TUCoPS :: Web :: General :: web4967.htm

Magic Entreprise multiple vulnerabilities (temp files, env var ...)
4th Jan 2002 [SBWID-4967]
COMMAND

	Magic Entreprise mutiple vulnerabilities (temp files, env var ...)

SYSTEMS AFFECTED

	 Magic 8.30-5 and prior, 9.x not fully tested

	 Platform  : Solaris, Linux, AIX, HP/UX, SCO, Digital Unix, AS/400, NT

	

PROBLEM

	Thomas Biege of immutec posted [http://www.immutec.com]
	

	Serveral security holes were found in Magic Enterprise  Edition  Version
	8 (Solaris) while doing a penetration test  for  a  customer.  In  depth
	analysis was performed for the Linux version. Version 9  was  not  fully
	tested, but at least some issues were also verified for Version 9.
	 

	a.)Memory Corruption: remote

	

	The CGI executable \'mgrqcgi\' is used as a kind of  gateway  to  handle
	different tasks.
	

	mgrqcgi reads different  variables  from  the  QUERY_STRING  environment
	variable, which is set by the HTTP server. The names of the variables:
	 

	+ APPNAME

	+ PRGNAME

	+ ARGUMENTS

	+ PageID

	+ mgaction

	+ H_ShopID

	+ H_SID

	+ H_WID

	+ H_INF

	+ and much more

	

	The variable data is copied into local  variables  using  the  non-bound
	checking library function strcpy(3). This  can  be  easily  verified  by
	triggering the overflow using a standart web  browser.  Overwriting  the
	memory for APPNAME bytewise results in overwriting PRGNAME  input  until
	an internal server error occurs.
	

	Attached ltrace output (comments included in []):
	 

	[...]

	

	17:00:03.769509 [08049794] getenv(\"REQUEST_METHOD\") = \"GET\"

	17:00:03.769680 [080497ae] strcmp(\"GET\", \"POST\")= -9

	17:00:03.769817 [080497ce] strcmp(\"GET\", \"GET\") = 0

	

	

	[QUERY_STRING read and splitted up]

	

	17:00:03.769942 [08049915] getenv(\"QUERY_STRING\") =

	\"APPNAME=test&PRGNAME=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAA\"

	17:00:03.770687 [08049b81] strchr(\"APPNAME=test&PRGNAME=AAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"

	,\'=\') = \"=test&PRGNAME=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAA\"

	17:00:03.772443 [08049bb7] strchr(\"test&PRGNAME=AAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\",

	\'&\') = \"&PRGNAME=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAA\"

	17:00:03.773713 [08049df3] malloc(8)= 0x08077458

	17:00:03.773811 [08049d30] realloc(NULL, 8) = 0x08077468

	17:00:03.773929 [08049df3] malloc(6)= 0x08077478

	

	

	[variable name seperated from variable data]

	

	17:00:03.774025 [08049b81] strchr(\"PRGNAME=AAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\",

	\'=\') = \"=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AA\"

	17:00:03.776353 [08049bb7] strchr(\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAA\",

	\'&\') = NULL

	17:00:03.777015 [08049bf0] strlen(0xbffffa2a, 0x080498f8, 0x40014ce4,

	0x08077458, 0x080613d8) = 200

	17:00:03.777157 [08049df3] malloc(8)= 0x08077488

	17:00:03.777253 [08049d30] realloc(0x08077468, 16) = 0x08077498

	17:00:03.777974 [08049df3] malloc(202)= 0x080774b0

	17:00:03.778077 [0804acdf] malloc(32) = 0x08077580

	17:00:03.778191 [0804acf4] memset(0x08077580, \'\\000\', 32) = 0x08077580

	

	

	[variable name made upper case]

	

	17:00:03.778302 [0804dcec] toupper(\'A\') = \'A\'

	17:00:03.778413 [0804dcfd] toupper(\'C\') = \'C\'

	17:00:03.778521 [0804dd1c] toupper(\'A\') = \'A\'

	17:00:03.778785 [0804dd2d] toupper(\'C\') = \'C\'

