[17658] in bugtraq


Re: Solaris libc locale bug exploit against non-exec stack

daemon@ATHENA.MIT.EDU (Jay D. Dyson)
Wed Nov 15 14:25:22 2000

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.GSO.3.96.1001114130430.4813A-100000@crypto>
Date:         Tue, 14 Nov 2000 13:44:47 -0800
Reply-To: "Jay D. Dyson" <jdyson@treachery.net>
From: "Jay D. Dyson" <jdyson@treachery.net>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200011141133.TAA26893@intra.nsfocus.com>

On Tue, 14 Nov 2000, Warning3 wrote:

> It seems Sun hasn't supplied the patch for libc locale bug yet.  Many
> suid programs are affected by this bug, e.g. passwd, eject, login, ping,
> rcp, etc. It is not enough just to drop the "eject"'s suid bit.  You are
> also not safe even if you have enabled non-exec stack protection.
> Attachment is the exploit against "/usr/bin/passwd" in Solaris 2.6/7
> (SPARC) with non-exec stack protection.

	I found this report compelling enough that I attempted it on one
of the systems on which I have noexec set.  The exploit failed as the
example binary had permissions set thus:

-r-s--s--x   2 root     sys        85724 Sep  9  1999 /usr/bin/passwd

	With permissions set as above (which are not default, but the
product of some personal work on Solaris hardening), ldd couldn't read the
file and the exploit compilation failed.  The same should hold true for
the other affected binaries.  (On my systems, the majority of suids are
not left open for "other" to read or execute; they are restricted to
specific "trusted" groups.)

	So, as something of a workaround, alter the perms of the affected
binaries, add some new groups that you wish to have access to said
binaries and perform the appropriate chgrp & chmod for those binaries.

	Bear in mind that it is possible that one could compile this
exploit on another, identical machine and then load it on a hardened
system to accomplish this exploit, but I haven't tested that possibility.
If nothing else, the intruder would need access to an identical (default)
install, which would limit the ambitions of most budding scriptmonkeys.

-Jay

   (                                                              ______
   ))   .--- "There's always time for a good cup of coffee" ---.   >===<--.
 C|~~| (>-------- Jay D. Dyson -- jdyson@treachery.net --------<) |   = |-'
  `--'  `----------- My other car is a Sparc Ultra. -----------'  `-----'

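The workaround Jay describes, restricting suid binaries so that "other" cannot read them and a local user can no longer run ldd over the file, as an added audit script that is not part of the original post or thread: it classifies `ls -l` entries by setuid bit and world-readability and converts the symbolic mode to octal. The sample listing is constructed; the `-r-sr-sr-x` line is an assumed stock mode, not one the post states.

```shell
#!/bin/sh
# Added example, not from the bugtraq post. Assumes POSIX sh and a `find`
# that supports -perm/-exec ... {} + for the live-system usage shown at the end.

# Convert an ls -l symbolic mode (10 chars) to a 4-digit octal string.
sym_to_octal() {
    m=$1; special=0; digits=''
    for start in 2 5 8; do
        r=$(printf '%s' "$m" | cut -c"$start")
        w=$(printf '%s' "$m" | cut -c"$((start + 1))")
        x=$(printf '%s' "$m" | cut -c"$((start + 2))")
        v=0
        if [ "$r" = r ]; then v=$((v + 4)); fi
        if [ "$w" = w ]; then v=$((v + 2)); fi
        case "$x" in x|s|t) v=$((v + 1)) ;; esac
        case "$start$x" in                 # s/S in owner/group slot, t/T in other slot
            2s|2S) special=$((special + 4)) ;;
            5s|5S) special=$((special + 2)) ;;
            8t|8T) special=$((special + 1)) ;;
        esac
        digits="$digits$v"
    done
    printf '%s%s\n' "$special" "$digits"
}

# Setuid bit is the 4th character; "other" read bit is the 8th.
is_setuid()         { case "$1" in ???[sS]*) return 0 ;; *) return 1 ;; esac; }
is_world_readable() { case "$1" in ???????r??) return 0 ;; *) return 1 ;; esac; }

# Print "<path> <octal> <verdict>" for one ls -l mode/path pair.
classify() {
    mode=$1; path=$2; oct=$(sym_to_octal "$mode")
    if ! is_setuid "$mode"; then
        echo "$path $oct not-setuid"
    elif is_world_readable "$mode"; then
        echo "$path $oct setuid-world-readable"   # ldd/copy possible for any local user
    else
        echo "$path $oct setuid-restricted"       # other cannot read the image
    fi
}

# Feed a whole ls -l listing (one entry per line) through classify.
audit_listing() {
    printf '%s\n' "$1" | while read -r mode links owner group size mon day yr path; do
        classify "$mode" "$path"
    done
}

# Constructed sample: an assumed stock passwd mode, Jay's hardened one, a non-suid file.
SAMPLE='-r-sr-sr-x 1 root sys 85724 Sep 9 1999 /usr/bin/passwd
-r-s--s--x 2 root sys 85724 Sep 9 1999 /usr/bin/passwd
-r-xr-xr-x 1 root bin 12345 Sep 9 1999 /usr/bin/ls'
audit_listing "$SAMPLE"
# Live system: audit_listing "$(find / -perm -4000 -type f -exec ls -ld {} + 2>/dev/null)"
```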
