COMMAND

    format buffer overflow

SYSTEMS AFFECTED

    SunOS 5.8 Generic_108528-11

PROBLEM

    Mike Furr disclosed:

    The 'format' utility provided with Solaris 2.6 and 2.8 (and probably
    others as well) does not handle command line arguments correctly. Any
    argument that is passed on the command line that is not a switch is
    treated as a path to a disk device. Each of these arguments is then
    strcpy()'d into a buffer of length MAXPATHLEN, which is set to 1024 at
    compile time. This is done without any bounds checking, leaving the
    possibility of an overflow. Since this occurs before it tries to open
    any devices, any user with execute permissions to format can exploit
    this.

    An intruder may be able to break out of an (ill-constructed) restricted
    environment using this vulnerability and then perform further attacks
    on a system from there.

    Example:

    me@XXXXXX:~(0)$ uname -a
    SunOS XXXX.YYYY.ZZZ 5.8 Generic_108528-11 sun4u sparc SUNW,Ultra-60
    me@XXXXXX:~(0)$ /usr/sbin/format `perl -e 'print "A"x1050;'`
    Bus Error

    Upstream has been contacted and stated that it assigned it a low
    priority bugID and will not backport a fixed executable to the current
    versions of Solaris without a more pressing justification.

SOLUTION

    # chmod 0500 /usr/sbin/format
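The argument-handling pattern the advisory describes, placed beside a bounds-checked version, as an added illustration that is not part of the advisory and not the Solaris format source (which is not on the page). The `disk_arg` structure, the function names and the sample device paths are constructed for the example; the only values taken from the advisory are MAXPATHLEN = 1024 and the 1050-byte argument.

```c
/* Added example, not Solaris code: reconstruction of the unsafe
 * non-switch-argument copy the advisory describes, next to a checked
 * version that refuses over-long arguments before touching the buffer. */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 1024   /* buffer length the advisory quotes */
#endif

struct disk_arg {             /* hypothetical per-argument record */
    char devpath[MAXPATHLEN];
};

/* Reconstructed unsafe pattern: the argument is strcpy()'d into a
 * MAXPATHLEN-byte buffer with no length check, so a 1050-byte argument
 * writes past the end of devpath (undefined behaviour; on the advisory's
 * SPARC host it surfaced as "Bus Error"). Shown for contrast only. */
void add_disk_unchecked(struct disk_arg *d, const char *arg)
{
    strcpy(d->devpath, arg);
}

/* Hardened version: reject anything that would not fit together with its
 * terminating NUL. Returns 0 on success, -1 with errno = ENAMETOOLONG
 * when the argument is too long for the buffer. */
int add_disk_checked(struct disk_arg *d, const char *arg)
{
    size_t len = strlen(arg);     /* argv strings are NUL-terminated */
    if (len >= MAXPATHLEN) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(d->devpath, arg, len + 1);  /* len < MAXPATHLEN: NUL fits */
    return 0;
}

/* Walk argv the way the advisory says format does: arguments beginning
 * with '-' are switches and are skipped; everything else is treated as a
 * device path. Returns the number of accepted paths, or -1 as soon as an
 * over-long argument is seen (before any device would be opened). */
int collect_disk_args(int argc, char **argv, struct disk_arg *out, int max_out)
{
    int n = 0;
    for (int i = 1; i < argc; i++) {
        if (argv[i][0] == '-')
            continue;
        if (n >= max_out)
            break;
        if (add_disk_checked(&out[n], argv[i]) != 0)
            return -1;
        n++;
    }
    return n;
}

int main(int argc, char **argv)
{
    struct disk_arg disks[8];
    int n = collect_disk_args(argc, argv, disks, 8);
    if (n < 0) {
        fprintf(stderr, "%s: device path longer than %d bytes rejected\n",
                argv[0], MAXPATHLEN - 1);
        return 1;
    }
    for (int i = 0; i < n; i++)
        printf("device %d: %s\n", i, disks[i].devpath);
    return 0;
}
```

Run with a 1050-byte argument (for instance the advisory's `perl -e 'print "A"x1050;'` construction) the checked version exits with an error message instead of crashing; the check happens before any device is opened, which is the point at which the original copy was already unbounded. The `chmod 0500` in the SOLUTION section is the operational mitigation until a fixed binary is available.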