Date: Tue, 29 Jul 2003 11:57:30 -0400
From: iDEFENSE Labs <[email protected]>
To: [email protected]Subject: iDEFENSE Security Advisory 07.29.03: Buffer Overflow in Sun Solaris Runtime Linker
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iDEFENSE Security Advisory 07.29.03:
http://www.idefense.com/advisory/07.29.03.txt
Buffer Overflow in Sun Solaris Runtime Linker
July 29, 2003
I. BACKGROUND
The Solaris runtime linker, ld.so.1(1), processes dynamic executables
and shared objects at runtime, binding them to create a runnable
process. When LD_PRELOAD is set, the dynamic linker will use the
specified library before any other when searching for shared libraries.
II. DESCRIPTION
A locally exploitable buffer overflow exists in the ld.so.1 dynamic
runtime linker in Sun's Solaris operating system. The LD_PRELOAD
variable can be passed a large value, which will cause the runtime
linker to overflow a stack based buffer. The overflow occurs on a
non-executable stack making command execution more difficult than
normal, but not impossible.
III. ANALYSIS
iDEFENSE has proof of concept exploit code allowing local attackers to
gain root privileges by exploiting the /usr/bin/passwd command on
Solaris 9. A "return to libc" method is utilized to circumvent the
safeguards of the non-executable stack. It is feasible for a local
attacker to exploit this vulnerability to gain root privileges if at
least one setuid root dynamically linked program exists on the system.
Virtually all default implementations of Solaris 8 and 9 fulfill this
criterion.
IV. DETECTION
The following operating system configurations are vulnerable:
SPARC Platform
* Solaris 2.6 with patch 107733-10 and without patch 107733-11
* Solaris 7 with patches 106950-14 through 106950-22 and without
patch 106950-23
* Solaris 8 with patches 109147-07 through 109147-24 and without
patch 109147-25
* Solaris 9 without patch 112963-09
x86 Platform
* Solaris 2.6 with patch 107734-10 and without patch 107734-11
* Solaris 7 with patches 106951-14 through 106951-22 and without
patch 106951-23
* Solaris 8 with patches 109148-07 through 109148-24 and without
patch 109148-25
* Solaris 9 without patch 113986-05
V. VENDOR FIX
Sun has provided a fix for this issue available from:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680
VI. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2003-0609 to this issue.
VII. DISCLOSURE TIMELINE
01 JUN 2003 Issue disclosed to [email protected]
02 JUN 2003 Response from Sun Security Coordination Team
03 JUN 2003 Email to Sun Security Coordination Team
04 JUN 2003 Issue disclosed to iDEFENSE
16 JUL 2003 Status Request to Sun Security Coordination Team
22 JUL 2003 Response from Sun Security Coordination Team
28 JUL 2003 iDEFENSE clients notified
29 JUL 2003 Coordinated Public Disclosure
VIII. CREDIT
Jouko Pynnonen ([email protected]) discovered this vulnerability.
Get paid for security research
http://www.idefense.com/contributor.html
Subscribe to iDEFENSE Advisories:
send email to [email protected], subject line: "subscribe"
About iDEFENSE:
iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world - from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPyaJcPrkky7kqW5PEQJrXACgsGjrOSs/MJVudUP55/MlX6KrPuEAn1uC
99jxCgAMjChg8Y1P5N+QUYzy
=26td
-----END PGP SIGNATURE-----