Bugtraq: Vulnerability in Solaris mailtool(1)

By ServerWatch Staff (Send Email)
Posted May 28, 2001


The mailtool program is installed setgid mail by default in Solaris, a buffer overrun exists in the OPENWINHOME environment variable. By specifying a long environment buffer containing machine executable code, it is possible to execute arbitrary command(s) as gid mail.

Date: Mon, 28 May 2001 11:46:13 +0200 (CEST)
From: dethy <dethy@synnergy.net>
Subject: [synnergy] - Solaris mailtool(1) buffer overflow vulnerability

Vulnerability in Solaris mailtool(1)

Date Published: May 29, 2001

Advisory ID: N/A

Bugtraq ID: N/A

Sun Bug ID: 4458476

CVE CAN: Non currently assigned.

Title: Solaris mailtool(1) Buffer Overflow Vulnerability

Class: Boundary Error Condition

Remotely Exploitable: No

Locally Exploitable: Yes

Vulnerable Packages/Systems:

Solaris 8       x86
Solaris 8       sparc
[possibly others]

Discovery: dethy@synnergy.net

Synopsis:

The mailtool program is installed setgid mail by default in Solaris,
a buffer overrun exists in the OPENWINHOME environment variable. By
specifying a long environment buffer containing machine executable code,
it is possible to execute arbitrary command(s) as gid mail.

Analysis:

The vulnerability in mailtool incorrectly handles data from the
OPENWINHOME environment variable, if this variable exceeds a predefined
length a stack overflow can occur.


 bash-2.03# export OPENWINHOME='perl -e 'print "A"x1010''
 bash-2.03# mailtool
 Segmentation Fault

 'truss' output:
    Incurred fault #6, FLTBOUNDS  %pc = 0xDF8BD448
    siginfo: SIGSEGV SEGV_MAPERR addr=0x4141414D
    Received signal #11, SIGSEGV [default]
    siginfo: SIGSEGV SEGV_MAPERR addr=0x4141414D
    *** process killed ***


Quick Fix:

Clear the sgid bit off the /usr/openwin/bin/mailtool program.
chmod -s 'which mailtool'

Solution/Vendor:

Sun Microsystems was notified on May 14, 2001 and verified the
vulnerability. Patches/fixes are shortly to be released.

Related Links:

This vulnerability is unrelated to the Solaris 7/8 ximp40 shared library
overflow discovered earlier in the year:
http://www.securityfocus.com/archive/1/159586

Credits :

Vulnerability discovered by dethy (dethy@synnergy.net)

Synnergy Networks http://www.synnergy.net

Page 1 of 1


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.