SecurityTracker.com
SecurityTracker Archives

Category: Application (Generic) > Grpck
Vendors: [Multiple Authors/Vendors]
Grpck Group File Checking Utility Buffer Overflow May Let Local Users Gain Root Privileges on the System
SecurityTracker Alert ID: 1003087
SecurityTracker URL: http://securitytracker.com/id/1003087
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 2 2002
Impact: Execution of arbitrary code via local system, Root access via local system


Description:   A buffer overflow vulnerability was reported in the grpck group file checking utility. A local user can execute arbitrary code, possibly with root-level privileges.

The vulnerability is reportedly due to a strcpy() call that copies the first user-supplied command-line argument into another string without checking the length of the argument.

A demonstration exploit transcript is provided for IRIX and Red Hat:

IRIX:

# /usr/sbin/grpck `perl -e 'print "X"x3000'`
Segmentation Fault
#

Linux (redhat):

# /usr/sbin/grpck `perl -e 'print "X"x3000'`
Segmentation Fault (core dumped)
#

It is reported that this utility may be installed with set-user-ID (suid) root privileges on IRIX and on Red Hat Linux versions 6.x and prior.
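As an added illustration (not code from the advisory, from grpck or from any vendor), the defect described above is a fixed-size buffer filled by strcpy() from argv[1] with no length check. The C below shows a bounds-checked replacement and why plain strncpy(), the fix suggested in the source message, still needs an explicit terminator check; NAME_MAX_LEN, copy_arg_checked and try_padded_arg are assumed names and the buffer size is assumed, not the real grpck value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 256  /* assumed size for illustration; not grpck's real value */

/* Hardened replacement for the advisory's strcpy(dst, argv[1]) pattern:
 * reject an over-long argument instead of silently truncating it, and
 * always leave dst NUL-terminated. strncpy() alone does not terminate the
 * string when the source fills the buffer, so the length is checked first.
 * Returns 0 on success, -1 if src does not fit (dst is then empty). */
int copy_arg_checked(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    size_t len = strlen(src);
    if (len >= dst_size) {          /* no room for the terminating NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Mirrors the advisory's test input (perl -e 'print "X"x3000'): builds an
 * n-byte argument of 'X' and returns the checked copy's result, 0 if the
 * argument was accepted or -1 if it was rejected as too long. */
int try_padded_arg(size_t n) {
    char file[NAME_MAX_LEN];
    char *arg = malloc(n + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'X', n);
    arg[n] = '\0';
    int rc = copy_arg_checked(file, sizeof file, arg);
    free(arg);
    return rc;
}

int main(int argc, char **argv) {
    char file[NAME_MAX_LEN];
    const char *arg = argc > 1 ? argv[1] : "/etc/group";
    if (copy_arg_checked(file, sizeof file, arg) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", NAME_MAX_LEN - 1);
        return 1;
    }
    printf("checking %s\n", file);
    return 0;
}
```

Run with a 3000-byte argument the program exits with an error instead of overrunning the buffer; the same check applies to any fixed-size copy of attacker-controlled input in a setuid binary.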

Impact:   A local user can execute arbitrary code on the system. This code may run with root privileges on some operating systems.
Solution:   No solution was available at the time of this entry.
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Tested on SGI and Linux

Message History:   None.


Source Message Contents

Subject:  [VulnWatch] blackshell3: multiple pwck/grpck vulnerabilities



#####################################################
#--blackshell security advisory no3--#              #
#--IRIX grpck/pwck LOCAL exploit--#                 #
#--Linux grpck/pwck LOCAL exploit--#                #
#####################################################

########################
vendor details & history
########################

www.sgi.com
www.redhat.com

this is not OS specific

no history for this specific app

##################
details of exploit
##################

it seems as if this affects every single OS that uses
the *ck family for password authentication.
this is a classic buffer overflow of the binaries which
are located in the /usr/sbin/* dir.
they are both in the same family of applications
and both are susceptible to this which is just a
bad strcpy() call which copies the first arg passed
onto another string resulting in a sigsegv.

advanced details:
IRIX:
# /usr/sbin/pwck `perl -e 'print "X"x3000'`
Segmentation Fault
#

# /usr/sbin/grpck `perl -e 'print "X"x3000'`
Segmentation Fault
#

Linux (redhat):

# /usr/sbin/pwck `perl -e 'print "X"x3000'`
Segmentation Fault (core dumped)
#

# /usr/sbin/grpck `perl -e 'print "X"x3000'`
Segmentation Fault (core dumped)
#


we found one box had this suid as default on the irix test box
and we were told it comes as suid on redhat 6.* < prior.


###
fix
###

strcpy should be replaced with the bounds checking
strncpy().

####
note
####

this test was conducted on IRIX 6.5 box, and a redhat 7.2 box.
under no circumstances are we liable for any misuse of this
information

########
hi's to:
########

cr_, Markus@obsd blackshell dev team, #!blackshell
contributors and anyone who over the years has helped
us make us what we are.

#######
contact
#######

blackshell@hushmail.com