	17:00:03.778892 [0804dcec] toupper(\'A\') = \'A\'

	17:00:03.778999 [0804dcfd] toupper(\'A\') = \'A\'

	17:00:03.779107 [0804dcec] toupper(\'P\') = \'P\'

	17:00:03.779213 [0804dcfd] toupper(\'P\') = \'P\'

	17:00:03.779320 [0804dcec] toupper(\'P\') = \'P\'

	17:00:03.779427 [0804dcfd] toupper(\'P\') = \'P\'

	17:00:03.779534 [0804dcec] toupper(\'N\') = \'N\'

	17:00:03.779641 [0804dcfd] toupper(\'N\') = \'N\'

	17:00:03.779748 [0804dcec] toupper(\'A\') = \'A\'

	17:00:03.779854 [0804dcfd] toupper(\'A\') = \'A\'

	17:00:03.779962 [0804dcec] toupper(\'M\') = \'M\'

	17:00:03.780068 [0804dcfd] toupper(\'M\') = \'M\'

	17:00:03.780175 [0804dcec] toupper(\'E\') = \'E\'

	17:00:03.780300 [0804dcfd] toupper(\'E\') = \'E\'

	17:00:03.780408 [0804dd1c] toupper(\'\\000\')= \'\\000\'

	17:00:03.780517 [0804dd2d] toupper(\'\\000\')= \'\\000\'

	

	

	[APPNAME content copied into stack memory WITHOUT length checking]

	

	17:00:03.780626 [0804ae56] strcpy(0xbfffee68, \"test\") = 0xbfffee68

	

	

	[variable name to upper case]

	

	17:00:03.835647 [0804dcec] toupper(\'P\') = \'P\'

	17:00:03.835828 [0804dcfd] toupper(\'C\') = \'C\'

	17:00:03.835936 [0804dd1c] toupper(\'P\') = \'P\'

	17:00:03.836043 [0804dd2d] toupper(\'C\') = \'C\'

	17:00:03.836150 [0804dcec] toupper(\'P\') = \'P\'

	17:00:03.836257 [0804dcfd] toupper(\'P\') = \'P\'

	17:00:03.836364 [0804dcec] toupper(\'R\') = \'R\'

	17:00:03.836471 [0804dcfd] toupper(\'R\') = \'R\'

	17:00:03.836577 [0804dcec] toupper(\'G\') = \'G\'

	17:00:03.836684 [0804dcfd] toupper(\'G\') = \'G\'

	17:00:03.837645 [0804dcec] toupper(\'N\') = \'N\'

	17:00:03.837766 [0804dcfd] toupper(\'N\') = \'N\'

	17:00:03.837873 [0804dcec] toupper(\'A\') = \'A\'

	17:00:03.837980 [0804dcfd] toupper(\'A\') = \'A\'

	17:00:03.838103 [0804dcec] toupper(\'M\') = \'M\'

	17:00:03.838210 [0804dcfd] toupper(\'M\') = \'M\'

	17:00:03.838317 [0804dcec] toupper(\'E\') = \'E\'

	17:00:03.838423 [0804dcfd] toupper(\'E\') = \'E\'

	17:00:03.838530 [0804dd1c] toupper(\'\\000\')= \'\\000\'

	17:00:03.838639 [0804dd2d] toupper(\'\\000\')= \'\\000\'

	

	

	[PRGNAME content copied into stack memory WITHOUT length checking]

	[BUFFER OVERFLOW triggered here]

	

	17:00:03.838748 [0804ae70] strcpy(0xbfffee48,

	\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

	AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\")

	= 0xbfffee48

	

	

	[segmentation fault occuring]

	

	17:00:03.839409 [080497f5] getenv(\"HTTP_COOKIE\")= NULL

	17:00:03.839545 [08049ac0] getenv(\"REMOTE_ADDR\")= NULL

	17:00:03.839687 [0805aff4] memset(0x08076e68, \'\\000\', 120) =

	0x08076e68

	17:00:03.839801 [08053971] strcpy(0x08077334, \"otaku\") = 0x08077334

	17:00:03.839920 [0804cdb7] malloc(1508) = 0x080775a8

	17:00:03.840018 [0804cad0] memcpy(0x080775b0, \"\\001\\001\", 1500) =

	0x080775b0

	17:00:03.840160 [08052f00] strlen(0xbfffedc8, 0x08049ab4, 0xbfffee00,

	0xbfffedc8, 0x080775b0) = 0

	17:00:03.840308 [08052f5b] strlen(0xbfffed48, 0x08049ab4, 0xbfffee00,

	0xbfffed48, 0x080775b0) = 0

	17:00:03.840440 [080519d5] memcpy(0x08076e60, \"\\001\\001\", 1500) =

	0x08076e60

	17:00:03.840577 [0804cef0] free(0x080775a8) = 

	17:00:03.840672 [0804b52c] memset(0xbfffeef8, \'\\000\', 16) = 0xbfffeef8

	17:00:03.840782 [0804b54c] malloc(200)= 0x080775a8

	17:00:03.841364 [0804afe6] --- SIGSEGV (Segmentation fault) ---

	17:00:03.841890 [ffffffff] +++ killed by SIGSEGV +++

	

	

	The GNU Debugger output:
	 

	[...]

	

	Starting program: /usr/local/httpd/cgi-bin/mgrqcgi

	(no debugging symbols found)...(no debugging symbols found)...(no

	debugging symbols found)...

	(no debugging symbols found)...

	Program received signal SIGSEGV, Segmentation fault.

	0x0804b103 in strcpy ()

	(gdb) info stack

	#00x0804b103 in strcpy ()

	#10x41414141 in ?? ()

	#20x0804a440 in strcpy ()

	#30x08049b18 in strcpy ()

	#40x41414141 in ?? ()

	

	[...]

	

	

	Some characters  could  not  be  used  while  overflowing  the  internal
	buffers, because they have other meanings in  the  CGI  context  or  are
	filtered. Characters that could not be used:
	 

	+ 0x00

	+ 0x09

	+ 0x0A

	+ 0x0B

	+ 0x0C

	+ 0x0D

	+ 0x20

	+ 0x23

	+ 0x25

	+ 0x26

	

	

	 

	b.) Memory Corruption: local

	

	The Linux RPM comes with one setuid root application:
	 

	+ /usr/magicadm/servers/mgdispatch

	

	There seem to be serveral buffer overflows in the  code  of  mgdispatch.
	One example of missing bounds checking occurs very early in the  program
	code while reading an environment variable  called  MGDISPATCH_LOG.  The
	destination buffer is about 3000 bytes big, so an  attacker  has  enough
	space for stuffing the shellcode in and execute arbitrary commands.
	

	ltrace output:
	 

	[...]

	

	getenv(\"MGDISPATCH_LOG\")=

	\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"...

	strcpy(0xbfffd87c, \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"...) =

	0xbfffd87c

	getenv(\"MG_DOS_CLIENTS\" 

	--- SIGSEGV (Segmentation fault) ---

	+++ killed by SIGSEGV +++

	

	

	The GNU Debugger output::
	 

	[...]

	

	(gdb) r 78

	Starting program: ./mgdispatch 78

	(no debugging symbols found)...(no debugging symbols found)...

	(no debugging symbols found)...(no debugging symbols found)...

	Program received signal SIGSEGV, Segmentation fault.

	0x4008d63b in getenv () from /lib/libc.so.6

	(gdb) bt

	#00x4008d63b in getenv () from /lib/libc.so.6

	#10x0804dec8 in strcpy ()

	#20x41414141 in ?? ()

	

	[...]

	

	 

	c.) Temporary File Handling

	

	Some shell script files included in the Linux RPM (probably  applies  to
	other versions as well) do insecure temporary  file  handling,  allowing
	symlink attacks, replacing information and execution of commands.
	

