Bugtraq mailing list archives

buffer overflow in solaris 'format' command [non-root]


From: Mike Furr <mike.furr () umbc edu>
Date: 16 Nov 2001 12:37:22 -0500

Command: /usr/sbin/format
Remote?: No
Root?  : No
Prio   : <= low

The 'format' utility provided with the Solaris 2.6 and 2.8 (and probably
others as well) does not handle command line arguments correctly.  Any
argument that is passed on the command line that is not a switch is
treated as a path to a disk device.  Each of these arguments is then
strcpy()'d into a buffer of length MAXPATHLEN which is set to 1024 at
compile time. This is done without any bounds checking leaving the
possibility of an overflow.

Since this occurs before it tries to open any devices, any user with
execute permissions to format can exploit this. An intruder may be able
to break out of an (ill constructed) restricted environment using this
vulnerability and then perform further attacks to a system from there.

Example:

me@XXXXXX:~(0)$ uname -a
SunOS XXXX.YYYY.ZZZ 5.8 Generic_108528-11 sun4u sparc SUNW,Ultra-60
me@XXXXXX:~(0)$ /usr/sbin/format `perl -e 'print "A"x1050;'`
Bus Error

Upstream has been contacted and stated that it assigned it a low
priority bugID and will not backport a fixed executable to the current
versions of Solaris without a more pressing justification.

My recommendation for a fix:
# chmod 0500 /usr/sbin/format

cheers,
Mike Furr
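The unchecked strcpy() pattern the post describes, shown beside a bounded copy that rejects oversized arguments, as an added C example (not code from the post or from Solaris; the 1024-byte MAXPATHLEN comes from the post, the function and buffer names are assumptions):

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not Solaris source. MAXPATHLEN is 1024 as the
 * post states; the function and buffer names are assumptions. */
#define MAXPATHLEN 1024

/* The pattern the post describes: every non-switch argument is copied
 * into a fixed MAXPATHLEN buffer with strcpy() and no length check, so
 * an argument of 1050 bytes writes past the end of dev_path. Shown for
 * comparison only; nothing below calls it. */
void copy_device_path_unchecked(char *dev_path, const char *arg)
{
    strcpy(dev_path, arg);   /* overflows when strlen(arg) >= MAXPATHLEN */
}

/* Hardened form: refuse anything that does not fit, then copy with an
 * explicit bound so the destination is always NUL-terminated. */
int copy_device_path(char *dev_path, size_t dev_path_len, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dev_path_len)
        return -1;                     /* too long to be a device path */
    memcpy(dev_path, arg, n + 1);      /* n + 1 copies the NUL as well */
    return 0;
}

/* Walk argv the way the post says format does: skip switches, treat the
 * rest as device paths. Returns how many arguments were rejected. */
int check_device_args(int argc, char **argv)
{
    char dev_path[MAXPATHLEN];
    int rejected = 0;
    for (int i = 1; i < argc; i++) {
        if (argv[i][0] == '-')
            continue;                  /* a switch, not a device path */
        if (copy_device_path(dev_path, sizeof dev_path, argv[i]) != 0) {
            fprintf(stderr, "format: argument %d exceeds MAXPATHLEN\n", i);
            rejected++;
        }
    }
    return rejected;
}
```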
