Sun Microsystems Solaris srsexec Format String Vulnerability
5 Nov. 2007
Summary
The srsexec utility is part of the SRS Proxy Core package that is available with Solaris 10. This package is used to monitor the performance of clients running Solaris from a centralized administrative console. This software would be installed on all of the client machines being monitored and is set-uid root by default. Local exploitation of a format string vulnerability in the srsexec binary, optionally included in Sun Microsystems Inc.'s Solaris 10, allows attackers to execute arbitrary code with root privileges.
Vulnerable Systems:
* Solaris 10 with the SUNWsrspx package
The vulnerability exists because attacker-supplied data is passed directly to the syslog() function as the format string, rather than as an argument to a fixed format. With control of the format string, an attacker can use conversions such as %x to read values off the stack and the %n conversion to store attacker-chosen values at attacker-chosen addresses. This allows arbitrary memory to be overwritten with arbitrary data, and can result in the execution of arbitrary code with root privileges.
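The failing pattern and its hardened form, as an added illustration that is not srsexec's code or Sun's: log_unsafe is modelled on the advisory's description (a logging call whose format string is the caller's data), log_safe shows the fix, and controlled_write_via_percent_n shows why a controlled format string is a write primitive. syslog(3) accepts the same printf-style format, so the example formats into a buffer with vsnprintf()/snprintf() instead of writing to the system log, which makes the result visible. The function names, the count_directives pre-check and the sample input are assumptions made for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; not srsexec's or Sun's code.  syslog(3) takes a
 * printf-style format, so the stand-ins below format into a buffer with
 * vsnprintf()/snprintf() instead, which makes the effect visible. */

/* VULNERABLE pattern, modelled on the advisory's description: the
 * caller's data is the format string.  Equivalent to syslog(LOG_ERR, data).
 * The format attribute makes gcc/clang flag a non-literal, argument-less
 * call such as log_unsafe(buf, n, user_data) under -Wformat-security. */
static void log_unsafe(char *out, size_t outlen, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static void log_unsafe(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);   /* %x, %s and %n in fmt are honoured */
    va_end(ap);
}

/* HARDENED form: constant format, untrusted data passed as an argument.
 * Equivalent to syslog(LOG_ERR, "%s", user_data). */
static void log_safe(char *out, size_t outlen, const char *user_data)
{
    snprintf(out, outlen, "%s", user_data);
}

/* Why a controlled format string is a write primitive: %n stores the
 * number of characters emitted so far into the int* argument.  An attacker
 * who controls the format picks the value (via the field width) and, on a
 * real stack, the target pointer (by consuming argument slots with %x until
 * the address planted in the input is reached).  Here the pointer is
 * explicit, so the behaviour is defined and the write lands in `written`. */
static int controlled_write_via_percent_n(int width)
{
    char scratch[512];
    int written = -1;
    snprintf(scratch, sizeof scratch, "%*s%n", width, "", &written);
    return written;   /* equals width: the value the "attacker" chose */
}

/* Pre-check for input that must be logged but cannot be trusted: counts
 * conversion specifiers, treating "%%" as a literal percent sign. */
static int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent, not a conversion */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char buf[128];
    /* constructed sample input: reads two stack slots, then writes via %n */
    const char *attacker = "AAAA%08x.%08x.%n";

    log_unsafe(buf, sizeof buf, "uid=%d", 0);        /* trusted format: fine */
    printf("trusted: %s\n", buf);
    log_safe(buf, sizeof buf, attacker);
    printf("safe:    %s\n", buf);                     /* printed literally */
    printf("directives in input: %d\n", count_directives(attacker));
    printf("%%n stored: %d\n", controlled_write_via_percent_n(0x41));
    /* log_unsafe(buf, sizeof buf, attacker) is deliberately not called:
     * it would read undefined stack slots and write through %n. */
    return 0;
}
```

The unsafe function is only ever called with a constant format here; passing it the sample input would consume stack slots through %08x and write through %n, which is exactly the primitive the exploit builds on. Building with -Wformat -Wformat-security catches the non-literal, argument-less call at compile time once the logging wrapper carries the format attribute, and count_directives is the runtime fallback for input that must be logged verbatim.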
Analysis:
Exploitation results in the execution of arbitrary code with root privileges. In order to exploit this vulnerability, an attacker must have the ability to execute the set-uid root binary.
The SRS Proxy Core package is not installed by default, but it is a common application.
Workaround:
To prevent exploitation of this vulnerability, remove the set-uid bit from the srsexec binary as shown below. Reinstalling or patching the package may restore the bit, so verify the binary's permissions again after any package operation.