Solaris /opt/SUNWssp/bin/cb_reset Vulnerability
A problem with the cb_reset setuid root command included in the SUNWssp package results in a buffer overflow and potentially the execution of arbitrary code.
Date: Wed, 20 Jun 2001 12:30:59 -0400
From: Pablo Sor <firstname.lastname@example.org>
Subject: Solaris /opt/SUNWssp/bin/cb_reset Vulnerability

Vulnerability in Solaris /opt/SUNWssp/bin/cb_reset

Date Published: June 12, 2001
Advisory ID: N/A
Bugtraq ID: N/A
CVE CAN: None currently assigned.
Title: Solaris /opt/SUNWssp/bin/cb_reset Buffer Overflow Vulnerability
Class: Boundary Error Condition
Remotely Exploitable: No
Locally Exploitable: Yes

Vulnerability Description:

A problem with the cb_reset setuid root command included in the SUNWssp package (not in the standard install) results in a buffer overflow and potentially the execution of arbitrary code. Due to insufficient handling of the input parameter, a buffer overflow at 600 characters makes it possible to overwrite variables on the stack, including the return address.

Vulnerable Packages/Systems:

SunOS 5.8 (not tested on other versions)

Solution/Vendor Information/Workaround:

Sun Microsystems was notified on June 12, 2001. Patches are expected shortly.

Credits:

This vulnerability was discovered by Pablo Sor, Buenos Aires, Argentina. This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail email@example.com.

Technical Description:

$ uname -a
SunOS laika 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10
$ ls /tftpboot/cb_port
/tftpboot/cb_port
$ /opt/SUNWssp/bin/cb_reset `perl -e 'print "A"x600'`
Resetting host AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
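As an added illustration of the bug class the advisory describes (this is not cb_reset's own source, which the advisory does not include), the following shows how a setuid utility should bound-check a host-name argument before any copy; HOST_MAX of 64, the character set accepted and the helper names are assumptions for this example, while the "Resetting host" message format is taken from the session above.

```c
/* Added illustration, not the SUNWssp cb_reset source: the advisory's bug
 * class is a setuid program copying argv[1] into a fixed-size stack buffer
 * with no length check, so a 600-byte argument overwrites the saved return
 * address.  The checked path below refuses oversized or odd arguments before
 * any copy.  HOST_MAX and the accepted characters are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define HOST_MAX 64   /* assumed bound on a control-board host name */

/* Return 1 if arg is acceptable: non-empty, shorter than HOST_MAX bytes,
 * and made only of letters, digits, '-' and '.'.  The length is measured
 * with a bounded scan, so even a huge argument is never walked in full. */
int host_arg_ok(const char *arg)
{
    size_t n = 0;
    if (arg == NULL) return 0;
    while (n < HOST_MAX && arg[n] != '\0') n++;
    if (n == 0 || n >= HOST_MAX) return 0;          /* empty or too long */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Build "Resetting host <name>" with bounded calls only.  Returns the
 * bytes written, or -1 if the argument is rejected or out is too small. */
int build_reset_message(const char *arg, char *out, size_t outlen)
{
    int n;
    if (!host_arg_ok(arg)) return -1;
    n = snprintf(out, outlen, "Resetting host %s", arg);
    if (n < 0 || (size_t)n >= outlen) return -1;    /* would truncate */
    return n;
}

/* The advisory's 600-'A' probe against the checked path: 1 if refused. */
int long_arg_is_rejected(void)
{
    char probe[601], out[128];
    memset(probe, 'A', 600);
    probe[600] = '\0';
    return build_reset_message(probe, out, sizeof out) == -1;
}
```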