The OpenNET Project
Solaris 8 libsldap buffer overflow


Date: Tue, 26 Jun 2001 12:24:27 +0300 (EEST)
From: Jouko Pynnonen <[email protected]>
To: [email protected]
Subject: Solaris 8 libsldap buffer overflow


DESCRIPTION

The library implementing LDAP naming services on Solaris 8, libsldap,
contains a buffer overflow in its initialization code. While parsing
the environment variable LDAP_OPTIONS, it copies the variable's
contents, which can be of any length, into a fixed-size buffer. This
is a straightforward buffer overflow and is exploitable in conjunction
with privileged programs that use the library, because the environment
of a setuid program is supplied by the unprivileged user who runs it.
Such programs include passwd, yppasswd, nispasswd, sendmail, and chkey.
The library is only found on Solaris 8 systems. On vulnerable systems
the buffer overflow can lead to a local root compromise.

To test whether your system is vulnerable, run a setuid program that
uses the library with an over-long LDAP_OPTIONS value:

$ LDAP_OPTIONS=`perl -e "print 'A'x300"` passwd
Segmentation Fault

A segmentation fault or other fault indicates you have a problem. If
the program works normally (and asks for your password), you're
probably not vulnerable. Other setuid binaries can be tested in the
same way. To check whether a program is linked against libsldap, run
the ldd command on the binary and look for libsldap.so.1 in its output.



WORKAROUNDS

One workaround is to clear the setuid/setgid bits of the vulnerable
programs (chmod 755 prog), but in most cases this will make them useless.
Another is to compile a dummy library and replace
/usr/lib/libsldap.so.1 with it. This disables any LDAP functionality
of the programs using this library, but otherwise they seem to work. A
dummy kludge library can apparently be compiled and installed like this:

$ cp /dev/null dummy.c
$ gcc -shared dummy.c -o dummy.so
$ su
# mv /usr/lib/libsldap.so.1 /usr/lib/orig_libsldap_so
# cp dummy.so /usr/lib/libsldap.so.1

This neutralizes the buffer overflow, but might also break some
things and have other side-effects. If you do this, do it at your own
risk. I haven't tested how the dummy library behaves on different kinds
of systems and with different programs.



VENDOR RESPONSE

The vendor was informed on May 31st. According to Sun Microsystems
they had just discovered the vulnerability themselves and it "has
been fixed in the development release of Solaris and patches are being
generated for Solaris 8 presently."



CREDITS & ACKNOWLEDGEMENTS

Vulnerability discovered by: Jouko Pynnönen <[email protected]>
Thanks & greets to: Esa Etelävuori, cc-opers@IRCNet


-- 
Jouko Pynnonen          Online Solutions Ltd      Secure your Linux -
[email protected]                                http://www.secmod.com



