COMMAND

    /usr/lib/exrecover

SYSTEMS AFFECTED

    Solaris 2.4, 2.5, 2.6

PROBLEM

    Pablo Sor found the following.  /usr/lib/exrecover contains a buffer
    overflow (the command is installed setuid root on Solaris 2.4, 2.5 and
    2.6).  The problem occurs when it handles its second argument: the
    argument is copied without any check on its length, so an overlong
    argument overruns the destination buffer.  The overflow appears to be
    in heap space.

        $ /usr/lib/exrecover hola `perl -e 'printf "A"x50000'`
        Segmentation Fault (core dumped)

        $ gdb /usr/lib/exrecover --core=core

        GNU gdb 4.17
        Copyright 1998 Free Software Foundation, Inc.
        GDB is free software, covered by the GNU General Public License, and you
        are welcome to change it and/or distribute copies of it under certain
        conditions.
        Type "show copying" to see the conditions.
        There is absolutely no warranty for GDB.  Type "show warranty" for
        details.
        This GDB was configured as "sparc-sun-solaris2.6"...
        (no debugging symbols found)...
        Core was generated by `/usr/lib/exrecover hola
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
        Program terminated with signal 11, Segmentation Fault.
        Reading symbols from /usr/lib/libmapmalloc.so.1...
        (no debugging symbols found)...done.
        Reading symbols from /usr/lib/libc.so.1...(no debugging symbols
        found)...done.
        Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols
        found)...done.
        Reading symbols from /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1...
        (no debugging symbols found)...done.
        #0  0xef6a44d8 in strcpy ()

    This buffer overflow is probably not specific to Solaris; it is most
    likely already present in the original AT&T/UCB vi sources.  It seems
    that exrecover was never designed to be installed setuid root.
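
    The unchecked copy the advisory describes, shown beside a bounded
    replacement, as an added illustration in C.  This is not the exrecover
    source; NAMELEN, the 256-byte buffer size and the function names are
    assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAMELEN 256   /* assumed size of the heap buffer that receives argv[2] */

/* Vulnerable pattern as the advisory describes it: no length check, so an
 * argument of NAMELEN bytes or more writes past the end of the malloc()'d block. */
char *copy_arg_unsafe(const char *arg)
{
    char *buf = malloc(NAMELEN);
    if (buf == NULL)
        return NULL;
    strcpy(buf, arg);            /* heap overflow for a long arg; shown only for contrast */
    return buf;
}

/* Hardened form: measure first, refuse what does not fit, and only then copy.
 * Returns NULL and sets *err instead of corrupting the heap. */
char *copy_arg_checked(const char *arg, int *err)
{
    size_t n = strlen(arg);
    char *buf;

    *err = 0;
    if (n >= NAMELEN) {          /* no room for the terminating NUL */
        *err = 1;
        return NULL;
    }
    buf = malloc(NAMELEN);
    if (buf == NULL) {
        *err = 2;
        return NULL;
    }
    memcpy(buf, arg, n + 1);     /* n < NAMELEN, so the NUL fits */
    return buf;
}

int main(int argc, char **argv)
{
    int err = 0;
    char *name = argc > 2 ? copy_arg_checked(argv[2], &err) : NULL;
    if (name == NULL) {
        fprintf(stderr, "usage: %s user file (file name under %d bytes)\n", argv[0], NAMELEN);
        return 1;
    }
    printf("recovering %s\n", name);
    free(name);
    return 0;
}
```

    With the checked version, the 50000-byte argument from the crash above
    is rejected with an error instead of faulting inside strcpy().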

SOLUTION

    Starting with Solaris 7, exrecover is no longer installed setuid root.
    On all other releases it is safe to change the permissions of
    exrecover to 0555: it does not need elevated privileges to do its job,
    because /var/preserve, the directory it works in, is mode 1777
    (world-writable with the sticky bit).

    This is Sun bug# 4161925