Solaris ipcs vulnerability

From: Marc Maiffret (marcat_private)
Date: Thu Apr 12 2001 - 18:07:08 PDT


    Solaris ipcs vulnerability
    
    Release Date:
    April 11, 2001
    
    Systems Affected:
    Solaris 7 (x86)
    Other versions of Solaris are most likely affected also.
    
    Discovered by:
    Riley Hassell rileyat_private
    
    Description:
    We have discovered a buffer overflow in the /usr/bin/i86/ipcs utility
    provided with Solaris 7. The problem exists in the parsing of the TZ
    (TIMEZONE) environment variable. By exploiting this vulnerability an
    attacker can achieve local sys group privileges. IPCS is used for gathering
    information on active inter-process communication facilities. Exploitation
    of this vulnerability would be very difficult, but not impossible.
    
    bash-2.03$ TZ=`perl -e 'print "A"x1035'`
    bash-2.03$ /usr/bin/i86/ipcs
    IPC status from <running system> as of Wed Apr 11 17:18:59 [buffer] 2001
    Message Queue facility inactive.
    T ID KEY MODE OWNER GROUP
    Shared Memory:
    m 0 0x500004d3 --rw-r--r-- root root
    Semaphore facility inactive.
    Segmentation Fault (core dumped)
    
    Note: [buffer] is any 1036 (or so) character string. A's...
    
    bash-2.03$ su root
    Password:
    # gdb /usr/bin/i86/ipcs core
    GNU gdb 5.0
    Copyright 2000 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    <snip>
    #0 0x41414141 in ?? ()
    (gdb) info reg eip
    eip 0x41414141 0x41414141
    (gdb)
    
    Vendor Status:
    Sun Microsystems has been contacted. They are currently working on patches
    for this and other related vulnerabilities eEye has discovered.
    
    Workaround:
    chmod -s /usr/bin/i86/ipcs
    This will remove the setgid bit from /usr/bin/i86/ipcs, therefore if someone
    does exploit this vulnerability, they won’t gain higher privileges.
    
    Greetings:
    ADM, Ryan “shellcode ninja” Permeh, KAM, Lamagra, Zen-Parse, Loki, and last
    but not least… Speakeasy.net
    
    Copyright (c) 1998-2001 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alertat_private for
    permission.
    
    Disclaimer
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.
    
    Feedback
    Please send suggestions, updates, and comments to:
    
    eEye Digital Security
    http://www.eEye.com
    infoat_private
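    The advisory shows the symptom (EIP = 0x41414141 after a 1035-byte TZ) but not the
    bug class behind it. The C below is an added illustration written for this archive
    page; it is not eEye's code and not the Solaris ipcs source. It simulates a stack
    frame as a flat byte array so the overwrite can be observed without corrupting the
    real stack: the TZ copy is assumed to live in a 1024-byte buffer with the saved
    return address immediately behind it (these offsets, the sentinel return address
    0x08046fa0 and the function names are all assumptions for the demo, not ipcs
    internals). The vulnerable copy is an unbounded strcpy of the inherited TZ value;
    the hardened copy bounds the scan and rejects anything that does not fit, which is
    the check a setgid program must apply to every environment variable it consumes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated stack: the TZ copy starts at offset 0 and the "saved EIP" slot sits
 * right behind it. These offsets are assumed for the demo and are NOT the real
 * ipcs frame layout. */
#define STACK_SIZE     4096
#define TZ_BUF_SIZE    1024
#define SAVED_EIP_OFF  TZ_BUF_SIZE
#define POC_LEN        1035          /* the advisory's `perl -e 'print "A"x1035'` */

/* Read the 4-byte return slot of the simulated frame (little-endian, as on x86). */
static uint32_t read_saved_eip(const unsigned char *stack)
{
    uint32_t eip;
    memcpy(&eip, stack + SAVED_EIP_OFF, sizeof eip);
    return eip;
}

static void write_saved_eip(unsigned char *stack, uint32_t eip)
{
    memcpy(stack + SAVED_EIP_OFF, &eip, sizeof eip);
}

/* Vulnerable pattern: unbounded copy of an attacker-controlled environment
 * string into a fixed buffer. Nothing stops it running past TZ_BUF_SIZE into
 * the return slot, which is what "#0 0x41414141 in ?? ()" in gdb reflects. */
static void vuln_copy_tz(unsigned char *stack, const char *tz)
{
    char *tzbuf = (char *)stack;
    strcpy(tzbuf, tz);               /* BUG: length of TZ is never checked */
}

/* Hardened version: bounded scan, reject anything that does not fit, then copy
 * exactly the bytes measured. Returns 0 on success, -1 on missing/oversize TZ. */
static int safe_copy_tz(unsigned char *stack, const char *tz)
{
    char *tzbuf = (char *)stack;
    size_t n = 0;
    if (tz == NULL)
        return -1;
    while (n < TZ_BUF_SIZE && tz[n] != '\0')   /* never look past the buffer size */
        n++;
    if (n == TZ_BUF_SIZE)                       /* no room left for the terminator */
        return -1;
    memcpy(tzbuf, tz, n + 1);                   /* n bytes plus the NUL */
    return 0;
}

/* Build the advisory's test string: POC_LEN 'A's. `out` must hold POC_LEN + 1 bytes. */
static void build_poc_tz(char *out)
{
    memset(out, 'A', POC_LEN);
    out[POC_LEN] = '\0';
}

/* Scenario 1: the unbounded copy clobbers the return slot with 'AAAA' = 0x41414141. */
uint32_t demo_vuln_eip_after_poc(void)
{
    unsigned char stack[STACK_SIZE] = {0};
    char poc[POC_LEN + 1];
    build_poc_tz(poc);
    write_saved_eip(stack, 0x08046fa0u);   /* assumed pre-overflow return address */
    vuln_copy_tz(stack, poc);
    return read_saved_eip(stack);
}

/* Scenario 2: the hardened copy rejects the PoC and leaves the return slot intact.
 * Returns 1 when both hold. */
int demo_safe_rejects_poc(void)
{
    unsigned char stack[STACK_SIZE] = {0};
    char poc[POC_LEN + 1];
    build_poc_tz(poc);
    write_saved_eip(stack, 0x08046fa0u);
    int rc = safe_copy_tz(stack, poc);
    return rc == -1 && read_saved_eip(stack) == 0x08046fa0u;
}

/* Scenario 3: a normal TZ value still works with the hardened copy. Returns 1 on success. */
int demo_safe_accepts_normal_tz(void)
{
    unsigned char stack[STACK_SIZE] = {0};
    write_saved_eip(stack, 0x08046fa0u);
    int rc = safe_copy_tz(stack, "PST8PDT");
    return rc == 0 && strcmp((const char *)stack, "PST8PDT") == 0
        && read_saved_eip(stack) == 0x08046fa0u;
}

int main(void)
{
    printf("vulnerable copy, saved EIP after PoC: 0x%08x\n", demo_vuln_eip_after_poc());
    printf("hardened copy rejects PoC and keeps frame: %d\n", demo_safe_rejects_poc());
    printf("hardened copy accepts PST8PDT:             %d\n", demo_safe_accepts_normal_tz());
    return 0;
}
```

    Build with `cc -Wall -o tz_demo tz_demo.c && ./tz_demo`. The first line of output
    reproduces the advisory's 0x41414141; the other two show that a length check on
    the inherited variable is sufficient to close the class of bug, independent of
    the `chmod -s` workaround, which only removes the privilege gain rather than the
    overflow.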
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 09:47:34 PDT