytes in the process address space.
This should also prove easy to exploit on PowerPC and SPARC environments.
VENDOR STATUS
-------------
NO RESPONSE FROM CRAY!
REFERENCES
----------
1). "Format String Attack on alpha system" Seunghyun Seo (truefinder),
2001/09/24
http://cert.uni-stuttgart.de/archive/bugtraq/2001/09/msg00264.html
CONTACT
-------
We are looking for feedback and new members! EMAIL us with any concerns you
might have.
Note: We are not a blackhat organization, just a group of concerned
professionals!
MMSquadron@hotmail.com for any comments or suggestions!
GREETINGS
---------
Team TESO, Aleph1, M. Zalewski, Georgi, zen-parse, Simple Nomad, HERT,
GOBBLES
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
|
|
Go to the Top of This SecurityTracker Archive Page
|
