Solaris ld.so.1 buffer overflow

From: Jouko Pynnonen (joukoat_private)
Date: Tue Jul 29 2003 - 13:36:18 PDT

Next message: SGI Security Coordinator: "[VulnWatch] IRIX nsd server and modules mishandle AUTH_UNIX gid list"

Previous message: SGI Security Coordinator: "[Full-Disclosure] IRIX nsd server and modules mishandle AUTH_UNIX gid list"
Next in thread: Rukshin, David: "RE: Solaris ld.so.1 buffer overflow"
Next in thread: Jouko Pynnonen: "Re: Solaris ld.so.1 buffer overflow"
Reply: Rukshin, David: "RE: Solaris ld.so.1 buffer overflow"
Reply: clint walker: "RE: Solaris ld.so.1 buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

OVERVIEW
========

There is a buffer overflow vulnerability in the Solaris runtime linker, 
/lib/ld.so.1. A local user can gain elevated privileges if there are
any dynamically linked, executable SUID/SGID programs in the 
filesystem.

On a typical Solaris installation most or all SUID/SGID programs are 
dynamically linked. The trend has been to completely move towards 
dynamically linked binaries due to Sun's recommendation. Support for 
static binaries will be removed in Solaris 10.



DETAILS
=======

The environment variable LD_PRELOAD is used to force ld.so.1 to load 
the specified library during runtime linking. If a setuid or setgid 
program is being loaded, the value of this variable is checked to 
prevent a potential malicious user-defined library to be linked in. In 
this case the linker only accepts libraries located under certain 
trusted directories. The code doing this evaluation is most likely the 
point containing the "unchecked buffer".

The buffer overflow happens if the LD_PRELOAD value starts and ends 
with a slash and contains about 1200 characters. An exploit won't be 
presented here, but the existance of the vulnerability can be tested 
like this:

  $ LD_PRELOAD=/`perl -e 'print "A"x2000'` passwd
  ld.so.1: passwd: warning /AAAAAAA ... AAAAA/: open failed: illegal 
  insecure pathname
  Segmentation Fault (core dumped)

My test exploit for Solaris 9 / SPARC gets a root shell by setting 
the variable and starting /usr/bin/passwd. The exploit builds a fake 
stack frame and causes the linker to return to libc in order to defeat 
the nonexecutable stack protection. I haven't produced an exploit for 
Intel platform, but according to Sun the vulnerability exists on both 
platforms.



SOLUTION
========

Sun Microsystems was contacted on June 1st, 2003 and has released a fix 
for the flaw. A complete list of vulnerable Solaris versions and the 
fix can be found here:

  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680



CREDITS
=======

The vulnerability was discovered by Jouko Pynnönen, Finland.



-- 
Jouko Pynnonen          http://iki.fi/jouko/
joukoat_private

Next message: SGI Security Coordinator: "[VulnWatch] IRIX nsd server and modules mishandle AUTH_UNIX gid list"
Previous message: SGI Security Coordinator: "[Full-Disclosure] IRIX nsd server and modules mishandle AUTH_UNIX gid list"
Next in thread: Rukshin, David: "RE: Solaris ld.so.1 buffer overflow"
Next in thread: Jouko Pynnonen: "Re: Solaris ld.so.1 buffer overflow"
Reply: Rukshin, David: "RE: Solaris ld.so.1 buffer overflow"
Reply: clint walker: "RE: Solaris ld.so.1 buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 29 2003 - 16:24:15 PDT