|Description:||A BUNCH of pathetic security holes in AUTOSOFT/RTS (an inventory control system).|
|Author:||Brian Mitchell <firstname.lastname@example.org> |
|Compromise:|| root (local) |
|Vulnerable Systems:||Any running unfixed vunerable versions of AUTOSOFT/RTS |
|Date:||9 January 1996 |
Date: Thu, 9 Jan 1997 01:31:07 -0600
From: Brian Mitchell (email@example.com)
To: Multiple recipients of list BUGTRAQ
Subject: AUTOSOFT/RTS holes
Recently I have been working on a project involving Auto-Soft's RTS
inventory control system. Well, in a fit of boredom I desided to take
a quick look at some of the privledged programs; alas, I was greatly
The software contains things I thought were long gone: popen()/system()
holes and gets() [!]. Of course, there are also buffer overflows
galore, but that is almost expected these days.
I have not checked all the privledged programs thoroughly, so it is
entirely possible that I have missed many many many holes in their
package. Test platform is a Interactive UNIX box, your milage may
vary. Here are a few interesting (and quite amusing) snipits.
This is a setuid program that's purpose is to run things as any user
from the command line, somewhat akin to su. There is, however, one
slight catch - it does no checking of either password or users.
Additionally, there is atleast one exploitable buffer overflow.
This program is essentially the same as utusr, except it runs programs
as the rts user. However, there is a buffer overflow as it copies the
LOGNAME environment variable into a 133 byte local buffer - this all
happens right before it sets the uid to the rts userid, so root is
This is a test program for the ports rts uses to read/write messages.
It is, of course, setuid root. I'm not sure how many buffer
overflows this program has, I lost count after I found 4 exploitable
ones, the last one being a gets() (what ARE these people thinking?!).
This is very much like uttstsoc, except there is no gets(). However,
the sprintf()s are there in full force.
This is the queue manager, first problem I spotted was a number of
extremely exploitable popen() function calls (take your pick). The
popen() calls run grep and ps in many many functions.
Brian Mitchell / firstname.lastname@example.org
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: