SecurityTracker.com Archives

Category:   Application (Generic)  >   Traffic Edge Vendors:   Inktomi
Inktomi Traffic Edge Caching Server Buffer Overflow Lets Local Users Execute Arbitrary Code with Root Privileges
SecurityTracker Alert ID:  1004691
SecurityTracker URL:  http://securitytracker.com/id/1004691
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 3 2002
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Traffic Edge 1.1.2, 1.5.0
Description:   A buffer overflow vulnerability was reported in Inktomi's Traffic Edge caching software. A local user can obtain root access on the system.

CORE SECURITY TECHNOLOGIES issued an advisory warning of a vulnerability in the traffic_manager that can be triggered by a local user.

According to the report, the traffic_manager executable is configured with set user id (suid) root privileges in a default installation. A local user can pass a long command line argument to traffic_manager to cause arbitrary code to be executed with root level privileges, giving the local user root access on the host.

It is reported that the overflow can be triggered with a string longer than 1700 bytes passed as the argument to the -path option. CORE SDI has confirmed that the vulnerability is exploitable on Solaris. In the truss output below, the faulting address 0x41414149 is the 'A' fill value 0x41414141 plus 8: on SPARC a function returns through %i7 + 8, so the saved return address itself has been overwritten with attacker-controlled bytes, which is what turns the crash into a code-execution primitive rather than a plain denial of service.

The flaw in traffic_manager reportedly affects all current and previous versions of Inktomi Traffic Server, Traffic Edge, and Media-IXT.

A demonstration exploit transcript is provided:

/inktomi/5.1.3/bin# ./traffic_manager -path `perl -e 'print "A"x1720'` <
[TrafficManager] ==> Kernel Sig 11; Reason: 1
[TrafficManager] ==> Cleaning up and reissuing signal #11
Abort(coredump)

truss output:
open64("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA", O_RDONLY) Err#78 ENAMETOOLONG
fstat(3, 0xFFBEC130)                            = 0
time()                                          = 1024660377
getpid()                                        = 27458 [27457]
putmsg(3, 0xFFBEB7E8, 0xFFBEB7DC, 0)            = 0
open("/var/run/syslog_door", O_RDONLY)          Err#2 ENOENT
    Incurred fault #5, FLTACCESS  %pc = 0xFF0CF2E0
      siginfo: SIGBUS BUS_ADRALN addr=0x41414149
    Received signal #10, SIGBUS [caught]
      siginfo: SIGBUS BUS_ADRALN addr=0x41414149
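The failure mode shown in the transcript, as an added illustration that is neither Inktomi's code nor CORE's exploit: a C model of the unbounded copy of the -path argument into a fixed stack buffer, beside a bounded replacement that refuses over-long input with the same ENAMETOOLONG the kernel returned for the open64() call. The buffer size of 1700, the function names and the small argv scanner are assumptions; the advisory only states that an argument longer than 1700 bytes overflows, and traffic_manager's source is not on this page. The same example serves the technical description in the CORE advisory reproduced below.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size: the advisory states only that a "-path" argument
   longer than 1700 bytes overflows, so 1700 is a modelling assumption. */
#define PATH_BUF_SIZE 1700

/* The pattern the advisory describes: the argument is copied into a
   fixed-size stack buffer with no length check.  A 1720-byte argument
   runs past the buffer into the saved registers and return address
   (the 0x41414141 seen in the truss output).  Shown for contrast only;
   never call it with untrusted input. */
size_t set_path_unsafe(const char *arg)
{
    char path[PATH_BUF_SIZE];
    strcpy(path, arg);               /* unbounded copy: the bug */
    return strlen(path);
}

/* Bounded replacement: measure with strnlen() so an oversized argument is
   never read past the limit, refuse it with ENAMETOOLONG, and only then
   copy.  Returns 0 on success, -1 with errno set otherwise. */
int set_path_checked(const char *arg, char *out, size_t outsz)
{
    size_t n;

    if (arg == NULL || out == NULL || outsz == 0) {
        errno = EINVAL;
        return -1;
    }
    n = strnlen(arg, outsz);
    if (n >= outsz) {                /* no room for the terminating NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, arg, n + 1);
    return 0;
}

/* Minimal argv scan for "-path <dir>", the form in which traffic_manager
   is invoked.  Returns 0 on success, -1 (errno set) when the option is
   missing, has no value, or the value does not fit. */
int parse_path_option(int argc, char **argv, char *out, size_t outsz)
{
    int i;

    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-path") == 0) {
            if (i + 1 >= argc) {
                errno = EINVAL;
                return -1;
            }
            return set_path_checked(argv[i + 1], out, outsz);
        }
    }
    errno = ENOENT;
    return -1;
}

/* Builds the advisory's test string: n bytes of 'A', NUL-terminated.
   The caller frees the result. */
char *make_fill(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char path[PATH_BUF_SIZE];
    char *fill = make_fill(1720);    /* same length as in the advisory */
    char *argv_long[] = { "traffic_manager", "-path", fill, NULL };
    char *argv_ok[]   = { "traffic_manager", "-path", "/inktomi/5.1.3", NULL };

    if (parse_path_option(3, argv_long, path, sizeof path) < 0)
        printf("1720-byte -path rejected: %s\n", strerror(errno));
    if (parse_path_option(3, argv_ok, path, sizeof path) == 0)
        printf("-path accepted: %s\n", path);
    free(fill);
    return 0;
}
```

The point of the bounded version is the order of operations: length is established against the destination's size before any byte is written, so no argument length can reach the saved frame, whatever the setuid status of the binary.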

Impact:   A local user can execute arbitrary code with root privileges to gain root access on the system.
Solution:   The vendor reportedly plans to fix the vulnerability in all future maintenance releases of Traffic Server, Media-IXT, and Traffic Edge.

As a workaround, remove the suid bit from the traffic_manager executable. According to the advisory, the proxy will not be able to directly serve 'privileged' port numbers less than 1024 when the suid bit is removed.

Some proxy configurations will reportedly also require changes to the ARM rules in config/ipnat.conf.

CORE SDI indicates that Inktomi has released a note, available at:

http://support.inktomi.com/kb/070202-003.html

[Editor's note: At the time of this entry, the above referenced Inktomi KB article was not available on Inktomi's web site.]

Contact emailsupport@inktomi.com for assistance.
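The workaround above, as an added check that is not part of the original page or of Inktomi's product: a small C program that reports whether a binary is still installed set-user-ID root (the combination the advisory's install.sh excerpt creates with chown root and chmod 4755) and clears the bit the way chmod u-s would, leaving the other permission bits alone. The function names, the scratch-file helper used for a self-contained run, and the default path /inktomi/5.1.3/bin/traffic_manager (taken from the working directory in the transcript) are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the file has the set-user-ID bit, 0 if not, -1 on stat() error. */
int has_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Returns 1 if the file is set-user-ID *and* owned by root, i.e. the
   combination that lets any local user's argv reach root-privileged code.
   0 otherwise, -1 on stat() error. */
int is_setuid_root(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return ((st.st_mode & S_ISUID) && st.st_uid == 0) ? 1 : 0;
}

/* The advisory's workaround: clear only the set-user-ID bit (chmod u-s).
   Returns 0 on success or if the bit was already clear, -1 on error. */
int strip_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!(st.st_mode & S_ISUID))
        return 0;                                 /* nothing to do */
    return chmod(path, (st.st_mode & 07777) & ~S_ISUID);
}

/* Helper for a self-contained run (assumed, not from the page): creates a
   scratch file and marks it 4755 the way install.sh marks traffic_manager.
   Returns the path (caller unlinks and frees) or NULL on failure. */
char *make_setuid_scratch(void)
{
    static const char tmpl[] = "/tmp/tm_suid_XXXXXX";
    char *path = malloc(sizeof tmpl);
    int fd;

    if (path == NULL)
        return NULL;
    memcpy(path, tmpl, sizeof tmpl);
    fd = mkstemp(path);
    if (fd < 0) {
        free(path);
        return NULL;
    }
    close(fd);
    if (chmod(path, S_ISUID | 0755) != 0) {
        unlink(path);
        free(path);
        return NULL;
    }
    return path;
}

int main(int argc, char **argv)
{
    /* Assumed default; pass the real install path as the first argument. */
    const char *target = argc > 1 ? argv[1] : "/inktomi/5.1.3/bin/traffic_manager";
    int r = is_setuid_root(target);

    if (r < 0) {
        printf("%s: %s\n", target, strerror(errno));
        return 1;
    }
    printf("%s: %s\n", target,
           r ? "setuid root (vulnerable configuration)" : "not setuid root");
    return 0;
}
```

Run it against the installed binary before and after applying the workaround; it is the check that confirms the suid bit is actually gone, which a reinstall or a later maintenance release running install.sh again could silently restore.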

Vendor URL:  www.inktomi.com/products/cns/traffic_edge.html
Cause:   Boundary error
Underlying OS:  Linux (Red Hat Linux), UNIX (Solaris - SunOS), Windows (2000)
Underlying OS Comments:  Confirmed on Solaris

Message History:   None.


 Source Message Contents

Subject:  CORE-20020620: Inktomi Traffic Server Buffer Overflow



          CORE SECURITY TECHNOLOGIES
                   http://www.corest.com

                      Vulnerability Report For
                        Inktomi Traffic Server


Date Published: 2002-07-02

Advisory ID: CORE-20020620

Bugtraq ID: 5098

CVE CAN: None currently assigned.

Title: Inktomi Traffic Server traffic_manager local overflow.

Class: Boundary error condition (buffer overflow)

Remotely Exploitable: NO

Locally Exploitable: Yes

Vendors contacted:

 Inktomi Corporation (INKT)
 . Initial email sent: 2002-06-21
 . Acknowledged reception of initial contact: 2002-06-24
 . Official response and fix information: 2002-07-01

Release mode: COORDINATED RELEASE

*Vulnerability Description*

Inktomi's  Traffic Server product provides transparent web caching,
access control and content filtering. It is available for Linux, Solaris
and Windows platforms. A vulnerability that could allow a local attacker to
gain root access has been discovered in the unix version of the software.


Problem: Buffer overflow in traffic_manager executable

The traffic_manager executable is used to manage Traffic Server,
it is installed setuid-root by default under the [installpath]/bin
directory.
When traffic_manager is executed with a long command line argument,
a buffer overflow occurs.
This vulnerability can be exploited locally to gain root access.

A local exploit module is available for CORE IMPACT customers in
the July 2002 update pack.

*Vulnerable Packages/Systems*

The local root vulnerability in traffic_manager exists
in all current and previous revisions of Inktomi Traffic Server,
Traffic Edge and Media-IXT.

 Current product revisions are:
  Media-IXT 3.0.4
  Traffic Server / Media-IXT 4.0.18
  Traffic Server / Media-IXT 4.0.20
  Traffic Server / Media-IXT 5.1.3
  Traffic Server / Media-IXT 5.2.0-R
  Traffic Server / Media-IXT 5.2.1
  Traffic Server / Media-IXT 5.2.2
  Traffic Edge 1.1.2 (Traffic Server 5.2.1)
  Traffic Edge 1.5.0 (Traffic Server 5.5)

*Solution/Vendor Information/Workaround*

The buffer overflow error in the "-path" option of the
traffic_manager command will be corrected to remove the
vulnerability in all future maintenance releases of
Traffic Server, Media-IXT and Traffic Edge.

The identified vulnerability applies to command-line
execution of bin/traffic_manager, so the risk applies only
to shell sessions already connected to the proxy host as
non-privileged users.  The vulnerability does not affect
network services or access and cannot grant remote access to
the proxy host.

If you wish to block this local vulnerability, remove the
setuid bit from the traffic_manager executable.  When
traffic_manager is not setuid root, the proxy will not be able
to directly serve 'privileged' port numbers less than 1024.

Some proxy configurations will require ARM config/ipnat.conf

Please refer to Inktomi's note on the bug at
http://support.inktomi.com/kb/070202-003.html
with specific instructions on how to reconfigure the
products to operate properly without the SUID flag set
on the binary.

Contact emailsupport@inktomi.com for assistance

*Credits*

This vulnerability was discovered by Juliano Rizzo of the
Security Consulting Services team at CORE SECURITY TECHNOLOGIES

We would like to thank Warren Brown from Inktomi Product Support
for the quick response to the issue.

*Technical Description - Exploit/Concept Code*

Traffic Manager installs the traffic_manager program as a root
owned file with the set user id bit set.

Below are the lines from install.sh that makes traffic_manager
setuid-root.

----
  # Adjust setuid commands
  chown root ${InstallDir}/bin/traffic_manager >>$LogFile 2>&1
  chmod 4755 ${InstallDir}/bin/traffic_manager >>$LogFile 2>&1
  if [ -d ${InstallDir}/bin/debug ] ; then
    chown root ${InstallDir}/bin/debug/traffic_manager >>$LogFile 2>&1
    chmod 4755 ${InstallDir}/bin/debug/traffic_manager >>$LogFile 2>&1
  fi

----
The overflow occurs when a string longer than 1700 bytes is passed
as the argument to the -path option. Exploitability has been confirmed
on the Solaris platform.

/inktomi/5.1.3/bin# ./traffic_manager -path `perl -e 'print "A"x1720'` <
[TrafficManager] ==> Kernel Sig 11; Reason: 1
[TrafficManager] ==> Cleaning up and reissuing signal #11
Abort(coredump)

truss output:
open64("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA", O_RDONLY) Err#78 ENAMETOOLONG
fstat(3, 0xFFBEC130)                            = 0
time()                                          = 1024660377
getpid()                                        = 27458 [27457]
putmsg(3, 0xFFBEB7E8, 0xFFBEB7DC, 0)            = 0
open("/var/run/syslog_door", O_RDONLY)          Err#2 ENOENT
    Incurred fault #5, FLTACCESS  %pc = 0xFF0CF2E0
      siginfo: SIGBUS BUS_ADRALN addr=0x41414149
    Received signal #10, SIGBUS [caught]
      siginfo: SIGBUS BUS_ADRALN addr=0x41414149

Replacing 0x41414141 with a valid stack address and building the right
string, it is possible to execute arbitrary code with root privileges.


DISCLAIMER:

The contents of this advisory are copyright (c) 2002 CORE SECURITY
TECHNOLOGIES
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.

$Id: InktomiTS-pathbof-advisory.txt,v 1.5 2002/07/02 21:11:40 iarce Exp $

---
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A


--- for a personal reply use: Iván Arce <ivan.arce@corest.com>
