Bugtraq mailing list archives
Vulnerability in Solaris ufsrestore
From: job () ITSX COM (Job de Haas)
Date: Wed, 14 Jun 2000 13:59:05 +0200
Hi,

Reading RFP's great initiative on the disclosure policy ( http://www.wiretrip.net/rfp/policy.html ), here is the scoop on a local root exploit I reported to Sun on May 18th. I received confirmation on the reception, stated I would disclose in three weeks and heard nothing since. I've had better experiences with CERT ...

The bug is for Solaris 2.x up to the latest (8). The most disturbing part about the whole thing is that it remains after someone actually tried to fix it. I could write a whole blurb about it but a recent thread on AntiSniff showed all the issues.

Description
-----------

The ufsrestore has an overflow in a buffer holding the pathname/command for an interactive session.

Impact
------

The buffer overflow can lead to local root compromise.

Workaround
----------

The removal of an executable stack will make exploitation of this vulnerability very difficult and likely impossible because /usr/lib/fs/ufs/ufsrestore is a statically linked executable. However, removal of the setuid bit will in almost every case be acceptable and will be a guaranteed workaround.

Affected systems
----------------

The exploit has only been tested on Solaris 8 sun4u. However it seems likely that every previous version is vulnerable including any security patches previously created.

Background
----------

The programs for performing backups have a history of security problems. Different Unix distributions have chosen different ways to go about fixing these. Reducing the permissions has been one of the steps the free Unix distributions have chosen. Further, most buffer overflow conditions have been fixed over time.

From an older public version of the source a specific condition can be seen in interactive.c:

http://www.FreeBSD.org/cgi/cvsweb.cgi/src/sbin/restore/interactive.c?rev=1.5

    getcmd(curdir, cmd, name, size, ap)
        char output[BUFSIZ];
        ....
        (void) strcpy(output, curdir);
        (void) strcat(output, "/");
        (void) strcat(output, rawname);
        canon(output, name, size);

A fix for FreeBSD with the comment "Prevent buffer overflow with extra long arguments." shows at (URL broken off):

http://www.FreeBSD.org/cgi/cvsweb.cgi/src/sbin/restore/
interactive.c.diff?r1=1.5&r2=1.6

    - (void) strcpy(output, curdir);
    - (void) strcat(output, "/");
    - (void) strcat(output, rawname);
    + snprintf(output, sizeof(output), "%s/%s", curdir, rawname);

However, when disassembling /usr/lib/fs/ufs/ufsrestore, we find:

    0x00012538: add %fp, -0x404, %o0
    0x0001253c: mov %l3, %o1
    0x00012540: call 0x000c058c
    0x00012544: mov 0x401, %o2
    0x00012548: sethi %hi(0xd9c00), %g2
    0x0001254c: add %fp, -0x404, %o0
    0x00012550: stb %g0, [%fp - 0x4]
    0x00012554: add %g2, 0x64, %o1
    0x00012558: call 0x00099f34
    0x0001255c: mov 0x401, %o2
    0x00012560: add %fp, -0x404, %o0
    0x00012564: mov %i3, %o1
    0x00012568: stb %g0, [%fp - 0x4]
    0x0001256c: call 0x00099f34
    0x00012570: mov 0x401, %o2

A reconstruction of what the C-code for this segment would look like, gives something like:

    (void) strncpy(output, curdir, BUFSIZ);
    output[BUFSIZ-1] = '\0';
    (void) strncat(output, "/", BUFSIZ);
    output[BUFSIZ-1] = '\0';
    (void) strncat(output, rawname, BUFSIZ);
    output[BUFSIZ-1] = '\0';

It needs no further explanation that this is not the way to fix a buffer overflow.

The attached demonstration is in two parts. A script that needs to be run as root to create a proper dump file and C code for a program to exploit the problem with this dump file. The C program is a little big due to some toying with fixed shell code positioning that I didn't quite finish.

Regards,
Job

-- 
Job de Haas                    job () itsx com
ITSX bv                        http://www.itsx.com

Attachments: fsscript_ (text/plain); ufsroot.c (text/plain)
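Review bot: the quoted FreeBSD hunk discards the snprintf return value, so a curdir/rawname pair longer than sizeof(output) is silently truncated to a different path rather than rejected; it would be safer to keep the result (`n = snprintf(...)`), treat `n >= sizeof(output)` as an error and refuse the entry, which also documents the intended length limit for the interactive command.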
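Why the reconstructed strncpy/strncat sequence still overflows, shown as an added example (not the advisory's own code or Sun's): strncat's third argument bounds the bytes appended, not the room left in the buffer, so the fix-up store of the terminator comes after the bytes have already gone past the end. The example runs the reconstructed sequence on a deliberately oversized backing store so the overrun can be measured rather than corrupting the stack, and puts the FreeBSD-style snprintf form beside it with its return value checked. The input lengths and the helper names are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reconstructed ufsrestore sequence with `limit` playing BUFSIZ, run on a
 * backing store of `backing_len` bytes so the overrun lands in memory we own.
 * Returns how many bytes of `out` the string occupied (terminator included)
 * before the belated terminator store. */
size_t flawed_join_extent(char *out, size_t backing_len, size_t limit,
                          const char *curdir, const char *rawname)
{
    memset(out, 0, backing_len);
    (void) strncpy(out, curdir, limit);
    out[limit - 1] = '\0';
    /* `limit` is the number of bytes to APPEND, not the remaining room. */
    (void) strncat(out, "/", limit);
    out[limit - 1] = '\0';
    (void) strncat(out, rawname, limit);   /* may write `limit` bytes past the end */
    size_t extent = strlen(out) + 1;       /* measured before the fix-up */
    out[limit - 1] = '\0';                 /* too late: bytes already written */
    return extent;
}

/* Constructed over-long names of the kind a crafted dump could carry (an
 * assumption of this example); returns the extent the flawed code reaches. */
size_t demo_flawed_extent(size_t limit)
{
    size_t backing_len = 4 * limit;
    char *out = calloc(backing_len, 1);
    char *curdir = malloc(2 * limit + 1);
    char *rawname = malloc(2 * limit + 1);
    if (!out || !curdir || !rawname) abort();
    memset(curdir, 'a', 2 * limit);  curdir[2 * limit] = '\0';
    memset(rawname, 'b', 2 * limit); rawname[2 * limit] = '\0';
    size_t extent = flawed_join_extent(out, backing_len, limit, curdir, rawname);
    free(out); free(curdir); free(rawname);
    return extent;
}

/* FreeBSD-style fix: one bounded format, with truncation reported to the
 * caller (-1) instead of silently producing a different path. */
int safe_join(char *out, size_t outsz, const char *curdir, const char *rawname)
{
    int n = snprintf(out, outsz, "%s/%s", curdir, rawname);
    return (n < 0 || (size_t) n >= outsz) ? -1 : 0;
}

int main(void)
{
    printf("flawed sequence reached %zu bytes of a 1024-byte buffer\n",
           demo_flawed_extent(1024));
    return 0;
}
```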