> don't know if you have been involved already..
>
No, this is the first I've seen of it; thanks for sending it along.

On Fri, 2 May 2003 19:49:03 +0300 bt@delfi.lt wrote to bugtraq@securityfocus.com:

> Hi!
>
> There are many buffer overflows in kermit on HP-UX 11.0 . I am sure it is
> vulnerable in other HP-UX versions, too, since "C-Kermit 6.0.192, 6 Sep 96,
> for HP-UX 10.00" is installed in HP-UX 11.0 by default.
>
These were fixed for C-Kermit 8.0 long ago. The current release of C-Kermit
is 8.0.209. As far as I know, HP ships C-Kermit 8.0.200 or later with all
HP-UX 11.xx's. I suspect anybody who has "C-Kermit 6.0.192, 6 Sep 96, for
HP-UX 10.00" on HP-UX 11.00 or later must have upgraded their HP-UX version
without also upgrading Kermit.

If you have an older version of C-Kermit on ANY release of HP-UX all the way
back to 5.21, you can get the current release here:

http://www.columbia.edu/kermit/ckermit.html

> /usr/bin/kermit is setuid to bin and setgrp to daemon, so upon successful
> exploitation, local user could get these privileges.
>
The setuid/setgid are required for all HP-UX programs that access serial
ports.

> Example of one simple buffer overflow in kermit :
> $ /usr/bin/kermit -C "ask `perl -e 'print "A" x 120'`"
> Executing /usr/share/lib/kermit/ckermit.ini for UNIX...
> Good Evening.
> Segmentation fault (core dumped)
>
The syntax for the ASK command requires a variable name after the word ASK.
Anyway, try it in C-Kermit 8.0:

  /usr/bin/kermit -C "ask foo `perl -e 'print "A" x 800'`"

If you increase 800 to some bigger number, the string is properly cut off at
the end of the ASK prompt buffer.

> There are more kermit commands that are unchecked of correct parameter
> length: askq, define, assign, getc. Several of them use the same vulnerable
> function "doask". I am SURE that these are not all vulnerabilities in
> kermit.
>
A thorough buffer-overflow / memory-leak audit was performed for C-Kermit 8.0
in early-mid 2000, and it was in public Alpha test before the end of 2000.

> one more thing (I am not sure if it is exploitable, but anyway):
> [/home/xxxxxxxxxx] C-Kermit>set alarm %:%:%
> Floating point exception (core dumped)
>
> Solution - take off setuid bits from /usr/bin/kermit.
>
Solution: use current version.

> In my opinion, patching kermit against these (and maybe many more)
> vulnerabilities is not an option, since source of C-kermit 6.0.192 is
> publicly available, and it is very buggy.
>
C-Kermit is maintained by the Kermit Project. Users don't have to "patch" it.
If you give a HELP command, it says (among other things):

  Type SUPPORT to learn how to get technical support.

Then if you give a SUPPORT command it tells you how to report problems.

> I tried to contact security-alert@hp.com, but I got error message "Client
> host rejected: Access denied" (spam?).
>
This topic was hashed over three years ago in Linux Bugtraq; C-Kermit 8.0 was
released and furnished to HP in 2001.

Frank da Cruz
The Kermit Project
Columbia University
612 West 115th Street
New York NY 10025-7799 USA
Email: fdc@columbia.edu
http://www.columbia.edu/kermit/
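The truncation behaviour the reply describes for the ASK prompt buffer, shown as an added C example that is not C-Kermit's own code; the buffer size PROMPTBUFLEN, the function names and the constructed 'A' inputs are assumptions standing in for the report's perl-generated arguments.

```c
/* Added example (not C-Kermit's code): a fixed-size prompt buffer that
 * cuts over-long input off at the end of the buffer instead of overflowing,
 * which is the behaviour the reply describes for ASK in C-Kermit 8.0.
 * PROMPTBUFLEN and the function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PROMPTBUFLEN 256          /* hypothetical prompt buffer size */

/* Copy src into dst (capacity dstsize), always NUL-terminating.
 * Returns the number of source bytes dropped (0 when nothing was cut). */
size_t bounded_prompt_copy(char *dst, size_t dstsize, const char *src) {
    size_t srclen = strlen(src);
    size_t n;
    if (dstsize == 0) return srclen;          /* nowhere to copy to */
    n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';                /* strncpy alone would not guarantee this */
    return srclen - n;
}

/* Build a constructed prompt of `len` repeated 'A's (the report used 120
 * and 800), copy it into the fixed buffer, and return the prompt length
 * that actually ends up in the buffer. */
size_t ask_prompt_len(size_t len) {
    char input[2048];
    char prompt[PROMPTBUFLEN];
    if (len >= sizeof input) len = sizeof input - 1;
    memset(input, 'A', len);
    input[len] = '\0';
    bounded_prompt_copy(prompt, sizeof prompt, input);
    return strlen(prompt);
}

int main(void) {
    printf("120 A's -> prompt length %zu\n", ask_prompt_len(120));
    printf("800 A's -> prompt length %zu (cut off at buffer end)\n",
           ask_prompt_len(800));
    return 0;
}
```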