Title: Digital UNIX/Tru64 UNIX remote kdebug Vulnerability
Released by: Enigma
Date: 19th September 2000
_____________________________________________________________________

                               ENIGMA SECURITY ADVISORY
                         A division of ITAC: Leaders in IT Security
                                 (http://enigma.itaudit.com.au)

                         Digital UNIX kdebugd remote Vulnerability

_____________________________________________________________________

Title:       kdebugd service file vulnerability
Bug ID:      EN18090001
Affected:    Digital UNIX 4.0F; other versions believed to be affected as well, but untested.
Compromise:  Any file on the system can be read from or written to as root, possibly resulting in remote root access being obtained.
Author:      Mark Dowd (mark@itaudit.com.au)

1. SYNOPSIS

The kdebug daemon can be exploited by remote users to open and display the contents of any file on the system. It can also be used to write to the beginning of any file on the system, overwriting data which was previously there.

2. DETAILS

When a connection is initiated with the kdebug daemon, an initialisation packet is sent, which consists of two strings: "kdebug" (or another permissible entry found in /etc/remote), and an optional file location for the session to be recorded into. The problem is that this file location can be any file on the system, and it is modified with root privileges. An attacker can specify a file such as /etc/hosts.equiv in the initialisation packet, and subsequent data written by the client will also be written to this file. As mentioned previously, data written to the file goes to the beginning of the file and not the end, and some superfluous data is also prepended by the kdebug daemon, which means that passwd file entries and other similar attacks on files with strict syntax cannot be performed. Furthermore, it appears that kdebugd will only write to files which already exist on the system.

This bug can also be exploited for reading any file on the file system. This is achieved by sending an initialisation packet specifying the debug file as /etc/remote, a file which kdebugd interrogates when processing initialisation packets. The client can then send subsequent data that contains a valid /etc/remote entry. Each entry in /etc/remote names a file which is read from; in the case of the "kdebug" entry, it is /dev/ttys00. When a client writes a new entry through this vulnerability, it can specify a file such as /etc/passwd, and then initiate a new connection to kdebug, requesting the new entry instead of "kdebug". The /etc/passwd file in this case would be opened and written to the socket, allowing the client to see the full contents of the file, once again with root privileges.

3. SOLUTION

Compaq has said that the vulnerability exists up to Tru64 5.0, and that a fix is currently being developed and is expected to be available in the initial patch kit for Tru64 UNIX V5.1. As a workaround in the meantime, it is recommended that the kdebugd service be disabled by removing it from /etc/inetd.conf.

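The workaround above (disabling kdebugd in /etc/inetd.conf), as an added example that is not part of the advisory: a POSIX shell audit that reports whether an inetd.conf still carries an active kdebugd entry and emits a copy with that entry commented out. The sample inetd.conf, the service name "kdebug" and the daemon path /usr/sbin/kdebugd are constructed assumptions; check the real entry on the host.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an inetd.conf for an active
# kdebugd entry and produce a copy with it commented out, which is the
# workaround the advisory recommends. Service name and daemon path below
# are assumptions; the real Tru64 entry may differ.

# Return 0 (true) if FILE has an uncommented inetd line whose service
# field is "kdebug" or whose server program is kdebugd.
kdebugd_enabled() {
    awk '
        /^[ \t]*#/ { next }                         # skip commented-out entries
        NF < 6     { next }                         # not a complete inetd line
        $1 == "kdebug" || $6 ~ /(^|\/)kdebugd$/ { found = 1 }
        END { exit !found }                         # 0 = enabled, 1 = not found
    ' "$1"
}

# Write FILE to stdout with every active kdebugd entry commented out;
# all other lines, including existing comments, are passed through unchanged.
disable_kdebugd() {
    awk '
        /^[ \t]*#/ { print; next }
        NF >= 6 && ($1 == "kdebug" || $6 ~ /(^|\/)kdebugd$/) { print "#" $0; next }
        { print }
    ' "$1"
}

# Constructed sample inetd.conf fragment (not a real system file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/ftpd      ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/telnetd   telnetd
kdebug  stream  tcp     nowait  root    /usr/sbin/kdebugd   kdebugd
#finger stream  tcp     nowait  root    /usr/sbin/fingerd   fingerd
EOF

if kdebugd_enabled "$SAMPLE"; then
    echo "kdebugd is enabled in $SAMPLE; hardened copy follows:"
    disable_kdebugd "$SAMPLE"
fi
```

After editing the real file, inetd must be told to re-read its configuration (a SIGHUP to the inetd process) before the change takes effect.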
(C) 1999-2000 All rights reserved.