'sliplogin' Serial Line IP Utility Buffer Overflow May Possibly Allow Local Users to Gain Elevated Privileges
SecurityTracker Alert ID: 1004317
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 17 2002
Impact: Execution of arbitrary code via local system, Root access via local system
Description: A buffer overflow vulnerability was reported in the 'sliplogin' utility on Mac OS X. The ability for a local user to execute arbitrary code was not confirmed.
The buffer overflow can reportedly be triggered by a local user supplying a long command line argument to the utility; the gdb backtrace in the report places the fault inside strcpy(). The following demonstration transcript is taken from the report:
[localhost:~] elguapo% sliplogin `perl -e 'print "A" x 9000'`
Bus error
It is reported that 'sliplogin' is installed set user id (suid) root (mode -r-sr-xr-x, owner root). However, the ability to execute arbitrary code was not confirmed in the report.
[Editor's note: The report indicates that the author was not able to confirm arbitrary code execution; the most that was achieved was overwriting register r0 with the value 0x41. However, because the utility is suid root and the potential may exist, we are reporting the bug.]
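The crash pattern the backtrace points at, an unbounded strcpy() of a command-line argument into a fixed-size stack buffer, shown next to a bounded copy that rejects over-long input instead of overwriting the stack. This is an added illustration, not code from the advisory or from Apple's sliplogin source; the buffer size LOGIN_BUF and the function names are assumptions for the example.

```c
/*
 * Added illustration (not from the advisory or from sliplogin's source):
 * models the unsafe strcpy() of argv[1] that the report's backtrace
 * shows, and the bounded copy that a fix would use instead.
 * LOGIN_BUF and the function names are assumptions for this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOGIN_BUF 64   /* assumed size; the real binary's buffer size is unknown */

/* Number of bytes strcpy(dst, arg) would write past a bufsize-byte dst
 * (0 means the copy fits). Models the unsafe call without performing it. */
size_t overflow_bytes(const char *arg, size_t bufsize) {
    size_t need = strlen(arg) + 1;   /* strcpy copies the terminating NUL too */
    return need > bufsize ? need - bufsize : 0;
}

/* Hardened form: bounded copy that fails closed on over-long input.
 * Returns 0 on success, -1 if the argument does not fit (nothing is copied). */
int copy_login_name(char *dst, size_t dstsize, const char *arg) {
    size_t n = strlen(arg);
    if (n >= dstsize) {
        return -1;
    }
    memcpy(dst, arg, n + 1);
    return 0;
}

/* Builds the kind of argument the report used: perl -e 'print "A" x N'.
 * Caller frees the result. */
char *make_arg(size_t n) {
    char *p = malloc(n + 1);
    if (p == NULL) {
        return NULL;
    }
    memset(p, 'A', n);
    p[n] = '\0';
    return p;
}

int main(int argc, char **argv) {
    char name[LOGIN_BUF];
    size_t n = argc > 1 ? strtoul(argv[1], NULL, 10) : 9000;
    char *arg = make_arg(n);
    if (arg == NULL) {
        return 1;
    }
    printf("argument length %zu: strcpy() would overrun a %zu-byte buffer by %zu bytes\n",
           n, sizeof name, overflow_bytes(arg, sizeof name));
    if (copy_login_name(name, sizeof name, arg) != 0) {
        fprintf(stderr, "login name too long (max %zu)\n", sizeof name - 1);
        free(arg);
        return 1;   /* fail closed: no copy, no crash, no privilege at risk */
    }
    printf("copied \"%s\"\n", name);
    free(arg);
    return 0;
}
```

Run it with no argument to model the 9000-byte case from the report, or with a number to try other lengths. The point of the bounded version is that an over-long argument is refused before any write happens, which is what a suid program must do: a length check after the copy is too late.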
Impact: The ability of a local user to execute arbitrary code was not confirmed. However, if it is possible, the code would run with root level privileges, giving the local user root access on the system.
Solution: No solution was available at the time of this entry. On systems that do not need SLIP dial-in, removing the set-user-id bit from /usr/sbin/sliplogin removes the privilege-escalation path while a vendor fix is pending; the overflow would then run only with the invoking user's privileges.
Cause: Boundary error
Underlying OS: UNIX (OS X)
Underlying OS Comments: 10.1.3
Reported By: Kevin Finisterre <dotslash@snosoft.com>
Message History:
None.
Source Message Contents
Date: Wed, 15 May 2002 15:41:20 -0700
From: Kevin Finisterre <dotslash@snosoft.com>
Subject: Apple OSX sliplogin overflow
(side note ... isn't it odd that I can run gdb on a suid binary?)
OS X version 10.1.3
[localhost:~] elguapo% ls -al /usr/sbin/sliplogin
-r-sr-xr-x 1 root wheel 14700 Dec 8 10:49 /usr/sbin/sliplogin
[localhost:~] elguapo% sliplogin `perl -e 'print "A" x 9000'`
Bus error
[localhost:~] elguapo% uname -a
Darwin localhost 5.3 Darwin Kernel Version 5.3: Thu Jan 24 22:06:02 PST 2002; root:xnu/xnu-201.19.obj~1/RELEASE_PPC Power Macintosh powerpc
[localhost:~] elguapo% id
uid=501(elguapo) gid=20(staff) groups=20(staff), 0(wheel), 80(admin)
[localhost:~] elguapo% ls -al /usr/sbin/sliplogin
-r-sr-xr-x 1 root wheel 14700 Dec 8 10:49 /usr/sbin/sliplogin
[localhost:~] elguapo% gdb /usr/sbin/sliplogin
GNU gdb 5.0-20001113 (Apple version gdb-203) (Wed Nov 7 16:28:57 GMT 2001) (UI_OUT)
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "powerpc-apple-macos10".
Reading symbols for shared libraries .. done
(gdb) r `perl -e 'print "A" x 1476'`
Starting program: /usr/sbin/sliplogin `perl -e 'print "A" x 1477'`
[Switching to thread 1 (process 339 thread 0x1603)]
Program received signal EXC_BAD_ACCESS, Could not access memory.
0x70004c88 in strcpy ()
(gdb) bt
#0 0x70004c88 in strcpy ()
#1 0x00001bd4 in ?? ()
#2 0x00002278 in ?? ()
#3 0x00001af4 in ?? ()
#4 0x00001924 in ?? ()
I have not been able to accomplish anything short of overwriting r0 with 41.
If the sc command gets called you could control the next syscall by changing
the value in r0. I personally can do nothing with it...
(gdb) r `perl -e 'print "A" x 1478'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /usr/sbin/sliplogin `perl -e 'print "A" x 1478'`
[Switching to thread 1 (process 351 thread 0x1c07)]
Program received signal EXC_BAD_ACCESS, Could not access memory.
0x70004c88 in strcpy ()
(gdb) i r
r0 0x41 65
-KF