RE: Solaris ld.so.1 buffer overflow

From: clint walker (cwalker_at_gnx.com)
Date: 07/30/03

    Date: Wed, 30 Jul 2003 10:28:17 -0400
    To: 'Jouko Pynnonen' <jouko@iki.fi>, bugtraq@securityfocus.com

    Jouko,

    I ran the command ($ LD_PRELOAD=/`perl -e 'print "A"x2000'` passwd) on a
    patched box as well as an unpatched box.

    In both cases I got the same output (see below).

    My question is: if there's no segmentation fault, does that mean the system
    is not vulnerable?

    $ LD_PRELOAD=/`perl -e 'print "A"x2000'` passwd
    ld.so.1: passwd: warning:
    /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAA: open failed: illegal insecure pathname
    passwd: Changing password for <username>
    Enter existing login password:

    -----Original Message-----
    From: Jouko Pynnonen [mailto:jouko@iki.fi]
    Sent: Tuesday, July 29, 2003 4:36 PM
    To: bugtraq@securityfocus.com
    Subject: Solaris ld.so.1 buffer overflow

    OVERVIEW
    ========

    There is a buffer overflow vulnerability in the Solaris runtime linker,
    /lib/ld.so.1. A local user can gain elevated privileges if there are
    any dynamically linked, executable SUID/SGID programs in the
    filesystem.

    On a typical Solaris installation most or all SUID/SGID programs are
    dynamically linked. The trend has been to completely move towards
    dynamically linked binaries due to Sun's recommendation. Support for
    static binaries will be removed in Solaris 10.

    DETAILS
    =======

    The environment variable LD_PRELOAD is used to force ld.so.1 to load
    the specified library during runtime linking. If a setuid or setgid
    program is being loaded, the value of this variable is checked to
    prevent a potential malicious user-defined library to be linked in. In
    this case the linker only accepts libraries located under certain
    trusted directories. The code doing this evaluation is most likely the
    point containing the "unchecked buffer".

    The buffer overflow happens if the LD_PRELOAD value starts and ends
    with a slash and contains about 1200 characters. An exploit won't be
    presented here, but the existence of the vulnerability can be tested
    like this:

      $ LD_PRELOAD=/`perl -e 'print "A"x2000'` passwd
      ld.so.1: passwd: warning /AAAAAAA ... AAAAA/: open failed: illegal
      insecure pathname
      Segmentation Fault (core dumped)

    My test exploit for Solaris 9 / SPARC gets a root shell by setting
    the variable and starting /usr/bin/passwd. The exploit builds a fake
    stack frame and causes the linker to return to libc in order to defeat
    the nonexecutable stack protection. I haven't produced an exploit for
    Intel platform, but according to Sun the vulnerability exists on both
    platforms.

    SOLUTION
    ========

    Sun Microsystems was contacted on June 1st, 2003 and has released a fix
    for the flaw. A complete list of vulnerable Solaris versions and the
    fix can be found here:

      http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680

    CREDITS
    =======

    The vulnerability was discovered by Jouko Pynnönen, Finland.

    --
    Jouko Pynnonen          http://iki.fi/jouko/
    jouko@iki.fi
    
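The advisory says the runtime linker, when loading a setuid/setgid program, evaluates LD_PRELOAD and accepts only libraries under certain trusted directories, and that this evaluation is most likely where the unchecked buffer sits. The C program below is an added example written for this archive page (it is not code from Sun's ld.so.1 or from either poster) showing how such a trusted-directory check can be done with the length bounded before anything is copied. The trusted-directory list, the colon-or-space separators and the 1024-byte entry bound are assumptions for illustration; the function only models the accept/reject decision and loads nothing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for this example: directories from which a setuid/setgid
 * ("secure") process may preload a library. An assumed list, not the
 * trusted-directory list of the real Solaris ld.so.1. */
static const char *const TRUSTED_DIRS[] = {
    "/usr/lib/secure",
    "/usr/lib/secure/64",
};
#define N_TRUSTED (sizeof TRUSTED_DIRS / sizeof TRUSTED_DIRS[0])

/* Assumed upper bound on one LD_PRELOAD entry. The bound is enforced
 * before the entry is copied or parsed any further. */
#define PRELOAD_ENTRY_MAX 1024

/* Validate one entry given as (pointer, length) so no NUL-terminated copy
 * of the caller's string is ever made. Returns 1 if the entry is an
 * absolute path to a file located directly in a trusted directory. */
static int entry_ok(const char *e, size_t len)
{
    if (len == 0 || len >= PRELOAD_ENTRY_MAX)
        return 0;                       /* oversized input rejected first */
    if (e[0] != '/' || e[len - 1] == '/')
        return 0;                       /* must be absolute and name a file */

    /* Split at the final '/' into directory part and base name. */
    size_t i = len;
    while (e[i - 1] != '/')
        i--;                            /* terminates because e[0] == '/' */
    size_t dirlen = i - 1;
    const char *base = e + i;
    size_t baselen = len - i;

    /* "." or ".." as the file name would step out of the directory. */
    if ((baselen == 1 && base[0] == '.') ||
        (baselen == 2 && base[0] == '.' && base[1] == '.'))
        return 0;

    /* The directory part must equal a trusted directory exactly, so
     * "/usr/lib/secure/../../tmp" fails without any path walking. */
    for (size_t k = 0; k < N_TRUSTED; k++) {
        if (strlen(TRUSTED_DIRS[k]) == dirlen &&
            memcmp(e, TRUSTED_DIRS[k], dirlen) == 0)
            return 1;
    }
    return 0;
}

/* Validate a whole LD_PRELOAD value. Entries are assumed to be separated
 * by ':' or ' '. Every entry must pass; an empty value is rejected. */
int is_trusted_preload_value(const char *value)
{
    const char *p = value;
    int seen = 0;

    while (*p) {
        while (*p == ':' || *p == ' ')
            p++;                        /* skip separators */
        if (!*p)
            break;
        const char *end = p;
        while (*end && *end != ':' && *end != ' ')
            end++;
        if (!entry_ok(p, (size_t)(end - p)))
            return 0;
        seen = 1;
        p = end;
    }
    return seen;
}

/* Build "/" + n x 'A' + "/" (the shape of the advisory's test value, n
 * chosen by the caller) and run it through the check. Returns the verdict,
 * or -1 if the buffer could not be allocated. */
int check_long_value(size_t n)
{
    char *buf = malloc(n + 3);
    if (buf == NULL)
        return -1;
    buf[0] = '/';
    memset(buf + 1, 'A', n);
    buf[n + 1] = '/';
    buf[n + 2] = '\0';
    int verdict = is_trusted_preload_value(buf);
    free(buf);
    return verdict;
}

int main(void)
{
    const char *samples[] = {
        "/usr/lib/secure/libx.so",
        "/usr/lib/secure/libx.so:/usr/lib/secure/64/liby.so",
        "/tmp/evil.so",
        "/usr/lib/secure/../../tmp/evil.so",
    };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-52s -> %s\n", samples[k],
               is_trusted_preload_value(samples[k]) ? "accepted" : "rejected");
    printf("%-52s -> %s\n", "2000-byte value",
           check_long_value(2000) ? "accepted" : "rejected");
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run: the two entries under the assumed trusted directories are accepted, the relative, `/tmp` and `..` variants are rejected, and the 2000-byte value is rejected on its length alone, before the path is examined. The design point is that the decision never depends on copying the environment value into a fixed-size buffer, which is the pattern that turns an oversized LD_PRELOAD into a crash or worse.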
