Date: Tue, 26 Jun 2001 12:24:27 +0300 (EEST)
From: Jouko Pynnonen <[email protected]>
To: [email protected]
Subject: Solaris 8 libsldap buffer overflow
DESCRIPTION
The library implementing LDAP naming services on Solaris 8, libsldap,
contains a buffer overflow in the initialization code. While parsing
the environment variable LDAP_OPTIONS, a fixed size buffer is used to
store its contents which can be of any length. This is a
straightforward buffer overflow and exploitable in conjunction with
privileged programs that use the library. Such programs include
passwd, yppasswd, nispasswd, sendmail, and chkey. The library is only
found on Solaris 8 systems. On vulnerable systems the buffer overflow
can lead to a local root compromise.
You can test whether your system is vulnerable as follows:
$ LDAP_OPTIONS=`perl -e "print 'A'x300"` passwd
Segmentation Fault
A segmentation or other fault indicates you have a problem. If the
program works normally (and asks your password), you're probably not
vulnerable. Other setuid binaries can be tested in the same way. To
check whether a program has been linked against the libsldap library,
you can use the ldd command.
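The bug class described above, as an added example that is not libsldap's code (the advisory quotes no source): a hypothetical initialization routine that copies the LDAP_OPTIONS value into a fixed-size buffer with no length check, next to a bounded version that refuses over-length values instead of overflowing. The buffer size OPTS_MAX, the function names and the "reject rather than truncate" policy are assumptions made for this example.

```c
/* Added example, not libsldap's actual code: the pattern the advisory
 * describes (an environment variable of arbitrary length copied into a
 * fixed-size stack buffer) and a bounded replacement.
 * OPTS_MAX and the function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPTS_MAX 256 /* hypothetical fixed buffer size */

/* Vulnerable pattern: strcpy() copies whatever length the caller supplies.
 * A value longer than OPTS_MAX runs past the end of buf; in a setuid
 * program this is the condition the advisory's 300-'A' test triggers.
 * Shown for contrast only; the stand-alone main() below never calls it. */
int parse_options_unsafe(const char *value)
{
    char buf[OPTS_MAX];
    if (value == NULL)
        return 0;
    strcpy(buf, value);            /* no length check */
    return (int)strlen(buf);
}

/* Hardened pattern: measure first, then copy only if the value fits.
 * Returns the number of bytes stored, 0 for an unset variable, or -1 when
 * the value is too long (rejected rather than silently truncated). */
int parse_options_safe(const char *value, char *out, size_t outsz)
{
    size_t n;
    if (value == NULL || outsz == 0)
        return 0;
    n = strlen(value);
    if (n >= outsz)
        return -1;                 /* over-length: refuse instead of overflow */
    memcpy(out, value, n + 1);     /* n + 1 includes the terminating NUL */
    return (int)n;
}

/* Convenience wrapper with a fixed buffer, mirroring how the library
 * would hold the option string internally. */
int parse_into_fixed(const char *value)
{
    char buf[OPTS_MAX];
    return parse_options_safe(value, buf, sizeof buf);
}

/* Reproduces the advisory's test input (a run of 'A's of the given length)
 * against the hardened parser. Returns 1 if the input was rejected. */
int long_value_is_rejected(size_t len)
{
    char *value = malloc(len + 1);
    int rc;
    if (value == NULL)
        return 0;
    memset(value, 'A', len);
    value[len] = '\0';
    rc = parse_into_fixed(value);
    free(value);
    return rc == -1;
}

int main(void)
{
    /* Same environment variable the advisory's test sets. */
    int rc = parse_into_fixed(getenv("LDAP_OPTIONS"));
    if (rc < 0)
        fprintf(stderr, "LDAP_OPTIONS longer than %d bytes, ignored\n",
                OPTS_MAX - 1);
    else
        printf("LDAP_OPTIONS accepted: %d bytes\n", rc);
    return 0;
}
```

Run with `LDAP_OPTIONS=$(perl -e "print 'A'x300") ./a.out` and the bounded parser reports the value as too long and carries on, where the strcpy() version would fault as in the advisory's test. The length check uses `n >= outsz` so that the terminating NUL always fits; truncating instead of rejecting would avoid the crash too, but would silently change the configuration a privileged program runs with.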
WORKAROUNDS
One workaround is to clear the setuid/setgid bits of the vulnerable
programs (chmod 755 prog), but this will in most cases make them useless.
Another way is to compile a dummy library and replace
/usr/lib/libsldap.so.1 with it. This will disable any LDAP functionality
of the programs using this library, but otherwise they seem to work. A
dummy kludge library can apparently be compiled and installed like this:
$ cp /dev/null dummy.c
$ gcc -shared dummy.c -o dummy.so
$ su
# mv /usr/lib/libsldap.so.1 /usr/lib/orig_libsldap_so
# cp dummy.so /usr/lib/libsldap.so.1
This neutralizes the buffer overflow, but might also break some
things and have other side-effects. If you do this, do it at your own
risk. I haven't tested how the dummy library behaves on different kinds
of systems and with different programs.
VENDOR RESPONSE
The vendor was informed on May 31st. According to Sun Microsystems
they had just discovered the vulnerability themselves and it "has
been fixed in the development release of Solaris and patches are being
generated for Solaris 8 presently."
CREDITS & ACKNOWLEDGEMENTS
Vulnerability discovered by: Jouko Pynnönen <[email protected]>
Thanks & greets to: Esa Etelävuori, cc-opers@IRCNet
--
Jouko Pynnonen          Online Solutions Ltd         Secure your Linux -
[email protected]                                   http://www.secmod.com