IBM Rational ClearCase "simplifies the process of change with a family of products that scales from small project workgroups to the distributed global enterprise". A locally exploitable stack overflow in the product's binaries allows a local user to gain elevated privileges. The following exploit code can be used to test your system for the mentioned vulnerability.
Credit:
The information has been provided by c0ntex.
Definition: [adj] having its source in or being guided by the intellect (distinguished from experience or emotion); "a rational analysis"
[adj] of or associated with or requiring the use of the mind; "intellectual problems"; "the triumph of the rational over the animal side of man"
There are, so far, 10 separate binaries, including the ones below, that are vulnerable
to some form of stack-based attack. All architectures are vulnerable in some form
too. It is also possible to own remote machines from the ClearCase binaries.
Is it a bug or a feature? Who cares, it's Friday :-)
[-] Vuln Binary             [-] Vuln Architectures               [-] Serious?
/usr/atria/bin/Perl         Intel, Alpha, RISC, Possible SPARC   Could be
/usr/atria/bin/notify       Intel, Alpha, RISC, Possible SPARC   Not really
/usr/atria/bin/cleartool    Intel, Alpha, RISC, Possible SPARC   Yeah
/usr/atria/etc/scrubber     Intel, Alpha, RISC, Possible SPARC   Yeah
/usr/atria/etc/mount_mvfs   Intel, Alpha, RISC, Possible SPARC   Yeah
/usr/atria/etc/imsglog      Intel, Alpha, RISC, Possible SPARC   Could be
/usr/atria/etc/Gzip         Intel, Alpha, RISC, Possible SPARC   Not really
... etc ...
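An administrator's first question on reading the table above is which of those binaries actually carry a setuid/setgid bit on a given host. The script below is an added defender-side check, not c0ntex's code or anything shipped with ClearCase: it walks an install root (assumed to be /usr/atria, or a path passed as $1), lists every setuid/setgid file and marks the ones the table names, so the bit can be reviewed or stripped pending a vendor fix. The demo tree it builds is constructed sample data.

```shell
#!/bin/sh
# Added defender-side check; not c0ntex's or IBM's code. Lists setuid/setgid
# files under a ClearCase install root and marks the ones the advisory names.

# Binaries the advisory table lists, relative to the install root (/usr/atria).
ADVISORY_BINS="bin/Perl bin/notify bin/cleartool etc/scrubber etc/mount_mvfs etc/imsglog etc/Gzip"

# list_suid ROOT: one line per setuid/setgid regular file under ROOT,
# prefixed ADVISORY if the advisory names it, OTHER if it does not.
list_suid() {
    root=$1
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        rel=${f#"$root"/}
        tag=OTHER
        for b in $ADVISORY_BINS; do
            [ "$rel" = "$b" ] && tag=ADVISORY
        done
        printf '%s %s\n' "$tag" "$f"
    done
}

# count_flagged ROOT: how many advisory-listed files still carry a bit.
count_flagged() {
    list_suid "$1" | awk '$1 == "ADVISORY" { n++ } END { print n + 0 }'
}

# demo_tree: constructed stand-in for /usr/atria (sample data, not a real
# install). Two listed binaries and one unlisted one get setuid; imsglog
# is present but has no bit. Prints the directory it created.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/etc"
    for p in bin/cleartool etc/scrubber bin/harmless etc/imsglog; do
        : > "$d/$p"
    done
    chmod 4755 "$d/bin/cleartool" "$d/etc/scrubber" "$d/bin/harmless"  # setuid
    chmod 0755 "$d/etc/imsglog"                                         # no bit
    echo "$d"
}

# Stand-alone run: pass a real install root as $1, else use the demo tree.
ROOT=${1:-$(demo_tree)}
list_suid "$ROOT"
echo "advisory-listed setuid/setgid files: $(count_flagged "$ROOT")"
```

Against a real host the same report tells you whether a listed binary is still setuid root (the case the advisory is about) or has already been neutered.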
Still to come: ALBD and MVFS / NFS encapsulation analysis. You may find that MVFS
causes your NFS daemon to, well, react in adverse ways. :) Await a testing environment.
Anyone?
*******************
BOYCOTT ROOT GAINING EXPLOIT CODE SHARING
*******************
ALL Linux SetUID binaries have a little bug too :-) RUN Forrest, RUN, you might find
it too *lol* // Funny priv8 joke ahha //
Want another funny priv8 joke?
-> http://www.wired.com/news/infostructure/0,1377,60391,00.html
Symantec are a funny bunch, they want to make exploit and tool codes illegal.
OK sirs, may this humble hobbyist ask your good integrity-driven selves why you decided
to purchase and fund a security-related website that shares these same codes with the
public socialist. You could perhaps also then answer why you also fund a security-
related website that is involved with people that have been known to `hack`, where
the word hack is assumed to be in the same context used by the media monkey.
--
bash> file core.*
core.1230: ELF 32-bit LSB core file of 'su' (signal 11), Intel 80386, version 1 (SYSV), from 'su'
core.1233: ELF 32-bit LSB core file of 'crontab' (signal 11), Intel 80386, version 1 (SYSV), from 'crontab'
bash> su
Segmentation fault (core dumped)
bash> mount
mount: error while loading shared libraries: O: cannot open shared object file: No such file or directory
bash> PuTTY
-bash: PuTTY: command not found
bash> passwd
Segmentation fault (core dumped)
Still checking this out.
*******************
Oracle, now there is an application. It also has some stack-based bug that can be
abused by underpaid and overworked computer hobbyists; some PoC might be shared.
Then again, it might not :)
Oracle and SNMP, what a lovely combination.
Oracle on a Microsoft system is funny too.
****************
Speaking of Microsoft, another little bug noticed was an overflow in a widespread
*exe* called rundll32. Only useful for virii or something stupid like that anyway,
right?
"!!ALERT!! No 0day patch for remote 0day XSS 0day" *LOL*, this is funny stuff man.
---------
Let us go back about 1 1/2 months.
Background: Being terribly bored with brain-numbing talk on IRC, I decided to play a
great game called Counter-Strike - have you played this game? I tell you, it is a
very good game :) Come play some time, it is not a buggy application *HONEST*
You know what I mean, right?
"Description: The Windows Rundll32 Program is used to run DLLs as programs and is
used by many programs to execute functions located in a DLL file."
The part that has been left out: rundll32 has been coded in such a way that it does
not check user-supplied input so as to prevent user-controlled buffer
overflows.
Faulting application rundll32.exe, version 5.1.2600.0, faulting module unknown,
version 0.0.0.0, fault address 0x000a000d.
Unicode EIP address = 00410041 = *LOL*
http://community.core-sdi.com/~juliano/unicodebo.pdf <--// Nice site fella :) //
You might say `who cares` about rundll32, he says "not he", but it would be rude not to let
you know why Windows machines shut down or have new user accounts.
After finding the bug I checked the Google engine and found one post from a guy that noticed
the same thing.
    printf("[-] %s\n", VER);
    printf("[-] Bug discovered and PoC developed by c0ntex@hushmail.com.\n"
           "[-] --------------------------------------------------------\n"
           "[-] with a little bit of copy & paste skill. Ok, Yes, it is\n"
           "[-] true, c0ntex also lazy perl scripter. :->\n"
           "[-] --------------------------------------------------------\n"
           "[-] If the added return address isn't working, brute force it.\n"
           "[-] Values from around -2000 -> +2000 should work quite well.\n"
           "[-] Or add a request to get current esp value and use that.\n"
           "[-] --------------------------------------------------------\n"
           "[-] Usage: %s offset_value\n", argv[0]);

    for(i = 0; i < BUFF; i += 4)
        *(long *) &buffer[i] = retaddr;