[VulnWatch] iDEFENSE Security Advisory 07.29.03: Buffer Overflow in Sun Solaris Runtime Linker

• Previous message: Brett Moore: "[VulnWatch] Shattering SEH II"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: vulnwatch@vulnwatch.org
Date: Tue, 29 Jul 2003 11:57:30 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 07.29.03:
http://www.idefense.com/advisory/07.29.03.txt
Buffer Overflow in Sun Solaris Runtime Linker
July 29, 2003

I. BACKGROUND

The Solaris runtime linker, ld.so.1(1), processes dynamic executables
and shared objects at runtime, binding them to create a runnable
process. When LD_PRELOAD is set, the dynamic linker will use the
specified library before any other when searching for shared libraries.

II. DESCRIPTION

A locally exploitable buffer overflow exists in the ld.so.1 dynamic
runtime linker in Sun's Solaris operating system. The LD_PRELOAD
variable can be passed a large value, which will cause the runtime
linker to overflow a stack based buffer. The overflow occurs on a
non-executable stack making command execution more difficult than
normal, but not impossible.

III. ANALYSIS

iDEFENSE has proof of concept exploit code allowing local attackers to
gain root privileges by exploiting the /usr/bin/passwd command on
Solaris 9. A "return to libc" method is utilized to circumvent the
safeguards of the non-executable stack. It is feasible for a local
attacker to exploit this vulnerability to gain root privileges if at
least one setuid root dynamically linked program exists on the system.
Virtually all default implementations of Solaris 8 and 9 fulfill this
criterion.

IV. DETECTION

The following operating system configurations are vulnerable:

SPARC Platform
     * Solaris 2.6 with patch 107733-10 and without patch 107733-11
     * Solaris 7 with patches 106950-14 through 106950-22 and without
       patch 106950-23
     * Solaris 8 with patches 109147-07 through 109147-24 and without
       patch 109147-25
     * Solaris 9 without patch 112963-09

   x86 Platform
     * Solaris 2.6 with patch 107734-10 and without patch 107734-11
     * Solaris 7 with patches 106951-14 through 106951-22 and without
       patch 106951-23
     * Solaris 8 with patches 109148-07 through 109148-24 and without
       patch 109148-25
     * Solaris 9 without patch 113986-05

V. VENDOR FIX

Sun has provided a fix for this issue available from:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2003-0609 to this issue.

VII. DISCLOSURE TIMELINE

01 JUN 2003 Issue disclosed to security-alert@sun.com
02 JUN 2003 Response from Sun Security Coordination Team
03 JUN 2003 Email to Sun Security Coordination Team
04 JUN 2003 Issue disclosed to iDEFENSE
16 JUL 2003 Status Request to Sun Security Coordination Team
22 JUL 2003 Response from Sun Security Coordination Team
28 JUL 2003 iDEFENSE clients notified
29 JUL 2003 Coordinated Public Disclosure

VIII. CREDIT

Jouko Pynnonen (jouko@iki.fi) discovered this vulnerability.

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world - from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPyaJcPrkky7kqW5PEQJrXACgsGjrOSs/MJVudUP55/MlX6KrPuEAn1uC
99jxCgAMjChg8Y1P5N+QUYzy
=26td
-----END PGP SIGNATURE-----

• Previous message: Brett Moore: "[VulnWatch] Shattering SEH II"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [Full-Disclosure] iDEFENSE Security Advisory 07.29.03: Buffer Overflow in Sun Solaris Runtime Linker ... Buffer Overflow in Sun Solaris Runtime Linker ... iDEFENSE has proof of concept exploit code allowing local attackers to ... 02 JUN 2003 Response from Sun Security Coordination Team ... (Full-Disclosure) iDEFENSE Security Advisory 07.29.03: Buffer Overflow in Sun Solaris Runtime Linker ... Buffer Overflow in Sun Solaris Runtime Linker ... iDEFENSE has proof of concept exploit code allowing local attackers to ... 02 JUN 2003 Response from Sun Security Coordination Team ... (Bugtraq) [Full-Disclosure] iDEFENSE Intelligence Report: Local-Remote Exploit for FreeBSD in the Wild ... iDEFENSE: The Power of Intelligence: Current Intelligence Report ... Local Remote FreeBSD Kernel Exploit Exists in the Wild ... in computer security, who have infiltrated some of the most nefarious ... (Full-Disclosure) [VulnWatch] iDEFENSE Security Advisory 10.31.02c: PHP-Nuke SQL Injection Vulnerability ... iDEFENSE Security Advisory 10.31.02c: ... PHP-Nuke SQL Injection Vulnerability ... all bugs and security fixes apply in the ... (VulnWatch) [Full-disclosure] iDefense Security Advisory 06.04.08: Skype File URI Security Bypass Code Execu ... iDefense Security Advisory 06.04.08 ... video conference with other Skype users and traditional telephone ... attacker to execute arbitrary code in the context of the user. ... iDefense confirmed version 3.6.0.248 of Skype to be vulnerable. ... (Full-Disclosure)