	This list includes shell script names and the appropriate lines:
	 

	+ /usr/magicadm/api/mkuserproc:40:tmpfile=/tmp/mg.$$

	+ /usr/magicadm/sbin/mgrnt:42:$AWK -F= \'/^[^#]/ {if (NF > 0) print

	\"export \" $1}\' $MAGIC_HOME/etc/mgenv >

	/tmp/mg$$

	+ /usr/magicadm/sbin/mgrnt:43:. /tmp/mg$$

	+ /usr/magicadm/sbin/mgrnt:44:rm -f /tmp/mg$$

	+ /usr/magicadm/sbin/mgrnt:63:$AWK -F= \'/^[^#]/ {if (NF > 0)

	print \"export \" $1}\' $EnvUserFile >

	/tmp/mgu$$

	+ /usr/magicadm/sbin/mgrnt:64:. /tmp/mgu$$

	+ /usr/magicadm/sbin/mgrnt:65:rm /tmp/mgu$$

	+ /usr/magicadm/servers/mgdatasrvr.sc:51:$AWK -F= \'/^[^#]/ {if (NF >

	 0) print \"export \" $1}\'

	 $MAGIC_HOME/etc/mgenv >

	 /tmp/mg$$

	+ /usr/magicadm/servers/mgdatasrvr.sc:52:. /tmp/mg$$

	+ /usr/magicadm/servers/mgdatasrvr.sc:53:rm -f /tmp/mg$$

	+ /usr/magicadm/servers/mgdatasrvr.sc:75:$AWK -F= \'/^[^#]/

	 {if (NF > 0) print \"export

	 \" $1}\' $EnvUserFile >

	 /tmp/mgu$$

	+ /usr/magicadm/servers/mgdatasrvr.sc:76:. /tmp/mgu$$

	+ /usr/magicadm/servers/mgdatasrvr.sc:77:rm /tmp/mgu$$

	

	 

	d.) Insecure Permissions

	

	The RPM  file  installs  some  files  and  directories  group  \'users\'
	writeable. This includes the Magic Admin  home  directory  /usr/magicadm
	(a magicadm account is created in /etc/passwd),  the  license  directory
	and various executables. The list of group writeable executables:
	 

	+ /usr/magicadm/bin/magicrnt

	+ /usr/magicadm/bin/mdinformix

	+ /usr/magicadm/bin/mdmssql

	+ /usr/magicadm/bin/mdoracle

	+ /usr/magicadm/bin/mgcircvr

	+ /usr/magicadm/bin/mgcisam

	+ /usr/magicadm/bin/mginformix

	+ /usr/magicadm/bin/mgmemory

	+ /usr/magicadm/bin/mgoracle

	+ /usr/magicadm/bin/mgtcp

	+ /usr/magicadm/broker/mgrqcmdl

	+ /usr/magicadm/broker/mgrqmrb

	+ /usr/magicadm/cgibin/mgrqcgi

	+ /usr/magicadm/servers/mgdatasrvr

	

	This allows an attacker to replace these writeable executeables to  gain
	higher  privileges  and  even  any  other  file   to   exploit   trusted
	information.
	

	 

	e.) Miscellaneous

	

	The  symbols  that  are  exported  by  the  executables   and   by   the
	Magic-Request API library reveal, that there are even more  insecure  C-
	library functions like system(3), strcpy(3),  strcat(3)  and  sprintf(3)
	and alike.
	

	 

	Authors:

	========

	

	  Thomas Biege tb@immutec.com ( \'mailto:tb@immutec.com\' )

	  Stephan Holtwisch sh@immutec.com ( \'mailto:sh@immutec.com\' )

	

	

	Disclaimer:

	===========

	

	 This advisory does not claim to be complete or to be usable for any

	 purpose. Especially information on the vulnerable systems may be

	 inaccurate or wrong. Possible supplied exploit code is not to be used

	 for malicious purposes, but for educational purposes only.

	

	

	Copyrights:

	===========

	

	 Copyright (c) 2001, immutec GmbH

	

	 Redistribution without modification is permitted.

	 Redistribution with modification is permitted if the copyright notice,

	 disclaimer and authors notice are retained.

	

SOLUTION

	None yet.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH