r0ar Security Advisory October 5, 2001
Buffer overflow vulnerability in action argument of dtaction
The dtaction utility allows applications or shell scripts that are otherwise not connected to the CDE development environment to invoke action requests. The action named action_name is invoked with the action_args provided on the command line. A single action_name is required; the user may provide any number of action_args. A buffer overflow occurs when an action_arg of 1023 characters or more is supplied.
On our SunOS 5.8 (x86) machine we concluded that this vulnerability does not yield a local root compromise. However, dtaction is installed setuid root and setgid sys, so the vulnerability should be examined rigorously on other systems.
If the setuid root or setgid sys permission is not needed, remove the suid and sgid bits from /usr/dt/bin/dtaction.
Affected systems: SunOS 5.8 (x86), SunOS 5.6 (sparc)
We confirmed the buffer overflow in the action_arg handling of /usr/dt/bin/dtaction with the following procedure.
$ DISPLAY="127.0.0.1:0.0"
$ export DISPLAY
$ /usr/dt/bin/dtaction foo `perl -e 'print "A"x1023'`
Segmentation Fault
$ ls -l /usr/dt/bin/dtaction
-r-sr-sr-x   1 root     sys        22496 Dec  2  1999 /usr/dt/bin/dtaction
$ uname -svrm
SunOS 5.8 Generic_108529-10 i86pc
The stack layout around action_arg, recovered from the dumped core, is shown in the following diagram.
[ Buffer    ]  Offset 0000-1022
[ Saved ebp ]  Offset 1023-1026
[ Saved eip ]  Offset 1027-1029
[ Saved edi ]  Offset 1027-1030
[ Saved eax ]  Offset 1031-1034
[ Saved edx ]  Offset 1044-1047
From the analysis of the dumped core we found that dtaction uses strcpy and then strcat to move action_arg into a stack buffer; the strcat call, made from the libDtSvc library, is what overflows the buffer.
As the diagram shows, we cannot overwrite the whole return address, so we tried the frame pointer overwrite technique against dtaction. However, we obtained only a normal user shell, because the setuid(0) call in the shellcode fails. We therefore concluded that this vulnerability is not a local root compromise, although it should be rigorously investigated.
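As an added illustration (not code from the advisory, from CDE or from libDtSvc), the copy pattern described above modelled in C: a fixed 1023-byte stack buffer filled by strcpy then strcat with no length check, beside a bounded version that rejects oversized input instead of truncating it silently. The buffer size is taken from the diagram; what the first strcpy copies in is not stated in the advisory, so the prefix parameter, the function names and the 'A'-filled test input are assumptions. The overflow_bytes helper makes the off-by-one visible: 1023 characters plus the terminating NUL write exactly one byte past a 1023-byte buffer, which in the diagram is the low byte of the saved ebp, consistent with a frame pointer overwrite being the available technique rather than a full return address overwrite.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed from the advisory's stack diagram: the action_arg buffer spans
 * offsets 0-1022, i.e. 1023 bytes, with the saved ebp immediately after it. */
#define ACTION_ARG_MAX 1023

/* Hypothetical model of the copy the advisory describes (strcpy followed by
 * strcat, no length check). The data copied in first is not stated, so
 * `prefix` stands in for it. Calling this with prefix+arg+NUL longer than
 * ACTION_ARG_MAX bytes is undefined behaviour, which is exactly the bug. */
static size_t build_action_unsafe(const char *prefix, const char *arg)
{
    char buf[ACTION_ARG_MAX];
    strcpy(buf, prefix);
    strcat(buf, arg);          /* the strcat the advisory blames */
    return strlen(buf);
}

/* Hardened form: snprintf never writes past the buffer and returns the length
 * it needed, so an oversized action_arg is rejected rather than truncated. */
static int build_action_safe(const char *prefix, const char *arg)
{
    char buf[ACTION_ARG_MAX];
    int n = snprintf(buf, sizeof buf, "%s%s", prefix, arg);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;             /* would not fit, NUL included */
    return n;
}

/* Number of bytes the unsafe copy writes past the end of a bufsz-byte buffer,
 * counting the terminating NUL. */
static size_t overflow_bytes(size_t bufsz, const char *prefix, const char *arg)
{
    size_t need = strlen(prefix) + strlen(arg) + 1;
    return need > bufsz ? need - bufsz : 0;
}

/* Constructed test input: n 'A' bytes, like the perl one-liner in the PoC. */
static const char *a_string(size_t n)
{
    static char s[4096];
    if (n >= sizeof s)
        n = sizeof s - 1;
    memset(s, 'A', n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    size_t n;
    for (n = 1022; n <= 1024; n++) {
        const char *arg = a_string(n);
        printf("%zu-byte action_arg: %zu byte(s) past the buffer, bounded copy %s\n",
               n, overflow_bytes(ACTION_ARG_MAX, "", arg),
               build_action_safe("", arg) < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; with an empty prefix the 1022-byte argument fits, the 1023-byte one (the PoC length) lands one byte past the buffer and is rejected by the bounded copy, and 1024 bytes land two past. build_action_unsafe is never called with an oversized argument here; it is present only to show the pattern beside its fix.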
Thanks to r0ar members and UNYUN for his valuable discussion and shellcode.
http://www.r0ar.org (formerly known as ksecurity)
e-mail : firstname.lastname@example.org