
8lgm-26.txt

Posted Sep 23, 1999


SHA-256 | 2c543b15710c117b80f44977ce511a786392a57003cadc37dcdf4bedf102465f


From 8lgm@8lgm.org Wed Jul 3 22:00:48 1996
Date: Wed, 3 Jul 1996 21:25:58 +0100 (BST)
From: "[8LGM] Security Team" <8lgm@8lgm.org>
To: 8lgm-advisories@8lgm.org
Subject: [8lgm]-Advisory-26.UNIX.rdist.20-3-1996

=============================================================================
Virtual Domain Hosting Services provided by The FOURnet Information Network
mail webserv@FOUR.net or see http://www.four.net
=============================================================================
libC/Inside provided by Electris Software Limited
mail electris@electris.com or see http://www.electris.com
=============================================================================

[8lgm]-Advisory-26.UNIX.rdist.20-3-1996

PROGRAM:

rdist

VULNERABLE VERSIONS:

Solaris 2.*
SunOS 4.1.*
Potentially all versions running setuid root.

DESCRIPTION:

rdist creates an error message based on a user provided string,
without checking bounds on the buffer used. This buffer is
on the stack, and can therefore be used to execute arbitrary
instructions.

IMPACT:

Local users can obtain superuser privileges.

EXPLOIT:

A program was developed to verify this bug on a SunOS 4.1.3 machine,
and succeeded in obtaining a shell running uid 0 from rdist.

DETAILS:

Consider the following command, running as user bin.

# rdist -d TestString -d TestString
rdist: line 1: TestString redefined
distfile: No such file or directory
#

Using libC/Inside, the following trace was obtained:-

-----------------------------------------------------------------------
libC/Inside Shared Library Tracing. V1.0 (Solaris 2.5).
Copyright (C) 1996, Electris Software Limited, All Rights Reserved.

Tracing started Thu May 9 00:04:19 1996

Pid is 18738
Log file is /tmp/Inside.18738
Log file descriptor is 3

uid=2(bin) gid=2(bin) euid=0(root) groups=2(bin),3(sys)

Program is rdist

_start+0x30->atexit(call_fini)
return(0)
_start+0x3c->atexit(_fini)
return(0)
main+0x28->getuid()
return(2)
main+0x38->seteuid(2)
return(0)
main+0x5c->getuid()
return(2)
main+0x64->getpwuid(2)
return((pw_name="bin", pw_passwd="x", pw_uid=2, pw_gid=2, pw_age="", \
pw_comment="", pw_gecos="", pw_dir="/usr/bin", pw_shell=""))
main+0xb0->strcpy(user, "bin")
return("bin")
main+0xc4->strcpy(homedir, "/usr/bin")
return("/usr/bin")
main+0xd4->gethostname(host, 32)
return(0)
(Arg 0 = "legless")
main+0x10c->strcmp("-d", "-Server")
return(17)
define+0x30->strchr("TestString", '=')
return((null))
lookup+0x11c->malloc(16)
return(0x33220)
main+0x10c->strcmp("-d", "-Server")
return(17)
define+0x30->strchr("TestString", '=')
return((null))
lookup+0x88->strcmp("TestString", "TestString")
return(0)
lookup+0xcc->sprintf(0xeffff8a8, "%s redefined", "TestString")
return(20)
(Arg 0 = "TestString redefined")
yyerror+0x1c->fflush(stdout)
return(0)
lookup+0xd4->fprintf(stderr, "rdist: line %d: %s\n", 1, \
"TestString redefined")
return(36)
main+0x444->mktemp("/tmp/rdistXXXXXX")
return("/tmp/rdista004_m")
main+0x4d8->fopen("distfile", "r")
return((null))
main+0x4fc->fopen("Distfile", "r")
return((null))
main+0x560->perror("distfile")
return()
main+0x568->exit(1)
-----------------------------------------------------------------------

At lookup+0xcc, sprintf() formats the user-supplied string into a
fixed-size buffer on the stack. rdist does not check the length of this
string, so a sufficiently long string overflows the buffer and overwrites
the stack.
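The pattern the trace exposes at lookup+0xcc, shown here as an added illustration beside a bounded replacement with an explicit truncation check. This is not the advisory's or rdist's own code; ERRBUF, the function names and the constructed 'A' input are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* ERRBUF is an assumed size; the advisory gives no figure for rdist's buffer. */
#define ERRBUF 256

/* Bytes the unbounded sprintf("%s redefined", name) writes, excluding the NUL.
 * For "TestString" this is 20, the value the trace shows sprintf() returning. */
size_t redefined_msg_len(const char *name) {
    return strlen(name) + strlen(" redefined");
}

/* Would the original sprintf() call overrun a stack buffer of `cap` bytes? */
int would_overflow(const char *name, size_t cap) {
    return redefined_msg_len(name) + 1 > cap;
}

/* Hardened replacement (assumed name): bounded write plus an explicit
 * truncation check. Returns 0 on success, -1 if the message did not fit. */
int yyerror_redefined(char *buf, size_t cap, const char *name) {
    int n = snprintf(buf, cap, "%s redefined", name);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/* Format into a local buffer limited to `cap` bytes (at most ERRBUF) and
 * return the message length, or -1 when truncation was detected. */
int format_checked(const char *name, size_t cap) {
    char buf[ERRBUF];
    if (cap > sizeof buf) cap = sizeof buf;
    return yyerror_redefined(buf, cap, name) == 0 ? (int)strlen(buf) : -1;
}

/* Constructed input: a name of `len` 'A' characters (capped at 1023). */
const char *long_name(size_t len) {
    static char s[1024];
    if (len >= sizeof s) len = sizeof s - 1;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void) {
    printf("TestString: overflow=%d checked=%d\n",
           would_overflow("TestString", ERRBUF), format_checked("TestString", ERRBUF));
    printf("600 x 'A': overflow=%d checked=%d\n",
           would_overflow(long_name(600), ERRBUF), format_checked(long_name(600), ERRBUF));
    return 0;
}
```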

FIX:

Use a version of rdist that does not require setuid root privileges.

Obtain a patch from your vendor.

STATUS UPDATE:

The file:

[8lgm]-Advisory-26.UNIX.rdist.20-3-1996.README

will be created on www.8lgm.org. This will contain updates on
any further versions which are found to be vulnerable, and any
other information received pertaining to this advisory.

-----------------------------------------------------------------------

FEEDBACK AND CONTACT INFORMATION:

majordomo@8lgm.org (Mailing list requests - try 'help'
for details)

8lgm@8lgm.org (Everything else)

8LGM FILESERVER:

All [8LGM] advisories may be obtained via the [8LGM] fileserver.
For details, 'echo help | mail 8lgm-fileserver@8lgm.org'

8LGM WWW SERVER:

[8LGM]'s web server can be reached at http://www.8lgm.org.
This contains details of all 8LGM advisories and other useful
information.
===========================================================================


--
-----------------------------------------------------------------------
$ echo help | mail 8lgm-fileserver@8lgm.org (Fileserver help)
majordomo@8lgm.org (Request to be added to list)
8lgm@8lgm.org (General enquiries)
******* VISIT 8LGM ON THE WORLD WIDE WEB: http://www.8lgm.org ********
[8LGM] uses libC/Inside - the world's leading security analysis tool
now available to the public. Visit http://www.electris.com