Bugtraq mailing list archives

Vulnerability in Solaris ufsrestore

From: job () ITSX COM (Job de Haas)
Date: Wed, 14 Jun 2000 13:59:05 +0200


Hi,

Reading RFP's great initiative on the disclosure policy
( http://www.wiretrip.net/rfp/policy.html ), here is the scoop
on a local root exploit I reported to Sun on May 18th. I received
confirmation on the reception, stated I would disclose in three weeks and
heard nothing since. I've had better experiences with CERT ...

The bug is for Solaris 2.x up to the latest (8). The most disturbing part
about the whole thing is that it remains after someone actually tried to fix
it. I could write a whole blurb about it but a recent thread on AntiSniff
showed all the issues.

Description
-----------

The ufsrestore has an overflow in a buffer holding the pathname/command for
an interactive session.

Impact
------
The buffer overflow can lead to local root compromise.

Workaround
----------
The removal of an executable stack will make exploitation of this
vulnerability very difficult and likely impossible because
/usr/lib/fs/ufs/ufsrestore is a statically linked executable. However,
removal of the setuid bit will in almost every case be acceptable and will
be a guaranteed workaround.

Affected systems
----------------
The exploit has only been tested on Solaris 8 sun4u. However it seems
likely that every previous version is vulnerable including any security
patches previously created.

Background
----------
The programs for performing backups have a history of security problems.
Different Unix distributions have chosen different ways to go about fixing
these. Reducing the permissions has been one of the steps the free Unix
distributions have chosen. Further, most buffer overflow conditions have
been fixed over time. From an older public version of the source a specific
condition can be seen in interactive.c:

http://www.FreeBSD.org/cgi/cvsweb.cgi/src/sbin/restore/interactive.c?rev=1.5

getcmd(curdir, cmd, name, size, ap)

        char output[BUFSIZ];
        ....
                (void) strcpy(output, curdir);
                (void) strcat(output, "/");
                (void) strcat(output, rawname);
                canon(output, name, size);

A fix for FreeBSD with the comment "Prevent buffer overflow with extra
long arguments." shows at (URL broken off):

http://www.FreeBSD.org/cgi/cvsweb.cgi/src/sbin/restore/
                                      interactive.c.diff?r1=1.5&r2=1.6

-               (void) strcpy(output, curdir);
-               (void) strcat(output, "/");
-               (void) strcat(output, rawname);
+               snprintf(output, sizeof(output), "%s/%s", curdir, rawname);

However, when disassembling /usr/lib/fs/ufs/ufsrestore, we find:

0x00012538:     add     %fp, -0x404, %o0
0x0001253c:     mov     %l3, %o1
0x00012540:     call    0x000c058c
0x00012544:     mov     0x401, %o2
0x00012548:     sethi   %hi(0xd9c00), %g2
0x0001254c:     add     %fp, -0x404, %o0
0x00012550:     stb     %g0, [%fp - 0x4]
0x00012554:     add     %g2, 0x64, %o1
0x00012558:     call    0x00099f34
0x0001255c:     mov     0x401, %o2
0x00012560:     add     %fp, -0x404, %o0
0x00012564:     mov     %i3, %o1
0x00012568:     stb     %g0, [%fp - 0x4]
0x0001256c:     call    0x00099f34
0x00012570:     mov     0x401, %o2

A reconstruction of what the C-code for this segment would look like, gives
something like:

                (void) strncpy(output, curdir, BUFSIZ);
                output[BUFSIZ-1] = '\0';
                (void) strncat(output, "/", BUFSIZ);
                output[BUFSIZ-1] = '\0';
                (void) strncat(output, rawname, BUFSIZ);
                output[BUFSIZ-1] = '\0';

It needs no further explanation that this is not the way to fix a buffer
overflow.

The attached demonstration is in two parts. A script that needs to be run as
root to create a proper dump file and C code for a program to exploit the
problem with this dump file. The C program is a little big due to some
toying with fixed shell code positioning that I didnt quite finish.

Regards,

Job

--
Job de Haas         job () itsx com
ITSX bv      http://www.itsx.com


<HR NOSHADE>
<UL>
<LI>text/plain attachment: fsscript_
</UL>

<HR NOSHADE>
<UL>
<LI>text/plain attachment: ufsroot.c
</UL>

Current thread:

Re: Remote DoS attack in Real Networks Real Server (Strike #2) vulnerability Ryan Russell (Jun 01)
- Re: Remote DoS attack in Real Networks Real Server (Strike #2) vulnerability Christopher Schulte (Jun 02)
- bind running as root in Mandrake 7.0 Nicolas MONNET (Jun 03)
  - Re: bind running as root in Mandrake 7.0 Brock Sides (Jun 03)
  - Re: bind running as root in Mandrake 7.0 White Vampire (Jun 03)
  - Re: bind running as root in Mandrake 7.0 Andrew L . Davis (Jun 04)
    - Re: bind running as root in Mandrake 7.0 Elias Levy (Jun 08)
    - Circumventing Outlook Security Update File Download Security With IFRAMEs cassius () HUSHMAIL COM (Jun 09)
    - Re: bind running as root in Mandrake 7.0 Nathan Neulinger (Jun 11)
    - Remote DoS for Mercur 3.2 |[TDP]| (Jun 13)
    - Vulnerability in Solaris ufsrestore Job de Haas (Jun 14)
- <Possible follow-ups>
- Re: Remote DoS attack in Real Networks Real Server (Strike #2) Vulnerability Christopher Schulte (Jun 02)