Hi there,

I've found that /usr/dt/bin/dtmail and /usr/dt/bin/dtmailpr will cause a
buffer overflow on Solaris 7. /usr/dt/bin/dtmail and /usr/dt/bin/dtmailpr
are installed as SGID mail. Unfortunately, these are NOT exploitable,
because it seems that /usr/dt/bin/dtmail and /usr/dt/bin/dtmailpr drop
privileges before the overflow occurs.

bash-2.03$ ls -la /usr/dt/bin/dtmail /usr/dt/bin/dtmailpr
-r-xr-sr-x   1 bin      mail     1490924 Oct 31 08:59 /usr/dt/bin/dtmail
-r-xr-sr-x   1 bin      mail      531732 Oct 31 08:59 /usr/dt/bin/dtmailpr
bash-2.03$ uname -a
SunOS puppet 5.7 Generic_106542-18 i86pc i386 i86pc
bash-2.03$ /usr/dt/bin/dtmail -f `perl -e 'print "A"x1200'`
Segmentation Fault
bash-2.03$ cp /usr/dt/bin/dtmail ./
bash-2.03$ ./dtmail -f `perl -e 'print "A"x1200'`
Segmentation Fault (core dumped)
bash-2.03$ gdb ./dtmail --core=core
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-pc-solaris2.7"...
(no debugging symbols found)...
Core was generated by `./dtmail -f AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 9, Killed.
Reading symbols from /usr/dt/lib/libSDtMail.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libnsl.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libsocket.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/dt/lib/libDtSvc.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/dt/lib/libtt.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/dt/lib/libDtWidget.so.2...(no debugging symbols found)...done.
---Type <return> to continue, or q <return> to quit---
Reading symbols from /usr/dt/lib/libXm.so.4...(no debugging symbols found)...done.
Reading symbols from /usr/openwin/lib/libXt.so.4...(no debugging symbols found)...done.
Reading symbols from /usr/openwin/lib/libX11.so.4...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libC.so.5...(no debugging symbols found)...done.
Reading symbols from /usr/dt/lib/libSDtFwa.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libm.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libw.so.1...
warning: Lowest section in /usr/lib/libw.so.1 is .hash at 0x74
(no debugging symbols found)...done.
Reading symbols from /usr/lib/libthread.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libmp.so.2...(no debugging symbols found)...done.
Reading symbols from /usr/lib/libgen.so.1...(no debugging symbols found)...done.
Reading symbols from /usr/openwin/lib/libSM.so.6...(no debugging symbols found)...done.
Reading symbols from /usr/openwin/lib/libICE.so.6...(no debugging symbols found)...done.
Reading symbols from /usr/openwin/lib/libXext.so.0...
---Type <return> to continue, or q <return> to quit---
(no debugging symbols found)...done.
#0  0x41414141 in ?? ()
(gdb) info r
eax            0x0      0
ecx            0x4e     78
edx            0x0      0
ebx            0x81e2688        136193672
esp            0x8045c84        0x8045c84
ebp            0x41414141       0x41414141
esi            0x8162d88        135671176
edi            0x81e1990        136190352
eip            0x41414141       0x41414141
eflags         0x10286  66182
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x10f    271
(gdb) q
bash-2.03$ su
Password:
# truss -t'!all' -u libc:getgid,setgid /usr/dt/bin/dtmail -f \
`/usr/local/bin/perl -e 'print "A"x1200'`
/1:     -> libc:getgid()
/1:     <- libc:getgid() = 1
/1:     -> libc:setgid(0x1)
/1:     <- libc:setgid() = 0
/1:     -> libc:setgid(0x6)
/1:     <- libc:setgid() = 0
/1:     -> libc:setgid(0x1)
/1:     <- libc:setgid() = 0
    Incurred fault #6, FLTBOUNDS  %pc = 0x41414141
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
    Received signal #11, SIGSEGV [default]
      siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
        *** process killed ***

You'll see the same result in dtmailpr.

It should be noted that dtmail and dtmailpr on Solaris 8 will not cause
this overflow.

Regards,
-----------------------------------------------
ARAI Yuu <y.araiat_private>
Network Security Specialist / LAC Computer Security Laboratory
http://www.lac.co.jp/security/
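The truss trace above shows why the overflow is not exploitable: the SGID binary has already returned to the caller's real gid by the time the oversized -f argument is processed. The following C program is an added example, not ARAI Yuu's code and not CDE/dtmail source; it shows the two defensive properties that matter here, dropping group privilege (and verifying the drop held) before any argv is parsed, and copying the -f argument with a length check instead of an unbounded copy. FOLDER_MAX, drop_group_privs and set_folder are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define FOLDER_MAX 256  /* hypothetical cap on the -f folder path */

/* Drop any set-group-ID privilege back to the real gid and confirm the
 * drop actually held (this is the getgid()/setgid() pair truss showed).
 * Returns 0 on success, -1 if setgid failed or egid still differs. */
int drop_group_privs(void) {
    gid_t real = getgid();
    if (setgid(real) != 0)
        return -1;
    return (getegid() == real) ? 0 : -1;
}

/* Bounded copy of the -f argument into a fixed-size buffer.
 * Returns 0 when the argument fits; returns -1 and leaves dst untouched
 * when it would overflow, so an over-long folder name is rejected rather
 * than written past the end of the buffer. */
int set_folder(char *dst, size_t dstlen, const char *arg) {
    size_t n = strlen(arg);
    if (n >= dstlen)
        return -1;
    memcpy(dst, arg, n + 1);   /* n + 1 copies the terminating NUL */
    return 0;
}

int main(int argc, char **argv) {
    char folder[FOLDER_MAX] = "";
    /* 1. shed privilege before touching any caller-controlled argument */
    if (drop_group_privs() != 0) {
        fprintf(stderr, "privilege drop failed\n");
        return 1;
    }
    /* 2. only then parse the command line, with bounded copies */
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-f") == 0 &&
            set_folder(folder, sizeof folder, argv[i + 1]) != 0) {
            fprintf(stderr, "-f argument too long (max %d bytes)\n", FOLDER_MAX - 1);
            return 2;
        }
    }
    printf("folder: %s\n", folder);
    return 0;
}
```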
This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 00:33:04 PST