buffer overflow in solaris 'format' command [non-root]

From: Mike Furr (mike.furrat_private)
Date: Fri Nov 16 2001 - 09:37:22 PST


    Command: /usr/sbin/format
    Remote?: No
    Root?  : No
    Prio   : <= low
    
    The 'format' utility provided with Solaris 2.6 and 2.8 (and probably
    others as well) does not handle command line arguments correctly.  Any
    argument that is passed on the command line that is not a switch is
    treated as a path to a disk device.  Each of these arguments is then
    strcpy()'d into a buffer of length MAXPATHLEN which is set to 1024 at
    compile time. This is done without any bounds checking leaving the
    possibility of an overflow.
    
    Since this occurs before it tries to open any devices, any user with
    execute permissions to format can exploit this. An intruder may be able
    to break out of an (ill constructed) restricted environment using this
    vulnerability and then perform further attacks to a system from there.
    
    Example:
    
    me@XXXXXX:~(0)$ uname -a
    SunOS XXXX.YYYY.ZZZ 5.8 Generic_108528-11 sun4u sparc SUNW,Ultra-60
    me@XXXXXX:~(0)$ /usr/sbin/format `perl -e 'print "A"x1050;'`
    Bus Error
    
    Upstream has been contacted and stated that it assigned it a low
    priority bugID and will not backport a fixed executable to the current
    versions of Solaris without a more pressing justification.
    
    My recommendation for a fix:
    # chmod 0500 /usr/sbin/format
    
    cheers,
    Mike Furr
    This archive was generated by hypermail 2b30 : Fri Nov 16 2001 - 10:33:13 PST