From labs@idefense.com Mon Aug 4 00:53:51 2003
From: iDEFENSE Labs
To: full-disclosure@lists.netsys.com
Date: Tue, 29 Jul 2003 11:57:29 -0400
Subject: [Full-Disclosure] iDEFENSE Security Advisory 07.29.03: Buffer Overflow in Sun Solaris Runtime Linker

iDEFENSE Security Advisory 07.29.03:
http://www.idefense.com/advisory/07.29.03.txt

Buffer Overflow in Sun Solaris Runtime Linker
July 29, 2003

I. BACKGROUND

The Solaris runtime linker, ld.so.1(1), processes dynamic executables and shared objects at runtime, binding them to create a runnable process. When LD_PRELOAD is set, the dynamic linker uses the specified library before any other when searching for shared libraries.

II. DESCRIPTION

A locally exploitable buffer overflow exists in the ld.so.1 dynamic runtime linker in Sun's Solaris operating system. The LD_PRELOAD variable can be passed a large value, which causes the runtime linker to overflow a stack-based buffer. The overflow occurs on a non-executable stack, which makes command execution more difficult than usual, but not impossible.

III. ANALYSIS

iDEFENSE has proof of concept exploit code allowing local attackers to gain root privileges by exploiting the /usr/bin/passwd command on Solaris 9. A "return to libc" method is utilized to circumvent the safeguards of the non-executable stack. It is feasible for a local attacker to exploit this vulnerability to gain root privileges if at least one setuid root dynamically linked program exists on the system. Virtually all default installations of Solaris 8 and 9 fulfill this criterion.

IV.
DETECTION

The following operating system configurations are vulnerable:

SPARC Platform

* Solaris 2.6 with patch 107733-10 and without patch 107733-11
* Solaris 7 with patches 106950-14 through 106950-22 and without patch 106950-23
* Solaris 8 with patches 109147-07 through 109147-24 and without patch 109147-25
* Solaris 9 without patch 112963-09

x86 Platform

* Solaris 2.6 with patch 107734-10 and without patch 107734-11
* Solaris 7 with patches 106951-14 through 106951-22 and without patch 106951-23
* Solaris 8 with patches 109148-07 through 109148-24 and without patch 109148-25
* Solaris 9 without patch 113986-05

V. VENDOR FIX

Sun has provided a fix for this issue, available from:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0609 to this issue.

VII. DISCLOSURE TIMELINE

01 JUN 2003  Issue disclosed to security-alert@sun.com
02 JUN 2003  Response from Sun Security Coordination Team
03 JUN 2003  Email to Sun Security Coordination Team
04 JUN 2003  Issue disclosed to iDEFENSE
16 JUL 2003  Status request to Sun Security Coordination Team
22 JUL 2003  Response from Sun Security Coordination Team
28 JUL 2003  iDEFENSE clients notified
29 JUL 2003  Coordinated public disclosure

VIII. CREDIT

Jouko Pynnonen (jouko@iki.fi) discovered this vulnerability.

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world - from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code.
Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com.
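Section IV above lists the vulnerable ld.so.1 patch levels per release and platform. The shell script below, added here as an example and not part of the iDEFENSE advisory, turns that table into a check over the output of `showrev -p`; it assumes that command's usual "Patch: <id>-<rev> ..." line format and that patch revisions are cumulative, so the highest installed revision of the ld.so.1 patch decides.

```shell
#!/bin/sh
# Added example, not part of the iDEFENSE advisory: decide from `showrev -p` output
# whether a Solaris host sits at one of the ld.so.1 patch levels listed in section IV.

# Print the highest installed revision of patch ID $1 found in showrev -p text on
# stdin, or -1 if the patch is not installed at all.
patch_rev() {
  awk -v id="$1" 'BEGIN { max = -1 }
    $1 == "Patch:" { split($2, p, "-"); if (p[1] == id && p[2] + 0 > max) max = p[2] + 0 }
    END { print max }'
}

# Usage: showrev -p | ldso_vulnerable RELEASE PLATFORM
# RELEASE is 2.6, 7, 8 or 9; PLATFORM is sparc or x86.
# Exit status: 0 = vulnerable patch level, 1 = not vulnerable, 2 = release/platform unknown.
ldso_vulnerable() {
  # Per release/platform: ld.so.1 patch ID, first revision containing the bug (lo),
  # first revision containing the fix (fix). Solaris 9 is vulnerable with no patch at
  # all, so lo is -1 there (the value patch_rev prints for "not installed").
  case "$1/$2" in
    2.6/sparc) id=107733; lo=10; fix=11 ;;
    2.6/x86)   id=107734; lo=10; fix=11 ;;
    7/sparc)   id=106950; lo=14; fix=23 ;;
    7/x86)     id=106951; lo=14; fix=23 ;;
    8/sparc)   id=109147; lo=7;  fix=25 ;;
    8/x86)     id=109148; lo=7;  fix=25 ;;
    9/sparc)   id=112963; lo=-1; fix=9  ;;
    9/x86)     id=113986; lo=-1; fix=5  ;;
    *)         return 2 ;;
  esac
  rev=$(patch_rev "$id")
  # Patch revisions are cumulative, so the highest installed revision decides: the
  # host is vulnerable if that revision is at or past lo but before fix.
  if [ "$rev" -ge "$lo" ] && [ "$rev" -lt "$fix" ]; then return 0; fi
  return 1
}

# Constructed sample of showrev -p output (not captured from a real host) for a demo
# run; on a live system use: showrev -p | ldso_vulnerable 8 sparc
SAMPLE='Patch: 109147-20 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 108528-29 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr'
if printf '%s\n' "$SAMPLE" | ldso_vulnerable 8 sparc; then
  echo "ld.so.1 patch level is in the vulnerable range (CAN-2003-0609)"
else
  echo "ld.so.1 patch level is not in the vulnerable range"
fi
```

The check only covers the patch-level table in section IV; it does not inspect the binary itself, so a host that received the fix by another route still needs the vendor-published patch to show as installed.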