[UNIX] Buffer Overflow in Sun Solaris Runtime Linker
From: SecuriTeam (support_at_securiteam.com)
Date: 07/31/03
To: list@securiteam.com
Date: 31 Jul 2003 14:15:45 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffer Overflow in Sun Solaris Runtime Linker
------------------------------------------------------------------------
SUMMARY
The Solaris runtime linker, ld.so.1(1), processes dynamic executables and
shared objects at runtime, binding them to create an executable process.
When LD_PRELOAD is set, the dynamic linker will use the specified library
before any other when searching for shared libraries.
DETAILS
Vulnerable systems:
SPARC Platform
* Solaris 2.6 with patch 107733-10 and without patch 107733-11
* Solaris 7 with patches 106950-14 through 106950-22 and without patch 106950-23
* Solaris 8 with patches 109147-07 through 109147-24 and without patch 109147-25
* Solaris 9 without patch 112963-09
x86 Platform
* Solaris 2.6 with patch 107734-10 and without patch 107734-11
* Solaris 7 with patches 106951-14 through 106951-22 and without patch 106951-23
* Solaris 8 with patches 109148-07 through 109148-24 and without patch 109148-25
* Solaris 9 without patch 113986-05
A locally exploitable buffer overflow exists in the ld.so.1 dynamic
runtime linker in Sun's Solaris operating system. The LD_PRELOAD variable
can be passed a large value, which will cause the runtime linker to
overflow a stack based buffer. The overflow occurs on a non-executable
stack making command execution more difficult than normal, but not
impossible.
Vendor fix:
Sun has provided a fix for this issue available from:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680
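As an added illustration for administrators checking hosts against the patch list above (this is not part of the iDEFENSE advisory and not Sun's code), the following POSIX shell script reads the output of "showrev -p" and reports whether the installed revision of the ld.so.1 patch meets the fix revision. The base patch id, fix revision and first listed vulnerable revision are passed as arguments (for example 106950, 23 and 14 for SPARC Solaris 7); the showrev lines embedded at the end are constructed sample data, not output from a real host. Revisions below the listed range are reported separately rather than assumed safe, since the advisory only describes the ranges it lists.

```sh
#!/bin/sh
# Added example (not from the advisory or from Sun): classify a Solaris host
# by the highest installed revision of the ld.so.1 patch for its release.
# Usage: showrev -p | patch_status BASEID FIXREV FIRSTVULNREV
# e.g.   showrev -p | patch_status 106950 23 14      # SPARC Solaris 7

# highest_rev BASEID: read `showrev -p` lines on stdin and print the highest
# installed revision of patch BASEID, or -1 if no revision is installed.
highest_rev() {
    awk -v base="$1" '
        BEGIN { max = -1 }
        $1 == "Patch:" {
            split($2, p, "-")      # "106950-22" -> p[1]="106950", p[2]="22"
            if (p[1] == base && (p[2] + 0) > max) max = p[2] + 0
        }
        END { print max }'
}

# patch_status BASEID FIXREV FIRSTVULNREV: FIRSTVULNREV is the first revision
# the advisory lists as vulnerable ("with patches X-14 through X-22").
# Older revisions are flagged for manual review against Sun Alert 55680.
patch_status() {
    base="$1"; fix="$2"; first="$3"
    rev=$(highest_rev "$base")
    if [ "$rev" -ge "$fix" ]; then
        echo "FIXED (${base}-${rev} installed)"
    elif [ "$rev" -ge "$first" ]; then
        echo "VULNERABLE (${base}-${rev} installed, need ${base}-${fix})"
    elif [ "$rev" -ge 0 ]; then
        echo "OUTSIDE-LISTED-RANGE (${base}-${rev} installed; check Sun Alert 55680)"
    else
        echo "NOT-INSTALLED (need ${base}-${fix})"
    fi
}

# Constructed sample, shaped like `showrev -p` output on a SPARC Solaris 7 host.
SAMPLE_SHOWREV='Patch: 106327-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC
Patch: 106950-14 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 106950-22 Obsoletes: 106946-02 Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 107022-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# With the sample above this reports VULNERABLE: 106950-22 is the highest
# installed revision, and the fix is 106950-23.
printf '%s\n' "$SAMPLE_SHOWREV" | patch_status 106950 23 14
```

On a real host, replace the printf of the sample with "showrev -p" and run the script once per platform with the base id and revisions taken from the vulnerable-systems list; "patchadd -p" prints the same "Patch:" lines and can be used in place of showrev.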
Recreation:
It is possible to recreate the issue by issuing the following command
line:
LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd
Disclosure timeline:
01 JUN 2003 Issue disclosed to security-alert@sun.com
02 JUN 2003 Response from Sun Security Coordination Team
03 JUN 2003 Email to Sun Security Coordination Team
04 JUN 2003 Issue disclosed to iDEFENSE
16 JUL 2003 Status Request to Sun Security Coordination Team
22 JUL 2003 Response from Sun Security Coordination Team
28 JUL 2003 iDEFENSE clients notified
29 JUL 2003 Coordinated Public Disclosure
ADDITIONAL INFORMATION
The original advisory can be downloaded from:
http://www.idefense.com/advisory/07.29.03.txt
The information has been provided by iDEFENSE Labs (listserv@idefense.com);
the vulnerability was discovered by Jouko Pynnonen (jouko@iki.fi).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.