[VulnWatch] sparc exploit for known solaris 8 kcms_configure overflow

From: Adam Slattery (helo@sunriselinux.com)
Date: 07/07/02


Date: Sun, 7 Jul 2002 09:49:51 -0700 (PDT)
From: Adam Slattery <helo@sunriselinux.com>
To: vulnwatch@vulnwatch.org


See http://www.securityfocus.com/bid/2558 for the published details of the
vulnerability. It's a classic local suid 0 buffer overflow in
kcms_configure on solaris 8 systems. Sun issued a patch a LONG time ago.
Sunsolve patch 111400-01.

This is an old vulnerability (04/2001), but I don't think there are any
published exploits for sparc systems (I could only find i386). It works
with the default addresses on both of the unpatched Solaris 8 systems I
have access to. These were ironically very busy machines with a lot of
users that stay reasonably well patched. I guess the admins didn't realize
they needed the kcms patch, which doesn't say anything about a root
compromise.

DESCRIPTION:

The overflow is in an sprintf() call that occurs when kcms_configure is
called with -o -S blah [>1024 byte string]. The sprintf call is made from
a library in the kcms suite, so this might be exploitable from other
suid kcms tools (but kcms_configure is probably the most straightforward).
It's a command line buffer overflow that's fairly easy to
control as long as an attacker can keep the program from seg faulting
before the second return (to the address in the overwritten saved i7
register). This is somewhat tricky because _a lot_ of code gets executed
between the overflow and the second return. I'm not sure if I've ever seen
any published sparc exploits deal with this problem (it's not that hard
though). I dealt with it by overwriting the saved l0-l7 and i0-i6[fp]
registers with the address of a string of pointers in memory (found in a
couple of minutes with gdb). If an attacker doesn't do this, various
instructions (notably st, clr) end up trying to use invalid memory and
causing a segmentation fault.

My exploit is well commented, and could probably even be used as a simple
SPARC Solaris exploit tutorial.

relevant links:

http://www.securityfocus.com/bid/2558
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fpatches/111400
kcms_sparc.c is attached.

- Adam Slattery
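Added defensive check, not part of the original post or its attachment: a POSIX sh snippet that parses `showrev -p` output for the Sun patch the post names (111400-01) and reports whether a kcms_configure binary is still setuid root. The path /usr/openwin/bin/kcms_configure is an assumption, and the sample showrev lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Patch id 111400 comes from
# the post; the line layout mirrors `showrev -p` output on Solaris 8.

# has_kcms_patch "<showrev -p output>"
#   exit 0 if patch 111400 at revision >= 01 is listed, else exit 1
has_kcms_patch() {
    printf '%s\n' "$1" | awk '
        $1 == "Patch:" {
            split($2, p, "-")                      # "111400-01" -> 111400, 01
            if (p[1] == "111400" && p[2] + 0 >= 1) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# is_setuid_root <path>
#   exit 0 if the file exists, carries the setuid bit and is owned by root
is_setuid_root() {
    [ -u "$1" ] && [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

# Constructed sample output (package names are placeholders, not real ones).
SAMPLE_PATCHED='Patch: 108528-13 Obsoletes: Requires: Incompatibles: Packages: SUNWexample
Patch: 111400-01 Obsoletes: Requires: Incompatibles: Packages: SUNWexample'
SAMPLE_UNPATCHED='Patch: 108528-13 Obsoletes: Requires: Incompatibles: Packages: SUNWexample'

# Assumed location of the binary on a Solaris 8 host.
KCMS_BIN=/usr/openwin/bin/kcms_configure

# Live use on a Solaris host; skipped where showrev is not available.
if command -v showrev >/dev/null 2>&1; then
    if has_kcms_patch "$(showrev -p)"; then
        echo "patch 111400-01: present"
    else
        echo "patch 111400-01: MISSING"
    fi
    if is_setuid_root "$KCMS_BIN"; then
        echo "$KCMS_BIN is setuid root; apply the patch or remove the setuid bit"
    fi
fi
```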
