Solaris 8 libsldap buffer overflow

From: Jouko Pynnonen (joukoat_private)
Date: Tue Jun 26 2001 - 02:24:27 PDT

    DESCRIPTION
    
    The library implementing LDAP naming services on Solaris 8, libsldap,
    contains a buffer overflow in its initialization code. While parsing
    the environment variable LDAP_OPTIONS, a fixed-size buffer is used to
    store its contents, which can be of any length. This is a
    straightforward buffer overflow and is exploitable in conjunction with
    privileged programs that use the library. Such programs include
    passwd, yppasswd, nispasswd, sendmail, and chkey. The library is only
    found on Solaris 8 systems. On vulnerable systems the buffer overflow
    can lead to a local root compromise.
    
    You can test whether your system is vulnerable as follows:
    
    $ LDAP_OPTIONS=`perl -e "print 'A'x300"` passwd
    Segmentation Fault
    
    A segmentation fault or other crash indicates you have a problem. If the
    program works normally (and asks for your password), you are probably not
    vulnerable. Other setuid binaries can be tested in the same way. To
    check whether a program has been linked against the libsldap library,
    you can use the ldd command.
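As an added check (example script, not part of the advisory), the following POSIX shell script lists setuid/setgid executables under the usual system directories and reports those whose ldd output references libsldap.so.1. It assumes an ldd that prints one dependency per line; the default directory list is an assumption.

```shell
#!/bin/sh
# Added example, not from the advisory: find setuid/setgid executables that
# are linked against libsldap.so.1, i.e. the programs a privileged user would
# want to inventory before patching or replacing the library.

# Return 0 if the ldd output read from stdin references libsldap, 1 otherwise.
links_libsldap() {
    grep 'libsldap\.so' >/dev/null 2>&1
}

# Print each setuid/setgid regular file under the given directories whose
# ldd output references libsldap.so.1. The default path list is an assumption.
find_sldap_setuid() {
    [ $# -gt 0 ] || set -- /usr/bin /usr/sbin /usr/lib /sbin
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while read -r prog; do
        if ldd "$prog" 2>/dev/null | links_libsldap; then
            printf '%s\n' "$prog"
        fi
    done
}

# Number of affected binaries found, for use in scripts.
count_sldap_setuid() {
    find_sldap_setuid "$@" | wc -l | tr -d ' '
}

# Run the scan when invoked directly with --scan [dir ...].
if [ "${1:-}" = "--scan" ]; then
    shift
    find_sldap_setuid "$@"
fi
```

Run it as root with `sh scan.sh --scan` so that ldd can read every setuid binary; each path printed is a program affected by the LDAP_OPTIONS overflow.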
    
    
    
    WORKAROUNDS
    
    One workaround is to clear the setuid/setgid bits of the vulnerable
    programs (chmod 755 prog), but this will in most cases make them useless.
    Another way is to compile a dummy library and replace
    /usr/lib/libsldap.so.1 with it. This will disable any LDAP functionality
    of the programs using this library, but otherwise they seem to work. A
    dummy kludge library can apparently be compiled and installed like this:
    
    $ cp /dev/null dummy.c
    $ gcc -shared dummy.c -o dummy.so
    $ su
    # mv /usr/lib/libsldap.so.1 /usr/lib/orig_libsldap_so
    # cp dummy.so /usr/lib/libsldap.so.1
    
    This neutralizes the buffer overflow, but might also break some
    things and have other side effects. If you do this, do it at your own
    risk. I haven't tested how the dummy library behaves on different kinds
    of systems and with different programs.
    
    
    
    VENDOR RESPONSE
    
    The vendor was informed on May 31st. According to Sun Microsystems
    they had just discovered the vulnerability themselves and it "has
    been fixed in the development release of Solaris and patches are being
    generated for Solaris 8 presently."
    
    
    
    CREDITS & ACKNOWLEDGEMENTS
    
    Vulnerability discovered by: Jouko Pynnönen <joukoat_private>
    Thanks & greets to: Esa Etelävuori, cc-opers@IRCNet
    
    
    -- 
    Jouko Pynnonen          Online Solutions Ltd      Secure your Linux -
    joukoat_private                                http://www.secmod.com
    



    This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 11:18:24 PDT