Date: 16 Nov 2001 12:37:22 -0500
From: Mike Furr <[email protected]>
To: [email protected]
Subject: buffer overflow in solaris 'format' command [non-root]
Command: /usr/sbin/format
Remote?: No
Root? : No
Prio : <= low
The 'format' utility provided with Solaris 2.6 and 2.8 (and probably
others as well) does not handle command line arguments correctly. Any
argument passed on the command line that is not a switch is treated as
a path to a disk device. Each of these arguments is then strcpy()'d into
a buffer of length MAXPATHLEN, which is set to 1024 at compile time. This
is done without any bounds checking, leaving the possibility of an
overflow.
Since this occurs before format tries to open any devices, any user with
execute permission on format can trigger it. An intruder may be able to
break out of an (ill-constructed) restricted environment using this
vulnerability and then perform further attacks against the system from there.
Example:
me@XXXXXX:~(0)$ uname -a
SunOS XXXX.YYYY.ZZZ 5.8 Generic_108528-11 sun4u sparc SUNW,Ultra-60
me@XXXXXX:~(0)$ /usr/sbin/format `perl -e 'print "A"x1050;'`
Bus Error
Upstream has been contacted and stated that it assigned the issue a low
priority bug ID and will not backport a fixed executable to the current
versions of Solaris without a more pressing justification.
My recommendation for a fix:
# chmod 0500 /usr/sbin/format
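The length check the report says format lacks, as an added example (neither Mike Furr's code nor Sun's): a bounded copy of the non-switch arguments into the 1024-byte MAXPATHLEN buffer the advisory describes, with a self-check using the 1050-byte argument from the report; the function names and the argument loop are assumptions about how such a fix would look, not format's actual source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FORMAT_MAXPATHLEN 1024  /* buffer size the advisory reports for format */

/* Hypothetical replacement for the unchecked strcpy() the advisory describes:
 * copy a disk-path argument into a fixed buffer, or refuse it (return -1,
 * empty dst) when it cannot fit together with its terminator. */
int copy_device_path(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strnlen(arg, dstsz);  /* never scans past dstsz bytes */
    if (n >= dstsz) {
        dst[0] = '\0';
        return -1;                   /* would overflow: reject, do not truncate */
    }
    memcpy(dst, arg, n + 1);         /* n < dstsz, so the NUL fits */
    return 0;
}

/* Mirrors format's argument handling: every non-switch argument is a device
 * path. Returns the number of accepted paths, or -1 on the first bad one. */
int collect_device_paths(int argc, char **argv,
                         char paths[][FORMAT_MAXPATHLEN], int maxpaths)
{
    int count = 0;
    for (int i = 1; i < argc; i++) {
        if (argv[i][0] == '-')       /* switches are parsed elsewhere */
            continue;
        if (count == maxpaths ||
            copy_device_path(paths[count], FORMAT_MAXPATHLEN, argv[i]) != 0) {
            fprintf(stderr, "argument %d rejected\n", i);
            return -1;
        }
        count++;
    }
    return count;
}

/* Self-check: run one argument of len 'A's (the report used 1050) through the
 * loop above; returns 1 if accepted as a device path, 0 if rejected. */
int accepts_arg_of_length(size_t len)
{
    char paths[1][FORMAT_MAXPATHLEN], *argv[] = { "format", NULL, NULL };
    if ((argv[1] = malloc(len + 1)) == NULL) return -1;
    memset(argv[1], 'A', len); argv[1][len] = '\0';
    int n = collect_device_paths(2, argv, paths, 1);
    free(argv[1]);
    return n == 1;
}
```

The 1050-byte argument that crashed format with a Bus Error is refused here before any copy happens, while any path of up to 1023 bytes is accepted unchanged.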
cheers,
Mike Furr