DESCRIPTION

The library implementing LDAP naming services on Solaris 8, libsldap, contains a buffer overflow in its initialization code. While parsing the environment variable LDAP_OPTIONS, a fixed-size buffer is used to store its contents, which can be of any length. This is a straightforward buffer overflow and is exploitable in conjunction with privileged programs that use the library. Such programs include passwd, yppasswd, nispasswd, sendmail, and chkey. The library is only found on Solaris 8 systems. On vulnerable systems the buffer overflow can lead to a local root compromise.

Testing whether your system is vulnerable can be done as follows:

$ LDAP_OPTIONS=`perl -e "print 'A'x300"` passwd
Segmentation Fault

A segmentation fault or other fault indicates you have a problem. If the program works normally (and asks for your password), you're probably not vulnerable. Other setuid binaries can be tested in the same way. To check whether a program has been linked against the libsldap library, you can use the ldd command.

WORKAROUNDS

One workaround is to clear the setuid/setgid bits of the vulnerable programs (chmod 755 prog), but in most cases this will make them useless.

Another way is to compile a dummy library and replace /usr/lib/libsldap.so.1 with it. This disables any LDAP functionality of the programs using this library, but otherwise they seem to work. A dummy kludge library can apparently be compiled and installed like this:

$ cp /dev/null dummy.c
$ gcc -shared dummy.c -o dummy.so
$ su
# mv /usr/lib/libsldap.so.1 /usr/lib/orig_libsldap_so
# cp dummy.so /usr/lib/libsldap.so.1

This neutralizes the buffer overflow, but might also break some things and have other side effects. If you do this, do it at your own risk. I haven't tested how the dummy library behaves on different kinds of systems and with different programs.

VENDOR RESPONSE

The vendor was informed on May 31st. According to Sun Microsystems they had just discovered the vulnerability themselves and it "has been fixed in the development release of Solaris and patches are being generated for Solaris 8 presently."

CREDITS & ACKNOWLEDGEMENTS

Vulnerability discovered by: Jouko Pynnönen <joukoat_private>
Thanks & greets to: Esa Etelävuori, cc-opers@IRCNet

--
Jouko Pynnonen        Online Solutions Ltd        Secure your Linux -
joukoat_private                                   http://www.secmod.com
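The defect described under DESCRIPTION, as an added illustration of the bug class (this is not libsldap's code; OPT_BUF_SIZE, the function names and the option handling are assumptions): the unsafe fixed-buffer copy beside a bounded version that rejects an oversized LDAP_OPTIONS value instead of trusting the caller's environment.

```c
#define _POSIX_C_SOURCE 200112L /* for setenv() */
#include <stdlib.h>
#include <string.h>
#define OPT_BUF_SIZE 64 /* assumed; the real libsldap buffer size is not on the page */

/* Vulnerable pattern (never called): arbitrary-length value, fixed buffer, no check. */
void init_options_unsafe(void)
{
    char opts[OPT_BUF_SIZE];
    strcpy(opts, getenv("LDAP_OPTIONS")); /* defect: unbounded copy (and no NULL check) */
}

/* Hardened form: check the length before copying. Returns 0 on success,
 * -1 when the value plus its terminating NUL does not fit in optsz. */
int init_options_safe(const char *value, char *opts, size_t optsz)
{
    size_t len;
    if (value == NULL || opts == NULL || optsz == 0) return -1;
    len = strlen(value);
    if (len >= optsz) return -1;
    memcpy(opts, value, len + 1);
    return 0;
}

/* Privileged-program entry point: LDAP_OPTIONS is caller-controlled, so an
 * absent variable is treated as empty and an oversized one is rejected. */
int load_ldap_options_from_env(char *opts, size_t optsz)
{
    const char *value = getenv("LDAP_OPTIONS");
    if (value == NULL) {
        opts[0] = '\0';
        return 0;
    }
    return init_options_safe(value, opts, optsz);
}

/* Mirrors the advisory's check: export LDAP_OPTIONS as n 'A's and return the
 * hardened loader's verdict (0 accepted, -1 rejected). */
int probe_value_length(size_t n)
{
    char opts[OPT_BUF_SIZE], *value = malloc(n + 1);
    int rc;
    if (value == NULL) return -1;
    memset(value, 'A', n);
    value[n] = '\0';
    setenv("LDAP_OPTIONS", value, 1);
    rc = load_ldap_options_from_env(opts, sizeof opts);
    free(value);
    return rc;
}
```

With the advisory's 300-character value, probe_value_length(300) returns -1: the hardened loader refuses the input where the original library overran its buffer.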
This archive was generated by hypermail 2b30 : Tue Jun 26 2001 - 11:18:24 PDT