what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

RISE-2008001.txt

RISE-2008001.txt
Posted Oct 14, 2008
Authored by Adriano Lima | Site risesecurity.org

There exists a vulnerability within a function of the Sun Solstice AdminSuite sadmind, which when properly exploited can lead to remote compromise of the vulnerable system.

tags | advisory, remote
SHA-256 | 8ac2013b17795600d5228efb512a53587caa34b658cc30dbd1fd5363ec38e008

RISE-2008001.txt

Change Mirror Download
RISE-2008001
Sun Solstice AdminSuite sadmind adm_build_path() Buffer Overflow Vulnerability

http://risesecurity.org/advisories/RISE-2008001.txt
Published: October 14, 2008
Updated: October 14, 2008

INTRODUCTION

There exists a vulnerability within a function of the Sun Solstice AdminSuite
sadmind, which when properly exploited can lead to remote compromise of the
vulnerable system.
This vulnerability was confirmed by us in the following versions of the Sun
operating system, other versions may be also affected.

Sun Solaris 9 SPARC
Sun Solaris 9 x86
Sun Solaris 8 SPARC
Sun Solaris 8 x86

DETAILS

Solstice AdminSuite is a collection of graphical user interface tools and
commands used to perform administrative tasks such as managing users, groups,
hosts, system files, printers, disks, file systems, terminals, and modems.

The distributed system administration daemon (sadmind) is the daemon used by
Solstice AdminSuite applications to perform distributed system administration
operations.

The sadmind daemon is started automatically by the inetd daemon whenever a
request to invoke an operation is received. The sadmind daemon process
continues to run for 15 minutes after the last request is completed, unless a
different idle-time is specified with the -i command line option. The sadmind
daemon may be started independently from the command line, for example, at
system boot time. In this case, the -i option has no effect; sadmind continues
to run, even if there are no active requests.

The vulnerable function adm_build_path() does does not validate user supplied
data when appending it to a stack-based buffer using strcat(), resulting in a
stack-based buffer overflow. The exploitation of this vulnerability is trivial
and results in remote compromise of the vulnerable system.
This is the debug information about this vulnerability (from Sun Solaris 9 x86).


Breakpoint 1, 0xd330e5b0 in adm_build_path ()
from /usr/snadm/lib/libadmapm.so.2
(gdb) until *adm_build_path+38
0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
(gdb) x/i $pc
0xd330e5c6 <adm_build_path+38>: call 0xd3304fa8 <strcat@plt>
(gdb) x/x $esp+4
0x80411e4: 0x080b7cd0
(gdb) x/x $esp
0x80411e0: 0x08041208
(gdb) x/s 0x080b7cd0
0x80b7cd0: 'A' <repeats 200 times>...
(gdb) x/s 0x08041208
0x8041208: "system.2.1/"
(gdb) where
#0 0xd330e5c6 in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
#1 0xd330eaa7 in adm_find_method () from /usr/snadm/lib/libadmapm.so.2
#2 0xd335326b in verify_vers_1 () from /usr/snadm/lib/libadmagt.so.2
#3 0xd3352e88 in verify_validate () from /usr/snadm/lib/libadmagt.so.2
#4 0xd3352cf8 in amsl_verify () from /usr/snadm/lib/libadmagt.so.2
#5 0xd32c8a85 in __0fQNetmgtDispatcherPdispatchRequestP6Hsvc_reqP6J__svcxprt
() from /usr/snadm/lib/libadmcom.so.2
#6 0xd32c8656 in __0fQNetmgtDispatcherOreceiveRequestP6Hsvc_reqP6J__svcxprt ()
from /usr/snadm/lib/libadmcom.so.2
#7 0xd32c837c in _netmgt_receiveRequest () from /usr/snadm/lib/libadmcom.so.2
#8 0xd311d4a3 in _svc_prog_dispatch () from /usr/lib/libnsl.so.1
#9 0xd311d24e in svc_getreq_common () from /usr/lib/libnsl.so.1
#10 0xd311d130 in svc_getreq_poll () from /usr/lib/libnsl.so.1
#11 0xd3121550 in _svc_run () from /usr/lib/libnsl.so.1
#12 0xd3121293 in svc_run () from /usr/lib/libnsl.so.1
#13 0xd32cd165 in __0fQNetmgtDispatcherNstartupServerv ()
from /usr/snadm/lib/libadmcom.so.2
#14 0xd32cd13b in netmgt_start_agent () from /usr/snadm/lib/libadmcom.so.2
#15 0x0805168f in main ()
(gdb) stepi
0xd3304fa8 in strcat@plt () from /usr/snadm/lib/libadmapm.so.2
(gdb) step
Single stepping until exit from function strcat@plt,
which has no line number information.
0xd330e5cb in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
(gdb) x/i $pc
0xd330e5cb <adm_build_path+43>: add $0x8,%esp
(gdb) where
#0 0xd330e5cb in adm_build_path () from /usr/snadm/lib/libadmapm.so.2
#1 0xd330eaa7 in adm_find_method () from /usr/snadm/lib/libadmapm.so.2
#2 0xaabbccdd in ?? ()
#3 0x08063000 in ?? ()
#4 0x08063128 in ?? ()
#5 0x080b7cd0 in ?? ()
#6 0x08041730 in ?? ()
#7 0x00000400 in ?? ()
#8 0x00000001 in ?? ()
#9 0xd336ac8c in ?? () from /usr/snadm/lib/libadmagt.so.2
#10 0x00000000 in ?? ()
(gdb) c
Continuing.

Breakpoint 1, 0xd330e5b0 in adm_build_path ()
from /usr/snadm/lib/libadmapm.so.2
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xaabbccdd in ?? ()
(gdb)


A proof of concept code for this vulnerability can be downloaded from our
website http://risesecurity.org/.

VENDOR

Sun Security Coordination Team was notified of this issue, proper corrections
should be available soon. Meanwhile, we recommend disabling the distributed
system administration daemon (sadmind).

CREDITS

This vulnerability was discovered by Adriano Lima <adriano@risesecurity.org>.

DISCLAIMER

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any
information provided, including any kind of information which is incomplete or
incorrect, will therefore be rejected.

$Id: RISE-2008001.txt 2 2008-10-14 14:40:53Z ramon $


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close