Bugtraq mailing list archives

Re: BIG Security Hole in Solaris 2.X (X)passwd + exploit (fwd)


From: avarvit () CC ECE NTUA GR (Aggelos P. Varvitsiotis)
Date: Thu, 27 Feb 1997 19:44:57 +0200


Cristian SCHIPOR <skipo () sundy cs pub ro> writes:

An Exploit for a Big Big security hole in passwd (+ yppasswd and nispasswd)

Under Solaris 2.X passwd, yppasswd and nispasswd can be overflowed in
an internal function (something like sa_chauthtok()). Using a buffer
overflow exploit anyone can gain root access (passwd needs the suid exec
bit from root). passwd has a second overflow bug when it is called with
the '-s' option, in an internal strcpy().

I have written two exploits, one for Solaris 2.4 and one for Solaris 2.5,
for the sa_chauthtok()-type function (passwd LEMON_BUFFER). There's a
little trick here - the LEMON_BUFFER is shifted in memory by 1 char after
exec, so one must shift the LEMON_BUFFER in the reverse direction before
exec - that happens only for a special combination of the exec args -
see my exploits.

[exploits deleted]

I verified the exploit on Solaris 2.5.1, when /etc/nsswitch.conf contains
the line

passwd: files

However, as it was the case with the gethostbyname() exploit, when
/etc/nsswitch.conf reads

passwd: files nis

the exploit did not work. It seems that passwd(1) queries the NIS
server and falls into some kind of infinite loop. Maybe Casper Dik
(who, if I remember correctly, had an explanation for the gethostbyname()
case) can explain this better than I can.

Can anyone confirm this behavior?
---

a.varvitsiotis () ece ntua gr                      A.Varvitsiotis
                                             ICCS Computer Center
                                      National Technical University of Athens
