COMMAND

    dmispd

SYSTEMS AFFECTED

    Solaris7

PROBLEM

    Brock Tellier  found several  holes in  the Solaris  2.7 SPARC/x86
    dmispd daemon that  will allow malicious  users to do  various DoS
    attacks and probably more.  This  was tested only on 2.7 with  the
    latest patches  as of  this writing.   dmispd is  the "DMI service
    provider".

    Vuln #1 - local/remote users can use all /var disk space
    ========================================================
    By using  "dmi_cmd", any  user on  any other  Solaris machine  (or
    anyone  who  cares  to  port  dmi_cmd)  can  use  the "dmi_cmd -CI
    sp.mif"  command  to  add  the  sp.mif  files  to  the /var/dmi/db
    database.  A  user can repeat  this process again  and again until
    all of /var's (or wherever  the conf file is placing  these files)
    disk space has been  used up.  sp.mif  appears to be installed  by
    default and  no user  authentication is  done.   An attack of this
    sort could  be a  prelude to  another, more  serious attack, since
    most of  Solaris's system  logs reside  on /var.   The interaction
    with dmispd does not appear to be logged in any way.

    Vuln #2 - local/remote users can crash the dmispd daemon
    ========================================================
    By using the same "dmi_cmd  -CI" command, users can specify  their
    own file to add.  If this file contains enough bytes on the  first
    line, we can cause  the daemon to segfault  and crash.  We  can do
    this using the ("../") directory traversal problem as shown:

        # any more than 1024 characters in here and dmispd reports an error
        # and exit()'s without segfaulting.
        echo `perl -e "print 'A' x 1000"` > /usr/home/btellier/my.mif
        dmi_cmd -CI ../../../usr/home/btellier/my.mif

    The  client  hangs,  then  reports  an  error.   The  daemon   has
    segfaulted and died.   Brock has been  able to overwrite  ONLY the
    %o4 register  and nothing  more.   In addition  to this,  it seems
    that the daemon  will only accept  regular letters/numbers/symbols
    and all other characters are discarded, which greatly reduces  our
    chances of making this exploit anything more than a DoS.

    He tried specifying ../../../etc/shadow and other files to see  if
    they are written  to the /var/dmi/db  database, but dmispd  parses
    the files for correct format and reports an error if they are  not
    what was expected.
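    Neither vulnerability leaves a trace in the system logs, so the only
    signals a  defender has  are the  ones the  advisory itself  names:
    growth of the /var/dmi/db database (Vuln #1) and the dmispd process
    disappearing (Vuln #2).  The  following watchdog  is an added  example
    for this write-up, not code  from Sun or  from Brock Tellier.   It
    assumes the database path /var/dmi/db from the advisory; the script
    name dmi_watch.sh, the  size and file-count  thresholds, and the  ps
    column names are assumptions for illustration.  It counts every
    regular file under the database directory rather than only *.mif,
    since the on-disk naming is not documented here.

```shell
#!/bin/sh
# dmi_watch.sh (hypothetical name): cron-driven watchdog for the dmispd
# issues described above.  Alerts when /var/dmi/db grows past a limit
# (disk-fill via repeated "dmi_cmd -CI") or when dmispd is no longer in
# the process table (crash via an oversized MIF first line).

DMI_DB_DIR="${DMI_DB_DIR:-/var/dmi/db}"     # path from the advisory
DMI_MAX_BYTES="${DMI_MAX_BYTES:-10485760}"  # assumed limit: 10 MiB
DMI_MAX_FILES="${DMI_MAX_FILES:-200}"       # assumed limit: 200 entries

# Total bytes held by regular files under a directory.  cat|wc is used
# instead of du so the number does not depend on filesystem block size.
dmi_db_bytes() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -type f -exec cat {} + 2>/dev/null | wc -c | tr -d ' '
}

# Number of regular files; each successful "dmi_cmd -CI" adds at least one.
dmi_db_file_count() {
    dir="$1"
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -type f 2>/dev/null | wc -l | tr -d ' '
}

# Succeeds (exit 0) when the database exceeds either limit.
dmi_db_over_limit() {
    dir="$1"; max_bytes="$2"; max_files="$3"
    bytes=$(dmi_db_bytes "$dir")
    files=$(dmi_db_file_count "$dir")
    [ "$bytes" -gt "$max_bytes" ] || [ "$files" -gt "$max_files" ]
}

# Succeeds when a process whose command name is exactly dmispd exists.
dmispd_running() {
    ps -e -o comm= 2>/dev/null | grep -q '^dmispd$'
}

# Prints one line per check; returns 1 if any check raised an alert.
dmi_watch_report() {
    dir="$1"; max_bytes="$2"; max_files="$3"
    rc=0
    if dmi_db_over_limit "$dir" "$max_bytes" "$max_files"; then
        echo "ALERT: $dir holds $(dmi_db_bytes "$dir") bytes in" \
             "$(dmi_db_file_count "$dir") files (possible dmi_cmd -CI flood)"
        rc=1
    else
        echo "ok: $dir within limits"
    fi
    if dmispd_running; then
        echo "ok: dmispd is running"
    else
        echo "ALERT: dmispd is not running (possible crash)"
        rc=1
    fi
    return $rc
}

# Run the report only when executed under the script name; when the file
# is sourced for its functions nothing runs.
case "${0##*/}" in
    dmi_watch.sh) dmi_watch_report "$DMI_DB_DIR" "$DMI_MAX_BYTES" "$DMI_MAX_FILES" ;;
esac
```

    Run it from  cron as root  and forward the  non-zero exit to  your
    paging or  syslog setup;  a baseline  count of  files in /var/dmi/db
    taken on a freshly patched host gives a sensible DMI_MAX_FILES value.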

SOLUTION

    Nothing yet.