The Solaris runtime linker, ld.so.1(1), processes dynamic executables and shared objects at runtime, binding them to create an executable process. When LD_PRELOAD is set, the dynamic linker loads the specified library before any other when searching for shared libraries.
Credit:
The original advisory can be downloaded from: http://www.idefense.com/advisory/07.29.03.txt
The information has been provided by iDEFENSE Labs, the vulnerability was discovered by Jouko Pynnonen.
Vulnerable systems:
SPARC Platform
* Solaris 2.6 with patch 107733-10 and without patch 107733-11
* Solaris 7 with patches 106950-14 through 106950-22 and without patch 106950-23
* Solaris 8 with patches 109147-07 through 109147-24 and without patch 109147-25
* Solaris 9 without patch 112963-09
x86 Platform
* Solaris 2.6 with patch 107734-10 and without patch 107734-11
* Solaris 7 with patches 106951-14 through 106951-22 and without patch 106951-23
* Solaris 8 with patches 109148-07 through 109148-24 and without patch 109148-25
* Solaris 9 without patch 113986-05
A locally exploitable buffer overflow exists in the ld.so.1 dynamic runtime linker in Sun's Solaris operating system. The LD_PRELOAD variable can be passed a large value, which causes the runtime linker to overflow a stack-based buffer. The overflow occurs on a non-executable stack, making command execution more difficult than normal, but not impossible.
Vendor fix:
Sun has provided a fix for this issue available from: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680
Recreation:
It is possible to recreate the issue by issuing the following command line:
LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd
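As an added example (not part of the iDEFENSE advisory or Sun's own tooling), the following POSIX shell script encodes the patch table above and evaluates `showrev -p` output to report whether a host falls into one of the vulnerable patch ranges. It assumes the usual `showrev -p` line format ("Patch: NNNNNN-RR ..."); the sample output embedded below is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the advisory: check a Solaris host's patch level
# against the advisory's ld.so.1 (LD_PRELOAD) patch table.
#
# Columns: platform release base_patch first_vuln_rev last_vuln_rev fixed_rev
# Values are taken from the advisory. For Solaris 2.6/7/8 only the listed
# revisions carry the bug; for Solaris 9 the host is vulnerable unless the fix
# is installed, so first_vuln_rev is 0 (0 also stands for "not installed").
PATCH_TABLE='
sparc 2.6 107733 10 10 11
sparc 7   106950 14 22 23
sparc 8   109147 7  24 25
sparc 9   112963 0  8  9
x86   2.6 107734 10 10 11
x86   7   106951 14 22 23
x86   8   109148 7  24 25
x86   9   113986 0  4  5
'

# highest_rev BASE SHOWREV_OUTPUT
# Print the highest installed revision of patch BASE found in `showrev -p`
# output (assumed line format "Patch: NNNNNN-RR ..."), or 0 if not installed.
# Leading zeros are stripped so the shell does not read "08" as octal.
highest_rev() {
    rev=$(printf '%s\n' "$2" | sed -n "s/^Patch: $1-\([0-9]*\).*/\1/p" \
          | sort -n | tail -n 1 | sed 's/^0*//')
    echo "${rev:-0}"
}

# ld_preload_status PLATFORM RELEASE SHOWREV_OUTPUT
# Prints VULNERABLE (exit 1), PATCHED or NOT_AFFECTED (exit 0), or UNKNOWN (exit 2).
ld_preload_status() {
    platform=$1; release=$2; output=$3
    row=$(printf '%s\n' "$PATCH_TABLE" | awk -v p="$platform" -v r="$release" '$1 == p && $2 == r')
    if [ -z "$row" ]; then
        echo UNKNOWN; return 2
    fi
    set -- $row
    base=$3; lo=$4; hi=$5; fixed=$6
    rev=$(highest_rev "$base" "$output")
    if [ "$rev" -ge "$fixed" ]; then
        echo PATCHED; return 0
    elif [ "$rev" -ge "$lo" ] && [ "$rev" -le "$hi" ]; then
        echo VULNERABLE; return 1
    else
        echo NOT_AFFECTED; return 0
    fi
}

# Constructed sample `showrev -p` output (not from a real host).
SHOWREV_VULNERABLE='Patch: 109147-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 109147-20 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108528-15 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'
SHOWREV_PATCHED='Patch: 109147-25 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# On a real host, pass the platform (sparc or x86), the release as the advisory
# names it (2.6, 7, 8 or 9) and "$(showrev -p)" as the third argument.
echo "sparc/8, constructed vulnerable sample: $(ld_preload_status sparc 8 "$SHOWREV_VULNERABLE")"
echo "sparc/8, constructed patched sample:    $(ld_preload_status sparc 8 "$SHOWREV_PATCHED")"
```

The script evaluates only the highest installed revision of each base patch, because later Solaris patch revisions supersede earlier ones; a host with 109147-07 and 109147-20 installed is judged on revision 20.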
Disclosure timeline:
01 JUN 2003 Issue disclosed to security-alert@sun.com
02 JUN 2003 Response from Sun Security Coordination Team
03 JUN 2003 Email to Sun Security Coordination Team
04 JUN 2003 Issue disclosed to iDEFENSE
16 JUL 2003 Status Request to Sun Security Coordination Team
22 JUL 2003 Response from Sun Security Coordination Team
28 JUL 2003 iDEFENSE clients notified
29 JUL 2003 Coordinated Public Disclosure