SecurityTracker.com
SecurityTracker
Archives


Category:  OS (UNIX)  >  ld.so.1 Vendors:  Sun
Sun Solaris 'ld.so.1' Runtime Linker Buffer Overflow Lets Local Users Gain Root Privileges
SecurityTracker Alert ID:  1007328
CVE Reference:  CAN-2003-0609   (Links to External Site)
Date:  Jul 29 2003
Impact:  Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes   Vendor Confirmed:  Yes  
Advisory:  iDEFENSE
Version(s): Solaris 2.6, 7, 8, and 9
Description:  A buffer overflow vulnerability was reported in the Sun Solaris operating system's ld.so.1(1) runtime linker. A local user can execute arbitrary code with root privileges.

iDEFENSE reported that a local user can supply a large, specially crafted LD_PRELOAD value to the runtime linker to overflow a stack-based buffer. According to the report, the overflowed region of the stack is non-executable, but this only makes exploitation harder: iDEFENSE's proof of concept uses a return-to-libc technique, which needs no executable stack, against the setuid root /usr/bin/passwd program on Solaris 9.

The report indicates that a local user can exploit this flaw to execute arbitrary code with root privileges if at least one dynamically linked set user id (setuid) root application exists on the system. iDEFENSE states that nearly all default installations of Solaris 8 and 9 meet this criterion and are therefore affected.
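The bug class at issue, as an added example that is not the advisory's or Sun's code: a toy parser that copies an LD_PRELOAD value into a fixed-size stack buffer without a length check, beside a version that measures and refuses the value first. The buffer size, the entry-counting logic, the function names and the input strings are assumptions for illustration; the real ld.so.1 layout is not given on this page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the fixed stack buffer used to hold LD_PRELOAD.
 * The real ld.so.1 buffer size is not stated in the advisory. */
#define PRELOAD_BUF 64

/* Count the entries of a preload list already copied into a writable
 * buffer (LD_PRELOAD separates entries with ':' or spaces). */
static int count_entries(char *list)
{
    int n = 0;
    for (char *tok = strtok(list, ": "); tok != NULL; tok = strtok(NULL, ": "))
        n++;
    return n;
}

/* Vulnerable pattern, for illustration only: the environment value is
 * copied into a fixed-size stack buffer with no length check.  A value of
 * PRELOAD_BUF bytes or more runs past `buf` into the saved frame pointer
 * and return address, so on return the attacker chooses where execution
 * continues.  A non-executable stack does not stop this: the corrupted
 * return address can point at existing libc code (return-to-libc), which
 * is the technique the advisory describes. */
int parse_preload_unsafe(const char *preload)
{
    char buf[PRELOAD_BUF];
    strcpy(buf, preload);            /* BUG: no bound on the copy */
    return count_entries(buf);
}

/* Hardened form: measure first, refuse a value that does not fit, and
 * only then copy.  Returns the entry count, or -1 when the value was
 * rejected (the caller should then ignore LD_PRELOAD, not truncate it). */
int parse_preload_safe(const char *preload)
{
    char buf[PRELOAD_BUF];
    if (preload == NULL)
        return 0;
    size_t len = strlen(preload);
    if (len >= sizeof buf)           /* leave room for the terminator */
        return -1;
    memcpy(buf, preload, len + 1);
    return count_entries(buf);
}

/* Constructed inputs, not taken from the advisory. */
int demo_short_value(void)
{
    /* 41 bytes, two entries: fits in PRELOAD_BUF */
    return parse_preload_safe("/usr/lib/libfoo.so.1:/usr/lib/libbar.so.1");
}

int demo_oversized_value(void)
{
    char big[4096];                  /* far larger than PRELOAD_BUF */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return parse_preload_safe(big);  /* rejected: -1 */
}

int main(void)
{
    printf("safe parser, short value:     %d entries\n", demo_short_value());
    printf("safe parser, oversized value: %d (rejected)\n", demo_oversized_value());
    printf("unsafe parser, short value:   %d entries\n",
           parse_preload_unsafe("/usr/lib/libfoo.so.1"));
    return 0;
}
```

The unsafe variant is only ever called with a short value here; feeding it the oversized value would corrupt its own stack frame, which is exactly the condition the advisory reports for ld.so.1. The fix is the length check before the copy, not a switch to a "safer" copy routine that silently truncates.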

The following notification timeline is provided:

01 JUN 2003 Issue disclosed to security-alert@sun.com
02 JUN 2003 Response from Sun Security Coordination Team
03 JUN 2003 Email to Sun Security Coordination Team
04 JUN 2003 Issue disclosed to iDEFENSE
16 JUL 2003 Status Request to Sun Security Coordination Team
22 JUL 2003 Response from Sun Security Coordination Team
28 JUL 2003 iDEFENSE clients notified
29 JUL 2003 Coordinated Public Disclosure

Impact:  A local user can execute arbitrary code with root privileges.
Solution:  The vendor has issued Sun Alert ID 55680. The following fixes are available:

SPARC Platform

* Solaris 2.6 with patch 107733-11 or later
* Solaris 7 with patch 106950-23 or later
* Solaris 8 with patch 109147-25 or later
* Solaris 9 with patch 112963-09 or later

x86 Platform

* Solaris 2.6 with patch 107734-11 or later
* Solaris 7 with patch 106951-23 or later
* Solaris 8 with patch 109148-25 or later
* Solaris 9 with patch 113986-05 or later

Vendor URL:  sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680 (Links to External Site)
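A way to check a host against the per-revision conditions given in the iDEFENSE advisory's detection section below, as an added example rather than a tool from Sun or iDEFENSE: it parses patch ids of the form NNNNNN-RR from `showrev -p` style output and applies one row of that table (Solaris 8 SPARC: vulnerable with 109147-07 through 109147-24, fixed at 109147-25 or later). The `showrev -p` line layout, the sample excerpts and the function names are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum patch_state { PATCH_FIXED, PATCH_VULNERABLE, PATCH_OUTSIDE_RANGE };

/* Parse "NNNNNN-RR" into base number and revision; 1 on success, 0 otherwise. */
int parse_patch_id(const char *s, long *base, int *rev)
{
    char *end;
    long b = strtol(s, &end, 10);
    if (end == s || *end != '-')
        return 0;
    const char *rs = end + 1;
    long r = strtol(rs, &end, 10);
    if (end == rs || r < 0)
        return 0;
    *base = b;
    *rev = (int)r;
    return 1;
}

/* Highest installed revision of patch `base` found in showrev -p style
 * output ("Patch: 109147-24 Obsoletes: ... Packages: ..."), or -1 if no
 * revision of that base is listed.  Only the "Patch: " token is used; the
 * rest of each line is ignored.  The x86 patch of the same alert
 * (109148-xx) has a different base and therefore never matches. */
int highest_revision(const char *showrev_output, long base)
{
    int best = -1;
    const char *p = showrev_output;
    while ((p = strstr(p, "Patch: ")) != NULL) {
        p += strlen("Patch: ");
        char id[32];
        size_t n = strcspn(p, " \t\r\n");
        if (n == 0 || n >= sizeof id)
            continue;
        memcpy(id, p, n);
        id[n] = '\0';
        long b; int r;
        if (parse_patch_id(id, &b, &r) && b == base && r > best)
            best = r;
    }
    return best;
}

/* Apply one row of the detection table: fixed at revision `fix` or later,
 * vulnerable from `first_vuln` up to but not including `fix`, and outside
 * the listed range otherwise.  Pass first_vuln = -1 for rows such as
 * Solaris 9 that are vulnerable even with no revision installed. */
enum patch_state classify(int installed_rev, int first_vuln, int fix)
{
    if (installed_rev >= fix)
        return PATCH_FIXED;
    if (installed_rev >= first_vuln)
        return PATCH_VULNERABLE;
    return PATCH_OUTSIDE_RANGE;
}

/* Constructed showrev -p excerpts (not captured from a real host). */
static const char sample_sparc8_unpatched[] =
    "Patch: 108528-29 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar, SUNWcsu\n"
    "Patch: 109147-24 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu\n";
static const char sample_sparc8_patched[] =
    "Patch: 108528-29 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar, SUNWcsu\n"
    "Patch: 109147-25 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu\n";

/* Solaris 8 SPARC row: vulnerable with 109147-07 through -24, fixed at -25. */
enum patch_state solaris8_sparc_state(const char *showrev_output)
{
    return classify(highest_revision(showrev_output, 109147), 7, 25);
}

int main(void)
{
    static const char *names[] = { "fixed", "VULNERABLE", "outside listed range" };
    printf("unpatched host: %s\n", names[solaris8_sparc_state(sample_sparc8_unpatched)]);
    printf("patched host:   %s\n", names[solaris8_sparc_state(sample_sparc8_patched)]);
    return 0;
}
```

The other rows are the same call with different numbers (for example Solaris 7 SPARC is `classify(highest_revision(out, 106950), 14, 23)` and Solaris 9 SPARC is `classify(highest_revision(out, 112963), -1, 9)`). Patch level alone does not say whether the setuid precondition holds; that still needs a look at the setuid root binaries on the host.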
Cause:  Boundary error
Underlying OS:  UNIX (Solaris - SunOS)
Reported By:  "iDEFENSE Labs" <labs@idefense.com>
Message History:   None.


 Source Message Contents

Date:  Tue, 29 Jul 2003 11:57:30 -0400
From:  "iDEFENSE Labs" <labs@idefense.com>
Subject:  iDEFENSE Security Advisory 07.29.03: Buffer Overflow in Sun Solaris Runtime Linker

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 07.29.03:
http://www.idefense.com/advisory/07.29.03.txt
Buffer Overflow in Sun Solaris Runtime Linker
July 29, 2003

I. BACKGROUND

The Solaris runtime linker, ld.so.1(1), processes dynamic executables
and shared objects at runtime, binding them to create a runnable
process. When LD_PRELOAD is set, the dynamic linker will use the
specified library before any other when searching for shared libraries.

II. DESCRIPTION

A locally exploitable buffer overflow exists in the ld.so.1 dynamic
runtime linker in Sun's Solaris operating system. The LD_PRELOAD
variable can be passed a large value, which will cause the runtime
linker to overflow a stack based buffer. The overflow occurs on a
non-executable stack making command execution more difficult than
normal, but not impossible. 

III. ANALYSIS

iDEFENSE has proof of concept exploit code allowing local attackers to
gain root privileges by exploiting the /usr/bin/passwd command on
Solaris 9. A "return to libc" method is utilized to circumvent the
safeguards of the non-executable stack. It is feasible for a local
attacker to exploit this vulnerability to gain root privileges if at
least one setuid root dynamically linked program exists on the system.
Virtually all default implementations of Solaris 8 and 9 fulfill this
criterion.

IV. DETECTION

The following operating system configurations are vulnerable:

SPARC Platform
     * Solaris 2.6 with patch 107733-10 and without patch 107733-11
     * Solaris 7 with patches 106950-14 through 106950-22 and without
       patch 106950-23
     * Solaris 8 with patches 109147-07 through 109147-24 and without
       patch 109147-25
     * Solaris 9 without patch 112963-09

   x86 Platform
     * Solaris 2.6 with patch 107734-10 and without patch 107734-11
     * Solaris 7 with patches 106951-14 through 106951-22 and without
       patch 106951-23
     * Solaris 8 with patches 109148-07 through 109148-24 and without
       patch 109148-25
     * Solaris 9 without patch 113986-05

V. VENDOR FIX

Sun has provided a fix for this issue available from: 
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2003-0609 to this issue.

VII. DISCLOSURE TIMELINE

01 JUN 2003      Issue disclosed to security-alert@sun.com
02 JUN 2003      Response from Sun Security Coordination Team
03 JUN 2003      Email to Sun Security Coordination Team
04 JUN 2003      Issue disclosed to iDEFENSE
16 JUL 2003      Status Request to Sun Security Coordination Team
22 JUL 2003      Response from Sun Security Coordination Team
28 JUL 2003      iDEFENSE clients notified
29 JUL 2003      Coordinated Public Disclosure

VIII. CREDIT

Jouko Pynnonen (jouko@iki.fi) discovered this vulnerability.


Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"


About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world - from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com .


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPyaJcPrkky7kqW5PEQJrXACgsGjrOSs/MJVudUP55/MlX6KrPuEAn1uC
99jxCgAMjChg8Y1P5N+QUYzy
=26td
-----END PGP SIGNATURE-----

 


Copyright 2002, SecurityGlobal.net LLC